
Merge branch 'master' of timkimber.github.com:srvrco/getssl

pull/740/head
Tim Kimber 6 years ago
parent
commit
29fb293a19
No known key found for this signature in database GPG Key ID: 3E1804964E76BD18
24 changed files with 477 additions and 105 deletions
  1. +31
    -0
      .github/workflows/stale2.yml
  2. +19
    -0
      dns_scripts/dns_add_duckdns
  3. +13
    -11
      dns_scripts/dns_add_nsupdate
  4. +12
    -0
      dns_scripts/dns_del_duckdns
  5. +13
    -11
      dns_scripts/dns_del_nsupdate
  6. +49
    -5
      docker-compose.yml
  7. +40
    -61
      getssl
  8. +6
    -1
      test/1-simple-http01.bats
  9. +42
    -0
      test/2-simple-dns01-dig.bats
  10. +34
    -0
      test/2-simple-dns01-nslookup.bats
  11. +12
    -2
      test/3-dual-rsa-ecdsa.bats
  12. +6
    -1
      test/4-more-than-10-hosts.bats
  13. +12
    -0
      test/5-secp384-http01.bats
  14. +10
    -3
      test/6-dual-rsa-ecdsa-copy-2-locations.bats
  15. +15
    -7
      test/7-duckdns-dns01.bats
  16. +78
    -0
      test/8-duckdns-ecdsa.bats
  17. +25
    -0
      test/Dockerfile-ubuntu16
  18. +8
    -2
      test/debug-test.sh
  19. +10
    -0
      test/run-all-tests.cmd
  20. +1
    -0
      test/run-all-tests.sh
  21. +1
    -0
      test/test-config/getssl-dns01-dual-rsa-ecdsa.cfg
  22. +1
    -0
      test/test-config/getssl-dns01.cfg
  23. +37
    -0
      test/test-config/getssl-duckdns01.cfg
  24. +2
    -1
      test/test_helper.bash

+ 31
- 0
.github/workflows/stale2.yml View File

@ -0,0 +1,31 @@
on:
schedule:
- cron: "0 0 * * *"
name: Run Stale Bot on Issue Comments
jobs:
build:
name: stale
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- name: stale
uses: gatsbyjs/stale@master
with:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
DRY_RUN: true
DAYS_BEFORE_STALE: 60
DAYS_BEFORE_CLOSE: 30
STALE_ISSUE_LABEL: 'stale'
STALE_PR_LABEL: 'stale'
OPERATIONS_PER_RUN: 30
STALE_ISSUE_MESSAGE: 'This issue will be closed as no updates for 60 days'
CLOSE_MESSAGE: 'Closing stale issue after 90 days of inactivity'
EXEMPT_ISSUE_LABELS: |
bug
documentation
enhancement
feature
help wanted
rfc
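Review bot: Both `uses:` references point at a mutable branch (`actions/checkout@master`, `gatsbyjs/stale@master`), and the stale step is handed `secrets.GITHUB_TOKEN`, so whoever can push to either upstream branch can run code with write access to this repository's issues and pull requests; pin each action to a full commit SHA with the version noted in a trailing comment, e.g. `uses: gatsbyjs/stale@<commit-sha>  # vX.Y`. The `actions/checkout` step also looks unnecessary for a bot that only talks to the API, and dropping it removes one of the two trust dependencies. `DRY_RUN: true` is presumably a trial setting; a comment on the conditions for switching it off would help the next maintainer.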

+ 19
- 0
dns_scripts/dns_add_duckdns View File

@ -0,0 +1,19 @@
#!/bin/bash
# need to add your Token for duckdns below
token=${DUCKDNS_TOKEN:-}
if [ -z "$token" ]; then
echo "DUCKDNS_TOKEN not set"
exit 1
fi
domain="$1"
txtvalue="$2"
response=$(curl --silent "https://www.duckdns.org/update?domains=${domain}&token=${token}&txt=${txtvalue}")
if [ "$response" != "OK" ]; then
echo "Failed to update TXT record for ${domain} at duckdns.org (is the TOKEN valid?)"
echo "Response: $response"
exit 1
fi
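Review bot: The update URL is built by string concatenation, so `domain` and `txtvalue` are sent without URL encoding and the token sits in curl's argv, visible to other local users through `ps` for the duration of the call; `curl --silent` without `--show-error` additionally turns transport errors into an empty `$response`, reported only as "is the TOKEN valid?". Letting curl encode the parameters is a small rewrite (below); keeping the token off the command line would need it passed through a curl config read from stdin (`-K -`) instead. The same concatenated URL appears in `dns_del_duckdns`. The header comment `# need to add your Token for duckdns below` no longer matches the code, which reads it from the environment; suggest `# The duckdns token is read from the DUCKDNS_TOKEN environment variable`.
```shell
# … unchanged: token check and positional arguments …
response=$(curl --silent --show-error --get \
  --data-urlencode "domains=${domain}" \
  --data-urlencode "token=${token}" \
  --data-urlencode "txt=${txtvalue}" \
  "https://www.duckdns.org/update")
# … unchanged: response check …
```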

+ 13
- 11
dns_scripts/dns_add_nsupdate View File

@ -14,26 +14,28 @@ token="$2"
if [ -n "${DNS_NSUPDATE_KEYFILE}" ]; then
if [ -n "${DNS_NSUPDATE_KEY_HOOK}" ] && ! ${DNS_NSUPDATE_KEY_HOOK} 'add' 'open' "${fulldomain}" ; then
exit $(( $? + 128 ))
fi
if [ -n "${DNS_NSUPDATE_KEY_HOOK}" ] && ! ${DNS_NSUPDATE_KEY_HOOK} 'add' 'open' "${fulldomain}" ; then
exit $(( $? + 128 ))
fi
options="-k ${DNS_NSUPDATE_KEYFILE}"
options="-k ${DNS_NSUPDATE_KEYFILE}"
fi
# Note that blank line is a "send" command to nsupdate
if [ -n "${DNS_SERVER}" ]; then
cmd+="server ${DNS_SERVER}\n"
fi
nsupdate "${options}" -v <<EOF
update add _acme-challenge.${fulldomain}. 300 in TXT "${token}"
cmd+="update add ${DNS_ZONE:-"_acme-challenge.${fulldomain}."} 300 in TXT \"${token}\"\n"
cmd+="\n" # blank line is a "send" command to nsupdate
EOF
printf "$cmd" | nsupdate ${options} -v
sts=$?
if [ -n "${DNS_NSUPDATE_KEYFILE}" ]; then
if [ -n "${DNS_NSUPDATE_KEY_HOOK}" ] && ! ${DNS_NSUPDATE_KEY_HOOK} 'add' 'close' "${fulldomain}"; then
exit $(( sts + ( $? * 10 ) ))
fi
if [ -n "${DNS_NSUPDATE_KEY_HOOK}" ] && ! ${DNS_NSUPDATE_KEY_HOOK} 'add' 'close' "${fulldomain}"; then
exit $(( sts + ( $? * 10 ) ))
fi
fi
exit ${sts}
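Review bot: `printf "$cmd" | nsupdate ${options} -v` uses the assembled update text as printf's format string, so a `%` in `DNS_SERVER`, `DNS_ZONE`, `fulldomain` or `token` would be interpreted as a conversion instead of being sent to nsupdate; `printf '%b' "$cmd"` keeps the `\n` separators working while treating the data as data. The unquoted `${options}` is needed to split `-k <file>` but also globs and breaks on a keyfile path containing spaces; `options=(-k "${DNS_NSUPDATE_KEYFILE}")` with `nsupdate "${options[@]}" -v` avoids both. `dns_del_nsupdate` has the identical two lines. The default `${DNS_ZONE:-"_acme-challenge.${fulldomain}."}` makes `DNS_ZONE` replace the whole owner name of the TXT record rather than a zone, which the name does not suggest; a comment stating that `DNS_ZONE` is the full record name would help avoid misconfiguration. The script's argument handling is above this hunk.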

+ 12
- 0
dns_scripts/dns_del_duckdns View File

@ -0,0 +1,12 @@
#!/bin/bash
# need to add your Token for duckdns below
token=${DUCKDNS_TOKEN:-}
domain="$1"
response=$(curl --silent "https://www.duckdns.org/update?domains=${domain}&token=${token}&txt=&clear=true")
if [ "$response" != "OK" ]; then
echo "Failed to update TXT record for ${domain} at duckdns.org (is the TOKEN valid?)"
echo "$response"
exit 1
fi
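Review bot: `dns_del_duckdns` omits the empty-token check that `dns_add_duckdns` performs, so with `DUCKDNS_TOKEN` unset it still sends a request with `token=` and fails only with the generic "is the TOKEN valid?" message; suggest `if [ -z "$token" ]; then echo "DUCKDNS_TOKEN not set"; exit 1; fi` right after the assignment. The failure-path output also differs from the add script (`echo "$response"` here, `echo "Response: $response"` there); aligning the two makes log reading easier. As in the add script, the `# need to add your Token for duckdns below` comment no longer describes the code.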

+ 13
- 11
dns_scripts/dns_del_nsupdate View File

@ -14,26 +14,28 @@ token="$2"
# 'open" / 'close'
if [ -n "${DNS_NSUPDATE_KEYFILE}" ]; then
if [ -n "${DNS_NSUPDATE_KEY_HOOK}" ] && ! "${DNS_NSUPDATE_KEY_HOOK}" 'del' 'open' "${fulldomain}" ; then
exit $(( $? + 128 ))
fi
if [ -n "${DNS_NSUPDATE_KEY_HOOK}" ] && ! "${DNS_NSUPDATE_KEY_HOOK}" 'del' 'open' "${fulldomain}" ; then
exit $(( $? + 128 ))
fi
options="-k ${DNS_NSUPDATE_KEYFILE}"
options="-k ${DNS_NSUPDATE_KEYFILE}"
fi
# Note that blank line is a "send" command to nsupdate
if [ -n "${DNS_SERVER}" ]; then
cmd+="server ${DNS_SERVER}\n"
fi
nsupdate "${options}" -v <<EOF
update delete "_acme-challenge.${fulldomain}." 300 in TXT "${token}"
cmd+="update delete ${DNS_ZONE:-"_acme-challenge.${fulldomain}."} 300 in TXT \"${token}\"\n"
cmd+="\n" # blank line is a "send" command to nsupdate
EOF
printf "$cmd" | nsupdate ${options} -v
sts=$?
if [ -n "${DNS_NSUPDATE_KEYFILE}" ]; then
if [ -n "${DNS_NSUPDATE_KEY_HOOK}" ] && ! "${DNS_NSUPDATE_KEY_HOOK}" 'del' 'close' "${fulldomain}" ; then
exit $(( sts + ( $? * 10 ) ))
fi
if [ -n "${DNS_NSUPDATE_KEY_HOOK}" ] && ! "${DNS_NSUPDATE_KEY_HOOK}" 'del' 'close' "${fulldomain}" ; then
exit $(( sts + ( $? * 10 ) ))
fi
fi
exit ${sts}

+ 49
- 5
docker-compose.yml View File

@ -3,7 +3,7 @@ services:
pebble:
image: letsencrypt/pebble:latest
# TODO enable -strict
command: pebble -config /test/config/pebble-config.json -dnsserver 10.30.50.3:8053
command: pebble -config /test/config/pebble-config.json -dnsserver 10.30.50.3:53
environment:
# with Go 1.13.x which defaults TLS 1.3 to on
GODEBUG: "tls13=1"
@ -15,7 +15,7 @@ services:
ipv4_address: 10.30.50.2
challtestsrv:
image: letsencrypt/pebble-challtestsrv:latest
command: pebble-challtestsrv -defaultIPv6 "" -defaultIPv4 10.30.50.3
command: pebble-challtestsrv -defaultIPv6 "" -defaultIPv4 10.30.50.3 -dns01 ":53"
ports:
- 8055:8055 # HTTP Management API
networks:
@ -129,6 +129,33 @@ services:
- i.ubuntu.getssl.test
- j.ubuntu.getssl.test
- k.ubuntu.getssl.test
getssl-ubuntu16:
build:
context: .
dockerfile: test/Dockerfile-ubuntu16
container_name: getssl-ubuntu16
volumes:
- .:/getssl
environment:
GETSSL_HOST: ubuntu16.getssl.test
GETSSL_IP: 10.30.50.14
NGINX_CONFIG: /etc/nginx/sites-enabled/default
networks:
acmenet:
ipv4_address: 10.30.50.14
aliases:
- ubuntu16.getssl.test
- a.ubuntu16.getssl.test
- b.ubuntu16.getssl.test
- c.ubuntu16.getssl.test
- d.ubuntu16.getssl.test
- e.ubuntu16.getssl.test
- f.ubuntu16.getssl.test
- g.ubuntu16.getssl.test
- h.ubuntu16.getssl.test
- i.ubuntu16.getssl.test
- j.ubuntu16.getssl.test
- k.ubuntu16.getssl.test
getssl-ubuntu18:
build:
context: .
@ -138,11 +165,11 @@ services:
- .:/getssl
environment:
GETSSL_HOST: ubuntu18.getssl.test
GETSSL_IP: 10.30.50.14
GETSSL_IP: 10.30.50.15
NGINX_CONFIG: /etc/nginx/sites-enabled/default
networks:
acmenet:
ipv4_address: 10.30.50.14
ipv4_address: 10.30.50.15
aliases:
- ubuntu18.getssl.test
- a.ubuntu18.getssl.test
@ -156,7 +183,24 @@ services:
- i.ubuntu18.getssl.test
- j.ubuntu18.getssl.test
- k.ubuntu18.getssl.test
getssl-duckdns:
build:
context: .
dockerfile: test/Dockerfile-ubuntu
container_name: getssl-duckdns
volumes:
- .:/getssl
environment:
GETSSL_HOST: getssl.duckdns.org
GETSSL_IP: 10.30.50.16
NGINX_CONFIG: /etc/nginx/sites-enabled/default
DUCKDNS_TOKEN: $DUCKDNS_TOKEN
STAGING: "true"
networks:
acmenet:
ipv4_address: 10.30.50.16
aliases:
- getssl.duckdns.org
networks:
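Review bot: `DUCKDNS_TOKEN: $DUCKDNS_TOKEN` copies the secret into the container's environment, where it is readable with `docker inspect` and by every process in the container, and when the variable is not set on the host compose substitutes an empty string with a warning on each `up`, including the internal-only runs that never touch duckdns. `DUCKDNS_TOKEN: ${DUCKDNS_TOKEN:-}` silences that warning without changing behaviour, and a comment such as `# only needed for the external duckdns tests; exposed to the whole container` documents the trade-off. Moving pebble's `-dnsserver` to port 53 and adding `-dns01 ":53"` on challtestsrv means the challenge server now binds a privileged port inside its container; that works only while the image runs as root, which is presumably the case today.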


+ 40
- 61
getssl View File

@ -212,6 +212,8 @@
# 2020-02-12 Fix #424 - Sporadic "error in EC signing couldn't get R from ..." (2.18)
# 2020-02-12 Fix "Registration key already in use" (2.19)
# 2020-02-13 Fix bug with copying to all locations when creating RSA and ECDSA certs (2.20)
# 2020-02-22 Change sign_string to use openssl asn1parse (better fix for #424)
# 2020-02-23 Add dig to config check for systems without drill (ubuntu)
# ----------------------------------------------------------------------------------------
PROGNAME=${0##*/}
@ -339,7 +341,7 @@ check_challenge_completion() { # checks with the ACME server if our challenge is
# if ACME response is that their check gave an invalid response, error exit
if [[ "$status" == "invalid" ]] ; then
err_detail=$(json_get "$response" detail)
err_detail=$(echo "$response" | grep "detail")
error_exit "$domain:Verify error:$err_detail"
fi
@ -347,7 +349,8 @@ check_challenge_completion() { # checks with the ACME server if our challenge is
if [[ "$status" == "pending" ]] ; then
info "Pending"
else
error_exit "$domain:Verify error:$response"
err_detail=$(echo "$response" | grep "detail")
error_exit "$domain:Verify error:$status:$err_detail"
fi
debug "sleep 5 secs before testing verify again"
sleep 5
@ -431,14 +434,23 @@ check_config() { # check the config files for all obvious errors
info "${DOMAIN}: ACL location not specified for domain $d in $DOMAIN_DIR/getssl.cfg"
config_errors=true
fi
# check domain exist
if [[ "$DNS_CHECK_FUNC" == "drill" ]] || [[ "$DNS_CHECK_FUNC" == "dig" ]]; then
# check domain exists
if [[ "$DNS_CHECK_FUNC" == "drill" ]]; then
if [[ "$($DNS_CHECK_FUNC "${d}" |grep -c "${d}")" -ge 1 ]]; then
debug "found IP for ${d}"
else
info "${DOMAIN}: DNS lookup failed for ${d}"
config_errors=true
fi
elif [[ "$DNS_CHECK_FUNC" == "dig" ]]; then
if [[ "$($DNS_CHECK_FUNC "${d}" -t SOA|grep -c "^${d}")" -ge 1 ]]; then
debug "found SOA IP for ${d}"
elif [[ "$($DNS_CHECK_FUNC "${d}" -t A|grep -c "^${d}")" -ge 1 ]]; then
debug "found A IP for ${d}"
else
info "${DOMAIN}: DNS lookup failed for ${d}"
config_errors=true
fi
elif [[ "$DNS_CHECK_FUNC" == "host" ]]; then
if [[ "$($DNS_CHECK_FUNC "${d}" |grep -c "^${d}")" -ge 1 ]]; then
debug "found IP for ${d}"
@ -986,7 +998,7 @@ if [[ $VALIDATE_VIA_DNS == "true" ]]; then
| grep '"'|awk -F'"' '{ print $2}')
elif [[ "$DNS_CHECK_FUNC" == "drill" ]] || [[ "$DNS_CHECK_FUNC" == "dig" ]]; then
check_result=$($DNS_CHECK_FUNC TXT "_acme-challenge.${d}" "@${ns}" \
| grep '300 IN TXT'|awk -F'"' '{ print $2}')
| grep 'IN TXT'|awk -F'"' '{ print $2}')
elif [[ "$DNS_CHECK_FUNC" == "host" ]]; then
check_result=$($DNS_CHECK_FUNC -t TXT "_acme-challenge.${d}" "${ns}" \
| grep 'descriptive text'|awk -F'"' '{ print $2}')
@ -1807,65 +1819,28 @@ sign_string() { # sign a string with a given key and algorithm and return urlbas
if openssl rsa -in "${skey}" -noout 2>/dev/null ; then # RSA key
signed64="$(printf '%s' "${str}" | openssl dgst -"$signalg" -sign "$key" | urlbase64)"
elif openssl ec -in "${skey}" -noout 2>/dev/null ; then # Elliptic curve key.
signed=$(printf '%s' "${str}" | openssl dgst -"$signalg" -sign "$key" -hex | awk '{print $2}')
debug "EC signature $signed"
if [[ "${signed:4:4}" == "021f" ]]; then #sha256 which needs padding
R=$(echo -n 00;echo "$signed" | cut -c 9-70)
part2=$(echo "$signed" | cut -c 71-)
elif [[ "${signed:4:4}" == "0220" ]]; then #sha256
R=$(echo "$signed" | cut -c 9-72)
part2=$(echo "$signed" | cut -c 73-)
elif [[ "${signed:4:4}" == "0221" ]]; then #sha256 which needs trimming
R=$(echo "$signed" | cut -c 11-74)
part2=$(echo "$signed" | cut -c 75-)
elif [[ "${signed:4:4}" == "022f" ]]; then #sha384 which needs padding
info "Padding sha384"
R=$(echo -n 00;echo "$signed" | cut -c 9-102)
part2=$(echo "$signed" | cut -c 103-)
elif [[ "${signed:4:4}" == "0230" ]]; then #sha384
R=$(echo "$signed" | cut -c 9-104)
part2=$(echo "$signed" | cut -c 105-)
elif [[ "${signed:4:4}" == "0231" ]]; then #sha384 which needs trimming
R=$(echo "$signed" | cut -c 11-106)
part2=$(echo "$signed" | cut -c 107-)
elif [[ "${signed:6:4}" == "0240" ]]; then #sha512 which needs padding
R=$(echo -n 00;echo "$signed" | cut -c 9-138)
part2=$(echo "$signed" | cut -c 141-)
elif [[ "${signed:6:4}" == "0241" ]]; then #sha512 which needs padding
R=$(echo -n 00;echo "$signed" | cut -c 11-140)
part2=$(echo "$signed" | cut -c 141-)
elif [[ "${signed:6:4}" == "0242" ]]; then #sha512
R=$(echo "$signed" | cut -c 11-142)
part2=$(echo "$signed" | cut -c 143-)
# ECDSA signature width
# e.g. 521 bits requires 66 bytes to express, a signature consists of 2 integers so 132 bytes
# https://crypto.stackexchange.com/questions/12299/ecc-key-size-and-signature-size/
if [ "$signalg" = "sha256" ]; then
w=64
elif [ "$signalg" = "sha384" ]; then
w=96
elif [ "$signalg" = "sha512" ]; then
w=132
else
error_exit "error in EC signing couldn't get R from $signed"
error_exit "Unknown signing algorithm $signalg"
fi
asn1parse=$(printf '%s' "${str}" | openssl dgst -"$signalg" -sign "$key" | openssl asn1parse -inform DER)
#shellcheck disable=SC2086
R=$(echo $asn1parse | awk '{ print $13 }' | cut -c2-)
debug "R $R"
if [[ "${part2:0:4}" == "021f" ]]; then #sha256 with padding
S=$(echo -n 00;echo "$part2" | cut -c 5-)
elif [[ "${part2:0:4}" == "0220" ]]; then #sha256
S=$(echo "$part2" | cut -c 5-68)
elif [[ "${part2:0:4}" == "0221" ]]; then #sha256
S=$(echo "$part2" | cut -c 7-70)
elif [[ "${part2:0:4}" == "022f" ]]; then #sha384 with padding
S=$(echo -n 00;echo "$part2" | cut -c 5-)
elif [[ "${part2:0:4}" == "0230" ]]; then #sha384
S=$(echo "$part2" | cut -c 5-100)
elif [[ "${part2:0:4}" == "0231" ]]; then #sha384
S=$(echo "$part2" | cut -c 7-102)
elif [[ "${part2:0:4}" == "0240" ]]; then #sha512 with padding
S=$(echo -n 00;echo "$part2" | cut -c 5-)
elif [[ "${part2:0:4}" == "0241" ]]; then #sha512 with padding
S=$(echo -n 00;echo "$part2" | cut -c 5-)
elif [[ "${part2:0:4}" == "0242" ]]; then #sha512
S=$(echo "$part2" | cut -c 5-)
else
error_exit "error in EC signing couldn't get S from $signed"
fi
#shellcheck disable=SC2086
S=$(echo $asn1parse | awk '{ print $20 }' | cut -c2-)
debug "S $S"
signed64=$(printf '%s' "${R}${S}" | hex2bin | urlbase64 )
# pad R and S to the correct length for the signing algorithm
signed64=$(printf "%${w}s%${w}s" "${R}" "${S}" | tr ' ' '0' | hex2bin | urlbase64 )
debug "encoded RS $signed64"
fi
}
@ -1905,6 +1880,8 @@ usage() { # echos out the program usage
write_domain_template() { # write out a template file for a domain.
cat > "$1" <<- _EOF_domain_
# vim: filetype=sh
#
# This file is read second (and per domain if running with the -a option)
# and overwrites any settings from the first file
#
@ -1973,6 +1950,8 @@ write_domain_template() { # write out a template file for a domain.
write_getssl_template() { # write out the main template file
cat > "$1" <<- _EOF_getssl_
# vim: filetype=sh
#
# This file is read first and is common to all domains
#
# Uncomment and modify any variables you need
@ -2098,7 +2077,7 @@ get_os
requires which
requires openssl
requires curl
requires nslookup drill dig host DNS_CHECK_FUNC
requires dig nslookup drill host DNS_CHECK_FUNC
requires awk
requires tr
requires date
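Review bot: In the rewritten `sign_string` (hunk at 1819; the function starts outside the hunk) R and S are recovered by flattening the whole `openssl asn1parse` output with an unquoted `echo` and picking words 13 and 20, which depends on the exact whitespace layout of asn1parse's text rather than on its structure; reading the two `prim: INTEGER` lines is more robust and removes both SC2086 suppressions: `R=$(printf '%s\n' "$asn1parse" | awk '/prim: INTEGER/ { sub(/.*:/, ""); print; exit }')` and `S=$(printf '%s\n' "$asn1parse" | awk '/prim: INTEGER/ { n++; if (n == 2) { sub(/.*:/, ""); print } }')`. The width table `w=64/96/132` keys on the hash algorithm, which is only right when the key is on the matching curve; a comment such as `# hex digits per coordinate; assumes the JWS ES* hash/curve pairing (P-256, P-384, P-521)` would make that assumption visible. In the `check_challenge_completion` hunk at 341, `grep "detail"` now yields the whole matching line of the response where `json_get` returned the field value; if dropping `json_get` was deliberate, a comment there would help.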


+ 6
- 1
test/1-simple-http01.bats View File

@ -12,6 +12,9 @@ setup() {
@test "Create new certificate using HTTP-01 verification" {
if [ -n "$STAGING" ]; then
skip "Using staging server, skipping internal test"
fi
CONFIG_FILE="getssl-http01.cfg"
setup_environment
init_getssl
@ -24,7 +27,9 @@ setup() {
@test "Force renewal of certificate using HTTP-01" {
#!FIXME test certificate has been updated
if [ -n "$STAGING" ]; then
skip "Using staging server, skipping internal test"
fi
run ${CODE_DIR}/getssl -f $GETSSL_HOST
assert_success
refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'


+ 42
- 0
test/2-simple-dns01-dig.bats View File

@ -0,0 +1,42 @@
#! /usr/bin/env bats
load '/bats-support/load.bash'
load '/bats-assert/load.bash'
load '/getssl/test/test_helper.bash'
# This is run for every test
setup() {
export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
}
@test "Create new certificate using DNS-01 verification (dig)" {
if [ -n "$STAGING" ]; then
skip "Using staging server, skipping internal test"
fi
CONFIG_FILE="getssl-dns01.cfg"
setup_environment
init_getssl
create_certificate -d
assert_success
assert_output --partial "dig"
refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
refute_output --regexp '[^:][Ee][Rr][Rr][Oo][Rr][^:]' # don't fail for :error:badNonce
refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
}
@test "Force renewal of certificate using DNS-01 (dig)" {
if [ -n "$STAGING" ]; then
skip "Using staging server, skipping internal test"
fi
run ${CODE_DIR}/getssl -d -f $GETSSL_HOST
assert_success
assert_output --partial "dig"
refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
refute_output --regexp '[^:][Ee][Rr][Rr][Oo][Rr][^:]' # don't fail for :error:badNonce
refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
cleanup_environment
}

+ 34
- 0
test/2-simple-dns01-nslookup.bats View File

@ -0,0 +1,34 @@
#! /usr/bin/env bats
load '/bats-support/load.bash'
load '/bats-assert/load.bash'
load '/getssl/test/test_helper.bash'
# This is run for every test
setup() {
export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
mv /usr/bin/dig /usr/bin/dig.getssl.bak
}
teardown() {
mv /usr/bin/dig.getssl.bak /usr/bin/dig
}
@test "Create new certificate using DNS-01 verification (nslookup)" {
if [ -n "$STAGING" ]; then
skip "Using staging server, skipping internal test"
fi
CONFIG_FILE="getssl-dns01.cfg"
setup_environment
init_getssl
create_certificate -d
assert_success
assert_output --partial "nslookup"
refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
refute_output --regexp '[^:][Ee][Rr][Rr][Oo][Rr][^:]' # don't fail for :error:badNonce
refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
}
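Review bot: `setup()` renames `/usr/bin/dig` on a shared system path and relies on `teardown()` to restore it; in an image without dig the `mv` fails and bats reports an error rather than a skip, and an interrupted run leaves dig missing for every later test file in that container. A guard such as `[ -x /usr/bin/dig ] || skip "dig not installed"` before the `mv`, and `[ -e /usr/bin/dig.getssl.bak ] && mv /usr/bin/dig.getssl.bak /usr/bin/dig` in teardown, would make it fail soft. Presumably the rename exists to force getssl onto nslookup; a one-line comment above the `mv` saying so would spare the next reader the guess.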

+ 12
- 2
test/3-dual-rsa-ecdsa.bats View File

@ -12,6 +12,9 @@ setup() {
@test "Create dual certificates using HTTP-01 verification" {
if [ -n "$STAGING" ]; then
skip "Using staging server, skipping internal test"
fi
CONFIG_FILE="getssl-http01-dual-rsa-ecdsa.cfg"
setup_environment
init_getssl
@ -21,12 +24,17 @@ setup() {
@test "Force renewal of dual certificates using HTTP-01" {
#!FIXME test certificate has been updated
if [ -n "$STAGING" ]; then
skip "Using staging server, skipping internal test"
fi
run ${CODE_DIR}/getssl -f $GETSSL_HOST
assert_success
}
@test "Create dual certificates using DNS-01 verification" {
if [ -n "$STAGING" ]; then
skip "Using staging server, skipping internal test"
fi
CONFIG_FILE="getssl-dns01-dual-rsa-ecdsa.cfg"
setup_environment
init_getssl
@ -36,7 +44,9 @@ setup() {
@test "Force renewal of dual certificates using DNS-01" {
#!FIXME test certificate has been updated
if [ -n "$STAGING" ]; then
skip "Using staging server, skipping internal test"
fi
run ${CODE_DIR}/getssl -f $GETSSL_HOST
assert_success
cleanup_environment


+ 6
- 1
test/4-more-than-10-hosts.bats View File

@ -12,6 +12,9 @@ setup() {
@test "Create certificates for more than 10 hosts using HTTP-01 verification" {
if [ -n "$STAGING" ]; then
skip "Using staging server, skipping internal test"
fi
CONFIG_FILE="getssl-http01-10-hosts.cfg"
setup_environment
@ -30,7 +33,9 @@ setup() {
@test "Force renewal of more than 10 certificates using HTTP-01" {
#!FIXME test certificate has been updated
if [ -n "$STAGING" ]; then
skip "Using staging server, skipping internal test"
fi
run ${CODE_DIR}/getssl -f $GETSSL_HOST
assert_success
refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'


+ 12
- 0
test/5-secp384-http01.bats View File

@ -12,6 +12,9 @@ setup() {
@test "Create new secp384r1 certificate using HTTP-01 verification" {
if [ -n "$STAGING" ]; then
skip "Using staging server, skipping internal test"
fi
CONFIG_FILE="getssl-http01-secp384.cfg"
setup_environment
init_getssl
@ -21,12 +24,18 @@ setup() {
@test "Force renewal of secp384r1 certificate using HTTP-01" {
if [ -n "$STAGING" ]; then
skip "Using staging server, skipping internal test"
fi
run ${CODE_DIR}/getssl -f $GETSSL_HOST
assert_success
}
@test "Create new secp521r1 certificate using HTTP-01 verification" {
if [ -n "$STAGING" ]; then
skip "Using staging server, skipping internal test"
fi
CONFIG_FILE="getssl-http01-secp521.cfg"
setup_environment
init_getssl
@ -36,6 +45,9 @@ setup() {
@test "Force renewal of secp521r1 certificate using HTTP-01" {
if [ -n "$STAGING" ]; then
skip "Using staging server, skipping internal test"
fi
run ${CODE_DIR}/getssl -f $GETSSL_HOST
assert_success
}

+ 10
- 3
test/6-dual-rsa-ecdsa-copy-2-locations.bats View File

@ -7,17 +7,24 @@ load '/getssl/test/test_helper.bash'
# These are run for every test, not once per file
setup() {
export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
curl --silent -X POST -d '{"host":"'a.$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
if [ -z "$STAGING" ]; then
export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
curl --silent -X POST -d '{"host":"'a.$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
fi
}
teardown() {
curl --silent -X POST -d '{"host":"'a.$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/del-a
if [ -z "$STAGING" ]; then
curl --silent -X POST -d '{"host":"'a.$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/del-a
fi
}
@test "Create dual certificates and copy RSA and ECDSA chain and key to two locations" {
if [ -n "$STAGING" ]; then
skip "Using staging server, skipping internal test"
fi
CONFIG_FILE="getssl-http01-dual-rsa-ecdsa-2-locations.cfg"
setup_environment
mkdir -p /root/a.${GETSSL_HOST}


test/2-simple-dns01.bats → test/7-duckdns-dns01.bats View File


+ 78
- 0
test/8-duckdns-ecdsa.bats View File

@ -0,0 +1,78 @@
#! /usr/bin/env bats
load '/bats-support/load.bash'
load '/bats-assert/load.bash'
load '/getssl/test/test_helper.bash'
# These are run for every test, not once per file
setup() {
if [ -n "$STAGING" ]; then
export GETSSL_HOST=getssl.duckdns.org
fi
}
@test "Create new certificate using staging server and prime256v1" {
if [ -z "$STAGING" ]; then
skip "Running internal tests, skipping external test"
fi
CONFIG_FILE="getssl-duckdns01.cfg"
GETSSL_HOST=getssl.duckdns.org
setup_environment
init_getssl
sed -e 's/rsa/prime256v1/g' < "${CODE_DIR}/test/test-config/${CONFIG_FILE}" > "${INSTALL_DIR}/.getssl/${GETSSL_HOST}/getssl.cfg"
run ${CODE_DIR}/getssl -d "$GETSSL_HOST"
assert_success
refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
refute_output --regexp '[^:][Ee][Rr][Rr][Oo][Rr][^:]'
refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
}
@test "Force renewal of certificate using staging server and prime256v1" {
if [ -z "$STAGING" ]; then
skip "Running internal tests, skipping external test"
fi
run ${CODE_DIR}/getssl -d -f $GETSSL_HOST
assert_success
refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
refute_output --regexp '[^:][Ee][Rr][Rr][Oo][Rr][^:]'
refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
cleanup_environment
}
@test "Create new certificate using staging server and secp384r1" {
if [ -z "$STAGING" ]; then
skip "Running internal tests, skipping external test"
fi
CONFIG_FILE="getssl-duckdns01.cfg"
GETSSL_HOST=getssl.duckdns.org
setup_environment
init_getssl
sed -e 's/rsa/secp384r1/g' < "${CODE_DIR}/test/test-config/${CONFIG_FILE}" > "${INSTALL_DIR}/.getssl/${GETSSL_HOST}/getssl.cfg"
run ${CODE_DIR}/getssl -d "$GETSSL_HOST"
assert_success
refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
refute_output --regexp '[^:][Ee][Rr][Rr][Oo][Rr][^:]'
refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
}
@test "Force renewal of certificate using staging server and secp384r1" {
if [ -z "$STAGING" ]; then
skip "Running internal tests, skipping external test"
fi
run ${CODE_DIR}/getssl -d -f $GETSSL_HOST
assert_success
refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
refute_output --regexp '[^:][Ee][Rr][Rr][Oo][Rr][^:]'
refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
cleanup_environment
}
# Note letsencrypt doesn't support ECDSA curve P-521 as it's being deprecated
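Review bot: `sed -e 's/rsa/prime256v1/g'` (and the `secp384r1` variant) rewrites every occurrence of `rsa` in the config, so `ACCOUNT_KEY_TYPE="rsa"` changes along with `PRIVATE_KEY_ALG="rsa"`, and any future path or comment containing "rsa" would be altered too. If only the certificate key type is meant to vary, anchor the substitution: `sed -e 's/^PRIVATE_KEY_ALG="rsa"/PRIVATE_KEY_ALG="prime256v1"/'`; if changing the account key type is intended, a comment saying so would help, since each test name mentions only the certificate curve. The two renewal tests leave `${CODE_DIR}` and `$GETSSL_HOST` unquoted while the create tests quote the host; `run "${CODE_DIR}/getssl" -d -f "$GETSSL_HOST"` is the consistent form.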

+ 25
- 0
test/Dockerfile-ubuntu16 View File

@ -0,0 +1,25 @@
FROM ubuntu:xenial
# xenial = 16
# Note this image uses mawk
# Update and install required software
RUN apt-get update --fix-missing
RUN apt-get install -y git curl dnsutils wget nginx-light
WORKDIR /root
RUN mkdir /etc/nginx/pki
RUN mkdir /etc/nginx/pki/private
COPY ./test/test-config/nginx-ubuntu-no-ssl /etc/nginx/sites-enabled/default
# Prevent "Can't load /root/.rnd into RNG" error from openssl
# RUN touch /root/.rnd
# BATS (Bash Automated Testings)
RUN git clone https://github.com/bats-core/bats-core.git /bats-core
RUN git clone https://github.com/jasonkarns/bats-support /bats-support
RUN git clone https://github.com/jasonkarns/bats-assert-1 /bats-assert
RUN /bats-core/install.sh /usr/local
# Run eternal loop - for testing
CMD tail -f /dev/null
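Review bot: The three `git clone` steps fetch whatever the default branch of bats-core, bats-support and bats-assert-1 holds at build time, so two builds of this image can run different test-framework versions; `git clone --branch <tag> --depth 1 …` with a known tag (placeholder: the release the other test images use) makes the image reproducible. `RUN apt-get update --fix-missing` in its own layer is served from cache on later builds while the `apt-get install` line is re-run against a stale index; `RUN apt-get update && apt-get install -y --no-install-recommends git curl dnsutils wget nginx-light` in one layer is the usual form. The commented-out `RUN touch /root/.rnd` line is presumably carried over from another Dockerfile; worth removing if it is not needed on xenial.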

+ 8
- 2
test/debug-test.sh View File

@ -9,14 +9,20 @@ if [ $# -eq 2 ]; then
shift
fi
#shellcheck disable=SC1091
source /getssl/test/test_helper.bash
CONFIG_FILE=$1
if [ ! -e "$CONFIG_FILE" ]; then
CONFIG_FILE=${CODE_DIR}/test/test-config/${CONFIG_FILE}
fi
source /getssl/test/test_helper.bash
setup_environment 3>&1
export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
# Only add the pebble CA to the cert bundle if using pebble
if grep -q pebble "${CONFIG_FILE}"; then
export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
fi
"${CODE_DIR}/getssl" -c "$GETSSL_HOST" 3>&1
cp "${CONFIG_FILE}" "${INSTALL_DIR}/.getssl/${GETSSL_HOST}/getssl.cfg"
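Review bot: `grep -q pebble "${CONFIG_FILE}"` matches the word anywhere in the config, comments included, so a staging config that merely mentions pebble in a comment would be given the pebble CA bundle; matching the CA line, `grep -q '^CA=.*pebble' "${CONFIG_FILE}"`, ties the decision to the setting that actually selects the server. Extending the existing comment to `# Only trust the pebble CA when the config's CA= line points at the pebble server` would make the intent explicit.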


+ 10
- 0
test/run-all-tests.cmd View File

@ -1,5 +1,15 @@
echo %time%
docker exec -it getssl-alpine bats /getssl/test
echo %time%
docker exec -it getssl-centos6 bats /getssl/test
echo %time%
docker exec -it getssl-debian bats /getssl/test
echo %time%
docker exec -it getssl-ubuntu bats /getssl/test
echo %time%
docker exec -it getssl-ubuntu18 bats /getssl/test
echo %time%
docker exec -it getssl-ubuntu16 bats /getssl/test
echo %time%
docker exec -it getssl-duckdns bats /getssl/test
echo %time%

+ 1
- 0
test/run-all-tests.sh View File

@ -5,3 +5,4 @@ docker exec -it getssl-centos6 bats /getssl/test
docker exec -it getssl-debian bats /getssl/test
docker exec -it getssl-ubuntu bats /getssl/test
docker exec -it getssl-ubuntu18 bats /getssl/test
docker exec -it getssl-duckdns bats /getssl/test
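Review bot: `run-all-tests.sh` gains only the `getssl-duckdns` line, while `run-all-tests.cmd` in the same commit adds both `getssl-ubuntu16` and `getssl-duckdns`, so the new ubuntu16 container defined in docker-compose.yml is never exercised from the shell runner; add `docker exec -it getssl-ubuntu16 bats /getssl/test` so the two runners stay in step. The duckdns container talks to the real Let's Encrypt staging endpoint and to duckdns.org; a comment noting that this line needs `DUCKDNS_TOKEN` and network access would save a confusing failure for anyone running the script offline.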

+ 1
- 0
test/test-config/getssl-dns01-dual-rsa-ecdsa.cfg View File

@ -7,6 +7,7 @@ CA="https://pebble:14000/dir"
VALIDATE_VIA_DNS=true
DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv"
DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv"
AUTH_DNS_SERVER=10.30.50.3
DUAL_RSA_ECDSA="true"
ACCOUNT_KEY_TYPE="prime256v1"


+ 1
- 0
test/test-config/getssl-dns01.cfg View File

@ -7,6 +7,7 @@ CA="https://pebble:14000/dir"
VALIDATE_VIA_DNS=true
DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv"
DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv"
AUTH_DNS_SERVER=10.30.50.3
# Additional domains - this could be multiple domains / subdomains in a comma separated list
SANS=""


+ 37
- 0
test/test-config/getssl-duckdns01.cfg View File

@ -0,0 +1,37 @@
# Test that the script works with external dns provider and staging server
#
CA="https://acme-staging-v02.api.letsencrypt.org/directory"
VALIDATE_VIA_DNS=true
DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_duckdns"
DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_duckdns"
AUTH_DNS_SERVER=1.1.1.1
CHECK_ALL_AUTH_DNS=false
DNS_EXTRA_WAIT=30
ACCOUNT_KEY_TYPE="rsa"
PRIVATE_KEY_ALG="rsa"
# Additional domains - this could be multiple domains / subdomains in a comma separated list
SANS=""
# Acme Challenge Location. The first line for the domain, the following ones for each additional domain.
ACL=('/var/www/html/.well-known/acme-challenge')
#Set USE_SINGLE_ACL="true" to use a single ACL for all checks
USE_SINGLE_ACL="false"
# Location for all your certs, these can either be on the server (full path name)
# or using ssh /sftp as for the ACL
DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
# The command needed to reload apache / nginx or whatever you use
RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
# Define the server type and confirm correct certificate is installed (using a custom port)
SERVER_TYPE="https"
CHECK_REMOTE="true"

+ 2
- 1
test/test_helper.bash View File

@ -39,5 +39,6 @@ init_getssl() {
create_certificate() {
# Create certificate
cp "${CODE_DIR}/test/test-config/${CONFIG_FILE}" "${INSTALL_DIR}/.getssl/${GETSSL_HOST}/getssl.cfg"
run ${CODE_DIR}/getssl "$GETSSL_HOST"
# shellcheck disable=SC2086
run ${CODE_DIR}/getssl $1 "$GETSSL_HOST"
}
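Review bot: `run ${CODE_DIR}/getssl $1 "$GETSSL_HOST"` relies on word-splitting an unquoted `$1` (hence the new SC2086 suppression) and silently drops any further arguments; `run "${CODE_DIR}/getssl" "$@" "$GETSSL_HOST"` passes every flag through, tolerates a `CODE_DIR` containing spaces, and needs no shellcheck directive. The callers visible in this commit pass at most one flag (`create_certificate -d`), so their behaviour is unchanged. A comment on the function, `# Args: optional getssl flags (e.g. -d), placed before the host`, would document the new parameter.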
