From cbdf925839ca7b99c121c2fe549bc425d1201c80 Mon Sep 17 00:00:00 2001 From: Scott Gustafson Date: Tue, 15 Aug 2017 10:20:57 -0600 Subject: [PATCH 01/20] moving dig to be the first command to check as nslookup is failing on ubuntu vm Signed-off-by: Scott Gustafson
--- getssl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/getssl b/getssl
index 7f3713e..b903ab8 100755
--- a/getssl
+++ b/getssl
@@ -1445,7 +1445,7 @@ get_os
 requires which
 requires openssl
 requires curl
-requires nslookup drill dig host DNS_CHECK_FUNC
+requires dig nslookup drill host DNS_CHECK_FUNC
 requires awk
 requires tr
 requires date
From 69ef4ff80edf807e5a732644b175cee8df8a722e Mon Sep 17 00:00:00 2001 From: Scott Gustafson Date: Tue, 15 Aug 2017 11:04:25 -0600 Subject: [PATCH 02/20] if using dig we need to check for either an SOA or A type record. Signed-off-by: Scott Gustafson
--- getssl | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/getssl b/getssl
index b903ab8..4b845c0 100755
--- a/getssl
+++ b/getssl
@@ -389,13 +389,22 @@ check_config() { # check the config files for all obvious errors
 config_errors=true
 fi
 # check domain exist
- if [[ "$DNS_CHECK_FUNC" == "drill" ]] || [[ "$DNS_CHECK_FUNC" == "dig" ]]; then
+ if [[ "$DNS_CHECK_FUNC" == "drill" ]]; then
 if [[ "$($DNS_CHECK_FUNC "${d}" SOA|grep -c "^${d}")" -ge 1 ]]; then
 debug "found IP for ${d}"
 else
 info "${DOMAIN}: DNS lookup failed for ${d}"
 config_errors=true
 fi
+ elif [[ "$DNS_CHECK_FUNC" == "dig" ]]; then
+ if [[ "$($DNS_CHECK_FUNC "${d}" -t SOA|grep -c "^${d}")" -ge 1 ]]; then
+ debug "found SOA IP for ${d}"
+ elif [[ "$($DNS_CHECK_FUNC "${d}" -t A|grep -c "^${d}")" -ge 1 ]]; then
+ debug "found A IP for ${d}"
+ else
+ info "${DOMAIN}: DNS lookup failed for ${d}"
+ config_errors=true
+ fi
 elif [[ "$DNS_CHECK_FUNC" == "host" ]]; then
 if [[ "$($DNS_CHECK_FUNC "${d}" |grep -c "^${d}")" -ge 1 ]]; then
 debug "found IP for ${d}"
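Review bot: The new dig branch reports `DNS lookup failed` for any name whose SOA and A queries both come back without a line starting with `${d}`, so a host that publishes only AAAA records is treated as non-existent even though it resolves; an `elif [[ "$($DNS_CHECK_FUNC "${d}" -t AAAA|grep -c "^${d}")" -ge 1 ]]; then` arm before the `else` would cover it. The debug strings `found SOA IP for` and `found A IP for` are misleading because an SOA answer carries no IP; `debug "found SOA record for ${d}"` reads better. The `${d}` handed to grep is interpreted as a regex, so its dots match any character — harmless for a presence check, but worth a short comment. check_config begins before this hunk.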
From 26f224bd3c458f7b33bf311c50f3477cd7eec93c Mon Sep 17 00:00:00 2001 From: Tim Kimber Date: Fri, 31 Jan 2020 19:09:51 +0000 Subject: [PATCH 03/20] Create stale.yml
--- .github/workflows/stale.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 .github/workflows/stale.yml
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
new file mode 100644
index 0000000..8699ac5
--- /dev/null
+++ b/.github/workflows/stale.yml
@@ -0,0 +1,17 @@
+name: "Close stale issues"
+on:
+ schedule:
+ - cron: "0 0 * * *"
+
+jobs:
+ stale:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/stale@v1
+ with:
+ repo-token: ${{ secrets.GITHUB_TOKEN }}
+ stale-issue-message: 'This issue will be closed as no response'
+ stale-issue-label: 'needs more information'
+ exempt-issue-label: 'enhancement'
+ days-before-stale: 60
+ days-before-close: 30
From 535909bd3b54944d6292ed29a2c1e245c081c1a8 Mon Sep 17 00:00:00 2001 From: sergio Date: Fri, 21 Feb 2020 01:06:23 +0300 Subject: [PATCH 04/20] ${options} must be without quotes
--- dns_scripts/dns_add_nsupdate | 2 +- dns_scripts/dns_del_nsupdate | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/dns_scripts/dns_add_nsupdate b/dns_scripts/dns_add_nsupdate
index 13b0fc9..7a2f300 100755
--- a/dns_scripts/dns_add_nsupdate
+++ b/dns_scripts/dns_add_nsupdate
@@ -23,7 +23,7 @@ fi # Note that blank line is a "send" command to nsupdate
-nsupdate "${options}" -v < Date: Fri, 21 Feb 2020 01:30:55 +0300 Subject: [PATCH 05/20] indent correction
--- dns_scripts/dns_add_nsupdate | 14 +++++++------- dns_scripts/dns_del_nsupdate | 14 +++++++------- 2 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/dns_scripts/dns_add_nsupdate b/dns_scripts/dns_add_nsupdate
index 7a2f300..7e0a722 100755
--- a/dns_scripts/dns_add_nsupdate
+++ b/dns_scripts/dns_add_nsupdate
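Review bot: `uses: actions/stale@v1` resolves a mutable tag, so whatever the action's maintainers later publish under `v1` runs in this repository with the token handed over as `repo-token`; pinning to the full commit SHA of the release (`uses: actions/stale@<commit-sha>  # v1`) makes the dependency immutable and reviewable. The job also declares no `permissions:` block, so `GITHUB_TOKEN` carries the repository's default grant rather than the `issues: write` the action needs; a job-level `permissions:` / `  issues: write` keeps it least-privilege. The `with:` values mix double and single quoting on neighbouring keys; one style throughout would match the file's own conventions.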
@@ -14,11 +14,11 @@ token="$2" if [ -n "${DNS_NSUPDATE_KEYFILE}" ]; then - if [ -n "${DNS_NSUPDATE_KEY_HOOK}" ] && ! ${DNS_NSUPDATE_KEY_HOOK} 'add' 'open' "${fulldomain}" ; then - exit $(( $? + 128 )) - fi + if [ -n "${DNS_NSUPDATE_KEY_HOOK}" ] && ! ${DNS_NSUPDATE_KEY_HOOK} 'add' 'open' "${fulldomain}" ; then + exit $(( $? + 128 )) + fi - options="-k ${DNS_NSUPDATE_KEYFILE}" + options="-k ${DNS_NSUPDATE_KEYFILE}" fi # Note that blank line is a "send" command to nsupdate @@ -31,9 +31,9 @@ EOF sts=$? if [ -n "${DNS_NSUPDATE_KEYFILE}" ]; then - if [ -n "${DNS_NSUPDATE_KEY_HOOK}" ] && ! ${DNS_NSUPDATE_KEY_HOOK} 'add' 'close' "${fulldomain}"; then - exit $(( sts + ( $? * 10 ) )) - fi + if [ -n "${DNS_NSUPDATE_KEY_HOOK}" ] && ! ${DNS_NSUPDATE_KEY_HOOK} 'add' 'close' "${fulldomain}"; then + exit $(( sts + ( $? * 10 ) )) + fi fi exit ${sts} diff --git a/dns_scripts/dns_del_nsupdate b/dns_scripts/dns_del_nsupdate index d2ff048..8e0f253 100755 --- a/dns_scripts/dns_del_nsupdate +++ b/dns_scripts/dns_del_nsupdate @@ -14,11 +14,11 @@ token="$2" # 'open" / 'close' if [ -n "${DNS_NSUPDATE_KEYFILE}" ]; then - if [ -n "${DNS_NSUPDATE_KEY_HOOK}" ] && ! "${DNS_NSUPDATE_KEY_HOOK}" 'del' 'open' "${fulldomain}" ; then - exit $(( $? + 128 )) - fi + if [ -n "${DNS_NSUPDATE_KEY_HOOK}" ] && ! "${DNS_NSUPDATE_KEY_HOOK}" 'del' 'open' "${fulldomain}" ; then + exit $(( $? + 128 )) + fi - options="-k ${DNS_NSUPDATE_KEYFILE}" + options="-k ${DNS_NSUPDATE_KEYFILE}" fi # Note that blank line is a "send" command to nsupdate @@ -31,9 +31,9 @@ EOF sts=$? if [ -n "${DNS_NSUPDATE_KEYFILE}" ]; then - if [ -n "${DNS_NSUPDATE_KEY_HOOK}" ] && ! "${DNS_NSUPDATE_KEY_HOOK}" 'del' 'close' "${fulldomain}" ; then - exit $(( sts + ( $? * 10 ) )) - fi + if [ -n "${DNS_NSUPDATE_KEY_HOOK}" ] && ! "${DNS_NSUPDATE_KEY_HOOK}" 'del' 'close' "${fulldomain}" ; then + exit $(( sts + ( $? * 10 ) )) + fi fi exit ${sts} From b869824b49cc9e24e4592f75452a8b3b3527bf6d Mon Sep 17 00:00:00 2001 
From: sergio Date: Fri, 21 Feb 2020 02:28:25 +0300 Subject: [PATCH 06/20] nsupdate scripts: add support for custom nameserver and zone --- dns_scripts/dns_add_nsupdate | 10 ++++++---- dns_scripts/dns_del_nsupdate | 10 ++++++---- 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/dns_scripts/dns_add_nsupdate b/dns_scripts/dns_add_nsupdate index 7e0a722..98f5e7f 100755 --- a/dns_scripts/dns_add_nsupdate +++ b/dns_scripts/dns_add_nsupdate @@ -21,12 +21,14 @@ if [ -n "${DNS_NSUPDATE_KEYFILE}" ]; then options="-k ${DNS_NSUPDATE_KEYFILE}" fi -# Note that blank line is a "send" command to nsupdate +if [ -n "${DNS_SERVER}" ]; then + cmd+="server ${DNS_SERVER}\n" +fi -nsupdate ${options} -v < Date: Sat, 22 Feb 2020 18:02:21 +0000 Subject: [PATCH 07/20] Use openssl asn1parse in sign_string --- getssl | 80 ++++++++++++++++------------------------------------------ 1 file changed, 22 insertions(+), 58 deletions(-) diff --git a/getssl b/getssl index dbcd867..d64b276 100755 --- a/getssl +++ b/getssl @@ -339,7 +339,7 @@ check_challenge_completion() { # checks with the ACME server if our challenge is # if ACME response is that their check gave an invalid response, error exit if [[ "$status" == "invalid" ]] ; then - err_detail=$(json_get "$response" detail) + err_detail=$(echo "$response" | grep "detail") error_exit "$domain:Verify error:$err_detail" fi @@ -347,7 +347,8 @@ check_challenge_completion() { # checks with the ACME server if our challenge is if [[ "$status" == "pending" ]] ; then info "Pending" else - error_exit "$domain:Verify error:$response" + err_detail=$(echo "$response" | grep "detail") + error_exit "$domain:Verify error:$status:$err_detail" fi debug "sleep 5 secs before testing verify again" sleep 5 
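Review bot: `err_detail=$(echo "$response" | grep "detail")` in this hunk, and again in the `else` branch of the next hunk, replaces a field extraction with a whole-line match, so when the ACME server returns the problem document on a single line (the usual case) `err_detail` is the entire JSON body and the `Verify error` message prints the full response rather than the `detail` string. If json_get is being bypassed because it fails on this response, a comment saying so would stop the next reader from reverting it; otherwise extracting the value with `sed -n 's/.*"detail": *"\([^"]*\)".*/\1/p'` keeps the message short. check_challenge_completion begins before this hunk.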
@@ -431,7 +432,7 @@ check_config() { # check the config files for all obvious errors
 info "${DOMAIN}: ACL location not specified for domain $d in $DOMAIN_DIR/getssl.cfg"
 config_errors=true
 fi
- # check domain exist
+ # check domain exists
 if [[ "$DNS_CHECK_FUNC" == "drill" ]] || [[ "$DNS_CHECK_FUNC" == "dig" ]]; then
 if [[ "$($DNS_CHECK_FUNC "${d}" |grep -c "${d}")" -ge 1 ]]; then
 debug "found IP for ${d}"
@@ -1807,65 +1808,28 @@ sign_string() { # sign a string with a given key and algorithm and return urlbas if openssl rsa -in "${skey}" -noout 2>/dev/null ; then # RSA key signed64="$(printf '%s' "${str}" | openssl dgst -"$signalg" -sign "$key" | urlbase64)" elif openssl ec -in "${skey}" -noout 2>/dev/null ; then # Elliptic curve key. - signed=$(printf '%s' "${str}" | openssl dgst -"$signalg" -sign "$key" -hex | awk '{print $2}') - debug "EC signature $signed" - if [[ "${signed:4:4}" == "021f" ]]; then #sha256 which needs padding - R=$(echo -n 00;echo "$signed" | cut -c 9-70) - part2=$(echo "$signed" | cut -c 71-) - elif [[ "${signed:4:4}" == "0220" ]]; then #sha256 - R=$(echo "$signed" | cut -c 9-72) - part2=$(echo "$signed" | cut -c 73-) - elif [[ "${signed:4:4}" == "0221" ]]; then #sha256 which needs trimming - R=$(echo "$signed" | cut -c 11-74) - part2=$(echo "$signed" | cut -c 75-) - elif [[ "${signed:4:4}" == "022f" ]]; then #sha384 which needs padding - info "Padding sha384" - R=$(echo -n 00;echo "$signed" | cut -c 9-102) - part2=$(echo "$signed" | cut -c 103-) - elif [[ "${signed:4:4}" == "0230" ]]; then #sha384 - R=$(echo "$signed" | cut -c 9-104) - part2=$(echo "$signed" | cut -c 105-) - elif [[ "${signed:4:4}" == "0231" ]]; then #sha384 which needs trimming - R=$(echo "$signed" | cut -c 11-106) - part2=$(echo "$signed" | cut -c 107-) - elif [[ "${signed:6:4}" == "0240" ]]; then #sha512 which needs padding - R=$(echo -n 00;echo "$signed" | cut -c 9-138) - part2=$(echo "$signed" | cut -c 141-) - elif [[ "${signed:6:4}" == "0241" ]]; then #sha512 which needs padding - R=$(echo -n 00;echo "$signed" | cut -c 11-140) - part2=$(echo "$signed" | cut -c 141-) - elif [[ "${signed:6:4}" == "0242" ]]; then #sha512 - R=$(echo "$signed" | cut -c 11-142) - part2=$(echo "$signed" | cut -c 143-) + # ECDSA signature width + # e.g. 
521 bits requires 66 bytes to express, a signature consists of 2 integers so 132 bytes + # https://crypto.stackexchange.com/questions/12299/ecc-key-size-and-signature-size/ + if [ "$signalg" = "sha256" ]; then + w=64 + elif [ "$signalg" = "sha384" ]; then + w=96 + elif [ "$signalg" = "sha512" ]; then + w=132 else - error_exit "error in EC signing couldn't get R from $signed" + error_exit "Unknown signing algorithm $signalg" fi + asn1parse=$(printf '%s' "${str}" | openssl dgst -"$signalg" -sign "$key" | openssl asn1parse -inform DER) + #shellcheck disable=SC2086 + R=$(echo $asn1parse | awk '{ print $13 }' | cut -c2-) debug "R $R" - - if [[ "${part2:0:4}" == "021f" ]]; then #sha256 with padding - S=$(echo -n 00;echo "$part2" | cut -c 5-) - elif [[ "${part2:0:4}" == "0220" ]]; then #sha256 - S=$(echo "$part2" | cut -c 5-68) - elif [[ "${part2:0:4}" == "0221" ]]; then #sha256 - S=$(echo "$part2" | cut -c 7-70) - elif [[ "${part2:0:4}" == "022f" ]]; then #sha384 with padding - S=$(echo -n 00;echo "$part2" | cut -c 5-) - elif [[ "${part2:0:4}" == "0230" ]]; then #sha384 - S=$(echo "$part2" | cut -c 5-100) - elif [[ "${part2:0:4}" == "0231" ]]; then #sha384 - S=$(echo "$part2" | cut -c 7-102) - elif [[ "${part2:0:4}" == "0240" ]]; then #sha512 with padding - S=$(echo -n 00;echo "$part2" | cut -c 5-) - elif [[ "${part2:0:4}" == "0241" ]]; then #sha512 with padding - S=$(echo -n 00;echo "$part2" | cut -c 5-) - elif [[ "${part2:0:4}" == "0242" ]]; then #sha512 - S=$(echo "$part2" | cut -c 5-) - else - error_exit "error in EC signing couldn't get S from $signed" - fi - + #shellcheck disable=SC2086 + S=$(echo $asn1parse | awk '{ print $20 }' | cut -c2-) debug "S $S" - signed64=$(printf '%s' "${R}${S}" | hex2bin | urlbase64 ) + + # pad R and S to the correct length for the signing algorithm + signed64=$(printf "%${w}s%${w}s" "${R}" "${S}" | tr ' ' '0' | hex2bin | urlbase64 ) debug "encoded RS $signed64" fi } From aa5eb90a6b8a54bf178c0b620b8c5ae8ebed4b91 Mon Sep 17 00:00:00 2001 
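Review bot: The padding on the new `signed64=` line, `printf "%${w}s%${w}s"`, only ever widens R and S, so if either hex string comes out longer than `w` — for instance if asn1parse prints the DER sign byte `00` for a component whose top bit is set, or if `w`, which is derived from `$signalg` rather than from the key's curve, does not match the key actually in use — the concatenated signature silently has the wrong length and the CA rejects the JWS with no local diagnostic. A guard after the `S` assignment, `if [[ ${#R} -gt $w || ${#S} -gt $w ]]; then error_exit "EC signature component longer than $w hex chars for $signalg"; fi`, turns that into a clear failure. The `awk '{ print $13 }'` and `$20` field positions depend on asn1parse's exact token layout (`offset:d= hl= l= prim: INTEGER :hex`); a comment stating that layout, or selecting the fields that follow the `INTEGER` tokens instead of fixed columns, would make the dependency visible. sign_string begins before this hunk.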
From: Tim Kimber Date: Sat, 22 Feb 2020 18:04:45 +0000 Subject: [PATCH 08/20] Add tests using staging server --- dns_scripts/dns_add_duckdns | 19 ++++ dns_scripts/dns_del_duckdns | 12 +++ docker-compose.yml | 19 +++- test/1-simple-http01.bats | 7 +- test/2-simple-dns01.bats | 8 +- test/3-dual-rsa-ecdsa.bats | 14 ++- test/4-more-than-10-hosts.bats | 7 +- test/5-secp384-http01.bats | 12 +++ test/6-dual-rsa-ecdsa-copy-2-locations.bats | 13 ++- test/7-duckdns-dns01.bats | 42 ++++++++ test/8-duckdns-ecdsa.bats | 103 ++++++++++++++++++++ test/debug-test.sh | 8 +- test/run-all-tests.cmd | 1 + test/run-all-tests.sh | 1 + test/test-config/getssl-duckdns01.cfg | 37 +++++++ 15 files changed, 293 insertions(+), 10 deletions(-) create mode 100644 dns_scripts/dns_add_duckdns create mode 100644 dns_scripts/dns_del_duckdns create mode 100644 test/7-duckdns-dns01.bats create mode 100644 test/8-duckdns-ecdsa.bats create mode 100644 test/test-config/getssl-duckdns01.cfg diff --git a/dns_scripts/dns_add_duckdns b/dns_scripts/dns_add_duckdns new file mode 100644 index 0000000..ef40efe --- /dev/null +++ b/dns_scripts/dns_add_duckdns @@ -0,0 +1,19 @@ +#!/bin/bash + +# need to add your Token for duckdns below +token=${DUCKDNS_TOKEN:-} + +if [ -z "$token" ]; then + echo "DUCKDNS_TOKEN not set" + exit 1 +fi + +domain="$1" +txtvalue="$2" + +response=$(curl --silent "https://www.duckdns.org/update?domains=${domain}&token=${token}&txt=${txtvalue}") +if [ "$response" != "OK" ]; then + echo "Failed to update TXT record for ${domain} at duckdns.org (is the TOKEN valid?)" + echo "Response: $response" + exit 1 +fi diff --git a/dns_scripts/dns_del_duckdns b/dns_scripts/dns_del_duckdns new file mode 100644 index 0000000..b9b9f9f --- /dev/null +++ b/dns_scripts/dns_del_duckdns 
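Review bot: The comment `# need to add your Token for duckdns below` no longer describes the code, which takes the token from the `DUCKDNS_TOKEN` environment variable and exits when it is unset; `# DuckDNS token is read from the DUCKDNS_TOKEN environment variable` matches the behaviour. The token is also embedded in curl's command-line argument, where other local users can read it from the process list for the duration of the request; feeding the URL through `curl --silent -K - <<EOF` with `url = "https://www.duckdns.org/update?domains=${domain}&token=${token}&txt=${txtvalue}"` and a closing `EOF` keeps it off the command line (the same applies to dns_del_duckdns). A `--max-time` on the curl call would stop a hung DuckDNS endpoint from stalling the whole getssl run.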
@@ -0,0 +1,12 @@ +#!/bin/bash + +# need to add your Token for duckdns below +token=${DUCKDNS_TOKEN:-} +domain="$1" + +response=$(curl --silent "https://www.duckdns.org/update?domains=${domain}&token=${token}&txt=&clear=true") +if [ "$response" != "OK" ]; then + echo "Failed to update TXT record for ${domain} at duckdns.org (is the TOKEN valid?)" + echo "$response" + exit 1 +fi diff --git a/docker-compose.yml b/docker-compose.yml index 09a4264..8f9e4cb 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -156,7 +156,24 @@ services: - i.ubuntu18.getssl.test - j.ubuntu18.getssl.test - k.ubuntu18.getssl.test - + getssl-duckdns: + build: + context: . + dockerfile: test/Dockerfile-ubuntu + container_name: getssl-duckdns + volumes: + - .:/getssl + environment: + GETSSL_HOST: getssl.duckdns.org + GETSSL_IP: 10.30.50.15 + NGINX_CONFIG: /etc/nginx/sites-enabled/default + DUCKDNS_TOKEN: $DUCKDNS_TOKEN + STAGING: "true" + networks: + acmenet: + ipv4_address: 10.30.50.15 + aliases: + - getssl.duckdns.org networks: diff --git a/test/1-simple-http01.bats b/test/1-simple-http01.bats index 4c55304..fd96a8a 100644 --- a/test/1-simple-http01.bats +++ b/test/1-simple-http01.bats @@ -12,6 +12,9 @@ setup() { @test "Create new certificate using HTTP-01 verification" { + if [ -n "$STAGING" ]; then + skip "Using staging server, skipping internal test" + fi CONFIG_FILE="getssl-http01.cfg" setup_environment init_getssl @@ -24,7 +27,9 @@ setup() { @test "Force renewal of certificate using HTTP-01" { - #!FIXME test certificate has been updated + if [ -n "$STAGING" ]; then + skip "Using staging server, skipping internal test" + fi run ${CODE_DIR}/getssl -f $GETSSL_HOST assert_success refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]' diff --git a/test/2-simple-dns01.bats b/test/2-simple-dns01.bats index 9d9f44b..ffd0b9e 100644 --- a/test/2-simple-dns01.bats +++ b/test/2-simple-dns01.bats 
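Review bot: Unlike dns_add_duckdns, this script does not check that `DUCKDNS_TOKEN` is set, so with an unset token it sends `token=` to duckdns.org and the only feedback is the generic 'is the TOKEN valid?' message; mirroring the add script with `if [ -z "$token" ]; then echo "DUCKDNS_TOKEN not set"; exit 1; fi` after the `token=` line gives the same early, specific failure. The header comment `# need to add your Token for duckdns below` is likewise stale here and should say the token comes from the environment.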
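Review bot: The `if [ -n "$STAGING" ]; then skip "Using staging server, skipping internal test"; fi` block added at the top of this test is copied verbatim into every test of 1-simple-http01, 2-simple-dns01, 3-dual-rsa-ecdsa, 4-more-than-10-hosts, 5-secp384-http01 and 6-dual-rsa-ecdsa-copy-2-locations, so the wording and the variable name now have to be kept in sync across a dozen places. A helper in test_helper.bash, `skip_if_staging() { if [ -n "$STAGING" ]; then skip "Using staging server, skipping internal test"; fi; }`, called as the first line of each test would reduce that to one definition, provided bats's `skip` behaves the same when invoked from a helper function (it does in the versions I have used, but worth confirming). The `#!FIXME test certificate has been updated` comments these hunks delete were the only record that the renewal tests still do not verify the certificate actually changed; keep them unless that check is being added.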
@@ -12,6 +12,10 @@ setup() { @test "Create new certificate using DNS-01 verification" { + if [ -n "$STAGING" ]; then + skip "Using staging server, skipping internal test" + fi + CONFIG_FILE="getssl-dns01.cfg" setup_environment init_getssl @@ -24,7 +28,9 @@ setup() { @test "Force renewal of certificate using DNS-01" { - #!FIXME test certificate has been updated + if [ -n "$STAGING" ]; then + skip "Using staging server, skipping internal test" + fi run ${CODE_DIR}/getssl -f $GETSSL_HOST assert_success refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]' diff --git a/test/3-dual-rsa-ecdsa.bats b/test/3-dual-rsa-ecdsa.bats index 2dc9257..7820a96 100644 --- a/test/3-dual-rsa-ecdsa.bats +++ b/test/3-dual-rsa-ecdsa.bats @@ -12,6 +12,9 @@ setup() { @test "Create dual certificates using HTTP-01 verification" { + if [ -n "$STAGING" ]; then + skip "Using staging server, skipping internal test" + fi CONFIG_FILE="getssl-http01-dual-rsa-ecdsa.cfg" setup_environment init_getssl @@ -21,12 +24,17 @@ setup() { @test "Force renewal of dual certificates using HTTP-01" { - #!FIXME test certificate has been updated + if [ -n "$STAGING" ]; then + skip "Using staging server, skipping internal test" + fi run ${CODE_DIR}/getssl -f $GETSSL_HOST assert_success } @test "Create dual certificates using DNS-01 verification" { + if [ -n "$STAGING" ]; then + skip "Using staging server, skipping internal test" + fi CONFIG_FILE="getssl-dns01-dual-rsa-ecdsa.cfg" setup_environment init_getssl @@ -36,7 +44,9 @@ setup() { @test "Force renewal of dual certificates using DNS-01" { - #!FIXME test certificate has been updated + if [ -n "$STAGING" ]; then + skip "Using staging server, skipping internal test" + fi run ${CODE_DIR}/getssl -f $GETSSL_HOST assert_success cleanup_environment diff --git a/test/4-more-than-10-hosts.bats b/test/4-more-than-10-hosts.bats index ff61d52..5bdfc2a 100644 --- a/test/4-more-than-10-hosts.bats +++ b/test/4-more-than-10-hosts.bats 
@@ -12,6 +12,9 @@ setup() { @test "Create certificates for more than 10 hosts using HTTP-01 verification" { + if [ -n "$STAGING" ]; then + skip "Using staging server, skipping internal test" + fi CONFIG_FILE="getssl-http01-10-hosts.cfg" setup_environment @@ -30,7 +33,9 @@ setup() { @test "Force renewal of more than 10 certificates using HTTP-01" { - #!FIXME test certificate has been updated + if [ -n "$STAGING" ]; then + skip "Using staging server, skipping internal test" + fi run ${CODE_DIR}/getssl -f $GETSSL_HOST assert_success refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]' diff --git a/test/5-secp384-http01.bats b/test/5-secp384-http01.bats index 9010d58..29da2da 100644 --- a/test/5-secp384-http01.bats +++ b/test/5-secp384-http01.bats @@ -12,6 +12,9 @@ setup() { @test "Create new secp384r1 certificate using HTTP-01 verification" { + if [ -n "$STAGING" ]; then + skip "Using staging server, skipping internal test" + fi CONFIG_FILE="getssl-http01-secp384.cfg" setup_environment init_getssl @@ -21,12 +24,18 @@ setup() { @test "Force renewal of secp384r1 certificate using HTTP-01" { + if [ -n "$STAGING" ]; then + skip "Using staging server, skipping internal test" + fi run ${CODE_DIR}/getssl -f $GETSSL_HOST assert_success } @test "Create new secp521r1 certificate using HTTP-01 verification" { + if [ -n "$STAGING" ]; then + skip "Using staging server, skipping internal test" + fi CONFIG_FILE="getssl-http01-secp521.cfg" setup_environment init_getssl @@ -36,6 +45,9 @@ setup() { @test "Force renewal of secp521r1 certificate using HTTP-01" { + if [ -n "$STAGING" ]; then + skip "Using staging server, skipping internal test" + fi run ${CODE_DIR}/getssl -f $GETSSL_HOST assert_success } diff --git a/test/6-dual-rsa-ecdsa-copy-2-locations.bats b/test/6-dual-rsa-ecdsa-copy-2-locations.bats index 4e64043..aae21bb 100644 --- a/test/6-dual-rsa-ecdsa-copy-2-locations.bats +++ b/test/6-dual-rsa-ecdsa-copy-2-locations.bats 
@@ -7,17 +7,24 @@ load '/getssl/test/test_helper.bash' # These are run for every test, not once per file setup() { - export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt - curl --silent -X POST -d '{"host":"'a.$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a + if [ -z "$STAGING" ]; then + export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt + curl --silent -X POST -d '{"host":"'a.$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a + fi } teardown() { - curl --silent -X POST -d '{"host":"'a.$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/del-a + if [ -z "$STAGING" ]; then + curl --silent -X POST -d '{"host":"'a.$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/del-a + fi } @test "Create dual certificates and copy RSA and ECDSA chain and key to two locations" { + if [ -n "$STAGING" ]; then + skip "Using staging server, skipping internal test" + fi CONFIG_FILE="getssl-http01-dual-rsa-ecdsa-2-locations.cfg" setup_environment mkdir -p /root/a.${GETSSL_HOST} diff --git a/test/7-duckdns-dns01.bats b/test/7-duckdns-dns01.bats new file mode 100644 index 0000000..e81b414 --- /dev/null +++ b/test/7-duckdns-dns01.bats 
@@ -0,0 +1,42 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# These are run for every test, not once per file
+setup() {
+ if [ -n "$STAGING" ]; then
+ export GETSSL_HOST=getssl.duckdns.org
+ fi
+}
+
+
+@test "Create new certificate using staging server and DuckDNS" {
+ if [ -z "$STAGING" ]; then
+ skip "Running internal tests, skipping external test"
+ fi
+ CONFIG_FILE="getssl-duckdns01.cfg"
+
+ setup_environment
+ init_getssl
+ create_certificate
+ assert_success
+ refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
+ refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]'
+ refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
+}
+
+@test "Force renewal of certificate using staging server and DuckDNS" {
+ if [ -z "$STAGING" ]; then
+ skip "Running internal tests, skipping external test"
+ fi
+ run ${CODE_DIR}/getssl -f $GETSSL_HOST
+ assert_success
+ refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
+ refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]'
+ refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
+ cleanup_environment
+ curl --silent -X POST -d '{"host":"getssl.duckdns.org", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/del-a
+}
diff --git a/test/8-duckdns-ecdsa.bats b/test/8-duckdns-ecdsa.bats
new file mode 100644
index 0000000..f50dd05
--- /dev/null
+++ b/test/8-duckdns-ecdsa.bats
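Review bot: The renewal test ends with `curl --silent -X POST ... http://10.30.50.3:8055/del-a`, which is the pebble challtestsrv management API, but both tests in this file run only when `STAGING` is set, i.e. against the Let's Encrypt staging directory where no challtestsrv record was ever added (setup() here only exports `GETSSL_HOST`); the call looks copied from the pebble-based tests and should be dropped, or gated on `if [ -z "$STAGING" ]` as 6-dual-rsa-ecdsa-copy-2-locations does. The hostname `getssl.duckdns.org` is also written out literally in that curl line and in setup() while the rest of the test uses `$GETSSL_HOST`; using the variable in both places keeps the file consistent when the test host changes.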
@@ -0,0 +1,103 @@ +#! /usr/bin/env bats + +load '/bats-support/load.bash' +load '/bats-assert/load.bash' +load '/getssl/test/test_helper.bash' + + +# These are run for every test, not once per file +setup() { + if [ -n "$STAGING" ]; then + export GETSSL_HOST=getssl.duckdns.org + fi +} + + +@test "Create new certificate using staging server and prime256v1" { + if [ -z "$STAGING" ]; then + skip "Running internal tests, skipping external test" + fi + CONFIG_FILE="getssl-duckdns01.cfg" + GETSSL_HOST=getssl.duckdns.org + + setup_environment + init_getssl + sed -e 's/rsa/prime256v1/g' < "${CODE_DIR}/test/test-config/${CONFIG_FILE}" > "${INSTALL_DIR}/.getssl/${GETSSL_HOST}/getssl.cfg" + run ${CODE_DIR}/getssl "$GETSSL_HOST" + assert_success + refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]' + refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]' + refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]' +} + + +@test "Force renewal of certificate using staging server and prime256v1" { + if [ -z "$STAGING" ]; then + skip "Running internal tests, skipping external test" + fi + run ${CODE_DIR}/getssl -f $GETSSL_HOST + assert_success + refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]' + refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]' + refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]' + cleanup_environment +} + + +@test "Create new certificate using staging server and secp384r1" { + if [ -z "$STAGING" ]; then + skip "Running internal tests, skipping external test" + fi + CONFIG_FILE="getssl-duckdns01.cfg" + GETSSL_HOST=getssl.duckdns.org + + setup_environment + init_getssl + sed -e 's/rsa/secp384r1/g' < "${CODE_DIR}/test/test-config/${CONFIG_FILE}" > "${INSTALL_DIR}/.getssl/${GETSSL_HOST}/getssl.cfg" + run ${CODE_DIR}/getssl "$GETSSL_HOST" + assert_success + refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]' + refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]' + refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]' +} + + +@test "Force renewal of certificate using staging server and 
secp384r1" { + if [ -z "$STAGING" ]; then + skip "Running internal tests, skipping external test" + fi + run ${CODE_DIR}/getssl -f $GETSSL_HOST + assert_success + refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]' + refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]' + refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]' + cleanup_environment +} + + +@test "Create new certificate using staging server and secp521r1" { + skip "The staging server returns 'ECDSA curve P-521 not allowed'" + + CONFIG_FILE="getssl-duckdns01.cfg" + GETSSL_HOST=getssl.duckdns.org + + setup_environment + init_getssl + sed -e 's/rsa/secp521r1/g' < "${CODE_DIR}/test/test-config/${CONFIG_FILE}" > "${INSTALL_DIR}/.getssl/${GETSSL_HOST}/getssl.cfg" + run ${CODE_DIR}/getssl "$GETSSL_HOST" + assert_success + refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]' + refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]' + refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]' +} + + +@test "Force renewal of certificate using staging server and secp521r1" { + skip "The staging server returns 'ECDSA curve P-521 not allowed'" + run ${CODE_DIR}/getssl -f $GETSSL_HOST + assert_success + refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]' + refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]' + refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]' + cleanup_environment +} diff --git a/test/debug-test.sh b/test/debug-test.sh index ab00666..1327fde 100644 --- a/test/debug-test.sh +++ b/test/debug-test.sh 
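Review bot: `sed -e 's/rsa/prime256v1/g'` rewrites every occurrence of `rsa` in getssl-duckdns01.cfg, and that file sets both `ACCOUNT_KEY_TYPE="rsa"` and `PRIVATE_KEY_ALG="rsa"`, so each ECDSA test also switches the ACME account key type — which may be intended, but nothing in the test names says so. If only the certificate key is meant to vary, anchoring the substitution to the key, `sed -e 's/^PRIVATE_KEY_ALG="rsa"/PRIVATE_KEY_ALG="prime256v1"/'`, makes the intent explicit; the same applies to the secp384r1 and secp521r1 variants in this file. Each create test also re-assigns `GETSSL_HOST=getssl.duckdns.org` although setup() already exports it under the same `STAGING` condition.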
@@ -13,10 +13,16 @@ CONFIG_FILE=$1 if [ ! -e "$CONFIG_FILE" ]; then CONFIG_FILE=${CODE_DIR}/test/test-config/${CONFIG_FILE} fi + +#shellcheck disable=SC1091 source /getssl/test/test_helper.bash setup_environment 3>&1 -export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt + +# Only add the pebble CA to the cert bundle if using pebble +if [ "$(grep -q pebble "${CONFIG_FILE}")" = 0 ]; then + export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt +fi "${CODE_DIR}/getssl" -c "$GETSSL_HOST" 3>&1 cp "${CONFIG_FILE}" "${INSTALL_DIR}/.getssl/${GETSSL_HOST}/getssl.cfg" diff --git a/test/run-all-tests.cmd b/test/run-all-tests.cmd index 16c6fd5..2c5ff6c 100644 --- a/test/run-all-tests.cmd +++ b/test/run-all-tests.cmd @@ -3,3 +3,4 @@ docker exec -it getssl-centos6 bats /getssl/test docker exec -it getssl-debian bats /getssl/test docker exec -it getssl-ubuntu bats /getssl/test docker exec -it getssl-ubuntu18 bats /getssl/test +docker exec -it getssl-duckdns bats /getssl/test diff --git a/test/run-all-tests.sh b/test/run-all-tests.sh index b526c63..6a0eb8a 100644 --- a/test/run-all-tests.sh +++ b/test/run-all-tests.sh @@ -5,3 +5,4 @@ docker exec -it getssl-centos6 bats /getssl/test docker exec -it getssl-debian bats /getssl/test docker exec -it getssl-ubuntu bats /getssl/test docker exec -it getssl-ubuntu18 bats /getssl/test +docker exec -it getssl-duckdns bats /getssl/test diff --git a/test/test-config/getssl-duckdns01.cfg b/test/test-config/getssl-duckdns01.cfg new file mode 100644 index 0000000..4a37bcd --- /dev/null +++ b/test/test-config/getssl-duckdns01.cfg 
@@ -0,0 +1,37 @@
+# Test that the script works with external dns provider and staging server
+#
+CA="https://acme-staging-v02.api.letsencrypt.org/directory"
+
+VALIDATE_VIA_DNS=true
+DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_duckdns"
+DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_duckdns"
+AUTH_DNS_SERVER=1.1.1.1
+CHECK_ALL_AUTH_DNS=false
+DNS_EXTRA_WAIT=20
+
+ACCOUNT_KEY_TYPE="rsa"
+PRIVATE_KEY_ALG="rsa"
+
+# Additional domains - this could be multiple domains / subdomains in a comma separated list
+SANS=""
+
+# Acme Challenge Location. The first line for the domain, the following ones for each additional domain.
+ACL=('/var/www/html/.well-known/acme-challenge')
+
+#Set USE_SINGLE_ACL="true" to use a single ACL for all checks
+USE_SINGLE_ACL="false"
+
+# Location for all your certs, these can either be on the server (full path name)
+# or using ssh /sftp as for the ACL
+DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
+DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
+CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
+DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
+DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
+
+# The command needed to reload apache / nginx or whatever you use
+RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
+
+# Define the server type and confirm correct certificate is installed (using a custom port)
+SERVER_TYPE="https"
+CHECK_REMOTE="true"
From 6fea6179baa512cc97b47aec37e1fb2385ea4f84 Mon Sep 17 00:00:00 2001 From: Tim Kimber Date: Sat, 22 Feb 2020 18:08:42 +0000 Subject: [PATCH 09/20] Merge pull request #513 from 532910/nsupdate_options
--- dns_scripts/dns_add_nsupdate | 24 +++++++++++++----------- dns_scripts/dns_del_nsupdate | 24 +++++++++++++----------- 2 files changed, 26 insertions(+), 22 deletions(-)
diff --git a/dns_scripts/dns_add_nsupdate b/dns_scripts/dns_add_nsupdate
index 13b0fc9..98f5e7f 100755
--- a/dns_scripts/dns_add_nsupdate
+++ b/dns_scripts/dns_add_nsupdate @@ -14,26 +14,28 @@ token="$2" if [ -n "${DNS_NSUPDATE_KEYFILE}" ]; then - if [ -n "${DNS_NSUPDATE_KEY_HOOK}" ] && ! ${DNS_NSUPDATE_KEY_HOOK} 'add' 'open' "${fulldomain}" ; then - exit $(( $? + 128 )) - fi + if [ -n "${DNS_NSUPDATE_KEY_HOOK}" ] && ! ${DNS_NSUPDATE_KEY_HOOK} 'add' 'open' "${fulldomain}" ; then + exit $(( $? + 128 )) + fi - options="-k ${DNS_NSUPDATE_KEYFILE}" + options="-k ${DNS_NSUPDATE_KEYFILE}" fi -# Note that blank line is a "send" command to nsupdate +if [ -n "${DNS_SERVER}" ]; then + cmd+="server ${DNS_SERVER}\n" +fi -nsupdate "${options}" -v < Date: Sat, 22 Feb 2020 18:10:30 +0000 Subject: [PATCH 10/20] Update revision history --- getssl | 1 + 1 file changed, 1 insertion(+) diff --git a/getssl b/getssl index d64b276..f6e3972 100755 --- a/getssl +++ b/getssl @@ -212,6 +212,7 @@ # 2020-02-12 Fix #424 - Sporadic "error in EC signing couldn't get R from ..." (2.18) # 2020-02-12 Fix "Registration key already in use" (2.19) # 2020-02-13 Fix bug with copying to all locations when creating RSA and ECDSA certs (2.20) +# 2020-02-22 Change sign_string to use openssl asn1parse (better fix for #424) # ---------------------------------------------------------------------------------------- PROGNAME=${0##*/} From 2a9cc14f510156e640eaf61350e4d2d5336acb6c Mon Sep 17 00:00:00 2001 From: sergio Date: Sat, 22 Feb 2020 23:36:26 +0300 Subject: [PATCH 11/20] add vim lines for cfg files --- getssl | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/getssl b/getssl index f6e3972..03a20d9 100755 --- a/getssl +++ b/getssl @@ -1870,6 +1870,8 @@ usage() { # echos out the program usage write_domain_template() { # write out a template file for a domain. cat > "$1" <<- _EOF_domain_ + # vim: filetype=sh + # # This file is read second (and per domain if running with the -a option) # and overwrites any settings from the first file # 
@@ -1938,6 +1940,8 @@ write_domain_template() { # write out a template file for a domain.
 write_getssl_template() { # write out the main template file
 cat > "$1" <<- _EOF_getssl_
+ # vim: filetype=sh
+ #
 # This file is read first and is common to all domains
 #
 # Uncomment and modify any variables you need
From 0278ae50494d64d15f06322e68143a90b3b85abb Mon Sep 17 00:00:00 2001 From: Scott Gustafson Date: Sun, 23 Feb 2020 09:32:13 -0700 Subject: [PATCH 12/20] Fix the merge to include changes on the same lines I ignored. Add dated comment line.
---
 getssl | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/getssl b/getssl
index bd2f296..e807933 100755
--- a/getssl
+++ b/getssl
@@ -213,6 +213,7 @@
 # 2020-02-12 Fix "Registration key already in use" (2.19)
 # 2020-02-13 Fix bug with copying to all locations when creating RSA and ECDSA certs (2.20)
 # 2020-02-22 Change sign_string to use openssl asn1parse (better fix for #424)
+# 2020-02-23 Add dig to config check for systems without drill (ubuntu)
 # ----------------------------------------------------------------------------------------
 PROGNAME=${0##*/}
@@ -433,9 +434,9 @@ check_config() { # check the config files for all obvious errors
 info "${DOMAIN}: ACL location not specified for domain $d in $DOMAIN_DIR/getssl.cfg"
 config_errors=true
 fi
- # check domain exist
+ # check domain exists
 if [[ "$DNS_CHECK_FUNC" == "drill" ]]; then
- if [[ "$($DNS_CHECK_FUNC "${d}" SOA|grep -c "^${d}")" -ge 1 ]]; then
+ if [[ "$($DNS_CHECK_FUNC "${d}" |grep -c "${d}")" -ge 1 ]]; then
 debug "found IP for ${d}"
 else
 info "${DOMAIN}: DNS lookup failed for ${d}"
From 5beb0f8b9c454025a2e51b1ac7ee5e52bd5eaaf3 Mon Sep 17 00:00:00 2001
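Review bot: Dropping the `^` anchor (and the `SOA` type) from the drill branch of check_config makes the domain-exists test pass even for names that don't resolve, because drill echoes the queried name in its `;; QUESTION SECTION` output, so `grep -c "${d}"` is at least 1 on an NXDOMAIN reply and the `DNS lookup failed` branch below becomes effectively unreachable (inferred from drill's usual output layout; worth confirming with a non-existent name). Keeping the anchor, `if [[ "$($DNS_CHECK_FUNC "${d}" |grep -c "^${d}")" -ge 1 ]]; then`, limits the count to answer records, and since the dots in `${d}` are unescaped regex metacharacters, `"^${d}\."` would be tighter still. The enclosing check_config function continues outside the hunk.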
From: Tim Kimber Date: Tue, 25 Feb 2020 17:05:22 +0000 Subject: [PATCH 13/20] Fix test breakage from using dig by default --- docker-compose.yml | 4 ++-- test/debug-test.sh | 2 +- test/test-config/getssl-dns01-dual-rsa-ecdsa.cfg | 1 + test/test-config/getssl-dns01.cfg | 1 + 4 files changed, 5 insertions(+), 3 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 8f9e4cb..3eb81b7 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -3,7 +3,7 @@ services: pebble: image: letsencrypt/pebble:latest # TODO enable -strict - command: pebble -config /test/config/pebble-config.json -dnsserver 10.30.50.3:8053 + command: pebble -config /test/config/pebble-config.json -dnsserver 10.30.50.3:53 environment: # with Go 1.13.x which defaults TLS 1.3 to on GODEBUG: "tls13=1" @@ -15,7 +15,7 @@ services: ipv4_address: 10.30.50.2 challtestsrv: image: letsencrypt/pebble-challtestsrv:latest - command: pebble-challtestsrv -defaultIPv6 "" -defaultIPv4 10.30.50.3 + command: pebble-challtestsrv -defaultIPv6 "" -defaultIPv4 10.30.50.3 -dns01 ":53" ports: - 8055:8055 # HTTP Management API networks: diff --git a/test/debug-test.sh b/test/debug-test.sh index 1327fde..8807670 100644 --- a/test/debug-test.sh +++ b/test/debug-test.sh @@ -20,7 +20,7 @@ source /getssl/test/test_helper.bash setup_environment 3>&1 # Only add the pebble CA to the cert bundle if using pebble -if [ "$(grep -q pebble "${CONFIG_FILE}")" = 0 ]; then +if grep -q pebble "${CONFIG_FILE}"; then export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt fi diff --git a/test/test-config/getssl-dns01-dual-rsa-ecdsa.cfg b/test/test-config/getssl-dns01-dual-rsa-ecdsa.cfg index 042ed15..543c201 100644 --- a/test/test-config/getssl-dns01-dual-rsa-ecdsa.cfg +++ b/test/test-config/getssl-dns01-dual-rsa-ecdsa.cfg 
@@ -7,6 +7,7 @@ CA="https://pebble:14000/dir"
 VALIDATE_VIA_DNS=true
 DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv"
 DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv"
+AUTH_DNS_SERVER=10.30.50.3
 DUAL_RSA_ECDSA="true"
 ACCOUNT_KEY_TYPE="prime256v1"
diff --git a/test/test-config/getssl-dns01.cfg b/test/test-config/getssl-dns01.cfg
index 98637b0..7e26b98 100644
--- a/test/test-config/getssl-dns01.cfg
+++ b/test/test-config/getssl-dns01.cfg
@@ -7,6 +7,7 @@ CA="https://pebble:14000/dir"
 VALIDATE_VIA_DNS=true
 DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv"
 DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv"
+AUTH_DNS_SERVER=10.30.50.3
 # Additional domains - this could be multiple domains / subdomains in a comma separated list
 SANS=""
From fef7454746f19ebf56fc834a50876d6846e38ce5 Mon Sep 17 00:00:00 2001 From: Tim Kimber Date: Tue, 25 Feb 2020 17:06:00 +0000 Subject: [PATCH 14/20] Remove TTL from grep when parsing dig output
---
 getssl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/getssl b/getssl
index e807933..09da52f 100755
--- a/getssl
+++ b/getssl
@@ -998,7 +998,7 @@ if [[ $VALIDATE_VIA_DNS == "true" ]]; then
 | grep '"'|awk -F'"' '{ print $2}')
 elif [[ "$DNS_CHECK_FUNC" == "drill" ]] || [[ "$DNS_CHECK_FUNC" == "dig" ]]; then
 check_result=$($DNS_CHECK_FUNC TXT "_acme-challenge.${d}" "@${ns}" \
- | grep '300 IN TXT'|awk -F'"' '{ print $2}')
+ | grep 'IN TXT'|awk -F'"' '{ print $2}')
 elif [[ "$DNS_CHECK_FUNC" == "host" ]]; then
 check_result=$($DNS_CHECK_FUNC -t TXT "_acme-challenge.${d}" "${ns}" \
 | grep 'descriptive text'|awk -F'"' '{ print $2}')
From 9420d8fd565beb1c88e3d27a91d08e185b398f89 Mon Sep 17 00:00:00 2001 From: Tim Kimber Date: Wed, 26 Feb 2020 11:22:53 +0000 Subject: [PATCH 15/20] Create stale2.yml
---
 .github/workflows/stale2.yml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 .github/workflows/stale2.yml
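Review bot: `grep 'IN TXT'` is no longer tied to an answer record, so depending on how dig/drill separate the columns the `;_acme-challenge.… IN TXT` line in the QUESTION section can match as well, and that line has no quotes, so `awk -F'"' '{ print $2}'` contributes an empty line to check_result; the old `grep '300 IN TXT'` at least could not hit it. Filtering comment lines first, `| grep -v '^;' | grep 'IN TXT'|awk -F'"' '{ print $2}')`, keeps the match on answer records whatever TTL the server returns, which is what this change is after. A comment above it, `# TTL differs between servers (challtestsrv vs a real NS), so match only on class/type`, would explain why the TTL was dropped. The surrounding if/elif chain starts and ends outside the hunk.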
diff --git a/.github/workflows/stale2.yml b/.github/workflows/stale2.yml
new file mode 100644
index 0000000..cd79668
--- /dev/null
+++ b/.github/workflows/stale2.yml
@@ -0,0 +1,20 @@
+name: Mark stale issues and pull requests
+
+on:
+ schedule:
+ - cron: "0 0 * * *"
+
+jobs:
+ stale:
+
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/stale@v1
+ with:
+ repo-token: ${{ secrets.GITHUB_TOKEN }}
+ stale-issue-message: 'This issue will be closed as no response'
+ stale-issue-label: 'needs more information'
+ exempt-issue-label: 'enhancement'
+ days-before-stale: 60
+ days-before-close: 30
From d68e317798d0021ffe41f666369dac16531f66b1 Mon Sep 17 00:00:00 2001 From: Tim Kimber Date: Wed, 26 Feb 2020 11:24:18 +0000 Subject: [PATCH 16/20] Delete stale.yml
---
 .github/workflows/stale.yml | 17 ----------------- 1 file changed, 17 deletions(-) delete mode 100644 .github/workflows/stale.yml
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
deleted file mode 100644
index 8699ac5..0000000
--- a/.github/workflows/stale.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-name: "Close stale issues"
-on:
- schedule:
- - cron: "0 0 * * *"
-
-jobs:
- stale:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/stale@v1
- with:
- repo-token: ${{ secrets.GITHUB_TOKEN }}
- stale-issue-message: 'This issue will be closed as no response'
- stale-issue-label: 'needs more information'
- exempt-issue-label: 'enhancement'
- days-before-stale: 60
- days-before-close: 30
From 0b3bff9082752df6e7703c6e302eff8385e21351 Mon Sep 17 00:00:00 2001
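Review bot: `uses: actions/stale@v1` pins to a mutable tag and hands the action the repository's `GITHUB_TOKEN`, so whatever the upstream maintainers later move `v1` to runs with write access to this repo's issues and pull requests; the later hunk in this series that switches to `actions/checkout@master` and `gatsbyjs/stale@master` makes the same trade-off against branch heads, which move far more often than a release tag. Pinning each `uses:` line to a full commit SHA with the version in a trailing comment (e.g. `uses: actions/stale@<commit-sha>  # v1`) fixes which code the token is given to, and a top-level `permissions:` block limited to `issues: write` and `pull-requests: write` bounds what that token can do if the action misbehaves. `actions/checkout` is also not needed by a stale bot that only talks to the API, so that step can go.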
From: Tim Kimber Date: Wed, 26 Feb 2020 23:12:49 +0000 Subject: [PATCH 17/20] Test using nslookup and on ubuntu16 --- docker-compose.yml | 35 +++++++++++++-- ...ple-dns01.bats => 2-simple-dns01-dig.bats} | 14 +++--- test/2-simple-dns01-nslookup.bats | 34 +++++++++++++++ test/8-duckdns-ecdsa.bats | 43 ++++--------------- test/Dockerfile-ubuntu16 | 25 +++++++++++ test/debug-test.sh | 6 +-- test/run-all-tests.cmd | 9 ++++ test/test-config/getssl-duckdns01.cfg | 2 +- test/test_helper.bash | 3 +- 9 files changed, 122 insertions(+), 49 deletions(-) rename test/{2-simple-dns01.bats => 2-simple-dns01-dig.bats} (63%) create mode 100644 test/2-simple-dns01-nslookup.bats create mode 100644 test/Dockerfile-ubuntu16 diff --git a/docker-compose.yml b/docker-compose.yml index 3eb81b7..b493888 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -129,6 +129,33 @@ services: - i.ubuntu.getssl.test - j.ubuntu.getssl.test - k.ubuntu.getssl.test + getssl-ubuntu16: + build: + context: . + dockerfile: test/Dockerfile-ubuntu16 + container_name: getssl-ubuntu16 + volumes: + - .:/getssl + environment: + GETSSL_HOST: ubuntu16.getssl.test + GETSSL_IP: 10.30.50.14 + NGINX_CONFIG: /etc/nginx/sites-enabled/default + networks: + acmenet: + ipv4_address: 10.30.50.14 + aliases: + - ubuntu16.getssl.test + - a.ubuntu16.getssl.test + - b.ubuntu16.getssl.test + - c.ubuntu16.getssl.test + - d.ubuntu16.getssl.test + - e.ubuntu16.getssl.test + - f.ubuntu16.getssl.test + - g.ubuntu16.getssl.test + - h.ubuntu16.getssl.test + - i.ubuntu16.getssl.test + - j.ubuntu16.getssl.test + - k.ubuntu16.getssl.test getssl-ubuntu18: build: context: . @@ -138,11 +165,11 @@ services: - .:/getssl environment: GETSSL_HOST: ubuntu18.getssl.test - GETSSL_IP: 10.30.50.14 + GETSSL_IP: 10.30.50.15 NGINX_CONFIG: /etc/nginx/sites-enabled/default networks: acmenet: - ipv4_address: 10.30.50.14 + ipv4_address: 10.30.50.15 aliases: - ubuntu18.getssl.test - a.ubuntu18.getssl.test 
@@ -165,13 +192,13 @@ services: - .:/getssl environment: GETSSL_HOST: getssl.duckdns.org - GETSSL_IP: 10.30.50.15 + GETSSL_IP: 10.30.50.16 NGINX_CONFIG: /etc/nginx/sites-enabled/default DUCKDNS_TOKEN: $DUCKDNS_TOKEN STAGING: "true" networks: acmenet: - ipv4_address: 10.30.50.15 + ipv4_address: 10.30.50.16 aliases: - getssl.duckdns.org diff --git a/test/2-simple-dns01.bats b/test/2-simple-dns01-dig.bats similarity index 63% rename from test/2-simple-dns01.bats rename to test/2-simple-dns01-dig.bats index ffd0b9e..cbac598 100644 --- a/test/2-simple-dns01.bats +++ b/test/2-simple-dns01-dig.bats @@ -11,7 +11,7 @@ setup() { } -@test "Create new certificate using DNS-01 verification" { +@test "Create new certificate using DNS-01 verification (dig)" { if [ -n "$STAGING" ]; then skip "Using staging server, skipping internal test" fi @@ -19,22 +19,24 @@ setup() { CONFIG_FILE="getssl-dns01.cfg" setup_environment init_getssl - create_certificate + create_certificate -d assert_success + assert_output --partial "dig" refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]' - refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]' + refute_output --regexp '[^:][Ee][Rr][Rr][Oo][Rr][^:]' # don't fail for :error:badNonce refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]' } -@test "Force renewal of certificate using DNS-01" { +@test "Force renewal of certificate using DNS-01 (dig)" { if [ -n "$STAGING" ]; then skip "Using staging server, skipping internal test" fi - run ${CODE_DIR}/getssl -f $GETSSL_HOST + run ${CODE_DIR}/getssl -d -f $GETSSL_HOST assert_success + assert_output --partial "dig" refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]' - refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]' + refute_output --regexp '[^:][Ee][Rr][Rr][Oo][Rr][^:]' # don't fail for :error:badNonce refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]' cleanup_environment } diff --git a/test/2-simple-dns01-nslookup.bats b/test/2-simple-dns01-nslookup.bats new file mode 100644 index 0000000..f92d817 --- /dev/null 
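Review bot: The new regexp `'[^:][Ee][Rr][Rr][Oo][Rr][^:]'` requires a non-colon character after the word as well as before it, so an output line such as `Error: could not …`, where "Error" is directly followed by a colon, no longer trips the assertion; that is a broader exemption than the `:error:badNonce` URN the trailing comment is aiming at. Because the URN token is preceded by a colon, `refute_output --regexp '[^:][Ee][Rr][Rr][Oo][Rr]'` already excludes it while still catching `Error:` messages. The same pattern is introduced in the new nslookup test and in the four 8-duckdns-ecdsa hunks that follow, so the fix applies there too.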
+++ b/test/2-simple-dns01-nslookup.bats
@@ -0,0 +1,34 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+setup() {
+ export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+ mv /usr/bin/dig /usr/bin/dig.getssl.bak
+}
+
+
+teardown() {
+ mv /usr/bin/dig.getssl.bak /usr/bin/dig
+}
+
+
+@test "Create new certificate using DNS-01 verification (nslookup)" {
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
+
+ CONFIG_FILE="getssl-dns01.cfg"
+ setup_environment
+ init_getssl
+ create_certificate -d
+ assert_success
+ assert_output --partial "nslookup"
+ refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
+ refute_output --regexp '[^:][Ee][Rr][Rr][Oo][Rr][^:]' # don't fail for :error:badNonce
+ refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
+}
diff --git a/test/8-duckdns-ecdsa.bats b/test/8-duckdns-ecdsa.bats
index f50dd05..0950d96 100644
--- a/test/8-duckdns-ecdsa.bats
+++ b/test/8-duckdns-ecdsa.bats
@@ -23,10 +23,10 @@ setup() {
 setup_environment
 init_getssl
 sed -e 's/rsa/prime256v1/g' < "${CODE_DIR}/test/test-config/${CONFIG_FILE}" > "${INSTALL_DIR}/.getssl/${GETSSL_HOST}/getssl.cfg"
- run ${CODE_DIR}/getssl "$GETSSL_HOST"
+ run ${CODE_DIR}/getssl -d "$GETSSL_HOST"
 assert_success
 refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
- refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]'
+ refute_output --regexp '[^:][Ee][Rr][Rr][Oo][Rr][^:]'
 refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
 }
@@ -35,10 +35,10 @@ setup() {
 if [ -z "$STAGING" ]; then
 skip "Running internal tests, skipping external test"
 fi
- run ${CODE_DIR}/getssl -f $GETSSL_HOST
+ run ${CODE_DIR}/getssl -d -f $GETSSL_HOST
 assert_success
 refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
- refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]'
+ refute_output --regexp '[^:][Ee][Rr][Rr][Oo][Rr][^:]'
 refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
 cleanup_environment
 }
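Review bot: `mv /usr/bin/dig /usr/bin/dig.getssl.bak` in setup hard-codes the binary's location and renames a system file for the whole container, not just this test: on an image where dig lives elsewhere the `mv` fails and the test errors instead of skipping, and if the run is interrupted between setup and teardown every later test in that container silently loses dig. Resolving the path and skipping when it is absent, `dig_path=$(command -v dig) || skip "dig not installed"` in setup (with teardown moving `"${dig_path}.getssl.bak"` back), makes both the dependency and the restore explicit. Nothing in the file states why dig is hidden; a comment on setup saying it is presumably there to make getssl fall through to nslookup, as the test name and `assert_output --partial "nslookup"` suggest, would spare the next reader the guess.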
@@ -54,10 +54,10 @@ setup() { setup_environment init_getssl sed -e 's/rsa/secp384r1/g' < "${CODE_DIR}/test/test-config/${CONFIG_FILE}" > "${INSTALL_DIR}/.getssl/${GETSSL_HOST}/getssl.cfg" - run ${CODE_DIR}/getssl "$GETSSL_HOST" + run ${CODE_DIR}/getssl -d "$GETSSL_HOST" assert_success refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]' - refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]' + refute_output --regexp '[^:][Ee][Rr][Rr][Oo][Rr][^:]' refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]' } @@ -66,38 +66,13 @@ setup() { if [ -z "$STAGING" ]; then skip "Running internal tests, skipping external test" fi - run ${CODE_DIR}/getssl -f $GETSSL_HOST + run ${CODE_DIR}/getssl -d -f $GETSSL_HOST assert_success refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]' - refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]' + refute_output --regexp '[^:][Ee][Rr][Rr][Oo][Rr][^:]' refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]' cleanup_environment } -@test "Create new certificate using staging server and secp521r1" { - skip "The staging server returns 'ECDSA curve P-521 not allowed'" - - CONFIG_FILE="getssl-duckdns01.cfg" - GETSSL_HOST=getssl.duckdns.org - - setup_environment - init_getssl - sed -e 's/rsa/secp521r1/g' < "${CODE_DIR}/test/test-config/${CONFIG_FILE}" > "${INSTALL_DIR}/.getssl/${GETSSL_HOST}/getssl.cfg" - run ${CODE_DIR}/getssl "$GETSSL_HOST" - assert_success - refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]' - refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]' - refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]' -} - - -@test "Force renewal of certificate using staging server and secp521r1" { - skip "The staging server returns 'ECDSA curve P-521 not allowed'" - run ${CODE_DIR}/getssl -f $GETSSL_HOST - assert_success - refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]' - refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]' - refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]' - cleanup_environment -} +# Note letsencrypt doesn't support ECDSA curve P-521 as it's being deprecated 
diff --git a/test/Dockerfile-ubuntu16 b/test/Dockerfile-ubuntu16
new file mode 100644
index 0000000..958bb6f
--- /dev/null
+++ b/test/Dockerfile-ubuntu16
@@ -0,0 +1,25 @@
+FROM ubuntu:xenial
+# xenial = 16
+
+# Note this image uses mawk
+
+# Update and install required software
+RUN apt-get update --fix-missing
+RUN apt-get install -y git curl dnsutils wget nginx-light
+
+WORKDIR /root
+RUN mkdir /etc/nginx/pki
+RUN mkdir /etc/nginx/pki/private
+COPY ./test/test-config/nginx-ubuntu-no-ssl /etc/nginx/sites-enabled/default
+
+# Prevent "Can't load /root/.rnd into RNG" error from openssl
+# RUN touch /root/.rnd
+
+# BATS (Bash Automated Testings)
+RUN git clone https://github.com/bats-core/bats-core.git /bats-core
+RUN git clone https://github.com/jasonkarns/bats-support /bats-support
+RUN git clone https://github.com/jasonkarns/bats-assert-1 /bats-assert
+RUN /bats-core/install.sh /usr/local
+
+# Run eternal loop - for testing
+CMD tail -f /dev/null
diff --git a/test/debug-test.sh b/test/debug-test.sh
index 8807670..890366b 100644
--- a/test/debug-test.sh
+++ b/test/debug-test.sh
@@ -9,14 +9,14 @@ if [ $# -eq 2 ]; then
 shift
 fi
+#shellcheck disable=SC1091
+source /getssl/test/test_helper.bash
+
 CONFIG_FILE=$1
 if [ ! -e "$CONFIG_FILE" ]; then
 CONFIG_FILE=${CODE_DIR}/test/test-config/${CONFIG_FILE}
 fi
-#shellcheck disable=SC1091
-source /getssl/test/test_helper.bash
-
 setup_environment 3>&1
 # Only add the pebble CA to the cert bundle if using pebble
diff --git a/test/run-all-tests.cmd b/test/run-all-tests.cmd
index 2c5ff6c..e887b6e 100644
--- a/test/run-all-tests.cmd
+++ b/test/run-all-tests.cmd
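Review bot: The three `git clone https://github.com/...` lines fetch whatever the default branch of bats-core, bats-support and bats-assert-1 holds at build time, and `FROM ubuntu:xenial` floats as well, so two builds of this image can differ and an upstream change (or a compromised upstream) lands in the test container with no diff here to review. Cloning a fixed ref, e.g. `RUN git clone --depth 1 --branch <tag> https://github.com/bats-core/bats-core.git /bats-core` with a tag chosen per project, pins the test harness the way the code under test is pinned. The commit subject says this image exists to exercise the nslookup path; a comment next to `# Note this image uses mawk` recording that would keep the reason with the file.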
@@ -1,6 +1,15 @@
+echo %time%
 docker exec -it getssl-alpine bats /getssl/test
+echo %time%
 docker exec -it getssl-centos6 bats /getssl/test
+echo %time%
 docker exec -it getssl-debian bats /getssl/test
+echo %time%
 docker exec -it getssl-ubuntu bats /getssl/test
+echo %time%
 docker exec -it getssl-ubuntu18 bats /getssl/test
+echo %time%
+docker exec -it getssl-ubuntu16 bats /getssl/test
+echo %time%
 docker exec -it getssl-duckdns bats /getssl/test
+echo %time%
diff --git a/test/test-config/getssl-duckdns01.cfg b/test/test-config/getssl-duckdns01.cfg
index 4a37bcd..10ac366 100644
--- a/test/test-config/getssl-duckdns01.cfg
+++ b/test/test-config/getssl-duckdns01.cfg
@@ -7,7 +7,7 @@ DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_duckdns"
 DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_duckdns"
 AUTH_DNS_SERVER=1.1.1.1
 CHECK_ALL_AUTH_DNS=false
-DNS_EXTRA_WAIT=20
+DNS_EXTRA_WAIT=30
 ACCOUNT_KEY_TYPE="rsa"
 PRIVATE_KEY_ALG="rsa"
diff --git a/test/test_helper.bash b/test/test_helper.bash
index 554d60a..0d106fa 100644
--- a/test/test_helper.bash
+++ b/test/test_helper.bash
@@ -39,5 +39,6 @@ init_getssl() {
 create_certificate() { # Create certificate
 cp "${CODE_DIR}/test/test-config/${CONFIG_FILE}" "${INSTALL_DIR}/.getssl/${GETSSL_HOST}/getssl.cfg"
- run ${CODE_DIR}/getssl "$GETSSL_HOST"
+ # shellcheck disable=SC2086
+ run ${CODE_DIR}/getssl $1 "$GETSSL_HOST"
 }
From 4ed430562d9e2b7b94d65af699e2a635803b0c2f Mon Sep 17 00:00:00 2001 From: Tim Kimber Date: Thu, 27 Feb 2020 09:21:12 +0000 Subject: [PATCH 18/20] Change to using gatsbyjs version (multiple exempt tags)
---
 .github/workflows/stale2.yml | 38 +++++++++++++++++++++++------------- 1 file changed, 24 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/stale2.yml b/.github/workflows/stale2.yml
index cd79668..14a3d06 100644
--- a/.github/workflows/stale2.yml
+++ b/.github/workflows/stale2.yml
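Review bot: `run ${CODE_DIR}/getssl $1 "$GETSSL_HOST"` in create_certificate relies on word-splitting of an unquoted `$1` (hence the SC2086 suppression) and silently accepts at most one extra argument. `run ${CODE_DIR}/getssl "$@" "$GETSSL_HOST"` passes zero or more flags through without splitting, needs no shellcheck directive, and the existing `create_certificate -d` and bare `create_certificate` call sites keep working. A one-line header, `# Usage: create_certificate [getssl flags...]`, would document the new argument.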
@@ -1,20 +1,30 @@
-name: Mark stale issues and pull requests
-
 on:
 schedule:
- - cron: "0 0 * * *"
+ - cron: "0 0 * * *"
+
+name: Run Stale Bot on Issue Comments
 jobs:
- stale:
-
+ build:
+ name: stale
 runs-on: ubuntu-latest
-
 steps:
- - uses: actions/stale@v1
- with:
- repo-token: ${{ secrets.GITHUB_TOKEN }}
- stale-issue-message: 'This issue will be closed as no response'
- stale-issue-label: 'needs more information'
- exempt-issue-label: 'enhancement'
- days-before-stale: 60
- days-before-close: 30
+ - uses: actions/checkout@master
+ - name: stale
+ uses: gatsbyjs/stale@master
+ with:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ DRY_RUN: true
+ DAYS_BEFORE_STALE: 60
+ DAYS_BEFORE_CLOSE: 30
+ STALE_ISSUE_LABEL: 'stale'
+ STALE_PR_LABEL: 'stale'
+ OPERATIONS_PER_RUN: 30
+ STALE_ISSUE_MESSAGE: 'This issue will be closed as no response'
+ CLOSE_MESSAGE: 'Closing stale issue'
+ EXEMPT_ISSUE_LABELS: |
+ enhancement
+ bug
+ feature
+ help wanted
+ documentation
From f3de9a8cc474b214e049930f22c0a97cbedb881b Mon Sep 17 00:00:00 2001 From: Tim Kimber Date: Thu, 27 Feb 2020 09:28:52 +0000 Subject: [PATCH 19/20] Add rfc to exempt tags
---
 .github/workflows/stale2.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/stale2.yml b/.github/workflows/stale2.yml
index 14a3d06..4a676c6 100644
--- a/.github/workflows/stale2.yml
+++ b/.github/workflows/stale2.yml
@@ -23,8 +23,9 @@ jobs:
 STALE_ISSUE_MESSAGE: 'This issue will be closed as no response'
 CLOSE_MESSAGE: 'Closing stale issue'
 EXEMPT_ISSUE_LABELS: |
- enhancement
 bug
+ documentation
+ enhancement
 feature
 help wanted
- documentation
+ rfc
From 3119ea986cd005d997bf18bcc40d3d9c648b417a Mon Sep 17 00:00:00 2001 From: Tim Kimber Date: Thu, 27 Feb 2020 09:29:56 +0000 Subject: [PATCH 20/20] Better stale/close messages
---
 .github/workflows/stale2.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
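Review bot: `DRY_RUN: true` leaves the job inert — the action reports what it would label or close but changes nothing — yet the messages, labels and `OPERATIONS_PER_RUN` read as if it were live, and nothing records that this is a trial. If the intent is a dry run until the exempt-label list settles, a comment above it, `# DRY_RUN: set to false once the exempt labels below have been reviewed`, says so; if not, the line should go. The workflow `name: Run Stale Bot on Issue Comments` also doesn't match the schedule-only trigger above it, which will confuse anyone reading the Actions tab.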
diff --git a/.github/workflows/stale2.yml b/.github/workflows/stale2.yml
index 4a676c6..ce6f9c1 100644
--- a/.github/workflows/stale2.yml
+++ b/.github/workflows/stale2.yml
@@ -20,8 +20,8 @@ jobs:
 STALE_ISSUE_LABEL: 'stale'
 STALE_PR_LABEL: 'stale'
 OPERATIONS_PER_RUN: 30
- STALE_ISSUE_MESSAGE: 'This issue will be closed as no response'
- CLOSE_MESSAGE: 'Closing stale issue'
+ STALE_ISSUE_MESSAGE: 'This issue will be closed as no updates for 60 days'
+ CLOSE_MESSAGE: 'Closing stale issue after 90 days of inactivity'
 EXEMPT_ISSUE_LABELS: |
 bug
 documentation
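Review bot: The new messages hard-code "60 days" and "90 days" while the actual thresholds come from `DAYS_BEFORE_STALE: 60` and `DAYS_BEFORE_CLOSE: 30` a few lines up, so the text is right only while 60 + 30 = 90 holds and will drift silently when either number is tuned. A comment next to the thresholds, `# keep the day counts quoted in STALE_ISSUE_MESSAGE / CLOSE_MESSAGE in sync (stale + close)`, flags the coupling; if the action can substitute the numbers into the message that would remove it entirely, but nothing here shows that it does.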