From 2dbaf3e14d1d65dca263dc49ec235334bab4c022 Mon Sep 17 00:00:00 2001
From: Tim Kimber
Date: Fri, 10 Jan 2020 19:24:57 +0000
Subject: [PATCH] Update templates, clean up test code

---
 getssl | 12 +++++++-----
 test/Dockerfile-rhel6 | 5 -----
 test/Dockerfile-ubuntu | 5 -----
 test/README.md | 20 ++++++++++++++++++++
 test/run-test.sh | 14 ++++++++++----
 5 files changed, 37 insertions(+), 19 deletions(-)
 create mode 100644 test/README.md

diff --git a/getssl b/getssl
index f0b31f5..5d46286 100755
--- a/getssl
+++ b/getssl
@@ -193,7 +193,9 @@
 # 2019-11-22 #456 Fix shellcheck issues
 # 2019-11-23 #459 Fix missing chain.crt
 # 2019-12-18 #462 Use POST-as-GET for ACMEv2 endpoints
-# 2020-01-07 #464 and #486 "json was blank" (change all curl request to use POST-as-GET) (2.15)
+# 2020-01-07 #464 and #486 "json was blank" (change all curl request to use POST-as-GET)
+# 2020-01-08 Error and exit if rate limited, exit if curl returns nothing
+# 2020-01-10 Change domain and getssl templates to v2 (2.15)
 # ----------------------------------------------------------------------------------------

 PROGNAME=${0##*/}
@@ -212,7 +214,7 @@ CODE_LOCATION="https://raw.githubusercontent.com/srvrco/getssl/master/getssl"
 CSR_SUBJECT="/"
 CURL_USERAGENT="${PROGNAME}/${VERSION}"
 DEACTIVATE_AUTH="false"
-DEFAULT_REVOKE_CA="https://acme-v01.api.letsencrypt.org"
+DEFAULT_REVOKE_CA="https://acme-v02.api.letsencrypt.org"
 DNS_EXTRA_WAIT=""
 DNS_WAIT=10
 DOMAIN_KEY_LENGTH=4096
@@ -1566,7 +1568,7 @@ write_domain_template() { # write out a template file for a domain.
 # The staging server is best for testing
 #CA="https://acme-staging-v02.api.letsencrypt.org/directory"
 # This server issues full certificates, however has rate limits
- #CA="https://acme-v01.api.letsencrypt.org"
+ #CA="https://acme-v02.api.letsencrypt.org"

 #PRIVATE_KEY_ALG="rsa"
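Review bot: `DEFAULT_REVOKE_CA` at 217 is moved to the v02 host but kept as a bare origin, whereas the staging `CA` written by the template hunk at 1568 ends in `/directory`; in ACME v2 the revocation URL is published in the directory document rather than at a fixed path, so this default only works if the revoke code derives its endpoint from `${DEFAULT_REVOKE_CA}/directory`, and that code is outside this diff. Worth confirming against the revoke path and recording the expected form on the line, e.g. `DEFAULT_REVOKE_CA="https://acme-v02.api.letsencrypt.org" # origin only, no /directory suffix` if that is indeed what the revoke code appends to.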
@@ -1619,7 +1621,7 @@ write_getssl_template() { # write out the main template file
 # The staging server is best for testing (hence set as default)
 CA="https://acme-staging-v02.api.letsencrypt.org/directory"
 # This server issues full certificates, however has rate limits
- #CA="https://acme-v01.api.letsencrypt.org"
+ #CA="https://acme-v02.api.letsencrypt.org"

 #AGREEMENT="$AGREEMENT"
@@ -2021,7 +2023,7 @@ if [[ -s "$CERT_FILE" ]]; then
 enddate_s=$(date_epoc "$enddate")
 if [[ $(date_renew) -lt "$enddate_s" ]] && [[ $_FORCE_RENEW -ne 1 ]]; then
 issuer=$(openssl x509 -in "$CERT_FILE" -noout -issuer 2>/dev/null)
- if [[ "$issuer" == *"Fake LE Intermediate"* ]] && [[ "$CA" == "https://acme-v01.api.letsencrypt.org" ]]; then
+ if [[ "$issuer" == *"Fake LE Intermediate"* ]] && [[ "$CA" == "https://acme-v02.api.letsencrypt.org" ]]; then
 debug "upgrading from fake cert to real"
 else
 info "${DOMAIN}: certificate is valid for more than $RENEW_ALLOW days (until $enddate)"
diff --git a/test/Dockerfile-rhel6 b/test/Dockerfile-rhel6
index 5ebb278..019da84 100644
--- a/test/Dockerfile-rhel6
+++ b/test/Dockerfile-rhel6
@@ -20,8 +20,3 @@ EXPOSE 80 443

 # Run eternal loop - for testing
 CMD ["/bin/bash", "-c", "while :; do sleep 10; done"]
-
-# with Pebble
-# docker-compose -f "docker-compose.yml" up -d --build
-# docker exec -it getssl /bin/bash
-# /getssl/test/run-test.sh
diff --git a/test/Dockerfile-ubuntu b/test/Dockerfile-ubuntu
index 7f1a8e5..b0f09f8 100644
--- a/test/Dockerfile-ubuntu
+++ b/test/Dockerfile-ubuntu
@@ -21,8 +21,3 @@ EXPOSE 80 443

 # Run eternal loop - for testing
 CMD ["/bin/bash", "-c", "while :; do sleep 10; done"]
-
-# with Pebble
-# docker-compose -f "docker-compose.yml" up -d --build
-# docker exec -it getssl /bin/bash
-# /getssl/test/run-test.sh
diff --git a/test/README.md b/test/README.md
new file mode 100644
index 0000000..9d0aedd
--- /dev/null
+++ b/test/README.md
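Review bot: The fake-certificate upgrade test at 2026 compares `$CA` for exact equality with `https://acme-v02.api.letsencrypt.org`, while the staging URL written by the template hunks at 1568 and 1621 carries a `/directory` suffix; a user who writes the production CA in that same form (or with a trailing slash) never reaches `upgrading from fake cert to real` and keeps the staging-issued certificate until ordinary renewal. A prefix match covers both spellings: `if [[ "$issuer" == *"Fake LE Intermediate"* ]] && [[ "$CA" == "https://acme-v02.api.letsencrypt.org"* ]]; then`. The enclosing `if [[ -s "$CERT_FILE" ]]` block starts and ends outside the hunk.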
@@ -0,0 +1,20 @@
+# Testing
+
+This directory contains a simple test script which tests creating certificates with Pebble (testing version of the LetsEncrypt server)
+
+Start up pebble, the challdnstest server for DNS challenges
+`docker-compose -f "docker-compose.yml" up -d --build`
+
+Run the tests
+`docker exec -it getssl /getssl/test/run-test.sh`
+
+Debug (need to set CURL_CA_BUNDLE as pebble uses a local certificate, otherwise you get a "unknown API version" error)
+`docker exec -it getssl /bin/bash`
+`export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt`
+`/getssl/getssl -d getssl`
+
+# TODO
+1. Move to BATS (bash automated testing) instead of run-test.sh
+2. Test RHEL6, Debian as well
+3. Test SSH, SFTP
+4. Test wildcards
diff --git a/test/run-test.sh b/test/run-test.sh
index e93ae89..b983899 100644
--- a/test/run-test.sh
+++ b/test/run-test.sh
@@ -3,7 +3,9 @@
 set -e

 # Test setup
-rm -r /root/.getssl
+if [[ -d /root/.getssl ]]; then
+ rm -r /root/.getssl
+fi
 wget --no-clobber https://raw.githubusercontent.com/letsencrypt/pebble/master/test/certs/pebble.minica.pem
 # cat /etc/pki/tls/certs/ca-bundle.crt /root/pebble.minica.pem > /root/pebble-ca-bundle.crt

@@ -24,11 +26,12 @@ cp /getssl/test/test-config/getssl-http01.cfg /root/.getssl/getssl/getssl.cfg

 # Test #2 - http-01 forced renewal
 echo Test \#2 - http-01 forced renewal
-sleep 5 # There's a race condition if renew too soon (authlink returns "valid" instead of "pending")
+# There's a race condition if renew too soon (authlink returns "valid" instead of "pending")
+echo Sleeping 20s to allow previous validation to expire
+sleep 20
 /getssl/getssl getssl -f

 # Test cleanup
- rm -r /root/.getssl

 # Test #3 - dns-01 verification
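Review bot: The `wget --no-clobber` line saves `pebble.minica.pem` into whatever the current working directory is, while the bundle command beneath it and the README added in this commit expect the file under `/root`, so the setup only works when the script happens to be run from `/root`. That file is also the trust anchor the whole test run relies on, fetched from a moving `master` branch, so the fetch should be anchored and checked: `wget --no-clobber -P /root https://raw.githubusercontent.com/letsencrypt/pebble/master/test/certs/pebble.minica.pem` followed by `[[ -s /root/pebble.minica.pem ]] || exit 1`. Note also that some wget releases exit non-zero from `--no-clobber` when the file already exists, which under the `set -e` at the top of this hunk would abort a second run before the first test; the new `if [[ -d /root/.getssl ]]` guard suggests re-runs are intended.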
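Review bot: The `sleep 20` here and the `sleep 30` in the hunk at 46 encode a guessed wait for the previous authorization to stop reporting `valid`, and the two values already disagree, so the forced-renewal tests will either flake on a slower Pebble or pass without exercising a fresh challenge. If `DEACTIVATE_AUTH` (one of the getssl defaults visible in this patch) deactivates the authorization after issuance, enabling it in the test config would remove the race deterministically; otherwise use one shared constant with the reason beside it, e.g. `auth_wait=30 # authlink still reports "valid" shortly after issuance; renewing inside that window skips the challenge`, and `sleep "$auth_wait"` in both places.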
@@ -43,5 +46,8 @@ cp /getssl/test/test-config/getssl-dns01.cfg /root/.getssl/getssl/getssl.cfg

 # Test #4 - dns-01 forced renewal
 echo Test \#4 - dns-01 forced renewal
-sleep 5 # There's a race condition if renew too soon (authlink returns "valid" instead of "pending")
+# There's a race condition if renew too soon (authlink returns "valid" instead of "pending")
+echo Sleeping 30s to allow previous validation to expire
+sleep 30
+
 /getssl/getssl getssl -f