Merge pull request #479 from srvrco/fix-v1-renew

Fix for ACMEv1 renewals

docker-compose.yml

@@ -7,6 +7,8 @@ services:
     environment:
       # with Go 1.13.x which defaults TLS 1.3 to on
       GODEBUG: "tls13=1"
+      # don't reuse authorizations (breaks testing force renew)
+      PEBBLE_AUTHZREUSE: 0
     ports:
       - 14000:14000  # HTTPS ACME API
       - 15000:15000  # HTTPS Management API

getssl

@@ -196,10 +196,11 @@
 # 2020-01-07 #464 and #486 "json was blank" (change all curl request to use POST-as-GET)
 # 2020-01-08 Error and exit if rate limited, exit if curl returns nothing
 # 2020-01-10 Change domain and getssl templates to v2 (2.15)
+# 2020-01-17 #473 and #477 Don't use POST-as-GET when sending ready for challenge for ACMEv1 (2.16)
 # ----------------------------------------------------------------------------------------
 
 PROGNAME=${0##*/}
-VERSION="2.15"
+VERSION="2.16"
 
 # defaults
 ACCOUNT_KEY_LENGTH=4096
@@ -286,14 +287,15 @@ check_challenge_completion() { # checks with the ACME server if our challenge is
   keyauthorization=$3
 
   debug "sending request to ACME server saying we're ready for challenge"
-  send_signed_request "$uri" "{}"
 
   # check response from our request to perform challenge
   if [[ $API -eq 1 ]]; then
+    send_signed_request "$uri" "{\"resource\": \"challenge\", \"keyAuthorization\": \"$keyauthorization\"}"
     if [[ -n "$code" ]] && [[ ! "$code" == '202' ]] ; then
       error_exit "$domain:Challenge error: $code"
     fi
   else # APIv2
+    send_signed_request "$uri" "{}"
     if [[ -n "$code" ]] && [[ ! "$code" == '200' ]] ; then
       detail=$(echo "$response" | grep "detail" | awk -F\" '{print $4}')
       error_exit "$domain:Challenge error: $code:Detail: $detail"
@@ -303,7 +305,13 @@ check_challenge_completion() { # checks with the ACME server if our challenge is
   # loop "forever" to keep checking for a response from the ACME server.
   while true ; do
     debug "checking if challenge is complete"
-    send_signed_request "$uri" ""
+    if [[ $API -eq 1 ]]; then
+      if ! get_cr "$uri" ; then
+        error_exit "$domain:Verify error:$code"
+      fi
+    else # APIv2
+      send_signed_request "$uri" ""
+    fi
 
     status=$(json_get "$response" status)
 
@@ -1437,8 +1445,7 @@ send_signed_request() { # Sends a request to the ACME server, signed with your p
       responseHeaders=$(cat "$CURL_HEADER")
       if [[ "$needbase64" && ${response##*()} != "{"* ]]; then
         # response is in base64 too, decode
-        #!FIXME need to use openssl base64 decoder if it exists
-        response=$(echo "$response" | base64 -d)
+        response=$(echo "$response" | base64 -d 2>&1)
       fi
 
       debug responseHeaders "$responseHeaders"

test/run-test.sh

@@ -25,10 +25,6 @@ cp /getssl/test/test-config/getssl-http01.cfg /root/.getssl/getssl/getssl.cfg
 
 # Test #2 - http-01 forced renewal
 echo Test \#2 - http-01 forced renewal
-
-# There's a race condition if renew too soon (authlink returns "valid" instead of "pending")
-echo Sleeping 20s to allow previous validation to expire
-sleep 20
 /getssl/getssl getssl -f
 
 # Test cleanup
@@ -36,7 +32,6 @@ rm -r /root/.getssl
 
 # Test #3 - dns-01 verification
 echo Test \#3 - dns-01 verification
-
 cp /getssl/test/test-config/nginx-ubuntu-no-ssl /etc/nginx/sites-enabled/default
 service nginx restart
 /getssl/getssl -c getssl
@@ -45,9 +40,4 @@ cp /getssl/test/test-config/getssl-dns01.cfg /root/.getssl/getssl/getssl.cfg
 
 # Test #4 - dns-01 forced renewal
 echo Test \#4 - dns-01 forced renewal
-
-# There's a race condition if renew too soon (authlink returns "valid" instead of "pending")
-echo Sleeping 30s to allow previous validation to expire
-sleep 30
-
 /getssl/getssl getssl -f