From 8203c38b364e28e42dd6951286a70a0df63111d8 Mon Sep 17 00:00:00 2001
From: Tim Kimber
Date: Thu, 16 Jan 2020 11:48:02 +0000
Subject: [PATCH 1/3] Disable auth reuse to fix force-renew tests
---
 docker-compose.yml | 2 ++
 test/run-test.sh | 10 ----------
 2 files changed, 2 insertions(+), 10 deletions(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index b770b44..f4b3567 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -7,6 +7,8 @@ services:
 environment:
 # with Go 1.13.x which defaults TLS 1.3 to on
 GODEBUG: "tls13=1"
+ # don't reuse authorizations (breaks testing force renew)
+ PEBBLE_AUTHZREUSE: 0
 ports:
 - 14000:14000 # HTTPS ACME API
 - 15000:15000 # HTTPS Management API
diff --git a/test/run-test.sh b/test/run-test.sh
index b983899..8051922 100644
--- a/test/run-test.sh
+++ b/test/run-test.sh
@@ -25,10 +25,6 @@ cp /getssl/test/test-config/getssl-http01.cfg /root/.getssl/getssl/getssl.cfg
 # Test #2 - http-01 forced renewal
 echo Test \#2 - http-01 forced renewal
-
-# There's a race condition if renew too soon (authlink returns "valid" instead of "pending")
-echo Sleeping 20s to allow previous validation to expire
-sleep 20
 /getssl/getssl getssl -f
 # Test cleanup
@@ -36,7 +32,6 @@ rm -r /root/.getssl
 # Test #3 - dns-01 verification
 echo Test \#3 - dns-01 verification
-
 cp /getssl/test/test-config/nginx-ubuntu-no-ssl /etc/nginx/sites-enabled/default
 service nginx restart
 /getssl/getssl -c getssl
@@ -45,9 +40,4 @@ cp /getssl/test/test-config/getssl-dns01.cfg /root/.getssl/getssl/getssl.cfg
 # Test #4 - dns-01 forced renewal
 echo Test \#4 - dns-01 forced renewal
-
-# There's a race condition if renew too soon (authlink returns "valid" instead of "pending")
-echo Sleeping 30s to allow previous validation to expire
-sleep 30
-
 /getssl/getssl getssl -f
From f17590af52c0db97fd3105cd66aa187e5240c2ce Mon Sep 17 00:00:00 2001
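Review bot: The new PEBBLE_AUTHZREUSE entry is what allows the three test/run-test.sh hunks in this patch to drop their sleep-based workaround, but nothing in the test script records that dependency, so a test environment started without this compose file will run into the old race again with no hint why. Say so next to the variable, e.g. `# test/run-test.sh relies on this: forced renewals (-f) would otherwise hit a still-valid authorization`. As a point of style, quote the value like the neighbouring GODEBUG entry, `PEBBLE_AUTHZREUSE: "0"`, since an unquoted 0 is a YAML integer and compose hands environment values on as strings.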
From: Tim Kimber
Date: Thu, 16 Jan 2020 11:50:55 +0000
Subject: [PATCH 2/3] Revert ready for challenge for ACME v1
---
 getssl | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/getssl b/getssl
index e52b3d0..5352e11 100755
--- a/getssl
+++ b/getssl
@@ -286,14 +286,15 @@ check_challenge_completion() { # checks with the ACME server if our challenge is
 keyauthorization=$3
 debug "sending request to ACME server saying we're ready for challenge"
- send_signed_request "$uri" "{}"
 # check response from our request to perform challenge
 if [[ $API -eq 1 ]]; then
+ send_signed_request "$uri" "{\"resource\": \"challenge\", \"keyAuthorization\": \"$keyauthorization\"}"
 if [[ -n "$code" ]] && [[ ! "$code" == '202' ]] ; then
 error_exit "$domain:Challenge error: $code"
 fi
 else # APIv2
+ send_signed_request "$uri" "{}"
 if [[ -n "$code" ]] && [[ ! "$code" == '200' ]] ; then
 detail=$(echo "$response" | grep "detail" | awk -F\" '{print $4}')
 error_exit "$domain:Challenge error: $code:Detail: $detail"
@@ -303,7 +304,13 @@ check_challenge_completion() { # checks with the ACME server if our challenge is
 # loop "forever" to keep checking for a response from the ACME server.
 while true ; do
 debug "checking if challenge is complete"
- send_signed_request "$uri" ""
+ if [[ $API -eq 1 ]]; then
+ if ! get_cr "$uri" ; then
+ error_exit "$domain:Verify error:$code"
+ fi
+ else # APIv2
+ send_signed_request "$uri" ""
+ fi
 status=$(json_get "$response" status)
From 197c5f8faa86d146ec69666a58f9f00e0f7ed149 Mon Sep 17 00:00:00 2001
From: Tim Kimber
Date: Fri, 17 Jan 2020 20:34:14 +0000
Subject: [PATCH 3/3] Ignore base64 errors
---
 getssl | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/getssl b/getssl
index 5352e11..8269195 100755
--- a/getssl
+++ b/getssl
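Review bot: The restored ACMEv1 branch builds the JSON body by interpolating `$keyauthorization` straight into the string, with no check that the value is non-empty or free of `"`/`\`; an empty value is sent as `"keyAuthorization": ""` and a stray quote would produce an unparseable body. Per ACME a key authorization is token.thumbprint in base64url characters, so a cheap guard before the call keeps a malformed value from ever reaching the server: `[[ "$keyauthorization" =~ ^[A-Za-z0-9._-]+$ ]] || error_exit "$domain:invalid key authorization"`. A one-line comment above the two `send_signed_request` calls should also say why v1 needs the resource/keyAuthorization payload while v2 sends `{}`, since the next reader will otherwise see two different bodies for the same step. check_challenge_completion starts before and continues after this hunk.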
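Review bot: In the polling loop the v1 branch reports `$code` when `get_cr "$uri"` fails, but nothing in this hunk shows get_cr setting `code` (or `response`, which `status=$(json_get "$response" status)` reads on the next line), so the message may carry the status of the earlier send_signed_request and the loop may parse that earlier response as if it were the poll result; worth confirming against get_cr's definition, which is outside this hunk. If get_cr does not set them, clear both before the call, `code='' response=''`, so a failed poll is reported as such rather than as the previous 202. The enclosing while loop and check_challenge_completion both extend beyond the hunk.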
@@ -196,10 +196,11 @@
 # 2020-01-07 #464 and #486 "json was blank" (change all curl request to use POST-as-GET)
 # 2020-01-08 Error and exit if rate limited, exit if curl returns nothing
 # 2020-01-10 Change domain and getssl templates to v2 (2.15)
+# 2020-01-17 #473 and #477 Don't use POST-as-GET when sending ready for challenge for ACMEv1 (2.16)
 # ----------------------------------------------------------------------------------------
 PROGNAME=${0##*/}
-VERSION="2.15"
+VERSION="2.16"
 # defaults
 ACCOUNT_KEY_LENGTH=4096
@@ -1444,8 +1445,7 @@ send_signed_request() { # Sends a request to the ACME server, signed with your p
 responseHeaders=$(cat "$CURL_HEADER")
 if [[ "$needbase64" && ${response##*()} != "{"* ]]; then # response is in base64 too, decode
- #!FIXME need to use openssl base64 decoder if it exists
- response=$(echo "$response" | base64 -d)
+ response=$(echo "$response" | base64 -d 2>&1)
 fi
 debug responseHeaders "$responseHeaders"
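Review bot: `2>&1` does not ignore base64 errors, it folds the decoder's error text into `$response`, so whatever the caller does with `$response` after this hunk receives an error message in place of the decoded server reply; a decode failure is silently converted into garbage data rather than being ignored or reported. If the intent is to tolerate a noisy decoder, discard stderr and still look at the status, which for an assignment from a command substitution is that of the last pipeline stage: `response=$(printf '%s' "$response" | base64 -d 2>/dev/null) || debug "base64 decode of response failed"`. The deleted FIXME about an openssl fallback is still an open question and is better kept as a comment than dropped. send_signed_request starts before this hunk and continues after it.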