
Update staging certificate names

pull/643/head
Tim Kimber 5 years ago
parent
commit
4f5b518038
No known key found for this signature in database GPG Key ID: 3E1804964E76BD18
3 changed files with 61 additions and 31 deletions
  1. +7
    -5
      getssl
  2. +30
    -15
      test/35-preferred-chain.bats
  3. +24
    -11
      test/36-full-chain-inc-root.bats

+ 7
- 5
getssl View File

@ -1582,7 +1582,7 @@ get_certificate() { # get certificate for csr, if all domains validated.
cp "$gc_fullchain" "$cert_to_check"
i=0
while [[ $i -le ${#alternate_links[@]} ]]; do
cert_issuer=$(openssl crl2pkcs7 -nocrl -certfile "$cert_to_check" | openssl pkcs7 -print_certs -text -noout | grep 'Issuer:' | tail -1 | cut -d= -f2)
cert_issuer=$(openssl crl2pkcs7 -nocrl -certfile "$cert_to_check" | openssl pkcs7 -print_certs -text -noout | grep 'Issuer:' | tail -1 | awk -F"CN=" '{ print $2 }')
debug Certificate issued by "$cert_issuer"
if [[ $cert_issuer = *${PREFERRED_CHAIN}* ]]; then
debug "Found required certificate"
@ -2400,9 +2400,10 @@ write_domain_template() { # write out a template file for a domain.
#USE_SINGLE_ACL="false"
# Preferred Chain - use an different certificate root from the default
# Staging options are: "Fake LE Root X1" and "Fake LE Root X2"
# This uses wildcard matching so requesting "X1" returns the correct certificate - may need to escape characters
# Staging options are: "(STAGING) Doctored Durian Root CA X3" and "(STAGING) Pretend Pear X1"
# Production options are: "ISRG Root X1" and "ISRG Root X2"
#PREFERRED_CHAIN=""
#PREFERRED_CHAIN="\(STAGING\) Pretend Pear X1"
# Uncomment this if you need the full chain file to include the root certificate (Java keystores, Nutanix Prism)
#FULL_CHAIN_INCLUDE_ROOT="true"
@ -2462,9 +2463,10 @@ write_getssl_template() { # write out the main template file
#REUSE_PRIVATE_KEY="true"
# Preferred Chain - use an different certificate root from the default
# Staging options are: "Fake LE Root X1" and "Fake LE Root X2"
# This uses wildcard matching so requesting "X1" returns the correct certificate - may need to escape characters
# Staging options are: "(STAGING) Doctored Durian Root CA X3" and "(STAGING) Pretend Pear X1"
# Production options are: "ISRG Root X1" and "ISRG Root X2"
#PREFERRED_CHAIN=""
#PREFERRED_CHAIN="\(STAGING\) Pretend Pear X1"
# Uncomment this if you need the full chain file to include the root certificate (Java keystores, Nutanix Prism)
#FULL_CHAIN_INCLUDE_ROOT="true"
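Review bot: The new `awk -F"CN=" '{ print $2 }'` in get_certificate() (first hunk) leaves `cert_issuer` empty whenever the Issuer line does not contain a bare `CN=` — newer OpenSSL builds print `-text` names as `CN = R3` with spaces around `=`, and a DN without a CN matches nothing — so the `*${PREFERRED_CHAIN}*` comparison quietly fails for every alternate link and the preferred chain is never selected. A tolerant separator keeps the intent and covers both spellings: `awk -F'CN ?= ?' '{ print $2 }'`; a `debug` line when the result is empty would also make the failure visible in the log. The same extraction is repeated in test/35-preferred-chain.bats and test/36-full-chain-inc-root.bats and would need the same change. get_certificate() starts and ends outside the hunk.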


+ 30
- 15
test/35-preferred-chain.bats View File

@ -15,10 +15,12 @@ setup() {
@test "Use PREFERRED_CHAIN to select an alternate root" {
if [ -n "$STAGING" ]; then
PREFERRED_CHAIN="Fake LE Root X2"
PREFERRED_CHAIN="\(STAGING\) Pretend Pear X1"
CHECK_CHAIN="(STAGING) Pretend Pear X1"
else
PREFERRED_CHAIN=$(curl --silent https://pebble:15000/roots/2 | openssl x509 -text -noout | grep "Issuer:" | cut -d= -f2)
PREFERRED_CHAIN=$(curl --silent https://pebble:15000/roots/2 | openssl x509 -text -noout | grep "Issuer:" | awk -F"CN=" '{ print $2 }')
PREFERRED_CHAIN="${PREFERRED_CHAIN# }" # remove leading whitespace
CHECK_CHAIN=$PREFERRED_CHAIN
fi
CONFIG_FILE="getssl-dns01.cfg"
@ -29,21 +31,27 @@ setup() {
PREFERRED_CHAIN="${PREFERRED_CHAIN}"
EOF
create_certificate
create_certificate -d
assert_success
check_output_for_errors
issuer=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.crt" | openssl pkcs7 -print_certs -text -noout | grep Issuer: | tail -1 | cut -d= -f2)
issuer=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.crt" | openssl pkcs7 -print_certs -text -noout | grep Issuer: | tail -1 | awk -F"CN=" '{ print $2 }')
# verify certificate is issued by preferred chain root
[ "$PREFERRED_CHAIN" = "$issuer" ]
if [[ "${CHECK_CHAIN}" != "$issuer" ]]; then
echo "# PREFERRED_CHAIN=$PREFERRED_CHAIN"
echo "# issuer=$issuer"
fi
[ "${CHECK_CHAIN}" = "$issuer" ]
}
@test "Use PREFERRED_CHAIN to select the default root" {
if [ -n "$STAGING" ]; then
PREFERRED_CHAIN="Fake LE Root X1"
PREFERRED_CHAIN="\(STAGING\) Doctored Durian Root CA X3"
CHECK_CHAIN="(STAGING) Doctored Durian Root CA X3"
else
PREFERRED_CHAIN=$(curl --silent https://pebble:15000/roots/0 | openssl x509 -text -noout | grep Issuer: | cut -d= -f2 )
PREFERRED_CHAIN=$(curl --silent https://pebble:15000/roots/0 | openssl x509 -text -noout | grep Issuer: | awk -F"CN=" '{ print $2 }')
PREFERRED_CHAIN="${PREFERRED_CHAIN# }" # remove leading whitespace
fi
@ -59,17 +67,21 @@ EOF
assert_success
check_output_for_errors
issuer=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.crt" | openssl pkcs7 -print_certs -text -noout | grep Issuer: | tail -1 | cut -d= -f2)
issuer=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.crt" | openssl pkcs7 -print_certs -text -noout | grep Issuer: | tail -1 | awk -F"CN=" '{ print $2 }')
# verify certificate is issued by preferred chain root
[ "$PREFERRED_CHAIN" = "$issuer" ]
if [[ "${CHECK_CHAIN}" != "$issuer" ]]; then
echo "# PREFERRED_CHAIN=$PREFERRED_CHAIN"
echo "# issuer=$issuer"
fi
[ "${CHECK_CHAIN}" = "$issuer" ]
}
@test "Use PREFERRED_CHAIN to select an alternate root by suffix" {
if [ -n "$STAGING" ]; then
FULL_PREFERRED_CHAIN="Fake LE Root X2"
FULL_PREFERRED_CHAIN="(STAGING) Pretend Pear X1"
else
FULL_PREFERRED_CHAIN=$(curl --silent https://pebble:15000/roots/2 | openssl x509 -text -noout | grep "Issuer:" | cut -d= -f2)
FULL_PREFERRED_CHAIN=$(curl --silent https://pebble:15000/roots/2 | openssl x509 -text -noout | grep "Issuer:" | awk -F"CN=" '{ print $2 }')
FULL_PREFERRED_CHAIN="${FULL_PREFERRED_CHAIN# }" # remove leading whitespace
fi
@ -87,9 +99,12 @@ EOF
assert_success
check_output_for_errors
issuer=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.crt" | openssl pkcs7 -print_certs -text -noout | grep Issuer: | tail -1 | cut -d= -f2)
issuer=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.crt" | openssl pkcs7 -print_certs -text -noout | grep Issuer: | tail -1 | awk -F"CN=" '{ print $2 }')
# verify certificate is issued by preferred chain root
echo "# ${issuer}"
echo "# ${FULL_PREFERRED_CHAIN}"
[ "$FULL_PREFERRED_CHAIN" = "$issuer" ]
if [[ "${FULL_PREFERRED_CHAIN}" != "$issuer" ]]; then
echo "# PREFERRED_CHAIN=$PREFERRED_CHAIN"
echo "# FULL_PREFERRED_CHAIN=$FULL_PREFERRED_CHAIN"
echo "# issuer=$issuer"
fi
[ "${FULL_PREFERRED_CHAIN}" = "$issuer" ]
}
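Review bot: In the pebble branch of the "select the default root" test (hunk `@ -29,21 +31,27`, the lines after `else`), `CHECK_CHAIN` is never assigned, yet the next hunk compares `"${CHECK_CHAIN}"` with `$issuer` and asserts on it; the first test sets `CHECK_CHAIN=$PREFERRED_CHAIN` in the same position. Unless setup() exports it (not visible here), that assertion compares an empty string and fails whenever STAGING is unset. Add `CHECK_CHAIN=$PREFERRED_CHAIN` directly after the `PREFERRED_CHAIN="${PREFERRED_CHAIN# }"` line, mirroring the first test. The enclosing @test body continues past the hunk.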

+ 24
- 11
test/36-full-chain-inc-root.bats View File

@ -27,22 +27,27 @@ EOF
check_output_for_errors
if [ -n "$STAGING" ]; then
PREFERRED_CHAIN="Fake LE Root X1"
PREFERRED_CHAIN="(STAGING) Doctored Durian Root CA X3"
else
# pebble doesn't support CA Issuers so the fullchain.crt will just contain the certificate (code path means it won't contain the intermediate cert in this case)
# This is testing that requesting FULL_CHAIN_INCLUDE_ROOT doesn't fail if there is no CA Issuers in the certificate
PREFERRED_CHAIN=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt" | openssl pkcs7 -print_certs -text -noout | grep Subject: | tail -1 | cut -d= -f2)
PREFERRED_CHAIN=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt" | openssl pkcs7 -print_certs -text -noout | grep Subject: | tail -1 | awk -F"CN=" '{ print $2 }')
fi
final_issuer=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.crt" | openssl pkcs7 -print_certs -text -noout | grep Subject: | tail -1 | cut -d= -f2)
final_issuer=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.crt" | openssl pkcs7 -print_certs -text -noout | grep Subject: | tail -1 | awk -F"CN=" '{ print $2 }')
# verify certificate includes the chain root
[ "$PREFERRED_CHAIN" = "$final_issuer" ]
if [[ "${PREFERRED_CHAIN}" != "$final_issuer" ]]; then
echo "# PREFERRED_CHAIN=$PREFERRED_CHAIN"
echo "# final_issuer=$final_issuer"
fi
[ "${PREFERRED_CHAIN}" = "$final_issuer" ]
}
@test "Use FULL_CHAIN_INCLUDE_ROOT with dual certificates" {
if [ -n "$STAGING" ]; then
PREFERRED_CHAIN="Fake LE Root X1"
PREFERRED_CHAIN="(STAGING) Doctored Durian Root CA X3"
fi
CONFIG_FILE="getssl-dns01.cfg"
@ -66,16 +71,24 @@ EOF
assert [ -e "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.ec.crt" ]
if [ -n "$STAGING" ]; then
PREFERRED_CHAIN="Fake LE Root X1"
PREFERRED_CHAIN="(STAGING) Doctored Durian Root CA X3"
else
# pebble doesn't support CA Issuers so the fullchain.crt will just contain the certificate (code path means it won't contain the intermediate cert in this case)
# This is testing that requesting FULL_CHAIN_INCLUDE_ROOT doesn't fail if there is no CA Issuers in the certificate
PREFERRED_CHAIN=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt" | openssl pkcs7 -print_certs -text -noout | grep Subject: | tail -1 | cut -d= -f2)
PREFERRED_CHAIN=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt" | openssl pkcs7 -print_certs -text -noout | grep Subject: | tail -1 | awk -F"CN=" '{ print $2 }')
fi
# verify both rsa and ecdsa certificates include the chain root
final_issuer=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.crt" | openssl pkcs7 -print_certs -text -noout | grep Subject: | tail -1 | cut -d= -f2)
[ "$PREFERRED_CHAIN" = "$final_issuer" ]
ecdsa_final_issuer=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.ec.crt" | openssl pkcs7 -print_certs -text -noout | grep Subject: | tail -1 | cut -d= -f2)
[ "$PREFERRED_CHAIN" = "$ecdsa_final_issuer" ]
final_issuer=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.crt" | openssl pkcs7 -print_certs -text -noout | grep Subject: | tail -1 | awk -F"CN=" '{ print $2 }')
if [[ "${PREFERRED_CHAIN}" != "$final_issuer" ]]; then
echo "# PREFERRED_CHAIN=$PREFERRED_CHAIN"
echo "# final_issuer=$final_issuer"
fi
[ "${PREFERRED_CHAIN}" = "$final_issuer" ]
ecdsa_final_issuer=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.ec.crt" | openssl pkcs7 -print_certs -text -noout | grep Subject: | tail -1 | awk -F"CN=" '{ print $2 }')
if [[ "$PREFERRED_CHAIN" != "$ecdsa_final_issuer" ]]; then
echo "# PREFERRED_CHAIN=$PREFERRED_CHAIN"
echo "# ecdsa_final_issuer=$ecdsa_final_issuer"
fi
[ "${PREFERRED_CHAIN}" = "$ecdsa_final_issuer" ]
}
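Review bot: The "dual certificates" test (hunk `@ -27,22 +27,27`) sets `PREFERRED_CHAIN="(STAGING) Doctored Durian Root CA X3"` unescaped before CONFIG_FILE, while test 35 writes the escaped `\(STAGING\) …` form into the config and keeps the plain spelling in a separate CHECK_CHAIN; if the lines not shown pass this value into getssl.cfg, the parentheses reach getssl's `*${PREFERRED_CHAIN}*` glob unescaped, which getssl's own template comment says may need escaping and which would be read as an extglob pattern if extglob were enabled. Splitting it the same way as test 35 (`PREFERRED_CHAIN="\(STAGING\) Doctored Durian Root CA X3"` for the config and a plain `CHECK_CHAIN` for the comparisons) would keep the two test files consistent. The `if … != …; then echo …; fi` block followed by a repeated `[ … = … ]` now appears four times across the two files; a small helper in the shared setup, or bats' `assert_equal`, would give the same diagnostics in one line. Both @test bodies extend beyond the hunks.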
