From 84996161286c36d1503e4eba691bace27e9db27b Mon Sep 17 00:00:00 2001
From: Tim Kimber
Date: Tue, 14 Jul 2020 21:40:30 +0100
Subject: [PATCH 1/5] Support centos8
---
 test/Dockerfile-centos8 | 20 ++++++++++++++++++++
 test/restart-nginx | 2 +-
 test/test_helper.bash | 2 +-
 3 files changed, 22 insertions(+), 2 deletions(-)
 create mode 100644 test/Dockerfile-centos8
diff --git a/test/Dockerfile-centos8 b/test/Dockerfile-centos8
new file mode 100644
index 0000000..15c14d6
--- /dev/null
+++ b/test/Dockerfile-centos8
@@ -0,0 +1,20 @@
+FROM centos:centos8
+
+# Note this image uses drill, does not have dig or nslookup installed
+
+# Update and install required software
+RUN yum -y update
+RUN yum -y install epel-release
+RUN yum -y install git curl bind-utils wget which nginx
+
+WORKDIR /root
+RUN mkdir /etc/nginx/pki
+RUN mkdir /etc/nginx/pki/private
+COPY ./test/test-config/nginx-ubuntu-no-ssl /etc/nginx/conf.d/default.conf
+COPY ./test/test-config/nginx-centos7.conf /etc/nginx/nginx.conf
+
+# BATS (Bash Automated Testings)
+RUN git clone https://github.com/bats-core/bats-core.git /bats-core
+RUN git clone https://github.com/bats-core/bats-support /bats-support
+RUN git clone https://github.com/bats-core/bats-assert /bats-assert
+RUN /bats-core/install.sh /usr/local
diff --git a/test/restart-nginx b/test/restart-nginx
index e62433d..4dc8af0 100755
--- a/test/restart-nginx
+++ b/test/restart-nginx
@@ -3,7 +3,7 @@
 if [ "$GETSSL_OS" = "alpine" ]; then
 killall -HUP nginx >&3-
 sleep 5
-elif [ "$GETSSL_OS" == "centos7" ]; then
+elif [[ "$GETSSL_OS" == "centos"[78] ]]; then
 pgrep nginx | head -1 | xargs kill -HUP
 sleep 5
 else
diff --git a/test/test_helper.bash b/test/test_helper.bash
index fafad5c..9358619 100644
--- a/test/test_helper.bash
+++ b/test/test_helper.bash
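Review bot: The three `git clone` lines in test/Dockerfile-centos8 fetch bats-core, bats-support and bats-assert from the default branch with no tag or commit pinned, and `RUN /bats-core/install.sh /usr/local` then executes whatever that branch holds at build time, so the test image is neither reproducible nor reviewable and can change or break without any change to this repository. Pinning each clone, e.g. `RUN git clone --depth 1 --branch <BATS_CORE_TAG> https://github.com/bats-core/bats-core.git /bats-core` (tag is a placeholder), fixes both; the other two clones need the same. Separately, `RUN yum -y update` sits in its own layer and the seven `RUN` lines could be one chained step ending in `yum clean all`, which keeps the image smaller and the cache coherent. The header comment says the image has no dig, yet `bind-utils` is installed two lines later; worth reconciling the comment with the package list.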
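Review bot: The new `"centos"[78]` pattern in test/restart-nginx matches only the two literal values `centos7` and `centos8`, and the same pattern is repeated in the test/test_helper.bash hunk below, so every future CentOS-family addition has to be made in two places; a short comment at each site would make the coupling visible: `# exact values centos7 / centos8 only - keep in sync with test_helper.bash`. Whether the `centos7-staging` workflow job reaches this code with GETSSL_OS set to `centos7` rather than `centos7-staging` is not visible in this patch; if the suffix is passed through, both sites fall into the `else` branch, so it is worth confirming against test/run-test.sh. The `if` chain starts before the hunk in both files.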
@@ -72,7 +72,7 @@ if [[ -f /usr/bin/supervisord && -f /etc/supervisord.conf ]]; then
 if [[ ! $(pgrep supervisord) ]]; then
 /usr/bin/supervisord -c /etc/supervisord.conf >&3-
 fi
-elif [ "$GETSSL_OS" == "centos7" ]; then
+elif [[ "$GETSSL_OS" == "centos"[78] ]]; then
 if [ -z "$(pgrep nginx)" ]; then
 nginx >&3-
 fi
From 31958a27f3395e9256ef579dc91e5f1a6c29609e Mon Sep 17 00:00:00 2001
From: Tim Kimber
Date: Tue, 14 Jul 2020 21:40:51 +0100
Subject: [PATCH 2/5] Check error message shown if ACL has a leading space
---
 test/16-test-bad-acl.bats | 23 +++++++++++++++++
 test/test-config/getssl-http01-bad-acl.cfg | 29 ++++++++++++++++++++++
 2 files changed, 52 insertions(+)
 create mode 100644 test/16-test-bad-acl.bats
 create mode 100644 test/test-config/getssl-http01-bad-acl.cfg
diff --git a/test/16-test-bad-acl.bats b/test/16-test-bad-acl.bats
new file mode 100644
index 0000000..d953951
--- /dev/null
+++ b/test/16-test-bad-acl.bats
@@ -0,0 +1,23 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+setup() {
+ export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+}
+
+
+@test "Test behaviour if ACL= line has a space" {
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
+ CONFIG_FILE="getssl-http01-bad-acl.cfg"
+ setup_environment
+ init_getssl
+ create_certificate
+ assert_failure
+}
diff --git a/test/test-config/getssl-http01-bad-acl.cfg b/test/test-config/getssl-http01-bad-acl.cfg
new file mode 100644
index 0000000..461d3a3
--- /dev/null
+++ b/test/test-config/getssl-http01-bad-acl.cfg
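Review bot: The new test in test/16-test-bad-acl.bats only calls `assert_failure` after `create_certificate`, so it proves getssl exits non-zero with the malformed ACL line but not that the error message the commit title promises is shown; adding `assert_output --partial "<expected error text>"` after `assert_failure` (text taken from getssl's actual message) would pin the behaviour the test is named for. This presumes `create_certificate` in test_helper.bash runs getssl via `run` so that `$status` and `$output` are set for the assertions; that helper is outside this patch and worth checking, since a helper that itself asserts success would fail before reaching `assert_failure`. Nothing in the test cleans up after itself, so a `cleanup_environment` call (used by the other test files in this series) or a `teardown()` would stop a failure here from leaking state into the next test file.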
@@ -0,0 +1,29 @@
+# Uncomment and modify any variables you need
+# see https://github.com/srvrco/getssl/wiki/Config-variables for details
+# see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
+#
+CA="https://pebble:14000/dir"
+
+# Additional domains - this could be multiple domains / subdomains in a comma separated list
+SANS=""
+
+# Acme Challenge Location.
+ACL= ('/var/www/html/.well-known/acme-challenge')
+
+#Set USE_SINGLE_ACL="true" to use a single ACL for all checks
+USE_SINGLE_ACL="false"
+
+# Location for all your certs, these can either be on the server (full path name)
+# or using ssh /sftp as for the ACL
+DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
+DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
+CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
+DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
+DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
+
+# The command needed to reload apache / nginx or whatever you use
+RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
+
+# Define the server type and confirm correct certificate is installed
+SERVER_TYPE="https"
+CHECK_REMOTE="true"
From 13f3a8b8def1510f8d5f362952e32cc001101c76 Mon Sep 17 00:00:00 2001
From: Tim Kimber
Date: Tue, 14 Jul 2020 21:41:21 +0100
Subject: [PATCH 3/5] Support space delimited SANS
---
 getssl | 15 ++--
 test/15-test-revoke-no-suffix.bats | 4 +-
 test/17-test-spaces-in-sans.bats | 75 +++++++++++++++++++
 ...tp01-spaces-sans-and-ignore-dir-domain.cfg | 29 +++++++
 .../test-config/getssl-http01-spaces-sans.cfg | 28 +++++++
 5 files changed, 143 insertions(+), 8 deletions(-)
 create mode 100644 test/17-test-spaces-in-sans.bats
 create mode 100644 test/test-config/getssl-http01-spaces-sans-and-ignore-dir-domain.cfg
 create mode 100644 test/test-config/getssl-http01-spaces-sans.cfg
diff --git a/getssl b/getssl
index 4a1a43c..a5e72cf 100755
--- a/getssl
+++ b/getssl
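Review bot: `ACL= ('/var/www/html/.well-known/acme-challenge')` is the deliberately broken line this fixture exists for, but nothing marks it as intentional, so a later reader or a linter will "fix" the stray space and silently turn test/16-test-bad-acl.bats into a success-path test; a comment on the line above, `# Deliberately malformed: the space after ACL= is the error condition checked by test/16-test-bad-acl.bats`, would prevent that. The header reused from the other configs (`# Uncomment and modify any variables you need`) does not apply to a test fixture and could be dropped.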
@@ -231,11 +231,14 @@
 # 2020-05-06 Fix missing fullchain.ec.crt when creating dual certificates (2.27)
 # 2020-05-14 Add --notify-valid option (exit 2 if certificate is valid)
 # 2020-05-23 Fix --revoke (didn't work with ACMEv02) (2.28)
+# 2020-06-06 Fix missing URL_revoke definition when no CA directory suffix (#566)
+# 2020-06-18 Fix CHECK_REMOTE for DUAL_RSA_ECDSA (#570)
+# 2020-07-14 Support space separated SANS (#574) (2.29)
 # ----------------------------------------------------------------------------------------
 PROGNAME=${0##*/}
 PROGDIR="$(cd "$(dirname "$0")" || exit; pwd -P;)"
-VERSION="2.28"
+VERSION="2.29"
 # defaults
 ACCOUNT_KEY_LENGTH=4096
@@ -497,7 +500,7 @@ check_config() { # check the config files for all obvious errors
 # get all domains
 if [[ "$IGNORE_DIRECTORY_DOMAIN" == "true" ]]; then
- alldomains=${SANS//,/ }
+ alldomains=${SANS//[, ]/ }
 else
 alldomains=$(echo "$DOMAIN,$SANS" | sed "s/,/ /g")
 fi
@@ -784,7 +787,7 @@ create_csr() { # create a csr using a given key (if it doesn't already exist)
 if [[ "$IGNORE_DIRECTORY_DOMAIN" == "true" ]]; then
 alldomains=$(echo "$SANS" | sed -e 's/ //g; s/,$//; y/,/\n/' | sort -u)
 else
- alldomains=$(echo "$DOMAIN,$SANS" | sed -e 's/ //g; s/,$//; y/,/\n/' | sort -u)
+ alldomains=$(echo "$DOMAIN,$SANS" | sed -e 's/,/ /g; s/ $//; y/ /\n/' | sort -u)
 fi
 domains_in_csr=$(openssl req -text -noout -in "$csr_file" \
 | sed -n -e 's/^ *Subject: .* CN=\([A-Za-z0-9.-]*\).*$/\1/p; /^ *DNS:.../ { s/ *DNS://g; y/,/\n/; p; }' \
@@ -2695,9 +2698,9 @@ fi
 if [[ -z "$SANS" ]]; then
 SANLIST="subjectAltName=DNS:${DOMAIN}"
 elif [[ "$IGNORE_DIRECTORY_DOMAIN" == "true" ]]; then
- SANLIST="subjectAltName=DNS:${SANS//,/,DNS:}"
+ SANLIST="subjectAltName=DNS:${SANS//[, ]/,DNS:}"
 else
- SANLIST="subjectAltName=DNS:${DOMAIN},DNS:${SANS//,/,DNS:}"
+ SANLIST="subjectAltName=DNS:${DOMAIN},DNS:${SANS//[, ]/,DNS:}"
 fi
 debug "created SAN list = $SANLIST"
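Review bot: In the `@@ -784,7 +787,7 @@` hunk only the `else` branch of create_csr is converted to the space-tolerant form; the `IGNORE_DIRECTORY_DOMAIN` branch two lines above still runs `sed -e 's/ //g; s/,$//; y/,/\n/'`, which deletes spaces, so a space-separated SANS like the one in the new fixtures collapses into a single concatenated name there and the CSR-versus-config comparison that follows cannot match. That branch should use the same expression as the new line: `alldomains=$(echo "$SANS" | sed -e 's/,/ /g; s/ $//; y/ /\n/' | sort -u)`. The new expression itself turns `a, b` (comma followed by a space) into two spaces and hence an empty line in the sorted list, and `s/ $//` strips only one trailing space; squeezing separators first, `s/[, ][, ]*/ /g`, avoids both. create_csr continues outside the hunk.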
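Review bot: `${SANS//[, ]/,DNS:}` in the `@@ -2695,9 +2698,9 @@` hunk replaces every separator character individually, so a value written as `a.example, b.example` (comma plus space, a common way to write a list) becomes `DNS:a.example,DNS:,DNS:b.example` with an empty `DNS:` entry in the subjectAltName handed to openssl; the same pattern in the `@@ -497` and `@@ -2757` hunks only yields harmless double spaces. Normalising the list once before building SANLIST avoids it: `sans_csv=$(echo "$SANS" | sed -e 's/[, ][, ]*/,/g; s/^,//; s/,$//')` followed by `SANLIST="subjectAltName=DNS:${DOMAIN},DNS:${sans_csv//,/,DNS:}"` (and the equivalent in the `IGNORE_DIRECTORY_DOMAIN` branch). The existing `debug "created SAN list = $SANLIST"` line then shows the normalised value in verbose output.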
@@ -2757,7 +2760,7 @@ info "Verify each domain"
 # loop through domains for cert ( from SANS list)
 if [[ "$IGNORE_DIRECTORY_DOMAIN" == "true" ]]; then
- alldomains=${SANS//,/ }
+ alldomains=${SANS//[, ]/ }
 else
 alldomains=$(echo "$DOMAIN,$SANS" | sed "s/,/ /g")
 fi
diff --git a/test/15-test-revoke-no-suffix.bats b/test/15-test-revoke-no-suffix.bats
index ce97ddd..7b19c5a 100644
--- a/test/15-test-revoke-no-suffix.bats
+++ b/test/15-test-revoke-no-suffix.bats
@@ -11,7 +11,7 @@ setup() {
 }
-@test "Create certificate to check revoke" {
+@test "Create certificate to check revoke (no suffix)" {
 if [ -n "$STAGING" ]; then
 CONFIG_FILE="getssl-staging-dns01-no-suffix.cfg"
 else
@@ -26,7 +26,7 @@ setup() {
 }
-@test "Check we can revoke a certificate" {
+@test "Check we can revoke a certificate (no suffix)" {
 if [ -n "$STAGING" ]; then
 CONFIG_FILE="getssl-staging-dns01.cfg"
 else
diff --git a/test/17-test-spaces-in-sans.bats b/test/17-test-spaces-in-sans.bats
new file mode 100644
index 0000000..01e7090
--- /dev/null
+++ b/test/17-test-spaces-in-sans.bats
@@ -0,0 +1,75 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+setup() {
+ export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+}
+
+
+@test "Test behaviour if SANS line is space separated instead of comma separated" {
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
+ CONFIG_FILE="getssl-http01-spaces-sans.cfg"
+ setup_environment
+
+ # Add hosts to DNS (also need to be added as aliases in docker-compose.yml)
+ for prefix in a b c; do
+ curl --silent -X POST -d '{"host":"'$prefix.$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
+ done
+
+ init_getssl
+ create_certificate
+ assert_success
+ check_output_for_errors
+}
+
+
+@test "Test renewal if SANS line is space separated instead of comma separated" {
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
+ run ${CODE_DIR}/getssl -f $GETSSL_HOST
+ assert_success
+ check_output_for_errors
+ cleanup_environment
+}
+
+
+@test "Test behaviour if SANS line is space separated and IGNORE_DIRECTORY_DOMAIN" {
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
+ CONFIG_FILE="getssl-http01-spaces-sans-and-ignore-dir-domain.cfg"
+ setup_environment
+
+ # Add hosts to DNS (also need to be added as aliases in docker-compose.yml)
+ for prefix in a b c; do
+ curl --silent -X POST -d '{"host":"'$prefix.$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
+ done
+
+ init_getssl
+ create_certificate
+ assert_success
+ check_output_for_errors
+}
+
+
+@test "Test renewal if SANS line is space separated and IGNORE_DIRECTORY_DOMAIN" {
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
+ run ${CODE_DIR}/getssl -f $GETSSL_HOST
+ assert_success
+ check_output_for_errors
+ cleanup_environment
+
+ for prefix in a b c; do
+ curl --silent -X POST -d '{"host":"'$prefix.$GETSSL_HOST'"}' http://10.30.50.3:8055/clear-a
+ done
+}
diff --git a/test/test-config/getssl-http01-spaces-sans-and-ignore-dir-domain.cfg b/test/test-config/getssl-http01-spaces-sans-and-ignore-dir-domain.cfg
new file mode 100644
index 0000000..1b3cdca
--- /dev/null
+++ b/test/test-config/getssl-http01-spaces-sans-and-ignore-dir-domain.cfg
@@ -0,0 +1,29 @@
+# Uncomment and modify any variables you need
+# see https://github.com/srvrco/getssl/wiki/Config-variables for details
+# see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
+
+CA="https://pebble:14000/dir"
+
+# Ignore directory domain (i.e. the domain passed on the command line), and just use the domains in the SANS list
+IGNORE_DIRECTORY_DOMAIN="true"
+SANS="a.${GETSSL_HOST} b.${GETSSL_HOST} c.${GETSSL_HOST}"
+
+# Acme Challenge Location.
+ACL=('/var/www/html/.well-known/acme-challenge')
+
+# Use a single ACL for all checks
+USE_SINGLE_ACL="true"
+
+# Location for all your certs, these can either be on the server (full path name)
+DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
+DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
+CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
+DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
+DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
+
+# The command needed to reload apache / nginx or whatever you use
+RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
+
+# Define the server type and confirm correct certificate is installed
+SERVER_TYPE="https"
+CHECK_REMOTE="true"
diff --git a/test/test-config/getssl-http01-spaces-sans.cfg b/test/test-config/getssl-http01-spaces-sans.cfg
new file mode 100644
index 0000000..c93b4f7
--- /dev/null
+++ b/test/test-config/getssl-http01-spaces-sans.cfg
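Review bot: Each `curl --silent -X POST ... http://10.30.50.3:8055/add-a` call in test/17-test-spaces-in-sans.bats discards both the exit status and the HTTP result, so a failed DNS registration only surfaces later as an unrelated validation failure inside getssl; `curl --silent --fail -X POST -d '{"host":"'$prefix.$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a || fail "add-a failed for $prefix.$GETSSL_HOST"` reports it at the point of failure (`fail` is provided by the bats-support load at the top of the file). The matching `clear-a` loop runs only in the last test, so if an earlier test fails the records stay registered for the next test file; a `teardown()` or a clear loop in each test that adds records would be more robust. Both points apply verbatim to test/17-test-spaces-in-sans-dns01.bats in patch 5/5.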
@@ -0,0 +1,28 @@
+# Uncomment and modify any variables you need
+# see https://github.com/srvrco/getssl/wiki/Config-variables for details
+# see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
+
+CA="https://pebble:14000/dir"
+
+# Additional domains - this could be multiple domains / subdomains in a comma separated list
+SANS="a.${GETSSL_HOST} b.${GETSSL_HOST} c.${GETSSL_HOST}"
+
+# Acme Challenge Location.
+ACL=('/var/www/html/.well-known/acme-challenge')
+
+# Use a single ACL for all checks
+USE_SINGLE_ACL="true"
+
+# Location for all your certs, these can either be on the server (full path name)
+DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
+DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
+CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
+DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
+DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
+
+# The command needed to reload apache / nginx or whatever you use
+RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
+
+# Define the server type and confirm correct certificate is installed
+SERVER_TYPE="https"
+CHECK_REMOTE="true"
From ed880a39feeb459f83473e13440cb5c14ab3a4ed Mon Sep 17 00:00:00 2001
From: Tim Kimber
Date: Wed, 15 Jul 2020 14:34:49 +0100
Subject: [PATCH 4/5] Add centos8
---
 .github/workflows/run-all-tests.yml | 172 +++++++++++++++------------
 1 file changed, 90 insertions(+), 82 deletions(-)
diff --git a/.github/workflows/run-all-tests.yml b/.github/workflows/run-all-tests.yml
index 08fb41b..7bb05dc 100644
--- a/.github/workflows/run-all-tests.yml
+++ b/.github/workflows/run-all-tests.yml
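Review bot: The comment above `SANS` in test/test-config/getssl-http01-spaces-sans.cfg still reads `... in a comma separated list` while the value beneath it is deliberately space separated, which is the exact behaviour this fixture exists to exercise; `# Additional domains - deliberately space separated (getssl accepts comma or space separators, see #574)` states the intent and stops someone "correcting" the value to commas. test/test-config/getssl-dns01-spaces-sans.cfg in patch 5/5 carries the same comment and needs the same change.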
@@ -1,82 +1,90 @@ -name: Run all tests -on: - push: - branches: - - master - pull_request: - branches: - - master -jobs: - test-alpine: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v1 - - name: Build the docker-compose stack - run: docker-compose up -d --build - - name: Run test suite on Alpine - run: test/run-test.sh alpine - test-centos6: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v1 - - name: Build the docker-compose stack - run: docker-compose up -d --build - - name: Run test suite on CentOS6 - run: test/run-test.sh centos6 - test-centos7: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v1 - - name: Build the docker-compose stack - run: docker-compose up -d --build - - name: Run test suite on CentOS7 - run: test/run-test.sh centos7 - test-centos7-staging: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v1 - - name: Build the docker-compose stack - run: docker-compose up -d --build - - name: Run test suite on CentOS7 against Staging using DuckDNS - run: test/run-test.sh centos7-staging - test-debian: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v1 - - name: Build the docker-compose stack - run: docker-compose up -d --build - - name: Run test suite on Debian - run: test/run-test.sh debian - test-ubuntu: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v1 - - name: Build the docker-compose stack - run: docker-compose up -d --build - - name: Run test suite on Ubuntu - run: test/run-test.sh ubuntu - test-ubuntu16: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v1 - - name: Build the docker-compose stack - run: docker-compose up -d --build - - name: Run test suite on Ubuntu16 - run: test/run-test.sh ubuntu16 - test-ubuntu18: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v1 - - name: Build the docker-compose stack - run: docker-compose up -d --build - - name: Run test suite on Ubuntu18 - run: test/run-test.sh ubuntu18 - test-ubuntu-staging: - needs: 
test-centos7-staging - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v1 - - name: Build the docker-compose stack - run: docker-compose up -d --build - - name: Run test suite on Ubuntu against Staging using DuckDNS - run: test/run-test.sh ubuntu-staging +name: Run all tests +on: + push: + branches: + - master + pull_request: + branches: + - master +jobs: + test-alpine: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v1 + - name: Build the docker-compose stack + run: docker-compose up -d --build + - name: Run test suite on Alpine + run: test/run-test.sh alpine + test-centos6: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v1 + - name: Build the docker-compose stack + run: docker-compose up -d --build + - name: Run test suite on CentOS6 + run: test/run-test.sh centos6 + test-centos7: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v1 + - name: Build the docker-compose stack + run: docker-compose up -d --build + - name: Run test suite on CentOS7 + run: test/run-test.sh centos7 + test-centos7-staging: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v1 + - name: Build the docker-compose stack + run: docker-compose up -d --build + - name: Run test suite on CentOS7 against Staging using DuckDNS + run: test/run-test.sh centos7-staging + test-centos8: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v1 + - name: Build the docker-compose stack + run: docker-compose up -d --build + - name: Run test suite on CentOS8 + run: test/run-test.sh centos8 + test-debian: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v1 + - name: Build the docker-compose stack + run: docker-compose up -d --build + - name: Run test suite on Debian + run: test/run-test.sh debian + test-ubuntu: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v1 + - name: Build the docker-compose stack + run: docker-compose up -d --build + - name: Run test suite on Ubuntu + run: test/run-test.sh ubuntu + test-ubuntu16: + 
runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v1 + - name: Build the docker-compose stack + run: docker-compose up -d --build + - name: Run test suite on Ubuntu16 + run: test/run-test.sh ubuntu16 + test-ubuntu18: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v1 + - name: Build the docker-compose stack + run: docker-compose up -d --build + - name: Run test suite on Ubuntu18 + run: test/run-test.sh ubuntu18 + test-ubuntu-staging: + needs: test-centos7-staging + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v1 + - name: Build the docker-compose stack + run: docker-compose up -d --build + - name: Run test suite on Ubuntu against Staging using DuckDNS + run: test/run-test.sh ubuntu-staging From 5c66f2956d85e87078958b5519fb64c512fe6a7a Mon Sep 17 00:00:00 2001 From: Tim Kimber Date: Thu, 16 Jul 2020 11:37:02 +0100 Subject: [PATCH 5/5] Test space delimited SANS using DNS-01 authentication --- test/17-test-spaces-in-sans-dns01.bats | 75 +++++++++++++++++++ ...ats => 17-test-spaces-in-sans-http01.bats} | 8 +- test/9-multiple-domains-dns01.bats | 4 +- ... getssl-dns01-ignore-directory-domain.cfg} | 0 ....cfg => getssl-dns01-multiple-domains.cfg} | 0 ...ns01-spaces-sans-and-ignore-dir-domain.cfg | 35 +++++++++ test/test-config/getssl-dns01-spaces-sans.cfg | 34 +++++++++ 7 files changed, 150 insertions(+), 6 deletions(-) create mode 100644 test/17-test-spaces-in-sans-dns01.bats rename test/{17-test-spaces-in-sans.bats => 17-test-spaces-in-sans-http01.bats} (94%) rename test/test-config/{getssl-ignore-directory-domain.cfg => getssl-dns01-ignore-directory-domain.cfg} (100%) rename test/test-config/{getssl-multiple-domains-dns01.cfg => getssl-dns01-multiple-domains.cfg} (100%) create mode 100644 test/test-config/getssl-dns01-spaces-sans-and-ignore-dir-domain.cfg create mode 100644 test/test-config/getssl-dns01-spaces-sans.cfg 
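Review bot: The hunk deletes and re-adds all 82 lines of .github/workflows/run-all-tests.yml to add one eight-line `test-centos8` job; every other line comes back unchanged, which presumably means a line-ending or trailing-whitespace conversion was committed together with the functional change, and it leaves the real diff impossible to review or blame. Committing the whitespace change separately would fix that. Style-wise, the new job is the ninth copy of the same four steps; one matrix job covers every non-staging distribution and turns the next addition into a one-word change, while the two staging jobs (test-ubuntu-staging is chained to test-centos7-staging via `needs:`) stay as they are. Since the `actions/checkout@v1` lines are being rewritten anyway, this is also the moment to pin that action to a commit SHA rather than a mutable tag.
```yaml
jobs:
  test:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        os: [alpine, centos6, centos7, centos8, debian, ubuntu, ubuntu16, ubuntu18]
    steps:
      - uses: actions/checkout@v1
      - name: Build the docker-compose stack
        run: docker-compose up -d --build
      - name: Run test suite on ${{ matrix.os }}
        run: test/run-test.sh ${{ matrix.os }}
  # … unchanged: test-centos7-staging and test-ubuntu-staging jobs …
```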
diff --git a/test/17-test-spaces-in-sans-dns01.bats b/test/17-test-spaces-in-sans-dns01.bats
new file mode 100644
index 0000000..c54de7b
--- /dev/null
+++ b/test/17-test-spaces-in-sans-dns01.bats
@@ -0,0 +1,75 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+setup() {
+ export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+}
+
+
+@test "Test behaviour if SANS line is space separated instead of comma separated (dns01)" {
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
+ CONFIG_FILE="getssl-dns01-spaces-sans.cfg"
+ setup_environment
+
+ # Add hosts to DNS (also need to be added as aliases in docker-compose.yml)
+ for prefix in a b c; do
+ curl --silent -X POST -d '{"host":"'$prefix.$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
+ done
+
+ init_getssl
+ create_certificate
+ assert_success
+ check_output_for_errors
+}
+
+
+@test "Test renewal if SANS line is space separated instead of comma separated (dns01)" {
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
+ run ${CODE_DIR}/getssl -f $GETSSL_HOST
+ assert_success
+ check_output_for_errors
+ cleanup_environment
+}
+
+
+@test "Test behaviour if SANS line is space separated and IGNORE_DIRECTORY_DOMAIN (dns01)" {
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
+ CONFIG_FILE="getssl-dns01-spaces-sans-and-ignore-dir-domain.cfg"
+ setup_environment
+
+ # Add hosts to DNS (also need to be added as aliases in docker-compose.yml)
+ for prefix in a b c; do
+ curl --silent -X POST -d '{"host":"'$prefix.$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
+ done
+
+ init_getssl
+ create_certificate
+ assert_success
+ check_output_for_errors
+}
+
+
+@test "Test renewal if SANS line is space separated and IGNORE_DIRECTORY_DOMAIN (dns01)" {
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
+ run ${CODE_DIR}/getssl -f $GETSSL_HOST
+ assert_success
+ check_output_for_errors
+ cleanup_environment
+
+ for prefix in a b c; do
+ curl --silent -X POST -d '{"host":"'$prefix.$GETSSL_HOST'"}' http://10.30.50.3:8055/clear-a
+ done
+}
diff --git a/test/17-test-spaces-in-sans.bats b/test/17-test-spaces-in-sans-http01.bats
similarity index 94%
rename from test/17-test-spaces-in-sans.bats
rename to test/17-test-spaces-in-sans-http01.bats
index 01e7090..2d2d667 100644
--- a/test/17-test-spaces-in-sans.bats
+++ b/test/17-test-spaces-in-sans-http01.bats
@@ -11,7 +11,7 @@ setup() {
 }
-@test "Test behaviour if SANS line is space separated instead of comma separated" {
+@test "Test behaviour if SANS line is space separated instead of comma separated (http01)" {
 if [ -n "$STAGING" ]; then
 skip "Using staging server, skipping internal test"
 fi
@@ -30,7 +30,7 @@ setup() {
 }
-@test "Test renewal if SANS line is space separated instead of comma separated" {
+@test "Test renewal if SANS line is space separated instead of comma separated (http01)" {
 if [ -n "$STAGING" ]; then
 skip "Using staging server, skipping internal test"
 fi
@@ -41,7 +41,7 @@ setup() {
 }
-@test "Test behaviour if SANS line is space separated and IGNORE_DIRECTORY_DOMAIN" {
+@test "Test behaviour if SANS line is space separated and IGNORE_DIRECTORY_DOMAIN (http01)" {
 if [ -n "$STAGING" ]; then
 skip "Using staging server, skipping internal test"
 fi
@@ -60,7 +60,7 @@ setup() {
 }
-@test "Test renewal if SANS line is space separated and IGNORE_DIRECTORY_DOMAIN" {
+@test "Test renewal if SANS line is space separated and IGNORE_DIRECTORY_DOMAIN (http01)" {
 if [ -n "$STAGING" ]; then
 skip "Using staging server, skipping internal test"
 fi
diff --git a/test/9-multiple-domains-dns01.bats b/test/9-multiple-domains-dns01.bats
index c1de91c..65eab09 100644
--- a/test/9-multiple-domains-dns01.bats
+++ b/test/9-multiple-domains-dns01.bats
@@ -16,7 +16,7 @@ setup() {
 if [ -n "$STAGING" ]; then
 skip "Using staging server, skipping internal test"
 fi
- CONFIG_FILE="getssl-multiple-domains-dns01.cfg"
+ CONFIG_FILE="getssl-dns01-multiple-domains.cfg"
 setup_environment
 # Add top level domain from SANS to DNS
@@ -47,7 +47,7 @@ setup() {
 if [ -n "$STAGING" ]; then
 skip "Using staging server, skipping internal test"
 fi
- CONFIG_FILE="getssl-ignore-directory-domain.cfg"
+ CONFIG_FILE="getssl-dns01-ignore-directory-domain.cfg"
 setup_environment
 # Add top level domain from SANS to DNS
diff --git a/test/test-config/getssl-ignore-directory-domain.cfg b/test/test-config/getssl-dns01-ignore-directory-domain.cfg
similarity index 100%
rename from test/test-config/getssl-ignore-directory-domain.cfg
rename to test/test-config/getssl-dns01-ignore-directory-domain.cfg
diff --git a/test/test-config/getssl-multiple-domains-dns01.cfg b/test/test-config/getssl-dns01-multiple-domains.cfg
similarity index 100%
rename from test/test-config/getssl-multiple-domains-dns01.cfg
rename to test/test-config/getssl-dns01-multiple-domains.cfg
diff --git a/test/test-config/getssl-dns01-spaces-sans-and-ignore-dir-domain.cfg b/test/test-config/getssl-dns01-spaces-sans-and-ignore-dir-domain.cfg
new file mode 100644
index 0000000..453d046
--- /dev/null
+++ b/test/test-config/getssl-dns01-spaces-sans-and-ignore-dir-domain.cfg
@@ -0,0 +1,35 @@
+# Uncomment and modify any variables you need
+# see https://github.com/srvrco/getssl/wiki/Config-variables for details
+# see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
+
+CA="https://pebble:14000/dir"
+
+VALIDATE_VIA_DNS=true
+DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv"
+DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv"
+PUBLIC_DNS_SERVER=10.30.50.3
+DNS_EXTRA_WAIT=""
+
+# Ignore directory domain (i.e. the domain passed on the command line), and just use the domains in the SANS list
+IGNORE_DIRECTORY_DOMAIN="true"
+SANS="a.${GETSSL_HOST} b.${GETSSL_HOST} c.${GETSSL_HOST}"
+
+# Acme Challenge Location.
+ACL=('/var/www/html/.well-known/acme-challenge')
+
+# Use a single ACL for all checks
+USE_SINGLE_ACL="true"
+
+# Location for all your certs, these can either be on the server (full path name)
+DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
+DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
+CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
+DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
+DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
+
+# The command needed to reload apache / nginx or whatever you use
+RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
+
+# Define the server type and confirm correct certificate is installed
+SERVER_TYPE="https"
+CHECK_REMOTE="true"
diff --git a/test/test-config/getssl-dns01-spaces-sans.cfg b/test/test-config/getssl-dns01-spaces-sans.cfg
new file mode 100644
index 0000000..2b7e02b
--- /dev/null
+++ b/test/test-config/getssl-dns01-spaces-sans.cfg
@@ -0,0 +1,34 @@
+# Uncomment and modify any variables you need
+# see https://github.com/srvrco/getssl/wiki/Config-variables for details
+# see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
+
+CA="https://pebble:14000/dir"
+
+VALIDATE_VIA_DNS=true
+DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv"
+DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv"
+PUBLIC_DNS_SERVER=10.30.50.3
+DNS_EXTRA_WAIT=""
+
+# Additional domains - this could be multiple domains / subdomains in a comma separated list
+SANS="a.${GETSSL_HOST} b.${GETSSL_HOST} c.${GETSSL_HOST}"
+
+# Acme Challenge Location.
+ACL=('/var/www/html/.well-known/acme-challenge')
+
+# Use a single ACL for all checks
+USE_SINGLE_ACL="true"
+
+# Location for all your certs, these can either be on the server (full path name)
+DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
+DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
+CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
+DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
+DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
+
+# The command needed to reload apache / nginx or whatever you use
+RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
+
+# Define the server type and confirm correct certificate is installed
+SERVER_TYPE="https"
+CHECK_REMOTE="true"