Merge branch 'master' of github.com:srvrco/getssl

docker-compose.yml

@@ -7,8 +7,6 @@ services:
     environment:
       # with Go 1.13.x which defaults TLS 1.3 to on
       GODEBUG: "tls13=1"
-      # Don't re-use authorisations (breaks force renew test scripts)
-      # PEBBLE_AUTHZREUSE: "0"
     ports:
       - 14000:14000  # HTTPS ACME API
       - 15000:15000  # HTTPS Management API
@@ -23,33 +21,33 @@ services:
     networks:
       acmenet:
         ipv4_address: 10.30.50.3
-  getssl-ubuntu18:
+  getssl-alpine:
     build:
       context: .
-      dockerfile: test/Dockerfile-ubuntu18
-    container_name: getssl-ubuntu18
+      dockerfile: test/Dockerfile-alpine
+    container_name: getssl-alpine
     volumes:
       - .:/getssl
     environment:
-      GETSSL_HOST: ubuntu18.getssl.test
-      GETSSL_IP: 10.30.50.4
-      NGINX_CONFIG: /etc/nginx/sites-enabled/default
+      GETSSL_HOST: alpine.getssl.test
+      GETSSL_IP: 10.30.50.10
+      NGINX_CONFIG: /etc/nginx/conf.d/default.conf
     networks:
       acmenet:
-        ipv4_address: 10.30.50.4
+        ipv4_address: 10.30.50.10
         aliases:
-          - ubuntu18.getssl.test
-          - a.ubuntu18.getssl.test
-          - b.ubuntu18.getssl.test
-          - c.ubuntu18.getssl.test
-          - d.ubuntu18.getssl.test
-          - e.ubuntu18.getssl.test
-          - f.ubuntu18.getssl.test
-          - g.ubuntu18.getssl.test
-          - h.ubuntu18.getssl.test
-          - i.ubuntu18.getssl.test
-          - j.ubuntu18.getssl.test
-          - k.ubuntu18.getssl.test
+          -   alpine.getssl.test
+          - a.alpine.getssl.test
+          - b.alpine.getssl.test
+          - c.alpine.getssl.test
+          - d.alpine.getssl.test
+          - e.alpine.getssl.test
+          - f.alpine.getssl.test
+          - g.alpine.getssl.test
+          - h.alpine.getssl.test
+          - i.alpine.getssl.test
+          - j.alpine.getssl.test
+          - k.alpine.getssl.test
   getssl-centos6:
     build:
       context: .
@@ -59,11 +57,11 @@ services:
       - .:/getssl
     environment:
       GETSSL_HOST: centos6.getssl.test
-      GETSSL_IP: 10.30.50.5
+      GETSSL_IP: 10.30.50.11
       NGINX_CONFIG: /etc/nginx/conf.d/default.conf
     networks:
       acmenet:
-        ipv4_address: 10.30.50.5
+        ipv4_address: 10.30.50.11
         aliases:
           -   centos6.getssl.test
           - a.centos6.getssl.test
@@ -77,23 +75,89 @@ services:
           - i.centos6.getssl.test
           - j.centos6.getssl.test
           - k.centos6.getssl.test
-  getssl-ubuntu18-no-gawk:
+  getssl-debian:
+    build:
+      context: .
+      dockerfile: test/Dockerfile-debian
+    container_name: getssl-debian
+    volumes:
+      - .:/getssl
+    environment:
+      GETSSL_HOST: debian.getssl.test
+      GETSSL_IP: 10.30.50.12
+      NGINX_CONFIG: /etc/nginx/sites-enabled/default
+    networks:
+      acmenet:
+        ipv4_address: 10.30.50.12
+        aliases:
+          -   debian.getssl.test
+          - a.debian.getssl.test
+          - b.debian.getssl.test
+          - c.debian.getssl.test
+          - d.debian.getssl.test
+          - e.debian.getssl.test
+          - f.debian.getssl.test
+          - g.debian.getssl.test
+          - h.debian.getssl.test
+          - i.debian.getssl.test
+          - j.debian.getssl.test
+          - k.debian.getssl.test
+  getssl-ubuntu:
     build:
       context: .
-      dockerfile: test/Dockerfile-ubuntu18-no-gawk
-    container_name: getssl-ubuntu18-no-gawk
+      dockerfile: test/Dockerfile-ubuntu
+    container_name: getssl-ubuntu
     volumes:
       - .:/getssl
     environment:
-      GETSSL_HOST: ubuntu18-no-gawk.getssl.test
-      GETSSL_IP: 10.30.50.6
+      GETSSL_HOST: ubuntu.getssl.test
+      GETSSL_IP: 10.30.50.13
       NGINX_CONFIG: /etc/nginx/sites-enabled/default
-      TEST_AWK: "yes"
     networks:
       acmenet:
-        ipv4_address: 10.30.50.6
+        ipv4_address: 10.30.50.13
         aliases:
-          - ubuntu18-no-gawk.getssl.test
+          - ubuntu.getssl.test
+          - a.ubuntu.getssl.test
+          - b.ubuntu.getssl.test
+          - c.ubuntu.getssl.test
+          - d.ubuntu.getssl.test
+          - e.ubuntu.getssl.test
+          - f.ubuntu.getssl.test
+          - g.ubuntu.getssl.test
+          - h.ubuntu.getssl.test
+          - i.ubuntu.getssl.test
+          - j.ubuntu.getssl.test
+          - k.ubuntu.getssl.test
+  getssl-ubuntu18:
+    build:
+      context: .
+      dockerfile: test/Dockerfile-ubuntu18
+    container_name: getssl-ubuntu18
+    volumes:
+      - .:/getssl
+    environment:
+      GETSSL_HOST: ubuntu18.getssl.test
+      GETSSL_IP: 10.30.50.14
+      NGINX_CONFIG: /etc/nginx/sites-enabled/default
+    networks:
+      acmenet:
+        ipv4_address: 10.30.50.14
+        aliases:
+          - ubuntu18.getssl.test
+          - a.ubuntu18.getssl.test
+          - b.ubuntu18.getssl.test
+          - c.ubuntu18.getssl.test
+          - d.ubuntu18.getssl.test
+          - e.ubuntu18.getssl.test
+          - f.ubuntu18.getssl.test
+          - g.ubuntu18.getssl.test
+          - h.ubuntu18.getssl.test
+          - i.ubuntu18.getssl.test
+          - j.ubuntu18.getssl.test
+          - k.ubuntu18.getssl.test
+
+
 
 networks:
   acmenet:

test/5-old-awk-error.bats

@@ -1,24 +0,0 @@
-#! /usr/bin/env bats
-
-load '/bats-support/load.bash'
-load '/bats-assert/load.bash'
-load '/getssl/test/test_helper.bash'
-
-
-# This is run for every test
-setup() {
-    export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
-}
-
-
-@test "Check getssl fails if an old version of awk is installed" {
-    CONFIG_FILE="getssl-http01.cfg"
-    # Make sure this test only runs on an image running an old version of awk
-    if [[ "$TEST_AWK" != "" ]]; then
-        setup_environment
-        init_getssl
-        create_certificate
-        assert_failure
-        assert_output "getssl: Your version of awk does not work with json_awk (see http://github.com/step-/JSON.awk/issues/6), please install a newer version of mawk or gawk"
-    fi
-}

test/Dockerfile-alpine

@@ -0,0 +1,22 @@
+FROM alpine:latest
+
+# Note this image uses busybox awk instead of gawk
+
+RUN apk --no-cache add supervisor openssl git curl bind-tools wget nginx bash
+
+WORKDIR /root
+
+# Create nginx directories in standard places
+RUN mkdir /run/nginx
+RUN mkdir /etc/nginx/pki
+RUN mkdir /etc/nginx/pki/private
+
+# BATS (Bash Automated Testings)
+RUN git clone https://github.com/bats-core/bats-core.git /bats-core
+RUN git clone https://github.com/jasonkarns/bats-support /bats-support
+RUN git clone https://github.com/jasonkarns/bats-assert-1 /bats-assert
+RUN /bats-core/install.sh /usr/local
+
+# Use supervisord to run nginx in the background
+COPY ./test/alpine-supervisord.conf /etc/supervisord.conf
+ENTRYPOINT /usr/bin/supervisord -c /etc/supervisord.conf

test/Dockerfile-centos6

@@ -1,5 +1,7 @@
 FROM centos:centos6
 
+# Note this image uses gawk
+
 # Update and install required software
 RUN yum -y update
 RUN yum -y install epel-release
@@ -19,4 +21,4 @@ RUN /bats-core/install.sh /usr/local
 EXPOSE 80 443
 
 # Run eternal loop - for testing
-CMD ["/bin/bash", "-c", "while :; do sleep 10; done"]
+CMD tail -f /dev/null

test/Dockerfile-ubuntu

@@ -0,0 +1,23 @@
+FROM ubuntu:latest
+
+# Note this image uses mawk1.3
+
+# Update and install required software
+RUN apt-get update --fix-missing
+RUN apt-get install -y git curl dnsutils wget nginx-light
+RUN apt-get install -y vim dos2unix # for debugging
+# TODO test with drill, dig, host
+
+WORKDIR /root
+
+# Prevent "Can't load /root/.rnd into RNG" error from openssl
+RUN touch /root/.rnd
+
+# BATS (Bash Automated Testings)
+RUN git clone https://github.com/bats-core/bats-core.git /bats-core
+RUN git clone https://github.com/jasonkarns/bats-support /bats-support
+RUN git clone https://github.com/jasonkarns/bats-assert-1 /bats-assert
+RUN /bats-core/install.sh /usr/local
+
+# Run eternal loop - for testing
+CMD tail -f /dev/null

test/Dockerfile-ubuntu18

@@ -1,12 +1,11 @@
 FROM ubuntu:bionic
-# bionic = latest 18 version
+# bionic = 18 LTS (long term support)
+
+# Note this image uses gawk
 
 # Update and install required software
 RUN apt-get update --fix-missing
-# TODO work out why default version of awk fails
-RUN apt-get install -y git curl dnsutils wget gawk nginx-light # linux-libc-dev make gcc binutils
-RUN apt-get install -y vim dos2unix # for debugging
-# TODO test with drill, dig, host
+RUN apt-get install -y git curl dnsutils wget gawk nginx-light
 
 WORKDIR /root
 RUN mkdir /etc/nginx/pki
@@ -25,4 +24,4 @@ RUN /bats-core/install.sh /usr/local
 EXPOSE 80 443
 
 # Run eternal loop - for testing
-CMD ["/bin/bash", "-c", "while :; do sleep 10; done"]
+CMD tail -f /dev/null

test/alpine-supervisord.conf

@@ -0,0 +1,14 @@
+[supervisord]
+nodaemon=true
+logfile=/tmp/supervisord.log
+childlogdir=/tmp
+pidfile = /tmp/supervisord.pid
+
+[program:nginx]
+command=nginx -g 'daemon off;'
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+autorestart=false
+startretries=0

test/restart-nginx

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+if [ "$GETSSL_HOST" = "alpine.getssl.test" ]; then
+    killall -HUP nginx >&3-
+    sleep 5
+else
+    service nginx restart >&3-
+fi

test/run-all-tests.sh

@@ -1,5 +1,7 @@
 #!/usr/bin/env bash
 
+docker exec -it getssl-alpine bats /getssl/test
 docker exec -it getssl-centos6 bats /getssl/test
+docker exec -it getssl-debian bats /getssl/test
+docker exec -it getssl-ubuntu bats /getssl/test
 docker exec -it getssl-ubuntu18 bats /getssl/test
-docker exec -it getssl-ubuntu18-no-gawk bats /getssl/test/5-old-awk-error.bats

test/test-config/getssl-dns01.cfg

@@ -2,35 +2,17 @@
 # see https://github.com/srvrco/getssl/wiki/Config-variables for details
 # see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
 #
-# The staging server is best for testing
-#CA="https://acme-staging.api.letsencrypt.org"
-# This server issues full certificates, however has rate limits
-#CA="https://acme-v01.api.letsencrypt.org"
 CA="https://pebble:14000/dir"
 
 VALIDATE_VIA_DNS=true
 DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv"
 DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv"
-# AUTH_DNS_SERVER=10.30.50.3
-
-#PRIVATE_KEY_ALG="rsa"
 
 # Additional domains - this could be multiple domains / subdomains in a comma separated list
-# Note: this is Additional domains - so should not include the primary domain.
 SANS=""
 
 # Acme Challenge Location. The first line for the domain, the following ones for each additional domain.
-# If these start with ssh: then the next variable is assumed to be the hostname and the rest the location.
-# An ssh key will be needed to provide you with access to the remote server.
-# Optionally, you can specify a different userid for ssh/scp to use on the remote server before the @ sign.
-# If left blank, the username on the local server will be used to authenticate against the remote server.
-# If these start with ftp: then the next variables are ftpuserid:ftppassword:servername:ACL_location
-# These should be of the form "/path/to/your/website/folder/.well-known/acme-challenge"
-# where "/path/to/your/website/folder/" is the path, on your web server, to the web root for your domain.
 ACL=('/var/www/html/.well-known/acme-challenge')
-#     'ssh:server5:/var/www/getssltest.hopto.org/web/.well-known/acme-challenge'
-#     'ssh:sshuserid@server5:/var/www/getssltest.hopto.org/web/.well-known/acme-challenge'
-#     'ftp:ftpuserid:ftppassword:getssltest.hopto.org:/web/.well-known/acme-challenge')
 
 #Set USE_SINGLE_ACL="true" to use a single ACL for all checks
 USE_SINGLE_ACL="false"
@@ -44,11 +26,8 @@ DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
 DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
 
 # The command needed to reload apache / nginx or whatever you use
-RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && service nginx restart >&3-"
+RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
 
-# Define the server type. This can be https, ftp, ftpi, imap, imaps, pop3, pop3s, smtp,
-# smtps_deprecated, smtps, smtp_submission, xmpp, xmpps, ldaps or a port number which
-# will be checked for certificate expiry and also will be checked after
-# an update to confirm correct certificate is running (if CHECK_REMOTE) is set to true
-#SERVER_TYPE="https"
-#CHECK_REMOTE="true"
+# Define the server type and confirm correct certificate is installed
+SERVER_TYPE="https"
+CHECK_REMOTE="true"

test/test-config/getssl-http01-10-hosts.cfg

@@ -5,7 +5,6 @@
 CA="https://pebble:14000/dir"
 
 # Additional domains - this could be multiple domains / subdomains in a comma separated list
-# Note: this is Additional domains - so should not include the primary domain.
 SANS="a.${GETSSL_HOST},b.${GETSSL_HOST},c.${GETSSL_HOST},d.${GETSSL_HOST},e.${GETSSL_HOST},f.${GETSSL_HOST},g.${GETSSL_HOST},h.${GETSSL_HOST},i.${GETSSL_HOST},j.${GETSSL_HOST},k.${GETSSL_HOST}"
 
 # Acme Challenge Location.
@@ -22,7 +21,8 @@ DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
 DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
 
 # The command needed to reload apache / nginx or whatever you use
-RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG}  && service nginx restart >&3-"
+RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
 
-#SERVER_TYPE="https"
-#CHECK_REMOTE="true"
+# Define the server type and confirm correct certificate is installed
+SERVER_TYPE="https"
+CHECK_REMOTE="true"

test/test-config/getssl-http01.cfg

@@ -2,34 +2,13 @@
 # see https://github.com/srvrco/getssl/wiki/Config-variables for details
 # see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
 #
-# The staging server is best for testing
-#CA="https://acme-staging.api.letsencrypt.org"
-# This server issues full certificates, however has rate limits
-#CA="https://acme-v01.api.letsencrypt.org"
 CA="https://pebble:14000/dir"
 
-#VALIDATE_VIA_DNS=true
-#DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv"
-#DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv"
-
-#PRIVATE_KEY_ALG="rsa"
-
 # Additional domains - this could be multiple domains / subdomains in a comma separated list
-# Note: this is Additional domains - so should not include the primary domain.
 SANS=""
 
-# Acme Challenge Location. The first line for the domain, the following ones for each additional domain.
-# If these start with ssh: then the next variable is assumed to be the hostname and the rest the location.
-# An ssh key will be needed to provide you with access to the remote server.
-# Optionally, you can specify a different userid for ssh/scp to use on the remote server before the @ sign.
-# If left blank, the username on the local server will be used to authenticate against the remote server.
-# If these start with ftp: then the next variables are ftpuserid:ftppassword:servername:ACL_location
-# These should be of the form "/path/to/your/website/folder/.well-known/acme-challenge"
-# where "/path/to/your/website/folder/" is the path, on your web server, to the web root for your domain.
+# Acme Challenge Location.
 ACL=('/var/www/html/.well-known/acme-challenge')
-#     'ssh:server5:/var/www/getssltest.hopto.org/web/.well-known/acme-challenge'
-#     'ssh:sshuserid@server5:/var/www/getssltest.hopto.org/web/.well-known/acme-challenge'
-#     'ftp:ftpuserid:ftppassword:getssltest.hopto.org:/web/.well-known/acme-challenge')
 
 #Set USE_SINGLE_ACL="true" to use a single ACL for all checks
 USE_SINGLE_ACL="false"
@@ -43,11 +22,8 @@ DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
 DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
 
 # The command needed to reload apache / nginx or whatever you use
-RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && service nginx restart >&3-"
+RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
 
-# Define the server type. This can be https, ftp, ftpi, imap, imaps, pop3, pop3s, smtp,
-# smtps_deprecated, smtps, smtp_submission, xmpp, xmpps, ldaps or a port number which
-# will be checked for certificate expiry and also will be checked after
-# an update to confirm correct certificate is running (if CHECK_REMOTE) is set to true
+# Define the server type and confirm correct certificate is installed
 SERVER_TYPE="https"
 CHECK_REMOTE="true"

test/test_helper.bash

@@ -18,8 +18,8 @@ setup_environment() {
     fi
 
     curl -X POST -d '{"host":"'"$GETSSL_HOST"'", "addresses":["'"$GETSSL_IP"'"]}' http://10.30.50.3:8055/add-a
-    cp ${CODE_DIR}/test/test-config/nginx-ubuntu-no-ssl ${NGINX_CONFIG}
-    service nginx restart >&3-
+    cp ${CODE_DIR}/test/test-config/nginx-ubuntu-no-ssl "${NGINX_CONFIG}"
+    /getssl/test/restart-nginx
 }
 
 
@@ -40,5 +40,4 @@ create_certificate() {
     # Create certificate
     cp "${CODE_DIR}/test/test-config/${CONFIG_FILE}" "${INSTALL_DIR}/.getssl/${GETSSL_HOST}/getssl.cfg"
     run ${CODE_DIR}/getssl "$GETSSL_HOST"
-    #!FIXME test certificate has been placed in the expected location
 }