From 9350bce17f453a5c0ba05cba4e9c430f4ca1d513 Mon Sep 17 00:00:00 2001 From: Tim Kimber Date: Thu, 10 Dec 2020 18:39:29 +0000 Subject: [PATCH 01/11] Add dns scripts for Dynu.com --- dns_scripts/dns_add_dynu | 68 ++++++++++++++++++++++++++++++++++++++++ dns_scripts/dns_del_dynu | 63 +++++++++++++++++++++++++++++++++++++ 2 files changed, 131 insertions(+) create mode 100644 dns_scripts/dns_add_dynu create mode 100644 dns_scripts/dns_del_dynu diff --git a/dns_scripts/dns_add_dynu b/dns_scripts/dns_add_dynu new file mode 100644 index 0000000..7a08ce8 --- /dev/null +++ b/dns_scripts/dns_add_dynu 
@@ -0,0 +1,68 @@ +#!/usr/bin/env bash +# Need to add your API key below or set as env variable +apikey=${DYNU_API_KEY:-''} + +# This script adds a token to dynu.com DNS for the ACME challenge +# usage dns_add_dynu "domain name" "token" +# return codes are; +# 0 - success +# 1 - error in input +# 2 - error within internal processing +# 3 - error in result ( domain not found in dynu.com etc) + +fulldomain="${1}" +token="${2}" + +API='https://api.dynu.com/v2/dns' + +# Check initial parameters +if [[ -z "$fulldomain" ]]; then + echo "DNS script requires full domain name as first parameter" + exit 1 +fi +if [[ -z "$token" ]]; then + echo "DNS script requires challenge token as second parameter" + exit 1 +fi + +curl_params=( -H "accept: application/json" -H "API-Key: $apikey" -H 'Content-Type: application/json' ) + +# Get domain id +resp=$(curl --silent "${curl_params[@]}" -X GET "$API") + +# Match domain id +re="\"id\":([^,]*),\"name\":\"getssl-testing.freeddns.org\"" +if [[ "$resp" =~ $re ]]; then + domain_id="${BASH_REMATCH[1]}" +fi + +if [[ -z "$domain_id" ]]; then + echo 'Domain name not found on your Dynu account' + exit 3 +fi + +# Check for existing _acme-challenge TXT record +resp=$(curl --silent "${curl_params[@]}" -X GET "${API}/record/_acme-challenge.${fulldomain}?recordType=TXT") +re="\"id\":([^,]*)" +if [[ "$resp" =~ $re ]]; then + record_id="${BASH_REMATCH[1]}" +fi + +if [[ -z "$record_id" ]]; then + # Add new TXT challenge record + resp=$(curl --silent \ + "${curl_params[@]}" \ + -X POST "${API}/${domain_id}/record" \ + --data "{\"nodeName\":\"_acme-challenge\",\"recordType\":\"TXT\",\"textData\":\"$token\"}") +else + resp=$(curl --silent \ + "${curl_params[@]}" \ + -X POST "${API}/${domain_id}/record/${record_id}" \ + --data "{\"nodeName\":\"_acme-challenge\",\"recordType\":\"TXT\",\"textData\":\"$token\"}") +fi + +# If adding record failed (exception:) then print error message +if [[ "${resp// }" == *'"exception"'* ]]; then + echo "Error: DNS challenge 
not added: unknown error - ${resp}" + exit 3 +fi diff --git a/dns_scripts/dns_del_dynu b/dns_scripts/dns_del_dynu new file mode 100644 index 0000000..310bb61 --- /dev/null +++ b/dns_scripts/dns_del_dynu @@ -0,0 +1,63 @@ +#!/usr/bin/env bash +# Need to add your API key below or set as env variable +apikey=${DYNU_API_KEY:-''} + +# This script deletes the _acme-challenge TXT record from the dynu.com DNS entry for the domain +# usage dns_del_dynu "domain name" +# return codes are; +# 0 - success +# 1 - error in input +# 2 - error within internal processing +# 3 - error in result ( domain not found in dynu.com etc) + +fulldomain="${1}" + +API='https://api.dynu.com/v2/dns' + +# Check initial parameters +if [[ -z "$fulldomain" ]]; then + echo "DNS script requires full domain name as first parameter" + exit 1 +fi +if [[ -z "$apikey" ]]; then + echo "DNS script requires an apikey to be set" + exit 1 +fi + +curl_params=( -H "accept: application/json" -H "API-Key: $apikey" -H 'Content-Type: application/json' ) + +# Get domain id +resp=$(curl --silent "${curl_params[@]}" -X GET "$API") + +# Match domain id +re="\"id\":([^,]*),\"name\":\"getssl-testing.freeddns.org\"" +if [[ "$resp" =~ $re ]]; then + domain_id="${BASH_REMATCH[1]}" +fi + +if [[ -z "$domain_id" ]]; then + echo 'Domain name not found on your Dynu account' + exit 3 +fi + +# Find existing _acme-challenge TXT record +resp=$(curl --silent "${curl_params[@]}" -X GET "${API}/record/_acme-challenge.${fulldomain}?recordType=TXT") +re="\"id\":([^,]*)" +if [[ "$resp" =~ $re ]]; then + record_id="${BASH_REMATCH[1]}" +fi + +if [[ -z "$record_id" ]]; then + echo "No _acme-challenge TXT record found for $fulldomain" + exit 3 +fi + +resp=$(curl --silent \ + "${curl_params[@]}" \ + -X DELETE "${API}/${domain_id}/record/${record_id}") + +# If adding record failed (exception:) then print error message +if [[ "${resp// }" == *'"exception"'* ]]; then + echo "Error: DNS challenge not added: unknown error - ${resp}" + exit 3 +fi 
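Review bot: The add script never checks that `apikey` is non-empty, while the sibling `dns_del_dynu` in this same commit does, so an unset `DYNU_API_KEY` sends an empty `API-Key:` header and surfaces later as the misleading "Domain name not found" exit 3; add the same guard after the token check, `if [[ -z "$apikey" ]]; then echo "DNS script requires DYNU_API_KEY to be set"; exit 1; fi`. The domain-id regex is hard-coded to `getssl-testing.freeddns.org` instead of being built from `$fulldomain`, so this version only ever resolves that one zone (the follow-up [PATCH 03/11] replaces the lookup). Passing the key as `-H "API-Key: $apikey"` puts it on curl's argv, where any local user can read it from the process table; curl can take headers from a file (`-H @file`) or a `--config` file fed on stdin, which keeps the key out of argv. The same hunk is replayed byte-for-byte in [PATCH 04/11].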
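Review bot: The failure message after the DELETE call says the challenge was `not added`, copied from the add script, so someone debugging a stale `_acme-challenge` record is told the wrong operation failed; change it to `echo "Error: DNS challenge record not deleted: unknown error - ${resp}"` and the comment above it to `# If deleting the record failed then print error message`. The `"\"id\":([^,]*)"` regex takes the first `id` field anywhere in the record response; if Dynu nests the zone's own id before the record's, this would pick the wrong one and the DELETE would target it, so confirm against a real response. Both scripts treat any non-empty body as the expected JSON, so a 401/429 or an HTML error page falls through to "Domain name not found" (exit 3) instead of being reported; `curl --fail` (or checking `%{http_code}` via `-w`) would separate transport/auth failures from a genuinely missing zone. Replayed verbatim in [PATCH 04/11].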
From d35f7baf9139edeacdc35e732ed28ae04ccd1a82 Mon Sep 17 00:00:00 2001 From: Tim Kimber Date: Thu, 17 Dec 2020 21:58:47 +0000 Subject: [PATCH 02/11] Some fixes to get_auth_dns --- getssl | 28 ++++++++++++++++++++-------- 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/getssl b/getssl index f509060..8c85771 100755 --- a/getssl +++ b/getssl @@ -520,12 +520,24 @@ check_challenge_completion_dns() { # perform validation via DNS challenge check_result=$($DNS_CHECK_FUNC TXT "_acme-challenge.${lower_d}" "@${ns}" \ | grep -i "^_acme-challenge.${lower_d}" \ | grep 'IN\WTXT'|awk -F'"' '{ print $2}') + debug "check_result=$check_result" + if [[ -z "$check_result" ]]; then + debug "$DNS_CHECK_FUNC" ANY "_acme-challenge.${lower_d}" "@${ns}" + check_result=$($DNS_CHECK_FUNC ANY "_acme-challenge.${lower_d}" "@${ns}" \ + | grep -i "^_acme-challenge.${lower_d}" \ + | grep 'IN\WTXT'|awk -F'"' '{ print $2}') + debug "check_result=$check_result" + fi elif [[ "$DNS_CHECK_FUNC" == "host" ]]; then check_result=$($DNS_CHECK_FUNC -t TXT "_acme-challenge.${lower_d}" "${ns}" \ | grep 'descriptive text'|awk -F'"' '{ print $2}') else check_result=$(nslookup -type=txt "_acme-challenge.${lower_d}" "${ns}" \ | grep 'text ='|awk -F'"' '{ print $2}') + if [[ -z "$check_result" ]]; then + check_result=$(nslookup -type=any "_acme-challenge.${lower_d}" "${ns}" \ + | grep 'text ='|awk -F'"' '{ print $2}') + fi fi debug "expecting $auth_key" debug "${ns} gave ... $check_result" @@ -538,6 +550,7 @@ check_challenge_completion_dns() { # perform validation via DNS challenge if [[ $DNS_WAIT_RETRY_ADD == "true" && $(( ntries % 10 )) == 0 ]]; then debug "Retrying adding dns via command: $DNS_ADD_COMMAND $lower_d $auth_key" + test_output "Retrying adding dns via command: $DNS_ADD_COMMAND" eval "$DNS_DEL_COMMAND" "$lower_d" "$auth_key" if ! eval "$DNS_ADD_COMMAND" "$lower_d" "$auth_key" ; then error_exit "DNS_ADD_COMMAND failed for domain $d" 
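Review bot: The new `ANY` fallback in the `dig`/`drill` branch and the `nslookup -type=any` branch assume a resolver answers ANY with the TXT RRset, but many public resolvers now answer ANY with a synthetic HINFO or refuse it (RFC 8482), so against `PUBLIC_DNS_SERVER` the retry is likely a no-op and only the authoritative query benefits; a comment stating the observed motivation, e.g. `# Some authoritative servers answered ANY but not TXT; retry with ANY before giving up`, would stop a future reader from removing it as redundant. The fallback also duplicates the three-line grep/awk pipeline, so a small helper taking the record type would keep the two in step when the filter changes. `debug "$DNS_CHECK_FUNC" ANY "_acme-challenge.${lower_d}" "@${ns}"` passes four separate words to `debug`; if `debug` only formats its first argument this line logs nothing useful, so `debug "$DNS_CHECK_FUNC ANY _acme-challenge.${lower_d} @${ns}"` is safer. `check_challenge_completion_dns` begins and ends outside the hunk; the same hunks are replayed in [PATCH 05/11].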
@@ -1165,10 +1178,12 @@ for d in "${alldomains[@]}"; do # find a primary / authoritative DNS server for the domain if [[ -z "$AUTH_DNS_SERVER" ]]; then get_auth_dns "$d" + elif [[ "$CHECK_PUBLIC_DNS_SERVER" == "true" ]]; then + primary_ns="$AUTH_DNS_SERVER $PUBLIC_DNS_SERVER" else primary_ns="$AUTH_DNS_SERVER" fi - debug primary_ns "$primary_ns" + debug set primary_ns = "$primary_ns" check_challenge_completion_dns "${token}" "${uri}" "${keyauthorization}" "${d}" "${primary_ns}" "${auth_key}" else # set up the correct http token for verification @@ -1270,11 +1285,11 @@ get_auth_dns() { # get the authoritative dns server for a domain (sets primary_n if [[ -z "$all_auth_dns_servers" ]]; then error_exit "couldn't find primary DNS server - please set AUTH_DNS_SERVER in config" fi + primary_ns="$all_auth_dns_servers" if [[ "$CHECK_PUBLIC_DNS_SERVER" == "true" ]]; then - primary_ns="$all_auth_dns_servers $PUBLIC_DNS_SERVER" - else - primary_ns="$all_auth_dns_servers" + primary_ns="$primary_ns $PUBLIC_DNS_SERVER" fi + return fi @@ -1348,8 +1363,8 @@ get_auth_dns() { # get the authoritative dns server for a domain (sets primary_n primary_ns="$primary_ns $PUBLIC_DNS_SERVER" fi - debug set primary_ns = "$primary_ns" test_output set primary_ns ="$primary_ns" + return fi fi @@ -1428,9 +1443,6 @@ get_auth_dns() { # get the authoritative dns server for a domain (sets primary_n primary_ns=$(echo "$all_auth_dns_servers" | awk '{print $1}') fi - if [[ "$CHECK_PUBLIC_DNS_SERVER" == "true" ]]; then - primary_ns="$primary_ns $PUBLIC_DNS_SERVER" - fi return fi fi From 1199739fc97bf8b845933d17e42dbd002812e884 Mon Sep 17 00:00:00 2001 
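Review bot: The `@@ -1428` hunk removes the `CHECK_PUBLIC_DNS_SERVER` append from the branch that takes the first server of `all_auth_dns_servers`, while the `@@ -1270` and `@@ -1348` branches and the new `elif` in the domain loop still append `PUBLIC_DNS_SERVER`; unless that branch gains the append somewhere outside the hunk, the public resolver is silently skipped on that path only. The same append now lives in three places; a helper such as `append_public_ns() { if [[ "$CHECK_PUBLIC_DNS_SERVER" == "true" ]]; then primary_ns="$primary_ns $PUBLIC_DNS_SERVER"; fi; }` called before each `return` would keep them consistent. `debug set primary_ns = "$primary_ns"` passes four words to `debug`; if `debug` only prints `$1` this logs just `set`, so `debug "set primary_ns=$primary_ns"` is the safer form. `get_auth_dns` starts and ends outside these hunks; all four are replayed in [PATCH 05/11].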
From: Tim Kimber Date: Thu, 17 Dec 2020 22:00:04 +0000 Subject: [PATCH 03/11] Move DNS used for staging tests to Dynu --- dns_scripts/dns_add_dynu | 14 +++++--- dns_scripts/dns_del_dynu | 22 ++++++++---- test/15-test-revoke-no-suffix.bats | 6 +++- test/18-staging-retry-dns-add.bats | 16 +++++++-- test/Dockerfile-centos7-staging | 1 + test/Dockerfile-ubuntu-staging | 1 + test/dns_add_fail | 6 ++++ test/dns_fail_add_duckdns | 19 ---------- test/run-test.cmd | 2 +- test/run-test.sh | 3 +- .../getssl-staging-dns01-fail-dns-add.cfg | 33 ----------------- .../getssl-staging-dns01-no-suffix.cfg | 36 ------------------- test/test-config/getssl-staging-dns01.cfg | 11 ++++-- 13 files changed, 62 insertions(+), 108 deletions(-) create mode 100644 test/dns_add_fail delete mode 100755 test/dns_fail_add_duckdns delete mode 100644 test/test-config/getssl-staging-dns01-fail-dns-add.cfg delete mode 100644 test/test-config/getssl-staging-dns01-no-suffix.cfg diff --git a/dns_scripts/dns_add_dynu b/dns_scripts/dns_add_dynu index 7a08ce8..e20470d 100644 --- a/dns_scripts/dns_add_dynu +++ b/dns_scripts/dns_add_dynu @@ -28,10 +28,11 @@ fi curl_params=( -H "accept: application/json" -H "API-Key: $apikey" -H 'Content-Type: application/json' ) # Get domain id -resp=$(curl --silent "${curl_params[@]}" -X GET "$API") +# curl -X GET https://api.dynu.com/v2/dns/getroot/ubuntu-getssl.freeddns.org +resp=$(curl --silent "${curl_params[@]}" -X GET "$API/getroot/${fulldomain}") # Match domain id -re="\"id\":([^,]*),\"name\":\"getssl-testing.freeddns.org\"" +re="\"id\":([^,]*),\"domainName\":\"${fulldomain}\"" if [[ "$resp" =~ $re ]]; then domain_id="${BASH_REMATCH[1]}" fi 
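Review bot: The new domain-id regex `\"id\":([^,]*),\"domainName\":\"${fulldomain}\"` only matches when Dynu's `getroot` reports `domainName` equal to the full host name; for a host beneath a Dynu root zone the reported root would presumably be the parent, in which case the script exits 3 with "Domain name not found" — please confirm against a real `getroot` response for a sub-host. If so, capture the root with `re='"id":([^,]*),"domainName":"([^"]*)"'` and derive the node name from the part of `$fulldomain` preceding it, since `nodeName` is fixed to `_acme-challenge` further down. `$fulldomain` is also dropped into the ERE unescaped, so each `.` matches any character; harmless for a hostname, but a comment `# fulldomain is interpolated into a regex; dots are unescaped` would stop someone reusing the pattern for arbitrary input. Same hunk replayed in [PATCH 06/11].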
@@ -42,6 +43,7 @@ if [[ -z "$domain_id" ]]; then fi # Check for existing _acme-challenge TXT record +# curl -X GET "https://api.dynu.com/v2/dns/record/_acme-challenge.ubuntu-getssl.freeddns.org?recordType=TXT" resp=$(curl --silent "${curl_params[@]}" -X GET "${API}/record/_acme-challenge.${fulldomain}?recordType=TXT") re="\"id\":([^,]*)" if [[ "$resp" =~ $re ]]; then @@ -53,16 +55,18 @@ if [[ -z "$record_id" ]]; then resp=$(curl --silent \ "${curl_params[@]}" \ -X POST "${API}/${domain_id}/record" \ - --data "{\"nodeName\":\"_acme-challenge\",\"recordType\":\"TXT\",\"textData\":\"$token\"}") + --data "{\"nodeName\":\"_acme-challenge\",\"recordType\":\"TXT\",\"state\":\"true\",\"textData\":\"$token\"}") else + # Update existing record + # curl -X POST https://api.dynu.com/v2/dns/9329328/record/7082063 -d "{\"nodeName\":\"_acme-challenge\",\"recordType\":\"TXT\",\"state\":\"true\",\"textData\":\"Test2\"}" resp=$(curl --silent \ "${curl_params[@]}" \ -X POST "${API}/${domain_id}/record/${record_id}" \ - --data "{\"nodeName\":\"_acme-challenge\",\"recordType\":\"TXT\",\"textData\":\"$token\"}") + --data "{\"nodeName\":\"_acme-challenge\",\"recordType\":\"TXT\",\"state\":\"true\",\"textData\":\"$token\"}") fi # If adding record failed (exception:) then print error message -if [[ "${resp// }" == *'"exception"'* ]]; then +if [[ "$resp" != *"\"statusCode\":200"* ]]; then echo "Error: DNS challenge not added: unknown error - ${resp}" exit 3 fi diff --git a/dns_scripts/dns_del_dynu b/dns_scripts/dns_del_dynu index 310bb61..1d8d588 100644 --- a/dns_scripts/dns_del_dynu +++ b/dns_scripts/dns_del_dynu 
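Review bot: `$token` is spliced into the JSON body of both POSTs as `\"textData\":\"$token\"` with no escaping, so a value containing `"` or `\` corrupts the document and, because failure is detected only by the absence of `"statusCode":200`, is reported as an unknown error. getssl's key-authorization digest is expected to be base64url, but this script is a general hook, so validating the input up front is cheap: `[[ "$token" =~ ^[A-Za-z0-9_-]+$ ]] || { echo "DNS script: token contains characters not allowed in a DNS challenge"; exit 1; }`. The worked-example comment above the update POST embeds what look like this account's real zone and record ids; replace them with placeholders such as `<domain_id>/<record_id>` so readers do not copy them. Same hunks replayed in [PATCH 06/11].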
@@ -10,6 +10,12 @@ apikey=${DYNU_API_KEY:-''} # 2 - error within internal processing # 3 - error in result ( domain not found in dynu.com etc) +# After deleting the TXT record from Dynu.com it takes over 30 minutes to add a new TXT record! +# This doesn't happen when updating the TXT record, just for delete then add +# As this is used for testing, changed the delete to a no-op. + +exit 0 + fulldomain="${1}" API='https://api.dynu.com/v2/dns' @@ -20,17 +26,18 @@ if [[ -z "$fulldomain" ]]; then exit 1 fi if [[ -z "$apikey" ]]; then - echo "DNS script requires an apikey to be set" + echo "DNS script requires apikey environment variable to be set" exit 1 fi curl_params=( -H "accept: application/json" -H "API-Key: $apikey" -H 'Content-Type: application/json' ) # Get domain id -resp=$(curl --silent "${curl_params[@]}" -X GET "$API") +# curl -X GET https://api.dynu.com/v2/dns/getroot/ubuntu-getssl.freeddns.org +resp=$(curl --silent "${curl_params[@]}" -X GET "$API/getroot/${fulldomain}") # Match domain id -re="\"id\":([^,]*),\"name\":\"getssl-testing.freeddns.org\"" +re="\"id\":([^,]*),\"domainName\":\"${fulldomain}\"" if [[ "$resp" =~ $re ]]; then domain_id="${BASH_REMATCH[1]}" fi @@ -40,7 +47,8 @@ if [[ -z "$domain_id" ]]; then exit 3 fi -# Find existing _acme-challenge TXT record +# Check for existing _acme-challenge TXT record +# curl -X GET "https://api.dynu.com/v2/dns/record/_acme-challenge.ubuntu-getssl.freeddns.org?recordType=TXT" resp=$(curl --silent "${curl_params[@]}" -X GET "${API}/record/_acme-challenge.${fulldomain}?recordType=TXT") re="\"id\":([^,]*)" if [[ "$resp" =~ $re ]]; then @@ -48,8 +56,8 @@ if [[ "$resp" =~ $re ]]; then fi if [[ -z "$record_id" ]]; then - echo "No _acme-challenge TXT record found for $fulldomain" - exit 3 + echo "No _acme-challenge.${fulldomain} TXT record found" + exit 0 fi resp=$(curl --silent \ 
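Review bot: The unconditional `exit 0` inserted before `fulldomain="${1}"` makes the shipped `dns_scripts/dns_del_dynu` a no-op for every user, not only for the staging tests the comment mentions, so `_acme-challenge` TXT records stay published after every issuance and everything below it — including the other edits in this commit — is unreachable. If the 30-minute delete/re-add delay is the reason, keep the script functional and let the harness opt out with a new variable, e.g. `if [[ "${DYNU_SKIP_DELETE:-}" == "true" ]]; then exit 0; fi`, with the existing three-line comment moved above it and the variable set from the test config. The new `exit 0` when no record exists is a reasonable idempotent delete. The getroot regex carries the same sub-host caveat as in `dns_add_dynu`. Same hunks replayed in [PATCH 06/11].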
@@ -57,7 +65,7 @@ resp=$(curl --silent \ -X DELETE "${API}/${domain_id}/record/${record_id}") # If adding record failed (exception:) then print error message -if [[ "${resp// }" == *'"exception"'* ]]; then +if [[ "$resp" != *"\"statusCode\":200"* ]]; then echo "Error: DNS challenge not added: unknown error - ${resp}" exit 3 fi diff --git a/test/15-test-revoke-no-suffix.bats b/test/15-test-revoke-no-suffix.bats index 5e8d797..96e174b 100644 --- a/test/15-test-revoke-no-suffix.bats +++ b/test/15-test-revoke-no-suffix.bats @@ -15,10 +15,12 @@ setup() { @test "Create certificate to check revoke (no suffix)" { if [ -n "$STAGING" ]; then - CONFIG_FILE="getssl-staging-dns01-no-suffix.cfg" + CONFIG_FILE="getssl-staging-dns01.cfg" else CONFIG_FILE="getssl-http01-no-suffix.cfg" fi + echo 'CA="https://acme-staging-v02.api.letsencrypt.org"' >> ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg + . "${CODE_DIR}/test/test-config/${CONFIG_FILE}" setup_environment init_getssl @@ -34,6 +36,8 @@ setup() { else CONFIG_FILE="getssl-http01.cfg" fi + echo 'CA="https://acme-staging-v02.api.letsencrypt.org"' >> ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg + . "${CODE_DIR}/test/test-config/${CONFIG_FILE}" CERT=${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt KEY=${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.key diff --git a/test/18-staging-retry-dns-add.bats b/test/18-staging-retry-dns-add.bats index 8b636d6..bca7c05 100644 --- a/test/18-staging-retry-dns-add.bats +++ b/test/18-staging-retry-dns-add.bats 
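Review bot: Both `echo 'CA=...' >> ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg` lines append to a file that `getssl-staging-dns01.cfg` later sources with `.`, so unless the harness recreates the directory each run the file grows by one line per run, and the path expansions are unquoted; write it with `>` and quote the path, `echo 'CA="https://acme-staging-v02.api.letsencrypt.org"' > "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg"`. The value also omits the `/directory` suffix that `getssl-staging-dns01.cfg` uses; if getssl does not append it, this override points at a different URL than the config it adjusts — confirm which form getssl expects. Since the deleted `getssl-staging-dns01-no-suffix.cfg` carried that no-suffix `CA` value, a one-line comment above the echo saying that this override reproduces it would make the intent clear. Same hunks replayed in [PATCH 06/11].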
@@ -6,14 +6,26 @@ load '/getssl/test/test_helper.bash' -@test "Check retry add dns command if dns isn't updated (DuckDNS)" { +@test "Check retry add dns command if dns isn't updated" { if [ -z "$STAGING" ]; then skip "Running internal tests, skipping external test" fi - CONFIG_FILE="getssl-staging-dns01-fail-dns-add.cfg" + + CONFIG_FILE="getssl-staging-dns01.cfg" setup_environment init_getssl + + cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg +DNS_ADD_COMMAND="/getssl/test/dns_add_fail" + +# Speed up the test by reducing the number or retries and the wait between retries. +DNS_WAIT=2 +DNS_WAIT_COUNT=11 +DNS_EXTRA_WAIT=0 +CHECK_ALL_AUTH_DNS="false" +CHECK_PUBLIC_DNS_SERVER="false" +EOF create_certificate -d assert_failure assert_line --partial "Retrying adding dns via command" diff --git a/test/Dockerfile-centos7-staging b/test/Dockerfile-centos7-staging index 0b2ff08..ad49896 100644 --- a/test/Dockerfile-centos7-staging +++ b/test/Dockerfile-centos7-staging @@ -9,6 +9,7 @@ RUN yum -y install git curl bind-utils ldns wget which nginx ENV staging "true" ENV DUCKDNS_TOKEN 1d616aa9-b8e4-4bb4-b312-3289de82badb +ENV DYNU_API_KEY 65cXefd35XbYf36546eg5dYcZT6X52Y2 WORKDIR /root RUN mkdir /etc/nginx/pki diff --git a/test/Dockerfile-ubuntu-staging b/test/Dockerfile-ubuntu-staging index 1ee3f83..3032c85 100644 --- a/test/Dockerfile-ubuntu-staging +++ b/test/Dockerfile-ubuntu-staging @@ -8,6 +8,7 @@ ENV DEBIAN_FRONTEND noninteractive # Ensure tests in this image use the staging server ENV staging "true" ENV DUCKDNS_TOKEN 1d616aa9-b8e4-4bb4-b312-3289de82badb +ENV DYNU_API_KEY 65cXefd35XbYf36546eg5dYcZT6X52Y2 # Update and install required software RUN apt-get update --fix-missing diff --git a/test/dns_add_fail b/test/dns_add_fail new file mode 100644 index 0000000..44ab42b --- /dev/null +++ b/test/dns_add_fail 
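Review bot: The heredoc target `> ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg` is unquoted, and `<<- EOF` strips leading tabs only, which the flush-left body never has, so the `-` does nothing; `cat <<'EOF' > "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg"` quotes the path and, by quoting the delimiter, makes clear the body is literal config. The body points `DNS_ADD_COMMAND` at the new `dns_add_fail` stub but relies on `DNS_WAIT_RETRY_ADD="true"` coming from `getssl-staging-dns01.cfg`; stating that dependency in the comment would make the test self-describing. Replayed in [PATCH 06/11].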
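Review bot: `ENV DYNU_API_KEY ...` bakes what appears to be a live Dynu API key into the image config and into git history, next to the `DUCKDNS_TOKEN` already there; anyone with the repository or the image can act on the Dynu account, and rotating the key means another commit. `run-test.sh` already injects `--env STAGING=true` at run time, so the key belongs there — `--env DYNU_API_KEY` taken from the host environment or a git-ignored `--env-file` — with this line dropped and the exposed key rotated. The same line is added to `test/Dockerfile-ubuntu-staging` in this commit, and both are replayed in [PATCH 06/11].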
@@ -0,0 +1,6 @@ +#!/bin/bash + +# Special test script which will always fail to update dns + +echo "This is a test script to check retry works if DNS isn't updated" +exit 0 diff --git a/test/dns_fail_add_duckdns b/test/dns_fail_add_duckdns deleted file mode 100755 index 03df89f..0000000 --- a/test/dns_fail_add_duckdns +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/bash - -# Special test script which will always fail to update dns - -token=${DUCKDNS_TOKEN:-} - -if [ -z "$token" ]; then - echo "DUCKDNS_TOKEN not set" - exit 1 -fi - -domain="$1" - -response=$(curl --retry 5 --silent "https://www.duckdns.org/update?domains=${domain}&token=${token}&txt=FAIL") -if [ "$response" != "OK" ]; then - echo "Failed to update TXT record for ${domain} at duckdns.org (is the TOKEN valid?)" - echo "Response: $response" - exit 1 -fi diff --git a/test/run-test.cmd b/test/run-test.cmd index 23235c9..0462617 100644 --- a/test/run-test.cmd +++ b/test/run-test.cmd @@ -23,7 +23,7 @@ set COMMAND=bats /getssl/test GOTO CheckAlias :staging -set ALIAS=%OS:-staging=%-getssl.duckdns.org +set ALIAS=%OS:-staging=%-getssl.freeddns.org set STAGING=--env STAGING=true :Run diff --git a/test/run-test.sh b/test/run-test.sh index 8a2a9f2..760c600 100755 --- a/test/run-test.sh +++ b/test/run-test.sh @@ -15,7 +15,8 @@ else fi if [[ "$OS" == *"staging"* ]]; then - ALIAS="${OS%-staging}-getssl.duckdns.org" + #ALIAS="${OS%-staging}-getssl.duckdns.org" + ALIAS="${OS%-staging}-getssl.freeddns.org" STAGING="--env STAGING=true" else ALIAS="$OS.getssl.test" diff --git a/test/test-config/getssl-staging-dns01-fail-dns-add.cfg b/test/test-config/getssl-staging-dns01-fail-dns-add.cfg deleted file mode 100644 index 2985d32..0000000 --- a/test/test-config/getssl-staging-dns01-fail-dns-add.cfg +++ /dev/null 
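Review bot: The header comment `# Special test script which will always fail to update dns` contradicts the `exit 0` two lines below: the script succeeds without touching DNS, which is exactly what lets getssl reach its retry path instead of aborting on a failed `DNS_ADD_COMMAND`. Say so explicitly, e.g. `# Test stub: exits 0 without publishing any record, so getssl's DNS check never succeeds and the DNS_WAIT_RETRY_ADD path is exercised`. The deleted `dns_fail_add_duckdns` instead published a wrong value (`txt=FAIL`); noting that the stub now publishes nothing helps whoever next touches `18-staging-retry-dns-add.bats`. `run-test.sh` keeps the old DuckDNS alias as a commented-out line; drop it rather than carry dead config. Replayed in [PATCH 06/11].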
@@ -1,33 +0,0 @@ -# Special config to test that the retry dns_add_command logic works -# -CA="https://acme-staging-v02.api.letsencrypt.org/directory" - -# Generic staging config -VALIDATE_VIA_DNS=true -DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_duckdns" -PUBLIC_DNS_SERVER=ns2.duckdns.org -CHECK_ALL_AUTH_DNS=true - -# Test that the retry works (dns_add_command will always fail) -DNS_WAIT_RETRY_ADD="true" -DNS_ADD_COMMAND="/getssl/test/dns_fail_add_duckdns" - -# Speed up the test by reducing the number or retries and the wait between retries. -DNS_WAIT=2 -DNS_WAIT_COUNT=11 -DNS_EXTRA_WAIT=0 - -# Standard config -ACCOUNT_KEY_TYPE="rsa" -PRIVATE_KEY_ALG="rsa" -SANS="" -ACL=('/var/www/html/.well-known/acme-challenge') -USE_SINGLE_ACL="false" -DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt" -DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key" -CA_CERT_LOCATION="/etc/nginx/pki/chain.crt" -DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert -DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert -RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx" -SERVER_TYPE="https" -CHECK_REMOTE="true" diff --git a/test/test-config/getssl-staging-dns01-no-suffix.cfg b/test/test-config/getssl-staging-dns01-no-suffix.cfg deleted file mode 100644 index b4f5202..0000000 --- a/test/test-config/getssl-staging-dns01-no-suffix.cfg +++ /dev/null 
@@ -1,36 +0,0 @@ -# Test that the script works with external dns provider and staging server -# -CA="https://acme-staging-v02.api.letsencrypt.org" - -VALIDATE_VIA_DNS=true -DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_duckdns" -DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_duckdns" -PUBLIC_DNS_SERVER=ns2.duckdns.org -CHECK_ALL_AUTH_DNS=true -DNS_EXTRA_WAIT=120 - -# Speed up the test by reducing the number or retries and the wait between retries. -DNS_WAIT=2 -DNS_WAIT_COUNT=11 -DNS_WAIT_RETRY_ADD="true" - -ACCOUNT_KEY_TYPE="rsa" -PRIVATE_KEY_ALG="rsa" - -# Additional domains - this could be multiple domains / subdomains in a comma separated list -SANS="" - -# Location for all your certs, these can either be on the server (full path name) -# or using ssh /sftp as for the ACL -DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt" -DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key" -CA_CERT_LOCATION="/etc/nginx/pki/chain.crt" -DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert -DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert - -# The command needed to reload apache / nginx or whatever you use -RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx" - -# Define the server type and confirm correct certificate is installed (using a custom port) -SERVER_TYPE="https" -CHECK_REMOTE="true" diff --git a/test/test-config/getssl-staging-dns01.cfg b/test/test-config/getssl-staging-dns01.cfg index 19413cd..64a7388 100644 --- a/test/test-config/getssl-staging-dns01.cfg +++ b/test/test-config/getssl-staging-dns01.cfg 
@@ -3,15 +3,17 @@ CA="https://acme-staging-v02.api.letsencrypt.org/directory" VALIDATE_VIA_DNS=true -DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_duckdns" -DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_duckdns" -PUBLIC_DNS_SERVER=1.1.1.1 +DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_dynu" +DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_dynu" +PUBLIC_DNS_SERVER="8.8.8.8 resolver1.infoserve.de" +AUTH_DNS_SERVER=ns1.dynu.com CHECK_ALL_AUTH_DNS="true" CHECK_PUBLIC_DNS_SERVER="true" DNS_EXTRA_WAIT=120 # Speed up the test by reducing the number or retries and retrying DNS_ADD after 10 failures DNS_WAIT_COUNT=20 +DNS_WAIT=30 DNS_WAIT_RETRY_ADD="true" ACCOUNT_KEY_TYPE="rsa" @@ -38,3 +40,6 @@ CHECK_REMOTE="true" if [[ -s "$DOMAIN_DIR/getssl_test_specific.cfg" ]]; then . $DOMAIN_DIR/getssl_test_specific.cfg fi + +#_RUNNING_TEST=1 +#_USE_DEBUG=1 From 92673dae6ea8aeb31f95eb6fff33fd263f3ddcd1 Mon Sep 17 00:00:00 2001 From: Tim Kimber Date: Thu, 10 Dec 2020 18:39:29 +0000 Subject: [PATCH 04/11] Add dns scripts for Dynu.com --- dns_scripts/dns_add_dynu | 68 ++++++++++++++++++++++++++++++++++++++++ dns_scripts/dns_del_dynu | 63 +++++++++++++++++++++++++++++++++++++ 2 files changed, 131 insertions(+) create mode 100644 dns_scripts/dns_add_dynu create mode 100644 dns_scripts/dns_del_dynu diff --git a/dns_scripts/dns_add_dynu b/dns_scripts/dns_add_dynu new file mode 100644 index 0000000..7a08ce8 --- /dev/null +++ b/dns_scripts/dns_add_dynu 
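Review bot: The trailing `#_RUNNING_TEST=1` and `#_USE_DEBUG=1` lines are commented-out debug toggles left in a config every staging DNS test sources; remove them or replace them with a one-line comment naming the variables to set for verbose output. `PUBLIC_DNS_SERVER` now lists a second third-party resolver (`resolver1.infoserve.de`) whose availability the test depends on; a comment on why two resolvers are checked, and what a failure of one means for the run, would speed up triage of unrelated flakes. If each retry waits `DNS_WAIT` seconds, `DNS_WAIT=30` with `DNS_WAIT_COUNT=20` allows ten minutes per domain before `DNS_WAIT_RETRY_ADD` gives up, which is worth stating next to the values. Replayed in [PATCH 06/11].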
@@ -0,0 +1,68 @@ +#!/usr/bin/env bash +# Need to add your API key below or set as env variable +apikey=${DYNU_API_KEY:-''} + +# This script adds a token to dynu.com DNS for the ACME challenge +# usage dns_add_dynu "domain name" "token" +# return codes are; +# 0 - success +# 1 - error in input +# 2 - error within internal processing +# 3 - error in result ( domain not found in dynu.com etc) + +fulldomain="${1}" +token="${2}" + +API='https://api.dynu.com/v2/dns' + +# Check initial parameters +if [[ -z "$fulldomain" ]]; then + echo "DNS script requires full domain name as first parameter" + exit 1 +fi +if [[ -z "$token" ]]; then + echo "DNS script requires challenge token as second parameter" + exit 1 +fi + +curl_params=( -H "accept: application/json" -H "API-Key: $apikey" -H 'Content-Type: application/json' ) + +# Get domain id +resp=$(curl --silent "${curl_params[@]}" -X GET "$API") + +# Match domain id +re="\"id\":([^,]*),\"name\":\"getssl-testing.freeddns.org\"" +if [[ "$resp" =~ $re ]]; then + domain_id="${BASH_REMATCH[1]}" +fi + +if [[ -z "$domain_id" ]]; then + echo 'Domain name not found on your Dynu account' + exit 3 +fi + +# Check for existing _acme-challenge TXT record +resp=$(curl --silent "${curl_params[@]}" -X GET "${API}/record/_acme-challenge.${fulldomain}?recordType=TXT") +re="\"id\":([^,]*)" +if [[ "$resp" =~ $re ]]; then + record_id="${BASH_REMATCH[1]}" +fi + +if [[ -z "$record_id" ]]; then + # Add new TXT challenge record + resp=$(curl --silent \ + "${curl_params[@]}" \ + -X POST "${API}/${domain_id}/record" \ + --data "{\"nodeName\":\"_acme-challenge\",\"recordType\":\"TXT\",\"textData\":\"$token\"}") +else + resp=$(curl --silent \ + "${curl_params[@]}" \ + -X POST "${API}/${domain_id}/record/${record_id}" \ + --data "{\"nodeName\":\"_acme-challenge\",\"recordType\":\"TXT\",\"textData\":\"$token\"}") +fi + +# If adding record failed (exception:) then print error message +if [[ "${resp// }" == *'"exception"'* ]]; then + echo "Error: DNS challenge 
not added: unknown error - ${resp}" + exit 3 +fi diff --git a/dns_scripts/dns_del_dynu b/dns_scripts/dns_del_dynu new file mode 100644 index 0000000..310bb61 --- /dev/null +++ b/dns_scripts/dns_del_dynu @@ -0,0 +1,63 @@ +#!/usr/bin/env bash +# Need to add your API key below or set as env variable +apikey=${DYNU_API_KEY:-''} + +# This script deletes the _acme-challenge TXT record from the dynu.com DNS entry for the domain +# usage dns_del_dynu "domain name" +# return codes are; +# 0 - success +# 1 - error in input +# 2 - error within internal processing +# 3 - error in result ( domain not found in dynu.com etc) + +fulldomain="${1}" + +API='https://api.dynu.com/v2/dns' + +# Check initial parameters +if [[ -z "$fulldomain" ]]; then + echo "DNS script requires full domain name as first parameter" + exit 1 +fi +if [[ -z "$apikey" ]]; then + echo "DNS script requires an apikey to be set" + exit 1 +fi + +curl_params=( -H "accept: application/json" -H "API-Key: $apikey" -H 'Content-Type: application/json' ) + +# Get domain id +resp=$(curl --silent "${curl_params[@]}" -X GET "$API") + +# Match domain id +re="\"id\":([^,]*),\"name\":\"getssl-testing.freeddns.org\"" +if [[ "$resp" =~ $re ]]; then + domain_id="${BASH_REMATCH[1]}" +fi + +if [[ -z "$domain_id" ]]; then + echo 'Domain name not found on your Dynu account' + exit 3 +fi + +# Find existing _acme-challenge TXT record +resp=$(curl --silent "${curl_params[@]}" -X GET "${API}/record/_acme-challenge.${fulldomain}?recordType=TXT") +re="\"id\":([^,]*)" +if [[ "$resp" =~ $re ]]; then + record_id="${BASH_REMATCH[1]}" +fi + +if [[ -z "$record_id" ]]; then + echo "No _acme-challenge TXT record found for $fulldomain" + exit 3 +fi + +resp=$(curl --silent \ + "${curl_params[@]}" \ + -X DELETE "${API}/${domain_id}/record/${record_id}") + +# If adding record failed (exception:) then print error message +if [[ "${resp// }" == *'"exception"'* ]]; then + echo "Error: DNS challenge not added: unknown error - ${resp}" + exit 3 +fi 
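Review bot: [PATCH 04/11] (92673da) is a byte-for-byte replay of [PATCH 01/11] (9350bce) — same subject, same diffstat, same blobs `7a08ce8` and `310bb61` — and it creates `dns_scripts/dns_add_dynu` and `dns_scripts/dns_del_dynu` again with `new file mode`, so applying the series in order with `git am` stops here because the files already exist. [PATCH 05/11] (2e55885) and [PATCH 06/11] (5732867) likewise repeat [PATCH 02/11] and [PATCH 03/11], with only the `getssl` index line differing (0caa2a4..84ef2cc vs f509060..8c85771), which looks like a rebase or cherry-pick of already-applied commits; the series should be squashed back to the first three. The review points raised on the first copies apply unchanged to these.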
From 2e558854c3a9ef18c8df5460880641a92997011a Mon Sep 17 00:00:00 2001 From: Tim Kimber Date: Thu, 17 Dec 2020 21:58:47 +0000 Subject: [PATCH 05/11] Some fixes to get_auth_dns --- getssl | 28 ++++++++++++++++++++-------- 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/getssl b/getssl index 0caa2a4..84ef2cc 100755 --- a/getssl +++ b/getssl @@ -520,12 +520,24 @@ check_challenge_completion_dns() { # perform validation via DNS challenge check_result=$($DNS_CHECK_FUNC TXT "_acme-challenge.${lower_d}" "@${ns}" \ | grep -i "^_acme-challenge.${lower_d}" \ | grep 'IN\WTXT'|awk -F'"' '{ print $2}') + debug "check_result=$check_result" + if [[ -z "$check_result" ]]; then + debug "$DNS_CHECK_FUNC" ANY "_acme-challenge.${lower_d}" "@${ns}" + check_result=$($DNS_CHECK_FUNC ANY "_acme-challenge.${lower_d}" "@${ns}" \ + | grep -i "^_acme-challenge.${lower_d}" \ + | grep 'IN\WTXT'|awk -F'"' '{ print $2}') + debug "check_result=$check_result" + fi elif [[ "$DNS_CHECK_FUNC" == "host" ]]; then check_result=$($DNS_CHECK_FUNC -t TXT "_acme-challenge.${lower_d}" "${ns}" \ | grep 'descriptive text'|awk -F'"' '{ print $2}') else check_result=$(nslookup -type=txt "_acme-challenge.${lower_d}" "${ns}" \ | grep 'text ='|awk -F'"' '{ print $2}') + if [[ -z "$check_result" ]]; then + check_result=$(nslookup -type=any "_acme-challenge.${lower_d}" "${ns}" \ + | grep 'text ='|awk -F'"' '{ print $2}') + fi fi debug "expecting $auth_key" debug "${ns} gave ... $check_result" @@ -538,6 +550,7 @@ check_challenge_completion_dns() { # perform validation via DNS challenge if [[ $DNS_WAIT_RETRY_ADD == "true" && $(( ntries % 10 )) == 0 ]]; then debug "Retrying adding dns via command: $DNS_ADD_COMMAND $lower_d $auth_key" + test_output "Retrying adding dns via command: $DNS_ADD_COMMAND" eval "$DNS_DEL_COMMAND" "$lower_d" "$auth_key" if ! eval "$DNS_ADD_COMMAND" "$lower_d" "$auth_key" ; then error_exit "DNS_ADD_COMMAND failed for domain $d" 
@@ -1165,10 +1178,12 @@ for d in "${alldomains[@]}"; do # find a primary / authoritative DNS server for the domain if [[ -z "$AUTH_DNS_SERVER" ]]; then get_auth_dns "$d" + elif [[ "$CHECK_PUBLIC_DNS_SERVER" == "true" ]]; then + primary_ns="$AUTH_DNS_SERVER $PUBLIC_DNS_SERVER" else primary_ns="$AUTH_DNS_SERVER" fi - debug primary_ns "$primary_ns" + debug set primary_ns = "$primary_ns" check_challenge_completion_dns "${token}" "${uri}" "${keyauthorization}" "${d}" "${primary_ns}" "${auth_key}" else # set up the correct http token for verification @@ -1270,11 +1285,11 @@ get_auth_dns() { # get the authoritative dns server for a domain (sets primary_n if [[ -z "$all_auth_dns_servers" ]]; then error_exit "couldn't find primary DNS server - please set AUTH_DNS_SERVER in config" fi + primary_ns="$all_auth_dns_servers" if [[ "$CHECK_PUBLIC_DNS_SERVER" == "true" ]]; then - primary_ns="$all_auth_dns_servers $PUBLIC_DNS_SERVER" - else - primary_ns="$all_auth_dns_servers" + primary_ns="$primary_ns $PUBLIC_DNS_SERVER" fi + return fi @@ -1348,8 +1363,8 @@ get_auth_dns() { # get the authoritative dns server for a domain (sets primary_n primary_ns="$primary_ns $PUBLIC_DNS_SERVER" fi - debug set primary_ns = "$primary_ns" test_output set primary_ns ="$primary_ns" + return fi fi @@ -1428,9 +1443,6 @@ get_auth_dns() { # get the authoritative dns server for a domain (sets primary_n primary_ns=$(echo "$all_auth_dns_servers" | awk '{print $1}') fi - if [[ "$CHECK_PUBLIC_DNS_SERVER" == "true" ]]; then - primary_ns="$primary_ns $PUBLIC_DNS_SERVER" - fi return fi fi From 5732867d2dfda26576aa1eb17da7d4355d7f2b13 Mon Sep 17 00:00:00 2001 
From: Tim Kimber Date: Thu, 17 Dec 2020 22:00:04 +0000 Subject: [PATCH 06/11] Move DNS used for staging tests to Dynu --- dns_scripts/dns_add_dynu | 14 +++++--- dns_scripts/dns_del_dynu | 22 ++++++++---- test/15-test-revoke-no-suffix.bats | 6 +++- test/18-staging-retry-dns-add.bats | 16 +++++++-- test/Dockerfile-centos7-staging | 1 + test/Dockerfile-ubuntu-staging | 1 + test/dns_add_fail | 6 ++++ test/dns_fail_add_duckdns | 19 ---------- test/run-test.cmd | 2 +- test/run-test.sh | 3 +- .../getssl-staging-dns01-fail-dns-add.cfg | 33 ----------------- .../getssl-staging-dns01-no-suffix.cfg | 36 ------------------- test/test-config/getssl-staging-dns01.cfg | 11 ++++-- 13 files changed, 62 insertions(+), 108 deletions(-) create mode 100644 test/dns_add_fail delete mode 100755 test/dns_fail_add_duckdns delete mode 100644 test/test-config/getssl-staging-dns01-fail-dns-add.cfg delete mode 100644 test/test-config/getssl-staging-dns01-no-suffix.cfg diff --git a/dns_scripts/dns_add_dynu b/dns_scripts/dns_add_dynu index 7a08ce8..e20470d 100644 --- a/dns_scripts/dns_add_dynu +++ b/dns_scripts/dns_add_dynu @@ -28,10 +28,11 @@ fi curl_params=( -H "accept: application/json" -H "API-Key: $apikey" -H 'Content-Type: application/json' ) # Get domain id -resp=$(curl --silent "${curl_params[@]}" -X GET "$API") +# curl -X GET https://api.dynu.com/v2/dns/getroot/ubuntu-getssl.freeddns.org +resp=$(curl --silent "${curl_params[@]}" -X GET "$API/getroot/${fulldomain}") # Match domain id -re="\"id\":([^,]*),\"name\":\"getssl-testing.freeddns.org\"" +re="\"id\":([^,]*),\"domainName\":\"${fulldomain}\"" if [[ "$resp" =~ $re ]]; then domain_id="${BASH_REMATCH[1]}" fi 
@@ -42,6 +43,7 @@ if [[ -z "$domain_id" ]]; then fi # Check for existing _acme-challenge TXT record +# curl -X GET "https://api.dynu.com/v2/dns/record/_acme-challenge.ubuntu-getssl.freeddns.org?recordType=TXT" resp=$(curl --silent "${curl_params[@]}" -X GET "${API}/record/_acme-challenge.${fulldomain}?recordType=TXT") re="\"id\":([^,]*)" if [[ "$resp" =~ $re ]]; then @@ -53,16 +55,18 @@ if [[ -z "$record_id" ]]; then resp=$(curl --silent \ "${curl_params[@]}" \ -X POST "${API}/${domain_id}/record" \ - --data "{\"nodeName\":\"_acme-challenge\",\"recordType\":\"TXT\",\"textData\":\"$token\"}") + --data "{\"nodeName\":\"_acme-challenge\",\"recordType\":\"TXT\",\"state\":\"true\",\"textData\":\"$token\"}") else + # Update existing record + # curl -X POST https://api.dynu.com/v2/dns/9329328/record/7082063 -d "{\"nodeName\":\"_acme-challenge\",\"recordType\":\"TXT\",\"state\":\"true\",\"textData\":\"Test2\"}" resp=$(curl --silent \ "${curl_params[@]}" \ -X POST "${API}/${domain_id}/record/${record_id}" \ - --data "{\"nodeName\":\"_acme-challenge\",\"recordType\":\"TXT\",\"textData\":\"$token\"}") + --data "{\"nodeName\":\"_acme-challenge\",\"recordType\":\"TXT\",\"state\":\"true\",\"textData\":\"$token\"}") fi # If adding record failed (exception:) then print error message -if [[ "${resp// }" == *'"exception"'* ]]; then +if [[ "$resp" != *"\"statusCode\":200"* ]]; then echo "Error: DNS challenge not added: unknown error - ${resp}" exit 3 fi diff --git a/dns_scripts/dns_del_dynu b/dns_scripts/dns_del_dynu index 310bb61..1d8d588 100644 --- a/dns_scripts/dns_del_dynu +++ b/dns_scripts/dns_del_dynu 
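Review bot: Both POST bodies hard-code `\"nodeName\":\"_acme-challenge\"`, which places the TXT record directly under the Dynu zone rather than at `_acme-challenge.${fulldomain}` when the certificate name is a host inside the zone; the existence check a few lines up queries `record/_acme-challenge.${fulldomain}`, so for such names the two would likely disagree and a fresh root-level record would be created on every run. Deriving the node from the zone root keeps them consistent, e.g. `node_name="_acme-challenge"` and `[[ "$fulldomain" != "$root_domain" ]] && node_name="_acme-challenge.${fulldomain%".$root_domain"}"`, with `$node_name` used in both JSON bodies (the root name would have to be captured from the getroot response earlier in the script). The new success test `*"\"statusCode\":200"*` is also what an empty response from a failed `curl --silent` falls into, so adding `--show-error` (`-sS`) would make the real cause visible next to that 'unknown error' line.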
@@ -10,6 +10,12 @@ apikey=${DYNU_API_KEY:-''} # 2 - error within internal processing # 3 - error in result ( domain not found in dynu.com etc) +# After deleting the TXT record from Dynu.com it takes over 30 minutes to add a new TXT record! +# This doesn't happen when updating the TXT record, just for delete then add +# As this is used for testing, changed the delete to a no-op. + +exit 0 + fulldomain="${1}" API='https://api.dynu.com/v2/dns' @@ -20,17 +26,18 @@ if [[ -z "$fulldomain" ]]; then exit 1 fi if [[ -z "$apikey" ]]; then - echo "DNS script requires an apikey to be set" + echo "DNS script requires apikey environment variable to be set" exit 1 fi curl_params=( -H "accept: application/json" -H "API-Key: $apikey" -H 'Content-Type: application/json' ) # Get domain id -resp=$(curl --silent "${curl_params[@]}" -X GET "$API") +# curl -X GET https://api.dynu.com/v2/dns/getroot/ubuntu-getssl.freeddns.org +resp=$(curl --silent "${curl_params[@]}" -X GET "$API/getroot/${fulldomain}") # Match domain id -re="\"id\":([^,]*),\"name\":\"getssl-testing.freeddns.org\"" +re="\"id\":([^,]*),\"domainName\":\"${fulldomain}\"" if [[ "$resp" =~ $re ]]; then domain_id="${BASH_REMATCH[1]}" fi @@ -40,7 +47,8 @@ if [[ -z "$domain_id" ]]; then exit 3 fi -# Find existing _acme-challenge TXT record +# Check for existing _acme-challenge TXT record +# curl -X GET "https://api.dynu.com/v2/dns/record/_acme-challenge.ubuntu-getssl.freeddns.org?recordType=TXT" resp=$(curl --silent "${curl_params[@]}" -X GET "${API}/record/_acme-challenge.${fulldomain}?recordType=TXT") re="\"id\":([^,]*)" if [[ "$resp" =~ $re ]]; then @@ -48,8 +56,8 @@ if [[ "$resp" =~ $re ]]; then fi if [[ -z "$record_id" ]]; then - echo "No _acme-challenge TXT record found for $fulldomain" - exit 3 + echo "No _acme-challenge.${fulldomain} TXT record found" + exit 0 fi resp=$(curl --silent \ 
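Review bot: The unconditional `exit 0` placed before the parameter checks turns the shipped `dns_scripts/dns_del_dynu` into a no-op for every user, not only for the test suite, so `_acme-challenge` TXT records are never removed from the zone and everything below that line is dead code. The delete/re-add delay described in the comment is a test-environment concern, so the skip belongs in a test-only stub (as `test/dns_add_fail` already is) or behind an explicit opt-in such as `if [[ "${DYNU_KEEP_TXT:-}" == "true" ]]; then exit 0; fi` that the staging config sets. If the no-op is kept as-is, the header should at least say so, since the return-code contract listed just above it no longer holds.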
@@ -57,7 +65,7 @@ resp=$(curl --silent \ -X DELETE "${API}/${domain_id}/record/${record_id}") # If adding record failed (exception:) then print error message -if [[ "${resp// }" == *'"exception"'* ]]; then +if [[ "$resp" != *"\"statusCode\":200"* ]]; then echo "Error: DNS challenge not added: unknown error - ${resp}" exit 3 fi diff --git a/test/15-test-revoke-no-suffix.bats b/test/15-test-revoke-no-suffix.bats index 5e8d797..96e174b 100644 --- a/test/15-test-revoke-no-suffix.bats +++ b/test/15-test-revoke-no-suffix.bats @@ -15,10 +15,12 @@ setup() { @test "Create certificate to check revoke (no suffix)" { if [ -n "$STAGING" ]; then - CONFIG_FILE="getssl-staging-dns01-no-suffix.cfg" + CONFIG_FILE="getssl-staging-dns01.cfg" else CONFIG_FILE="getssl-http01-no-suffix.cfg" fi + echo 'CA="https://acme-staging-v02.api.letsencrypt.org"' >> ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg + . "${CODE_DIR}/test/test-config/${CONFIG_FILE}" setup_environment init_getssl @@ -34,6 +36,8 @@ setup() { else CONFIG_FILE="getssl-http01.cfg" fi + echo 'CA="https://acme-staging-v02.api.letsencrypt.org"' >> ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg + . "${CODE_DIR}/test/test-config/${CONFIG_FILE}" CERT=${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt KEY=${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.key diff --git a/test/18-staging-retry-dns-add.bats b/test/18-staging-retry-dns-add.bats index 8b636d6..bca7c05 100644 --- a/test/18-staging-retry-dns-add.bats +++ b/test/18-staging-retry-dns-add.bats 
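Review bot: The failure message in the delete path still reads 'DNS challenge not added', a copy of the add script's text, which will send anyone debugging a failed cleanup to the wrong script; change it to `echo "Error: DNS challenge record not deleted - ${resp}"`. The `statusCode` check itself is fine, but because the preceding curl runs with `--silent`, a transport error yields an empty `resp` and the same 'unknown error' line; `-sS` keeps curl's own diagnostic visible.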
@@ -6,14 +6,26 @@ load '/getssl/test/test_helper.bash' -@test "Check retry add dns command if dns isn't updated (DuckDNS)" { +@test "Check retry add dns command if dns isn't updated" { if [ -z "$STAGING" ]; then skip "Running internal tests, skipping external test" fi - CONFIG_FILE="getssl-staging-dns01-fail-dns-add.cfg" + + CONFIG_FILE="getssl-staging-dns01.cfg" setup_environment init_getssl + + cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg +DNS_ADD_COMMAND="/getssl/test/dns_add_fail" + +# Speed up the test by reducing the number or retries and the wait between retries. +DNS_WAIT=2 +DNS_WAIT_COUNT=11 +DNS_EXTRA_WAIT=0 +CHECK_ALL_AUTH_DNS="false" +CHECK_PUBLIC_DNS_SERVER="false" +EOF create_certificate -d assert_failure assert_line --partial "Retrying adding dns via command" diff --git a/test/Dockerfile-centos7-staging b/test/Dockerfile-centos7-staging index 0b2ff08..ad49896 100644 --- a/test/Dockerfile-centos7-staging +++ b/test/Dockerfile-centos7-staging @@ -9,6 +9,7 @@ RUN yum -y install git curl bind-utils ldns wget which nginx ENV staging "true" ENV DUCKDNS_TOKEN 1d616aa9-b8e4-4bb4-b312-3289de82badb +ENV DYNU_API_KEY 65cXefd35XbYf36546eg5dYcZT6X52Y2 WORKDIR /root RUN mkdir /etc/nginx/pki diff --git a/test/Dockerfile-ubuntu-staging b/test/Dockerfile-ubuntu-staging index 1ee3f83..3032c85 100644 --- a/test/Dockerfile-ubuntu-staging +++ b/test/Dockerfile-ubuntu-staging @@ -8,6 +8,7 @@ ENV DEBIAN_FRONTEND noninteractive # Ensure tests in this image use the staging server ENV staging "true" ENV DUCKDNS_TOKEN 1d616aa9-b8e4-4bb4-b312-3289de82badb +ENV DYNU_API_KEY 65cXefd35XbYf36546eg5dYcZT6X52Y2 # Update and install required software RUN apt-get update --fix-missing diff --git a/test/dns_add_fail b/test/dns_add_fail new file mode 100644 index 0000000..44ab42b --- /dev/null +++ b/test/dns_add_fail 
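Review bot: `ENV DYNU_API_KEY 65cXefd35XbYf36546eg5dYcZT6X52Y2` commits a live Dynu API credential to the repository and bakes it into every image layer built from these Dockerfiles (the `DUCKDNS_TOKEN` line above it has the same problem); anyone holding the key can publish records under the freeddns.org test zone and pass DNS-01 for those names. `docker history`/`docker inspect` expose it and it remains in git history after removal, so the key should be treated as compromised and rotated. `test/run-test.sh` already passes `--env` flags to `docker run`, so the key can be forwarded at run time from a CI secret instead, e.g. `STAGING="--env STAGING=true --env DYNU_API_KEY"` (an `--env NAME` with no value forwards it from the host), and the Dockerfiles keep no credential.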
@@ -0,0 +1,6 @@ +#!/bin/bash + +# Special test script which will always fail to update dns + +echo "This is a test script to check retry works if DNS isn't updated" +exit 0 diff --git a/test/dns_fail_add_duckdns b/test/dns_fail_add_duckdns deleted file mode 100755 index 03df89f..0000000 --- a/test/dns_fail_add_duckdns +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/bash - -# Special test script which will always fail to update dns - -token=${DUCKDNS_TOKEN:-} - -if [ -z "$token" ]; then - echo "DUCKDNS_TOKEN not set" - exit 1 -fi - -domain="$1" - -response=$(curl --retry 5 --silent "https://www.duckdns.org/update?domains=${domain}&token=${token}&txt=FAIL") -if [ "$response" != "OK" ]; then - echo "Failed to update TXT record for ${domain} at duckdns.org (is the TOKEN valid?)" - echo "Response: $response" - exit 1 -fi diff --git a/test/run-test.cmd b/test/run-test.cmd index 23235c9..0462617 100644 --- a/test/run-test.cmd +++ b/test/run-test.cmd @@ -23,7 +23,7 @@ set COMMAND=bats /getssl/test GOTO CheckAlias :staging -set ALIAS=%OS:-staging=%-getssl.duckdns.org +set ALIAS=%OS:-staging=%-getssl.freeddns.org set STAGING=--env STAGING=true :Run diff --git a/test/run-test.sh b/test/run-test.sh index 8a2a9f2..760c600 100755 --- a/test/run-test.sh +++ b/test/run-test.sh @@ -15,7 +15,8 @@ else fi if [[ "$OS" == *"staging"* ]]; then - ALIAS="${OS%-staging}-getssl.duckdns.org" + #ALIAS="${OS%-staging}-getssl.duckdns.org" + ALIAS="${OS%-staging}-getssl.freeddns.org" STAGING="--env STAGING=true" else ALIAS="$OS.getssl.test" diff --git a/test/test-config/getssl-staging-dns01-fail-dns-add.cfg b/test/test-config/getssl-staging-dns01-fail-dns-add.cfg deleted file mode 100644 index 2985d32..0000000 --- a/test/test-config/getssl-staging-dns01-fail-dns-add.cfg +++ /dev/null 
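Review bot: The header comment `# Special test script which will always fail to update dns` contradicts the body, which exits 0 and simply never touches DNS; the test depends on that success exit so getssl goes on to poll for a token that never appears and then takes the retry path asserted by `Retrying adding dns via command`. Suggest `# Test stub: returns success without publishing anything, so getssl's DNS check never sees the token and the DNS_WAIT_RETRY_ADD path is exercised.` so the next reader does not 'fix' the exit code.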
@@ -1,33 +0,0 @@ -# Special config to test that the retry dns_add_command logic works -# -CA="https://acme-staging-v02.api.letsencrypt.org/directory" - -# Generic staging config -VALIDATE_VIA_DNS=true -DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_duckdns" -PUBLIC_DNS_SERVER=ns2.duckdns.org -CHECK_ALL_AUTH_DNS=true - -# Test that the retry works (dns_add_command will always fail) -DNS_WAIT_RETRY_ADD="true" -DNS_ADD_COMMAND="/getssl/test/dns_fail_add_duckdns" - -# Speed up the test by reducing the number or retries and the wait between retries. -DNS_WAIT=2 -DNS_WAIT_COUNT=11 -DNS_EXTRA_WAIT=0 - -# Standard config -ACCOUNT_KEY_TYPE="rsa" -PRIVATE_KEY_ALG="rsa" -SANS="" -ACL=('/var/www/html/.well-known/acme-challenge') -USE_SINGLE_ACL="false" -DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt" -DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key" -CA_CERT_LOCATION="/etc/nginx/pki/chain.crt" -DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert -DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert -RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx" -SERVER_TYPE="https" -CHECK_REMOTE="true" diff --git a/test/test-config/getssl-staging-dns01-no-suffix.cfg b/test/test-config/getssl-staging-dns01-no-suffix.cfg deleted file mode 100644 index b4f5202..0000000 --- a/test/test-config/getssl-staging-dns01-no-suffix.cfg +++ /dev/null 
@@ -1,36 +0,0 @@ -# Test that the script works with external dns provider and staging server -# -CA="https://acme-staging-v02.api.letsencrypt.org" - -VALIDATE_VIA_DNS=true -DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_duckdns" -DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_duckdns" -PUBLIC_DNS_SERVER=ns2.duckdns.org -CHECK_ALL_AUTH_DNS=true -DNS_EXTRA_WAIT=120 - -# Speed up the test by reducing the number or retries and the wait between retries. -DNS_WAIT=2 -DNS_WAIT_COUNT=11 -DNS_WAIT_RETRY_ADD="true" - -ACCOUNT_KEY_TYPE="rsa" -PRIVATE_KEY_ALG="rsa" - -# Additional domains - this could be multiple domains / subdomains in a comma separated list -SANS="" - -# Location for all your certs, these can either be on the server (full path name) -# or using ssh /sftp as for the ACL -DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt" -DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key" -CA_CERT_LOCATION="/etc/nginx/pki/chain.crt" -DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert -DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert - -# The command needed to reload apache / nginx or whatever you use -RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx" - -# Define the server type and confirm correct certificate is installed (using a custom port) -SERVER_TYPE="https" -CHECK_REMOTE="true" diff --git a/test/test-config/getssl-staging-dns01.cfg b/test/test-config/getssl-staging-dns01.cfg index 19413cd..64a7388 100644 --- a/test/test-config/getssl-staging-dns01.cfg +++ b/test/test-config/getssl-staging-dns01.cfg 
@@ -3,15 +3,17 @@ CA="https://acme-staging-v02.api.letsencrypt.org/directory" VALIDATE_VIA_DNS=true -DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_duckdns" -DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_duckdns" -PUBLIC_DNS_SERVER=1.1.1.1 +DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_dynu" +DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_dynu" +PUBLIC_DNS_SERVER="8.8.8.8 resolver1.infoserve.de" +AUTH_DNS_SERVER=ns1.dynu.com CHECK_ALL_AUTH_DNS="true" CHECK_PUBLIC_DNS_SERVER="true" DNS_EXTRA_WAIT=120 # Speed up the test by reducing the number or retries and retrying DNS_ADD after 10 failures DNS_WAIT_COUNT=20 +DNS_WAIT=30 DNS_WAIT_RETRY_ADD="true" ACCOUNT_KEY_TYPE="rsa" @@ -38,3 +40,6 @@ CHECK_REMOTE="true" if [[ -s "$DOMAIN_DIR/getssl_test_specific.cfg" ]]; then . $DOMAIN_DIR/getssl_test_specific.cfg fi + +#_RUNNING_TEST=1 +#_USE_DEBUG=1 From 26dadf3c7fb3d58b06df0564bcf8f02ac260a041 Mon Sep 17 00:00:00 2001 From: Tim Kimber Date: Tue, 22 Dec 2020 12:48:06 +0000 Subject: [PATCH 07/11] Split tests into pebble/staging --- ...run-all-tests.yml => run-tests-pebble.yml} | 27 +------------------ .../workflows/run-tests-staging-duckdns.yml | 25 +++++++++++++++++ .github/workflows/run-tests-staging-dynu.yml | 25 +++++++++++++++++ 3 files changed, 51 insertions(+), 26 deletions(-) rename .github/workflows/{run-all-tests.yml => run-tests-pebble.yml} (67%) create mode 100644 .github/workflows/run-tests-staging-duckdns.yml create mode 100644 .github/workflows/run-tests-staging-dynu.yml diff --git a/.github/workflows/run-all-tests.yml b/.github/workflows/run-tests-pebble.yml similarity index 67% rename from .github/workflows/run-all-tests.yml rename to .github/workflows/run-tests-pebble.yml index 7bb05dc..0e26962 100644 --- a/.github/workflows/run-all-tests.yml +++ b/.github/workflows/run-tests-pebble.yml @@ -1,4 +1,4 @@ -name: Run all tests +name: Run all tests on pebble on: push: branches: 
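Review bot: `DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_dynu"` now points at a script that, in the same patch, exits 0 before doing anything, so every staging run leaves its `_acme-challenge` TXT record published in the shared test zone; a comment here such as `# dns_del_dynu is currently a no-op (Dynu delete/re-add delay); the record is overwritten on the next run` would make that dependency visible to whoever later restores the delete. `PUBLIC_DNS_SERVER="8.8.8.8 resolver1.infoserve.de"` ties the suite to a third-party resolver with no stated reason, while the u1/u2 unit tests assert `1.0.0.1`; one line on why this second resolver is needed would help. The trailing `#_RUNNING_TEST=1` / `#_USE_DEBUG=1` lines look like leftover debugging toggles rather than configuration.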
@@ -15,14 +15,6 @@ jobs: run: docker-compose up -d --build - name: Run test suite on Alpine run: test/run-test.sh alpine - test-centos6: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v1 - - name: Build the docker-compose stack - run: docker-compose up -d --build - - name: Run test suite on CentOS6 - run: test/run-test.sh centos6 test-centos7: runs-on: ubuntu-latest steps: @@ -31,14 +23,6 @@ jobs: run: docker-compose up -d --build - name: Run test suite on CentOS7 run: test/run-test.sh centos7 - test-centos7-staging: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v1 - - name: Build the docker-compose stack - run: docker-compose up -d --build - - name: Run test suite on CentOS7 against Staging using DuckDNS - run: test/run-test.sh centos7-staging test-centos8: runs-on: ubuntu-latest steps: @@ -79,12 +63,3 @@ jobs: run: docker-compose up -d --build - name: Run test suite on Ubuntu18 run: test/run-test.sh ubuntu18 - test-ubuntu-staging: - needs: test-centos7-staging - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v1 - - name: Build the docker-compose stack - run: docker-compose up -d --build - - name: Run test suite on Ubuntu against Staging using DuckDNS - run: test/run-test.sh ubuntu-staging diff --git a/.github/workflows/run-tests-staging-duckdns.yml b/.github/workflows/run-tests-staging-duckdns.yml new file mode 100644 index 0000000..54da950 --- /dev/null +++ b/.github/workflows/run-tests-staging-duckdns.yml 
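Review bot: Besides moving the staging jobs out, this rename drops the `test-centos6` job entirely, which the commit message ('Split tests into pebble/staging') does not mention, so CentOS 6 quietly loses CI coverage; either restore it or state the removal and its reason in the message. The retained jobs keep `uses: actions/checkout@v1`, a floating major tag; pinning to a commit SHA with the version in a trailing comment is the usual supply-chain hygiene for actions.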
@@ -0,0 +1,25 @@ +name: Run all tests using DuckDNS +on: + push: + branches: + - master + pull_request: + branches: + - master +jobs: + test-centos7-duckdns: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v1 + - name: Build the docker-compose stack + run: docker-compose up -d --build + - name: Run test suite on CentOS7 against Staging using DuckDNS + run: test/run-test.sh centos7-duckdns + test-ubuntu-duckdns: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v1 + - name: Build the docker-compose stack + run: docker-compose up -d --build + - name: Run test suite on Ubuntu against Staging using DuckDNS + run: test/run-test.sh ubuntu-duckdns diff --git a/.github/workflows/run-tests-staging-dynu.yml b/.github/workflows/run-tests-staging-dynu.yml new file mode 100644 index 0000000..c523278 --- /dev/null +++ b/.github/workflows/run-tests-staging-dynu.yml @@ -0,0 +1,25 @@ +name: Run all tests using Dynu +on: + push: + branches: + - master + pull_request: + branches: + - master +jobs: + test-centos7-dynu: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v1 + - name: Build the docker-compose stack + run: docker-compose up -d --build + - name: Run test suite on CentOS7 against Staging using Dynu + run: test/run-test.sh centos7-dynu + test-ubuntu-dynu: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v1 + - name: Build the docker-compose stack + run: docker-compose up -d --build + - name: Run test suite on Ubuntu against Staging using Dynu + run: test/run-test.sh ubuntu-dynu From 5d6988f0eca3175f3ef3cdbd72fb41e1b15b8b4a Mon Sep 17 00:00:00 2001 
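Review bot: Both new workflows trigger on `pull_request` and run against the real Dynu/DuckDNS accounts and Let's Encrypt staging, and because the DNS credentials are baked into the Dockerfiles rather than held as GitHub secrets, a pull request from any fork can drive those accounts (a secret would not be exposed to fork PRs, but a committed key is). Consider limiting the staging workflows to `push` on master, or keeping `pull_request` only once the keys come from secrets. `uses: actions/checkout@v1` should also be pinned to a commit SHA, e.g. `uses: actions/checkout@<sha> # v1`, rather than a mutable tag.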
From: Tim Kimber Date: Tue, 22 Dec 2020 12:48:57 +0000 Subject: [PATCH 08/11] Test using both Dynu.com and Duckdns.org --- ...os7-staging => Dockerfile-centos7-duckdns} | 2 +- test/Dockerfile-centos7-dynu | 29 ++++++++++++++++++ ...untu-staging => Dockerfile-ubuntu-duckdns} | 2 +- test/Dockerfile-ubuntu-dynu | 30 +++++++++++++++++++ test/run-test.cmd | 18 +++++++---- test/run-test.sh | 14 +++++---- test/test-config/getssl-staging-dns01.cfg | 10 +++++-- test/u1-test-get_auth_dns-dig.bats | 14 ++++----- test/u2-test-get_auth_dns-drill.bats | 14 ++++----- 9 files changed, 104 insertions(+), 29 deletions(-) rename test/{Dockerfile-centos7-staging => Dockerfile-centos7-duckdns} (94%) create mode 100644 test/Dockerfile-centos7-dynu rename test/{Dockerfile-ubuntu-staging => Dockerfile-ubuntu-duckdns} (94%) create mode 100644 test/Dockerfile-ubuntu-dynu diff --git a/test/Dockerfile-centos7-staging b/test/Dockerfile-centos7-duckdns similarity index 94% rename from test/Dockerfile-centos7-staging rename to test/Dockerfile-centos7-duckdns index ad49896..719c9de 100644 --- a/test/Dockerfile-centos7-staging +++ b/test/Dockerfile-centos7-duckdns @@ -8,8 +8,8 @@ RUN yum -y install epel-release RUN yum -y install git curl bind-utils ldns wget which nginx ENV staging "true" +ENV dynamic_dns "dynu" ENV DUCKDNS_TOKEN 1d616aa9-b8e4-4bb4-b312-3289de82badb -ENV DYNU_API_KEY 65cXefd35XbYf36546eg5dYcZT6X52Y2 WORKDIR /root RUN mkdir /etc/nginx/pki diff --git a/test/Dockerfile-centos7-dynu b/test/Dockerfile-centos7-dynu new file mode 100644 index 0000000..01d41a7 --- /dev/null +++ b/test/Dockerfile-centos7-dynu 
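Review bot: The renamed `Dockerfile-centos7-duckdns` sets `ENV dynamic_dns "dynu"`, the opposite provider from the file's name and from the `DUCKDNS_TOKEN` it keeps, while the new `Dockerfile-centos7-dynu` in this same commit has `"duckdns"`; the two values are swapped. It is masked today only because `run-test.sh` passes `--env dynamic_dns=…` to `docker run`, which overrides the image value, so anyone running the image directly would get `dns_add_dynu` with no API key. Change it to `ENV dynamic_dns "duckdns"`.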
@@ -0,0 +1,29 @@ +FROM centos:centos7 + +# Note this image uses gawk + +# Update and install required software +RUN yum -y update +RUN yum -y install epel-release +RUN yum -y install git curl bind-utils ldns wget which nginx + +ENV staging "true" +ENV dynamic_dns "duckdns" +ENV DYNU_API_KEY 65cXefd35XbYf36546eg5dYcZT6X52Y2 + +WORKDIR /root +RUN mkdir /etc/nginx/pki +RUN mkdir /etc/nginx/pki/private +COPY ./test/test-config/nginx-ubuntu-no-ssl /etc/nginx/conf.d/default.conf +COPY ./test/test-config/nginx-centos7.conf /etc/nginx/nginx.conf + +# BATS (Bash Automated Testings) +RUN git clone https://github.com/bats-core/bats-core.git /bats-core --branch v1.2.1 +RUN git clone https://github.com/bats-core/bats-support /bats-support +RUN git clone https://github.com/bats-core/bats-assert /bats-assert +RUN /bats-core/install.sh /usr/local + +EXPOSE 80 443 + +# Run eternal loop - for testing +CMD tail -f /dev/null diff --git a/test/Dockerfile-ubuntu-staging b/test/Dockerfile-ubuntu-duckdns similarity index 94% rename from test/Dockerfile-ubuntu-staging rename to test/Dockerfile-ubuntu-duckdns index 3032c85..f4cf9e3 100644 --- a/test/Dockerfile-ubuntu-staging +++ b/test/Dockerfile-ubuntu-duckdns @@ -7,8 +7,8 @@ ENV DEBIAN_FRONTEND noninteractive # Ensure tests in this image use the staging server ENV staging "true" +ENV dynamic_dns "duckdns" ENV DUCKDNS_TOKEN 1d616aa9-b8e4-4bb4-b312-3289de82badb -ENV DYNU_API_KEY 65cXefd35XbYf36546eg5dYcZT6X52Y2 # Update and install required software RUN apt-get update --fix-missing diff --git a/test/Dockerfile-ubuntu-dynu b/test/Dockerfile-ubuntu-dynu new file mode 100644 index 0000000..2ea8c31 --- /dev/null +++ b/test/Dockerfile-ubuntu-dynu 
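Review bot: `ENV dynamic_dns "duckdns"` in the dynu image is wrong (its duckdns counterpart says `"dynu"`) and should be `ENV dynamic_dns "dynu"`; the hard-coded `DYNU_API_KEY` has the same credential-in-layer problem as the other staging images and should be supplied at run time. The `git clone` lines pin bats-core to `v1.2.1` but fetch bats-support and bats-assert from their default branch, so a push to either repository changes what this CI image executes; pin them with `--branch <tag>` (or check out a commit) as well. `yum -y update` with no version pin is the same class of drift, though less of a supply-chain concern.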
@@ -0,0 +1,30 @@ +FROM ubuntu:latest + +# Note this image uses mawk1.3 + +# Set noninteractive otherwise tzdata hangs +ENV DEBIAN_FRONTEND noninteractive + +# Ensure tests in this image use the staging server +ENV staging "true" +ENV dynamic_dns "dynu" +ENV DYNU_API_KEY 65cXefd35XbYf36546eg5dYcZT6X52Y2 + +# Update and install required software +RUN apt-get update --fix-missing +RUN apt-get install -y git curl dnsutils ldnsutils wget nginx-light +RUN apt-get install -y vim dos2unix # for debugging + +WORKDIR /root + +# Prevent "Can't load /root/.rnd into RNG" error from openssl +RUN touch /root/.rnd + +# BATS (Bash Automated Testings) +RUN git clone https://github.com/bats-core/bats-core.git /bats-core --branch v1.2.1 +RUN git clone https://github.com/bats-core/bats-support /bats-support +RUN git clone https://github.com/bats-core/bats-assert /bats-assert +RUN /bats-core/install.sh /usr/local + +# Run eternal loop - for testing +CMD tail -f /dev/null diff --git a/test/run-test.cmd b/test/run-test.cmd index 0462617..af5fb30 100644 --- a/test/run-test.cmd +++ b/test/run-test.cmd @@ -8,7 +8,8 @@ set COMMAND=%2 %3 :CheckAlias REM check if OS *contains* staging -IF NOT x%OS:staging=%==x%OS% GOTO staging +IF NOT x%OS:duck=%==x%OS% GOTO duckdns +IF NOT x%OS:dynu=%==x%OS% GOTO dynu set ALIAS=%OS%.getssl.test set STAGING= GOTO Run @@ -22,9 +23,16 @@ REM set COMMAND=/getssl/test/run-bats.sh set COMMAND=bats /getssl/test GOTO CheckAlias -:staging -set ALIAS=%OS:-staging=%-getssl.freeddns.org -set STAGING=--env STAGING=true +:duckdns +set ALIAS=%OS:-duckdns=%-getssl.duckdns.org +set STAGING=--env STAGING=true --env dynamic_dns=duckdns +set GETSSL_OS=%OS:-duckdns=% +GOTO Run + +:dynu +set ALIAS=%OS:-dynu=%-getssl.freeddns.org +set STAGING=--env STAGING=true --env dynamic_dns=dynu +set GETSSL_OS=%OS:-dynu=% :Run for %%I in (.) do set CurrDirName=%%~nxI 
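Review bot: `FROM ubuntu:latest` plus a hard-coded `ENV DYNU_API_KEY …` makes this image both unreproducible and a carrier of a live credential in its layers; pin the base (`FROM ubuntu:20.04` or a digest) and pass the key at run time via `--env DYNU_API_KEY` from `run-test.sh` instead of baking it in. `apt-get install -y vim dos2unix # for debugging` and the unpinned clones of bats-support/bats-assert (bats-core is pinned to v1.2.1) add further drift to a CI image for no test benefit. The key in this commit should be rotated regardless, since it is now in git history.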
@@ -33,7 +41,7 @@ docker build --rm -f "test\Dockerfile-%OS%" -t getssl-%OS% . @echo on docker run -it ^ --env GETSSL_HOST=%ALIAS% %STAGING% ^ - --env GETSSL_OS=%OS:-staging=% ^ + --env GETSSL_OS=%GETSSL_OS% ^ -v %cd%:/getssl ^ --rm ^ --network %CurrDirName%_acmenet ^ diff --git a/test/run-test.sh b/test/run-test.sh index 760c600..0503c2d 100755 --- a/test/run-test.sh +++ b/test/run-test.sh @@ -14,10 +14,14 @@ else COMMAND="bats /getssl/test" fi -if [[ "$OS" == *"staging"* ]]; then - #ALIAS="${OS%-staging}-getssl.duckdns.org" - ALIAS="${OS%-staging}-getssl.freeddns.org" - STAGING="--env STAGING=true" +if [[ "$OS" == *"duckdns"* ]]; then + ALIAS="${OS%-duckdns}-getssl.duckdns.org" + STAGING="--env STAGING=true --env dynamic_dns=duckdns" + GETSSL_OS="${OS%-duckdns}" +elif [[ "$OS" == *"dynu"* ]]; then + ALIAS="${OS%-dynu}-getssl.freeddns.org" + STAGING="--env STAGING=true --env dynamic_dns=dynu" + GETSSL_OS="${OS%-dynu}" else ALIAS="$OS.getssl.test" STAGING="" @@ -27,7 +31,7 @@ docker build --rm -f "test/Dockerfile-$OS" -t "getssl-$OS" . # shellcheck disable=SC2086 docker run \ --env GETSSL_HOST=$ALIAS $STAGING \ - --env GETSSL_OS=${OS%-staging} \ + --env GETSSL_OS=$GETSSL_OS \ -v "$(pwd)":/getssl \ --rm \ --network ${PWD##*/}_acmenet \ diff --git a/test/test-config/getssl-staging-dns01.cfg b/test/test-config/getssl-staging-dns01.cfg index 64a7388..8859686 100644 --- a/test/test-config/getssl-staging-dns01.cfg +++ b/test/test-config/getssl-staging-dns01.cfg 
@@ -3,10 +3,14 @@ CA="https://acme-staging-v02.api.letsencrypt.org/directory" VALIDATE_VIA_DNS=true -DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_dynu" -DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_dynu" +DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_${dynamic_dns}" +DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_${dynamic_dns}" PUBLIC_DNS_SERVER="8.8.8.8 resolver1.infoserve.de" -AUTH_DNS_SERVER=ns1.dynu.com +if [[ "${dynamic_dns}" == "dynu" ]]; then + AUTH_DNS_SERVER=ns1.dynu.com +else + AUTH_DNS_SERVER=ns1.duckdns.org +fi CHECK_ALL_AUTH_DNS="true" CHECK_PUBLIC_DNS_SERVER="true" DNS_EXTRA_WAIT=120 diff --git a/test/u1-test-get_auth_dns-dig.bats b/test/u1-test-get_auth_dns-dig.bats index d13cc56..6e64e68 100644 --- a/test/u1-test-get_auth_dns-dig.bats +++ b/test/u1-test-get_auth_dns-dig.bats @@ -59,14 +59,14 @@ teardown() { run get_auth_dns ubuntu-getssl.duckdns.org # Assert that we've found the primary_ns server - assert_output --regexp 'set primary_ns = ns[1-3]+\.duckdns\.org' + assert_output --regexp 'set primary_ns = ns[1-4]+\.duckdns\.org' # Assert that we had to use dig NS assert_line --partial 'Using dig NS' # Check all Authoritive DNS servers are returned if requested CHECK_ALL_AUTH_DNS=true run get_auth_dns ubuntu-getssl.duckdns.org - assert_output --regexp 'set primary_ns = ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org' + assert_output --regexp 'set primary_ns = ns[1-4]+\.duckdns\.org ns[1-4]+\.duckdns\.org ns[1-4]+\.duckdns\.org ns[1-4]+\.duckdns\.org' } @@ -86,7 +86,7 @@ teardown() { run get_auth_dns ubuntu-getssl.duckdns.org # Assert that we've found the primary_ns server - assert_output --regexp 'set primary_ns = ns[1-3]+\.duckdns\.org' + assert_output --regexp 'set primary_ns = ns[1-4]+\.duckdns\.org' # Assert that we had to use dig NS assert_line --partial 'Using dig SOA' 
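Review bot: `DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_${dynamic_dns}"` silently expands to a non-existent `dns_add_` when `dynamic_dns` is unset (a staging container started without the `--env dynamic_dns=…` that `run-test.sh` adds), and the `else` branch then picks `ns1.duckdns.org` regardless of provider. Fail early with `: "${dynamic_dns:?set dynamic_dns to duckdns or dynu}"` before these lines, or turn the `if` into a `case` with an explicit error branch.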
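Review bot: The CHECK_ALL_AUTH_DNS assertion now requires exactly four `ns[1-4]+\.duckdns\.org` entries, so the test tracks DuckDNS's current NS set rather than getssl's behaviour and will break again the next time that provider adds or removes a nameserver (this commit is itself such a fix, from three). Matching a repetition instead, e.g. `assert_output --regexp 'set primary_ns = (ns[0-9]+\.duckdns\.org ?){2,}'`, asserts the 'all servers' behaviour without pinning the count. Note that the `+` after the character class in the current pattern already accepts `ns11`, so the exact server numbers were never really being pinned.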
@@ -95,12 +95,12 @@ teardown() { # Check all Authoritive DNS servers are returned if requested CHECK_ALL_AUTH_DNS=true run get_auth_dns ubuntu-getssl.duckdns.org - assert_output --regexp 'set primary_ns = ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org' + assert_output --regexp 'set primary_ns = ns[1-4]+\.duckdns\.org ns[1-4]+\.duckdns\.org ns[1-4]+\.duckdns\.org ns[1-4]+\.duckdns\.org' # Check that we also check the public DNS server if requested CHECK_PUBLIC_DNS_SERVER=true run get_auth_dns ubuntu-getssl.duckdns.org - assert_output --regexp 'set primary_ns = ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org 1\.0\.0\.1' + assert_output --regexp 'set primary_ns = ns[1-4]+\.duckdns\.org ns[1-4]+\.duckdns\.org ns[1-4]+\.duckdns\.org ns[1-4]+\.duckdns\.org 1\.0\.0\.1' } @@ -165,7 +165,7 @@ teardown() { run get_auth_dns www.duckdns.org # Assert that we've found the primary_ns server - assert_output --regexp 'set primary_ns = ns[1-3]+\.duckdns\.org' + assert_output --regexp 'set primary_ns = ns[1-4]+\.duckdns\.org' # Assert that we found a CNAME but didn't use dig NS assert_line --partial 'Using dig CNAME' @@ -174,5 +174,5 @@ teardown() { # Check all Authoritive DNS servers are returned if requested CHECK_ALL_AUTH_DNS=true run get_auth_dns www.duckdns.org - assert_output --regexp 'set primary_ns = ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org' + assert_output --regexp 'set primary_ns = ns[1-4]+\.duckdns\.org ns[1-4]+\.duckdns\.org ns[1-4]+\.duckdns\.org ns[1-4]+\.duckdns\.org' } diff --git a/test/u2-test-get_auth_dns-drill.bats b/test/u2-test-get_auth_dns-drill.bats index 1db1011..c5feadf 100644 --- a/test/u2-test-get_auth_dns-drill.bats +++ b/test/u2-test-get_auth_dns-drill.bats 
@@ -78,14 +78,14 @@ teardown() { run get_auth_dns ubuntu-getssl.duckdns.org # Assert that we've found the primary_ns server - assert_output --regexp 'set primary_ns = ns[1-3]+\.duckdns\.org' + assert_output --regexp 'set primary_ns = ns[1-4]+\.duckdns\.org' # Assert that we had to use drill NS assert_line --partial 'Using drill NS' # Check all Authoritive DNS servers are returned if requested CHECK_ALL_AUTH_DNS=true run get_auth_dns ubuntu-getssl.duckdns.org - assert_output --regexp 'set primary_ns = ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org' + assert_output --regexp 'set primary_ns = ns[1-4]+\.duckdns\.org ns[1-4]+\.duckdns\.org ns[1-4]+\.duckdns\.org ns[1-4]+\.duckdns\.org' } @@ -110,7 +110,7 @@ teardown() { run get_auth_dns ubuntu-getssl.duckdns.org # Assert that we've found the primary_ns server - assert_output --regexp 'set primary_ns = ns[1-3]+\.duckdns\.org' + assert_output --regexp 'set primary_ns = ns[1-4]+\.duckdns\.org' # Assert that we had to use drill NS assert_line --partial 'Using drill SOA' @@ -119,12 +119,12 @@ teardown() { # Check all Authoritive DNS servers are returned if requested CHECK_ALL_AUTH_DNS=true run get_auth_dns ubuntu-getssl.duckdns.org - assert_output --regexp 'set primary_ns = ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org' + assert_output --regexp 'set primary_ns = ns[1-4]+\.duckdns\.org ns[1-4]+\.duckdns\.org ns[1-4]+\.duckdns\.org ns[1-4]+\.duckdns\.org' # Check that we also check the public DNS server if requested CHECK_PUBLIC_DNS_SERVER=true run get_auth_dns ubuntu-getssl.duckdns.org - assert_output --regexp 'set primary_ns = ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org 1\.0\.0\.1' + assert_output --regexp 'set primary_ns = ns[1-4]+\.duckdns\.org ns[1-4]+\.duckdns\.org ns[1-4]+\.duckdns\.org ns[1-4]+\.duckdns\.org 1\.0\.0\.1' } 
@@ -202,7 +202,7 @@ teardown() { run get_auth_dns www.duckdns.org # Assert that we've found the primary_ns server - assert_output --regexp 'set primary_ns = ns[1-3]+\.duckdns\.org' + assert_output --regexp 'set primary_ns = ns[1-4]+\.duckdns\.org' # Assert that we found a CNAME but didn't use drill NS assert_line --partial 'Using drill CNAME' @@ -211,5 +211,5 @@ teardown() { # Check all Authoritive DNS servers are returned if requested CHECK_ALL_AUTH_DNS=true run get_auth_dns www.duckdns.org - assert_output --regexp 'set primary_ns = ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org' + assert_output --regexp 'set primary_ns = ns[1-4]+\.duckdns\.org ns[1-4]+\.duckdns\.org ns[1-4]+\.duckdns\.org ns[1-4]+\.duckdns\.org' } From f33f796c932b6031e3db518054d3a37b7b6bb08f Mon Sep 17 00:00:00 2001 From: Tim Kimber Date: Tue, 22 Dec 2020 14:43:54 +0000 Subject: [PATCH 09/11] Ensure GETSSL_OS variable is set --- test/run-test.cmd | 1 + test/run-test.sh | 1 + 2 files changed, 2 insertions(+) diff --git a/test/run-test.cmd b/test/run-test.cmd index af5fb30..47b2a79 100644 --- a/test/run-test.cmd +++ b/test/run-test.cmd @@ -12,6 +12,7 @@ IF NOT x%OS:duck=%==x%OS% GOTO duckdns IF NOT x%OS:dynu=%==x%OS% GOTO dynu set ALIAS=%OS%.getssl.test set STAGING= +set GETSSL_OS=%OS% GOTO Run :NoOS diff --git a/test/run-test.sh b/test/run-test.sh index 0503c2d..715dae3 100755 --- a/test/run-test.sh +++ b/test/run-test.sh @@ -25,6 +25,7 @@ elif [[ "$OS" == *"dynu"* ]]; then else ALIAS="$OS.getssl.test" STAGING="" + GETSSL_OS=$OS fi docker build --rm -f "test/Dockerfile-$OS" -t "getssl-$OS" . From b931b79d622af7728f0727268df08467f2e68cf0 Mon Sep 17 00:00:00 2001 
From: Tim Kimber Date: Tue, 22 Dec 2020 14:49:12 +0000 Subject: [PATCH 10/11] Fix execute permission on dns scripts --- dns_scripts/dns_add_dynu | 0 dns_scripts/dns_del_dynu | 0 test/dns_add_fail | 0 3 files changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 dns_scripts/dns_add_dynu mode change 100644 => 100755 dns_scripts/dns_del_dynu mode change 100644 => 100755 test/dns_add_fail diff --git a/dns_scripts/dns_add_dynu b/dns_scripts/dns_add_dynu old mode 100644 new mode 100755 diff --git a/dns_scripts/dns_del_dynu b/dns_scripts/dns_del_dynu old mode 100644 new mode 100755 diff --git a/test/dns_add_fail b/test/dns_add_fail old mode 100644 new mode 100755 From 1d1159f946ccc47ef037ca86dfdeb2ca0290aa16 Mon Sep 17 00:00:00 2001 From: Tim Kimber Date: Tue, 22 Dec 2020 18:57:33 +0000 Subject: [PATCH 11/11] Add timing information to tests --- getssl | 2 +- test/run-test.cmd | 2 +- test/run-test.sh | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/getssl b/getssl index 924c835..2257349 100755 --- a/getssl +++ b/getssl @@ -507,7 +507,7 @@ check_challenge_completion_dns() { # perform validation via DNS challenge # check for token at public dns server, waiting for a valid response. for ns in $primary_ns; do - debug "checking dns at $ns" + info "checking dns at $ns" ntries=0 check_dns="fail" while [[ "$check_dns" == "fail" ]]; do diff --git a/test/run-test.cmd b/test/run-test.cmd index 47b2a79..ed6ad6e 100644 --- a/test/run-test.cmd +++ b/test/run-test.cmd @@ -21,7 +21,7 @@ GOTO CheckCommand :NoCmd REM set COMMAND=/getssl/test/run-bats.sh -set COMMAND=bats /getssl/test +set COMMAND=bats /getssl/test --timing GOTO CheckAlias :duckdns diff --git a/test/run-test.sh b/test/run-test.sh index 715dae3..18443cd 100755 --- a/test/run-test.sh +++ b/test/run-test.sh @@ -11,7 +11,7 @@ if [ $# -gt 1 ]; then shift COMMAND=$* else - COMMAND="bats /getssl/test" + COMMAND="bats /getssl/test --timing" fi if [[ "$OS" == *"duckdns"* ]]; then
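Review bot: Changing `debug "checking dns at $ns"` to `info` promotes a per-nameserver progress line to normal output for every user, which is unrelated to the `--timing` change this commit is titled for and will appear in cron mail on every renewal when several servers are checked. If the goal is to see timing in the test logs, keep it at `debug` and enable debug output from the test config (there is a commented `#_USE_DEBUG=1` toggle there), or else mention the user-visible change in the commit message. check_challenge_completion_dns starts and ends outside this hunk.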