From 6d56c3847413bc58decff4d19e65d0ffbf804af9 Mon Sep 17 00:00:00 2001
From: Tim Kimber
Date: Thu, 23 Jan 2020 07:05:39 +0000
Subject: [PATCH] Test more than 10 domains (i7 branch)
---
 .vscode/settings.json | 14 ++++++-
 docker-compose.yml | 13 ++++++
 getssl | 2 +-
 test/pebble/config/pebble-config.json | 11 +++++
 test/run-test-10-hosts.sh | 28 +++++++++++++
 test/run-test-dual-eca.sh | 46 +++++++++++++++++++++
 test/run-test.sh | 9 ----
 test/test-config/getssl-http01-10-hosts.cfg | 28 +++++++++++++
 8 files changed, 139 insertions(+), 12 deletions(-)
 create mode 100644 test/pebble/config/pebble-config.json
 create mode 100644 test/run-test-10-hosts.sh
 create mode 100644 test/run-test-dual-eca.sh
 create mode 100644 test/test-config/getssl-http01-10-hosts.cfg
diff --git a/.vscode/settings.json b/.vscode/settings.json
index 3c60cc7..6b48186 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -13,5 +13,15 @@
 "rhel",
 "roboxes",
 "workdir"
- ]
-}
\ No newline at end of file
+ ],
+ "workbench.colorCustomizations": {
+ "titleBar.activeBackground": "#68217a",
+ "titleBar.inactiveBackground": "#68217a99",
+ "titleBar.activeForeground": "#e7e7e7",
+ "titleBar.inactiveForeground": "#e7e7e799",
+ "statusBar.background": "#68217a",
+ "statusBarItem.hoverBackground": "#8a2ca2",
+ "statusBar.foreground": "#e7e7e7"
+ },
+ "peacock.color": "#68217A"
+}
diff --git a/docker-compose.yml b/docker-compose.yml
index 5c851d2..46c411f 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -7,6 +7,8 @@ services:
 environment:
 # with Go 1.13.x which defaults TLS 1.3 to on
 GODEBUG: "tls13=1"
+ # Don't re-use authorisations (breaks force renew test scripts)
+ # PEBBLE_AUTHZREUSE: "0"
 ports:
 - 14000:14000 # HTTPS ACME API
 - 15000:15000 # HTTPS Management API
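Review bot: The new `PEBBLE_AUTHZREUSE: "0"` entry in the pebble service's `environment` block is committed commented out, so the container's authorization-reuse behaviour is unchanged while the comment above it reads as if reuse were being switched off. Either enable the variable or reword the comment so the next reader knows it is deliberately dormant, e.g. `# Uncomment to disable authz reuse if the forced-renewal tests start seeing "valid" authorizations`. The two run-test.sh hunks in this commit remove the `.well-known` cleanup and the 30s sleep that appear to have worked around reused authorizations, so whether those tests still pass seems to depend on this setting — worth confirming before merging.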
@@ -33,6 +35,17 @@ services: ipv4_address: 10.30.50.4 aliases: - getssl.test + - a.getssl.test + - b.getssl.test + - c.getssl.test + - d.getssl.test + - e.getssl.test + - f.getssl.test + - g.getssl.test + - h.getssl.test + - i.getssl.test + - j.getssl.test + - k.getssl.test networks: acmenet: diff --git a/getssl b/getssl index 1dd4af7..a23b7d7 100755 --- a/getssl +++ b/getssl @@ -1467,7 +1467,7 @@ json_get() { # get values from json if [[ -n "$6" ]]; then full=$(json_awk "$1") section=$(echo "$full" | grep "\"$2\"" | grep "\"$3\"" | grep "\"$4\"" | awk -F"," '{print $2}') - echo "$full" | grep "^..${5}\",$section" | awk '{print $2}' | tr -d '"' + echo "$full" | grep "^..${5}\",$section\]" | awk '{print $2}' | tr -d '"' elif [[ -n "$5" ]]; then full=$(json_awk "$1") section=$(echo "$full" | grep "\"$2\"" | grep "\"$3\"" | grep "\"$4\"" | awk -F"," '{print $2}') diff --git a/test/pebble/config/pebble-config.json b/test/pebble/config/pebble-config.json new file mode 100644 index 0000000..ec5bc7e --- /dev/null +++ b/test/pebble/config/pebble-config.json @@ -0,0 +1,11 @@ + +{ + "pebble": { + "listenAddress": "0.0.0.0:14000", + "managementListenAddress": "0.0.0.0:15000", + "httpPort": 80, + "tlsPort": 443, + "ocspResponderURL": "", + "externalAccountBindingRequired": false + } + } diff --git a/test/run-test-10-hosts.sh b/test/run-test-10-hosts.sh new file mode 100644 index 0000000..8749186 --- /dev/null +++ b/test/run-test-10-hosts.sh 
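Review bot: The `\]` appended to the grep pattern on the changed line is a stray escape: outside a bracket expression `]` is already an ordinary character in a POSIX basic regex, POSIX leaves `\]` undefined there, and recent GNU grep releases warn about such stray backslashes, so `grep "^..${5}\",$section]"` is the portable spelling and anchors the index exactly as intended (distinguishing section 1 from 10 and 11). The `elif [[ -n "$5" ]]` branch visible below computes `$section` with the same grep chain; if its echo line also ends the pattern at `,$section` it carries the same prefix ambiguity, but that line is outside the hunk. `$section` is interpolated into the regex unquoted and is presumably a bare numeric index from the json_awk output; a comment stating that assumption above the line would help the next maintainer. `json_get` starts and ends outside the hunk.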
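Review bot: `managementListenAddress` in the new file binds Pebble's management API to `0.0.0.0:15000`, and the context lines of this commit's docker-compose hunk show `15000:15000` published to the host, so that endpoint is reachable from anything that can reach the Docker host rather than only the test network; if host access is not needed, `127.0.0.1:15000:15000` on the compose side keeps it local while leaving the container bind as is. Nothing in this diff mounts `test/pebble/config/pebble-config.json` or points Pebble at it, so unless the Dockerfile or compose file already does, the new file is not yet in effect. The file also opens with an empty line and indents the closing `}` under the `pebble` key; running it through `jq .` would give it the conventional shape.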
@@ -0,0 +1,28 @@
+#! /bin/bash
+
+set -e
+
+# Test setup
+if [[ -d /root/.getssl ]]; then
+ rm -r /root/.getssl
+fi
+
+HOST=getssl.test
+
+wget --no-clobber https://raw.githubusercontent.com/letsencrypt/pebble/master/test/certs/pebble.minica.pem
+# cat /etc/pki/tls/certs/ca-bundle.crt /root/pebble.minica.pem > /root/pebble-ca-bundle.crt
+cat /etc/ssl/certs/ca-certificates.crt /root/pebble.minica.pem > /root/pebble-ca-bundle.crt
+export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+
+for prefix in a b c d e f g h i j k; do
+ curl -X POST -d '{"host":"'$prefix.$HOST'", "addresses":["10.30.50.4"]}' http://10.30.50.3:8055/add-a
+done
+
+# Test #1 - http-01 verification
+echo Test \#1 - http-01 verification
+
+cp /getssl/test/test-config/nginx-ubuntu-no-ssl /etc/nginx/sites-enabled/default
+service nginx restart
+/getssl/getssl -c $HOST
+cp /getssl/test/test-config/getssl-http01-10-hosts.cfg /root/.getssl/${HOST}/getssl.cfg
+/getssl/getssl -f $HOST
diff --git a/test/run-test-dual-eca.sh b/test/run-test-dual-eca.sh
new file mode 100644
index 0000000..c225587
--- /dev/null
+++ b/test/run-test-dual-eca.sh
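Review bot: The Pebble test root is fetched from the mutable `master` branch URL and appended to the system CA bundle that `CURL_CA_BUNDLE` then trusts, so whatever that URL serves at run time becomes a trust anchor for the test client; pinning the URL to a commit (`https://raw.githubusercontent.com/letsencrypt/pebble/<pinned-commit>/test/certs/pebble.minica.pem`) or vendoring the file next to the new `test/pebble/config/pebble-config.json` makes the run reproducible and the trust anchor reviewable. The same setup lines appear in `test/run-test-dual-eca.sh` and, judging by the structure of its hunks, in the existing `test/run-test.sh`, so a shared `test/setup.sh` sourced by all three would keep them from drifting. `wget` writes into the current directory while `cat` reads `/root/pebble.minica.pem`, so the script presumably relies on being started from `/root`; `wget --no-clobber -P /root …` makes that explicit.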
@@ -0,0 +1,46 @@ +#! /bin/bash + +set -e + +# Test setup +if [[ -d /root/.getssl ]]; then + rm -r /root/.getssl +fi + +HOST=getssl.test + +wget --no-clobber https://raw.githubusercontent.com/letsencrypt/pebble/master/test/certs/pebble.minica.pem +# cat /etc/pki/tls/certs/ca-bundle.crt /root/pebble.minica.pem > /root/pebble-ca-bundle.crt +cat /etc/ssl/certs/ca-certificates.crt /root/pebble.minica.pem > /root/pebble-ca-bundle.crt +export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt + +curl -X POST -d '{"host":"'$HOST'", "addresses":["10.30.50.4"]}' http://10.30.50.3:8055/add-a + +# Test #1 - http-01 verification +echo Test \#1 - http-01 verification + +cp /getssl/test/test-config/nginx-ubuntu-no-ssl /etc/nginx/sites-enabled/default +service nginx restart +/getssl/getssl -c $HOST +cp /getssl/test/test-config/getssl-http01-dual-rsa-ecdsa.cfg /root/.getssl/${HOST}/getssl.cfg +/getssl/getssl -f $HOST + +# Test #2 - http-01 forced renewal +echo Test \#2 - http-01 forced renewal +/getssl/getssl $HOST -f + +# Test cleanup +rm -r /root/.getssl + +# Test #3 - dns-01 verification +echo Test \#3 - dns-01 verification + +cp /getssl/test/test-config/nginx-ubuntu-no-ssl /etc/nginx/sites-enabled/default +service nginx restart +/getssl/getssl -c $HOST +cp /getssl/test/test-config/getssl-dns01-dual-rsa-ecdsa.cfg /root/.getssl/${HOST}/getssl.cfg +/getssl/getssl $HOST + +# Test #4 - dns-01 forced renewal +echo Test \#4 - dns-01 forced renewal +/getssl/getssl $HOST -f diff --git a/test/run-test.sh b/test/run-test.sh index 32bea02..594b8f1 100644 --- a/test/run-test.sh +++ b/test/run-test.sh @@ -27,10 +27,6 @@ cp /getssl/test/test-config/getssl-http01.cfg /root/.getssl/${HOST}/getssl.cfg # Test #2 - http-01 forced renewal echo Test \#2 - http-01 forced renewal - -# Remove previous validation tokens -rm -rf /var/www/html/.well-known -service nginx restart /getssl/getssl $HOST -f # Test cleanup 
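Review bot: The script copies `getssl-http01-dual-rsa-ecdsa.cfg` and `getssl-dns01-dual-rsa-ecdsa.cfg` from `test/test-config/`, but this commit creates only `getssl-http01-10-hosts.cfg` there (see the diffstat); unless those two files already exist in the repository, the first `cp` fails and `set -e` aborts before any `getssl` run, so the dual RSA/ECDSA path is never exercised. Adding the two configs in this commit, or noting where they come from in a header comment such as `# Requires getssl-{http01,dns01}-dual-rsa-ecdsa.cfg in test/test-config/`, would make the dependency visible.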
@@ -47,9 +43,4 @@ cp /getssl/test/test-config/getssl-dns01.cfg /root/.getssl/${HOST}/getssl.cfg # Test #4 - dns-01 forced renewal echo Test \#4 - dns-01 forced renewal - -# There's a race condition if renew too soon (authlink returns "valid" instead of "pending") -echo Sleeping 30s to allow previous validation to expire -sleep 30 - /getssl/getssl $HOST -f diff --git a/test/test-config/getssl-http01-10-hosts.cfg b/test/test-config/getssl-http01-10-hosts.cfg new file mode 100644 index 0000000..22e4353 --- /dev/null +++ b/test/test-config/getssl-http01-10-hosts.cfg @@ -0,0 +1,28 @@ +# Uncomment and modify any variables you need +# see https://github.com/srvrco/getssl/wiki/Config-variables for details +# see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs + +CA="https://pebble:14000/dir" + +# Additional domains - this could be multiple domains / subdomains in a comma separated list +# Note: this is Additional domains - so should not include the primary domain. +SANS="a.getssl.test,b.getssl.test,c.getssl.test,d.getssl.test,e.getssl.test,f.getssl.test,g.getssl.test,h.getssl.test,i.getssl.test,j.getssl.test,k.getssl.test" + +# Acme Challenge Location. +ACL=('/var/www/html/.well-known/acme-challenge') + +# Use a single ACL for all checks +USE_SINGLE_ACL="true" + +# Location for all your certs, these can either be on the server (full path name) +DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt" +DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key" +CA_CERT_LOCATION="/etc/nginx/pki/chain.crt" +DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert +DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert + +# The command needed to reload apache / nginx or whatever you use +RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl /etc/nginx/sites-enabled/default && service nginx restart" + +#SERVER_TYPE="https" +#CHECK_REMOTE="true"
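Review bot: The file name says 10 hosts while `SANS` lists eleven additional names (`a`–`k`), i.e. twelve domains including the primary, which matches the compose aliases and the `add-a` loop added elsewhere in this commit; the count is presumably chosen to push the json_get section index past 9, but nothing in the file says so. A header comment such as `# 11 SANs + primary = 12 domains, so authorization indices reach two digits` would record the intent for the next reader.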