
Merge pull request #519 from scott-42/master

Prefer dig over nslookup and drill in the config check on Ubuntu
pull/522/head
Tim Kimber 6 years ago
committed by GitHub
parent
commit
7966338b0d
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 140 additions and 55 deletions
  1. +33
    -6
      docker-compose.yml
  2. +13
    -3
      getssl
  3. +8
    -6
      test/2-simple-dns01-dig.bats
  4. +34
    -0
      test/2-simple-dns01-nslookup.bats
  5. +9
    -34
      test/8-duckdns-ecdsa.bats
  6. +25
    -0
      test/Dockerfile-ubuntu16
  7. +4
    -4
      test/debug-test.sh
  8. +9
    -0
      test/run-all-tests.cmd
  9. +1
    -0
      test/test-config/getssl-dns01-dual-rsa-ecdsa.cfg
  10. +1
    -0
      test/test-config/getssl-dns01.cfg
  11. +1
    -1
      test/test-config/getssl-duckdns01.cfg
  12. +2
    -1
      test/test_helper.bash

+ 33
- 6
docker-compose.yml View File

@ -3,7 +3,7 @@ services:
pebble:
image: letsencrypt/pebble:latest
# TODO enable -strict
command: pebble -config /test/config/pebble-config.json -dnsserver 10.30.50.3:8053
command: pebble -config /test/config/pebble-config.json -dnsserver 10.30.50.3:53
environment:
# with Go 1.13.x which defaults TLS 1.3 to on
GODEBUG: "tls13=1"
@ -15,7 +15,7 @@ services:
ipv4_address: 10.30.50.2
challtestsrv:
image: letsencrypt/pebble-challtestsrv:latest
command: pebble-challtestsrv -defaultIPv6 "" -defaultIPv4 10.30.50.3
command: pebble-challtestsrv -defaultIPv6 "" -defaultIPv4 10.30.50.3 -dns01 ":53"
ports:
- 8055:8055 # HTTP Management API
networks:
@ -129,6 +129,33 @@ services:
- i.ubuntu.getssl.test
- j.ubuntu.getssl.test
- k.ubuntu.getssl.test
getssl-ubuntu16:
build:
context: .
dockerfile: test/Dockerfile-ubuntu16
container_name: getssl-ubuntu16
volumes:
- .:/getssl
environment:
GETSSL_HOST: ubuntu16.getssl.test
GETSSL_IP: 10.30.50.14
NGINX_CONFIG: /etc/nginx/sites-enabled/default
networks:
acmenet:
ipv4_address: 10.30.50.14
aliases:
- ubuntu16.getssl.test
- a.ubuntu16.getssl.test
- b.ubuntu16.getssl.test
- c.ubuntu16.getssl.test
- d.ubuntu16.getssl.test
- e.ubuntu16.getssl.test
- f.ubuntu16.getssl.test
- g.ubuntu16.getssl.test
- h.ubuntu16.getssl.test
- i.ubuntu16.getssl.test
- j.ubuntu16.getssl.test
- k.ubuntu16.getssl.test
getssl-ubuntu18:
build:
context: .
@ -138,11 +165,11 @@ services:
- .:/getssl
environment:
GETSSL_HOST: ubuntu18.getssl.test
GETSSL_IP: 10.30.50.14
GETSSL_IP: 10.30.50.15
NGINX_CONFIG: /etc/nginx/sites-enabled/default
networks:
acmenet:
ipv4_address: 10.30.50.14
ipv4_address: 10.30.50.15
aliases:
- ubuntu18.getssl.test
- a.ubuntu18.getssl.test
@ -165,13 +192,13 @@ services:
- .:/getssl
environment:
GETSSL_HOST: getssl.duckdns.org
GETSSL_IP: 10.30.50.15
GETSSL_IP: 10.30.50.16
NGINX_CONFIG: /etc/nginx/sites-enabled/default
DUCKDNS_TOKEN: $DUCKDNS_TOKEN
STAGING: "true"
networks:
acmenet:
ipv4_address: 10.30.50.15
ipv4_address: 10.30.50.16
aliases:
- getssl.duckdns.org
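Review bot: Adding getssl-ubuntu16 at 10.30.50.14 pushed getssl-ubuntu18 to .15 and getssl-duckdns to .16, so every new container edits three services and each address appears twice per service (GETSSL_IP and ipv4_address); allocating new services from the top of the acmenet range, or listing the assignments in a comment at the head of the services block, would keep existing entries stable. The alias list for ubuntu16 is the ubuntu list with only the host label changed, which is consistent with the file but easy to get out of step — a comment saying why eleven a–k aliases are needed (presumably the SAN names exercised by the tests, worth confirming) would help the next person adding a service. The port changes `-dnsserver 10.30.50.3:53` and `-dns01 ":53"` have to stay in step with the AUTH_DNS_SERVER=10.30.50.3 lines added to the test configs in this commit, so a comment on the challtestsrv service naming that dependency would be useful.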


+ 13
- 3
getssl View File

@ -213,6 +213,7 @@
# 2020-02-12 Fix "Registration key already in use" (2.19)
# 2020-02-13 Fix bug with copying to all locations when creating RSA and ECDSA certs (2.20)
# 2020-02-22 Change sign_string to use openssl asn1parse (better fix for #424)
# 2020-02-23 Add dig to config check for systems without drill (ubuntu)
# ----------------------------------------------------------------------------------------
PROGNAME=${0##*/}
@ -434,13 +435,22 @@ check_config() { # check the config files for all obvious errors
config_errors=true
fi
# check domain exists
if [[ "$DNS_CHECK_FUNC" == "drill" ]] || [[ "$DNS_CHECK_FUNC" == "dig" ]]; then
if [[ "$DNS_CHECK_FUNC" == "drill" ]]; then
if [[ "$($DNS_CHECK_FUNC "${d}" |grep -c "${d}")" -ge 1 ]]; then
debug "found IP for ${d}"
else
info "${DOMAIN}: DNS lookup failed for ${d}"
config_errors=true
fi
elif [[ "$DNS_CHECK_FUNC" == "dig" ]]; then
if [[ "$($DNS_CHECK_FUNC "${d}" -t SOA|grep -c "^${d}")" -ge 1 ]]; then
debug "found SOA IP for ${d}"
elif [[ "$($DNS_CHECK_FUNC "${d}" -t A|grep -c "^${d}")" -ge 1 ]]; then
debug "found A IP for ${d}"
else
info "${DOMAIN}: DNS lookup failed for ${d}"
config_errors=true
fi
elif [[ "$DNS_CHECK_FUNC" == "host" ]]; then
if [[ "$($DNS_CHECK_FUNC "${d}" |grep -c "^${d}")" -ge 1 ]]; then
debug "found IP for ${d}"
@ -988,7 +998,7 @@ if [[ $VALIDATE_VIA_DNS == "true" ]]; then
| grep '"'|awk -F'"' '{ print $2}')
elif [[ "$DNS_CHECK_FUNC" == "drill" ]] || [[ "$DNS_CHECK_FUNC" == "dig" ]]; then
check_result=$($DNS_CHECK_FUNC TXT "_acme-challenge.${d}" "@${ns}" \
| grep '300 IN TXT'|awk -F'"' '{ print $2}')
| grep 'IN TXT'|awk -F'"' '{ print $2}')
elif [[ "$DNS_CHECK_FUNC" == "host" ]]; then
check_result=$($DNS_CHECK_FUNC -t TXT "_acme-challenge.${d}" "${ns}" \
| grep 'descriptive text'|awk -F'"' '{ print $2}')
@ -2067,7 +2077,7 @@ get_os
requires which
requires openssl
requires curl
requires nslookup drill dig host DNS_CHECK_FUNC
requires dig nslookup drill host DNS_CHECK_FUNC
requires awk
requires tr
requires date
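Review bot: In the new dig branch of check_config, `grep -c "^${d}"` treats the domain as a regular expression with no terminator, so each `.` is a wildcard and any owner name that merely starts with the domain also counts; anchoring on the trailing dot and the whitespace that follows the owner name in dig's output, `grep -c "^${d}\.[[:space:]]"`, restricts the count to the exact name (same change on the SOA and A lines). The debug messages `found SOA IP for` and `found A IP for` are misleading because an SOA answer carries no address — `found SOA record for` / `found A record for` say what was matched. In the second hunk, relaxing `'300 IN TXT'` to `'IN TXT'` is right for TTLs other than 300, but it would presumably also match the echoed question line if dig prints it with single spaces; adding `+noall +answer` to the dig invocation, or keeping the owner name in the pattern, limits the match to answer records — worth confirming against real dig output. check_config and the DNS validation loop both start and end outside their hunks.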


test/2-simple-dns01.bats → test/2-simple-dns01-dig.bats View File


+ 34
- 0
test/2-simple-dns01-nslookup.bats View File

@ -0,0 +1,34 @@
#! /usr/bin/env bats
load '/bats-support/load.bash'
load '/bats-assert/load.bash'
load '/getssl/test/test_helper.bash'
# This is run for every test
setup() {
export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
mv /usr/bin/dig /usr/bin/dig.getssl.bak
}
teardown() {
mv /usr/bin/dig.getssl.bak /usr/bin/dig
}
@test "Create new certificate using DNS-01 verification (nslookup)" {
if [ -n "$STAGING" ]; then
skip "Using staging server, skipping internal test"
fi
CONFIG_FILE="getssl-dns01.cfg"
setup_environment
init_getssl
create_certificate -d
assert_success
assert_output --partial "nslookup"
refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
refute_output --regexp '[^:][Ee][Rr][Rr][Oo][Rr][^:]' # don't fail for :error:badNonce
refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
}
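Review bot: setup() moves /usr/bin/dig unconditionally, so on an image where dig is absent or installed elsewhere both the setup and teardown `mv` fail with their own errors, and on a STAGING run the binary is still renamed and restored around a test that is then skipped. Guarding each side on presence, `[ ! -e /usr/bin/dig ] || mv /usr/bin/dig /usr/bin/dig.getssl.bak` and `[ ! -e /usr/bin/dig.getssl.bak ] || mv /usr/bin/dig.getssl.bak /usr/bin/dig`, keeps a missing binary from failing the fixture, and a comment above setup() saying that the test hides dig to force getssl onto the nslookup path would explain why a system binary is being renamed. A crash between setup and teardown leaves the container without dig for every later test file, which is worth stating in that comment. The error check `'[^:][Ee][Rr][Rr][Oo][Rr][^:]'`, also introduced on the rewritten lines of test/8-duckdns-ecdsa.bats, no longer catches an `ERROR:`-prefixed message or one at the very start of the output, because it demands a non-colon character on both sides; in bash's ERE `'[Ee][Rr][Rr][Oo][Rr]([^:]|:[^b]|$)'` still excludes `:error:badNonce` while keeping those cases.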

+ 9
- 34
test/8-duckdns-ecdsa.bats View File

@ -23,10 +23,10 @@ setup() {
setup_environment
init_getssl
sed -e 's/rsa/prime256v1/g' < "${CODE_DIR}/test/test-config/${CONFIG_FILE}" > "${INSTALL_DIR}/.getssl/${GETSSL_HOST}/getssl.cfg"
run ${CODE_DIR}/getssl "$GETSSL_HOST"
run ${CODE_DIR}/getssl -d "$GETSSL_HOST"
assert_success
refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]'
refute_output --regexp '[^:][Ee][Rr][Rr][Oo][Rr][^:]'
refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
}
@ -35,10 +35,10 @@ setup() {
if [ -z "$STAGING" ]; then
skip "Running internal tests, skipping external test"
fi
run ${CODE_DIR}/getssl -f $GETSSL_HOST
run ${CODE_DIR}/getssl -d -f $GETSSL_HOST
assert_success
refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]'
refute_output --regexp '[^:][Ee][Rr][Rr][Oo][Rr][^:]'
refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
cleanup_environment
}
@ -54,10 +54,10 @@ setup() {
setup_environment
init_getssl
sed -e 's/rsa/secp384r1/g' < "${CODE_DIR}/test/test-config/${CONFIG_FILE}" > "${INSTALL_DIR}/.getssl/${GETSSL_HOST}/getssl.cfg"
run ${CODE_DIR}/getssl "$GETSSL_HOST"
run ${CODE_DIR}/getssl -d "$GETSSL_HOST"
assert_success
refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]'
refute_output --regexp '[^:][Ee][Rr][Rr][Oo][Rr][^:]'
refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
}
@ -66,38 +66,13 @@ setup() {
if [ -z "$STAGING" ]; then
skip "Running internal tests, skipping external test"
fi
run ${CODE_DIR}/getssl -f $GETSSL_HOST
run ${CODE_DIR}/getssl -d -f $GETSSL_HOST
assert_success
refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]'
refute_output --regexp '[^:][Ee][Rr][Rr][Oo][Rr][^:]'
refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
cleanup_environment
}
@test "Create new certificate using staging server and secp521r1" {
skip "The staging server returns 'ECDSA curve P-521 not allowed'"
CONFIG_FILE="getssl-duckdns01.cfg"
GETSSL_HOST=getssl.duckdns.org
setup_environment
init_getssl
sed -e 's/rsa/secp521r1/g' < "${CODE_DIR}/test/test-config/${CONFIG_FILE}" > "${INSTALL_DIR}/.getssl/${GETSSL_HOST}/getssl.cfg"
run ${CODE_DIR}/getssl "$GETSSL_HOST"
assert_success
refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]'
refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
}
@test "Force renewal of certificate using staging server and secp521r1" {
skip "The staging server returns 'ECDSA curve P-521 not allowed'"
run ${CODE_DIR}/getssl -f $GETSSL_HOST
assert_success
refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]'
refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
cleanup_environment
}
# Note letsencrypt doesn't support ECDSA curve P-521 as it's being deprecated
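Review bot: The rewritten lines `run ${CODE_DIR}/getssl -d -f $GETSSL_HOST` in both force-renewal tests leave `$GETSSL_HOST` unquoted while the two creation tests in the same file quote it; `run ${CODE_DIR}/getssl -d -f "$GETSSL_HOST"` matches them and keeps the hostname a single argument. Adding -d also sends getssl's debug output to the bats log for the staging run, which is the run where DUCKDNS_TOKEN is supplied from the environment — worth confirming that the debug trace does not print the token or account key material before this runs on a shared CI log. The closing comment explains the deleted P-521 tests well; naming the curves still covered in the remaining test descriptions would make the gap self-explanatory without reading history.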

+ 25
- 0
test/Dockerfile-ubuntu16 View File

@ -0,0 +1,25 @@
FROM ubuntu:xenial
# xenial = 16
# Note this image uses mawk
# Update and install required software
RUN apt-get update --fix-missing
RUN apt-get install -y git curl dnsutils wget nginx-light
WORKDIR /root
RUN mkdir /etc/nginx/pki
RUN mkdir /etc/nginx/pki/private
COPY ./test/test-config/nginx-ubuntu-no-ssl /etc/nginx/sites-enabled/default
# Prevent "Can't load /root/.rnd into RNG" error from openssl
# RUN touch /root/.rnd
# BATS (Bash Automated Testings)
RUN git clone https://github.com/bats-core/bats-core.git /bats-core
RUN git clone https://github.com/jasonkarns/bats-support /bats-support
RUN git clone https://github.com/jasonkarns/bats-assert-1 /bats-assert
RUN /bats-core/install.sh /usr/local
# Run eternal loop - for testing
CMD tail -f /dev/null
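Review bot: `RUN apt-get update --fix-missing` and `RUN apt-get install -y …` are separate layers, so a later rebuild can reuse a cached index and install against stale package lists; combining them, `RUN apt-get update --fix-missing && apt-get install -y git curl dnsutils wget nginx-light && rm -rf /var/lib/apt/lists/*`, ties the install to a fresh index and drops the lists from the image. The three `git clone` lines fetch the default branch of each bats repository at build time, so the test image changes whenever upstream does and is not reproducible; `git clone --depth 1 --branch <TAG-PLACEHOLDER> …` per repository, or checking out a specific commit, pins what the tests run against (the other test Dockerfiles may share this pattern and would benefit equally). The `# Prevent "Can't load /root/.rnd into RNG" error from openssl` comment now describes a commented-out line; either drop both or note why the workaround is not needed on xenial.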

+ 4
- 4
test/debug-test.sh View File

@ -9,18 +9,18 @@ if [ $# -eq 2 ]; then
shift
fi
#shellcheck disable=SC1091
source /getssl/test/test_helper.bash
CONFIG_FILE=$1
if [ ! -e "$CONFIG_FILE" ]; then
CONFIG_FILE=${CODE_DIR}/test/test-config/${CONFIG_FILE}
fi
#shellcheck disable=SC1091
source /getssl/test/test_helper.bash
setup_environment 3>&1
# Only add the pebble CA to the cert bundle if using pebble
if [ "$(grep -q pebble "${CONFIG_FILE}")" = 0 ]; then
if grep -q pebble "${CONFIG_FILE}"; then
export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
fi
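Review bot: The fallback `CONFIG_FILE=${CODE_DIR}/test/test-config/${CONFIG_FILE}` now appears before `source /getssl/test/test_helper.bash` (the rendered view drops the markers, but the source lines look moved below it); if CODE_DIR is defined by test_helper.bash rather than the environment, it expands empty here and the fallback becomes `/test/test-config/<name>`, so only the bare-name `-e` test can ever succeed. If the helper was moved because its top-level code needs CONFIG_FILE set first, a one-line comment saying so would stop the next reader from moving it back; otherwise keep the `source` above the fallback, or set CODE_DIR before using it. The `if grep -q pebble "${CONFIG_FILE}"; then` change is the right fix for the old `$(grep -q …) = 0` comparison, which tested grep's empty output rather than its exit status. The script's argument handling starts above the hunk.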


+ 9
- 0
test/run-all-tests.cmd View File

@ -1,6 +1,15 @@
echo %time%
docker exec -it getssl-alpine bats /getssl/test
echo %time%
docker exec -it getssl-centos6 bats /getssl/test
echo %time%
docker exec -it getssl-debian bats /getssl/test
echo %time%
docker exec -it getssl-ubuntu bats /getssl/test
echo %time%
docker exec -it getssl-ubuntu18 bats /getssl/test
echo %time%
docker exec -it getssl-ubuntu16 bats /getssl/test
echo %time%
docker exec -it getssl-duckdns bats /getssl/test
echo %time%

+ 1
- 0
test/test-config/getssl-dns01-dual-rsa-ecdsa.cfg View File

@ -7,6 +7,7 @@ CA="https://pebble:14000/dir"
VALIDATE_VIA_DNS=true
DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv"
DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv"
AUTH_DNS_SERVER=10.30.50.3
DUAL_RSA_ECDSA="true"
ACCOUNT_KEY_TYPE="prime256v1"


+ 1
- 0
test/test-config/getssl-dns01.cfg View File

@ -7,6 +7,7 @@ CA="https://pebble:14000/dir"
VALIDATE_VIA_DNS=true
DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv"
DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv"
AUTH_DNS_SERVER=10.30.50.3
# Additional domains - this could be multiple domains / subdomains in a comma separated list
SANS=""


+ 1
- 1
test/test-config/getssl-duckdns01.cfg View File

@ -7,7 +7,7 @@ DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_duckdns"
DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_duckdns"
AUTH_DNS_SERVER=1.1.1.1
CHECK_ALL_AUTH_DNS=false
DNS_EXTRA_WAIT=20
DNS_EXTRA_WAIT=30
ACCOUNT_KEY_TYPE="rsa"
PRIVATE_KEY_ALG="rsa"


+ 2
- 1
test/test_helper.bash View File

@ -39,5 +39,6 @@ init_getssl() {
create_certificate() {
# Create certificate
cp "${CODE_DIR}/test/test-config/${CONFIG_FILE}" "${INSTALL_DIR}/.getssl/${GETSSL_HOST}/getssl.cfg"
run ${CODE_DIR}/getssl "$GETSSL_HOST"
# shellcheck disable=SC2086
run ${CODE_DIR}/getssl $1 "$GETSSL_HOST"
}
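Review bot: `run ${CODE_DIR}/getssl $1 "$GETSSL_HOST"` needs the SC2086 suppression only because `$1` is left unquoted so that a call without flags contributes no argument; `run ${CODE_DIR}/getssl "$@" "$GETSSL_HOST"` does that without the directive, expands to nothing when create_certificate is called with no arguments, and passes several flags through intact. A short comment above the function, e.g. `# Create certificate; any arguments (e.g. -d) are passed to getssl ahead of the host name`, would document the new parameter for the callers in the bats files. `${CODE_DIR}` is still unquoted on that line, which is harmless while the checkout path has no spaces but is inconsistent with the quoted config path on the line above.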
