
Merge pull request #684 from srvrco/fix-host-idn-bug

Fix host idn bug
Tim Kimber 4 years ago
committed by GitHub
parent
commit
a3983b35f0
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 71 additions and 25 deletions
  1. +17
    -16
      getssl
  2. +3
    -4
      test/37-idn.bats
  3. +44
    -0
      test/38-idn-http01-check-noidnout.bats
  4. +3
    -2
      test/run-test.cmd
  5. +3
    -2
      test/run-test.sh
  6. +1
    -1
      test/test_helper.bash

+ 17
- 16
getssl View File

@ -263,6 +263,7 @@
# 2021-07-07 Request new certificate if SANs have changed (#669)(#673)
# 2021-07-12 Do not redirect outputs on remote commands when the debug option is used (atisne)
# 2021-07-20 Use +noidnout to enable certificates for IDN domains (#679)(2.37)
# 2021-07-22 Only pass +noidnout param to dig/drill(#682)(2.38)
# ----------------------------------------------------------------------------------------
case :$SHELLOPTS: in
@ -271,7 +272,7 @@ esac
PROGNAME=${0##*/}
PROGDIR="$(cd "$(dirname "$0")" || exit; pwd -P;)"
VERSION="2.37"
VERSION="2.38"
# defaults
ACCOUNT_KEY_LENGTH=4096
@ -693,28 +694,27 @@ check_config() { # check the config files for all obvious errors
# check domain exists using all DNS utilities. DNS_CHECK_OPTIONS may bind IP address or provide TSIG
# add +noidnout if idn-domain so search for domain in results works
if [[ "${d}" == xn--* || "${d}" == *".xn--"* ]]; then
if [[ "$HAS_DIG_OR_DRILL" != "dig" || "$DIG_SUPPORTS_NOIDNOUT" == "true" ]]; then
DNS_CHECK_OPTIONS="$DNS_CHECK_OPTIONS +noidnout"
fi
fi
found_ip=false
if [[ -n "$HAS_DIG_OR_DRILL" ]]; then
debug "DNS lookup using $HAS_DIG_OR_DRILL $DNS_CHECK_OPTIONS ${d}"
# add +noidnout if idn-domain so search for domain in results works
DIG_CHECK_OPTIONS="$DNS_CHECK_OPTIONS"
if [[ ("${d}" == xn--* || "${d}" == *".xn--"* ) && "$DIG_SUPPORTS_NOIDNOUT" == "true" ]]; then
DIG_CHECK_OPTIONS="$DNS_CHECK_OPTIONS +noidnout"
fi
debug "DNS lookup using $HAS_DIG_OR_DRILL $DIG_CHECK_OPTIONS ${d}"
# shellcheck disable=SC2086
if [[ "$($HAS_DIG_OR_DRILL $DNS_CHECK_OPTIONS -t SOA "${d}" |grep -c -i "^${d}")" -ge 1 ]]; then
if [[ "$($HAS_DIG_OR_DRILL $DIG_CHECK_OPTIONS -t SOA "${d}" |grep -c -i "^${d}")" -ge 1 ]]; then
found_ip=true
elif [[ "$($HAS_DIG_OR_DRILL $DNS_CHECK_OPTIONS -t A "${d}"|grep -c -i "^${d}")" -ge 1 ]]; then
elif [[ "$($HAS_DIG_OR_DRILL $DIG_CHECK_OPTIONS -t A "${d}"|grep -c -i "^${d}")" -ge 1 ]]; then
found_ip=true
elif [[ "$($HAS_DIG_OR_DRILL $DNS_CHECK_OPTIONS -t AAAA "${d}"|grep -c -i "^${d}")" -ge 1 ]]; then
elif [[ "$($HAS_DIG_OR_DRILL $DIG_CHECK_OPTIONS -t AAAA "${d}"|grep -c -i "^${d}")" -ge 1 ]]; then
found_ip=true
fi
fi
if [[ "$HAS_HOST" == "true" ]]; then
debug "DNS lookup using host ${d}"
debug "DNS lookup using host $DNS_CHECK_OPTIONS ${d}"
# shellcheck disable=SC2086
if [[ "$(host $DNS_CHECK_OPTIONS "${d}" |grep -c -i "^${d}")" -ge 1 ]]; then
found_ip=true
@ -722,7 +722,7 @@ check_config() { # check the config files for all obvious errors
fi
if [[ "$HAS_NSLOOKUP" == "true" ]]; then
debug "DNS lookup using nslookup -query AAAA ${d}"
debug "DNS lookup using nslookup $DNS_CHECK_OPTIONS -query AAAA ${d}"
# shellcheck disable=SC2086
if [[ "$(nslookup $DNS_CHECK_OPTIONS -query=AAAA "${d}"|grep -c -i "^${d}.*has AAAA address")" -ge 1 ]]; then
debug "found IPv6 record for ${d}"
@ -1161,7 +1161,6 @@ find_dns_utils() {
fi
if [[ -n "$(command -v drill 2>/dev/null)" ]]; then
debug "HAS DIG_OR_DRILL=drill"
HAS_DIG_OR_DRILL="drill"
elif [[ -n "$(command -v dig 2>/dev/null)" ]] && dig >/dev/null 2>&1; then
if dig -r >/dev/null 2>&1; then
@ -1170,8 +1169,10 @@ find_dns_utils() {
else
HAS_DIG_OR_DRILL="dig"
fi
fi
if dig +noidnout >/dev/null 2>&1; then
if [[ -n "$HAS_DIG_OR_DRILL" ]]; then
if $HAS_DIG_OR_DRILL +noidnout >/dev/null 2>&1; then
DIG_SUPPORTS_NOIDNOUT=true
fi
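Review bot: The `+noidnout` capability probe added at the end of this hunk, `$HAS_DIG_OR_DRILL +noidnout >/dev/null 2>&1`, decides support from the exit status of a real lookup (dig with no name argument queries the root NS through the configured resolver), so on a host with no reachable resolver, or behind an egress policy that blocks DNS from the build box, DIG_SUPPORTS_NOIDNOUT silently stays unset and the IDN branch of check_config runs a lookup whose output the `grep -c -i "^${d}"` match cannot recognise, failing the domain check for a reason unrelated to IDN support. A probe that does not need the network would be more robust and faster on such hosts, e.g. `if $HAS_DIG_OR_DRILL -h 2>&1 | grep -q -- 'idnout'; then DIG_SUPPORTS_NOIDNOUT=true; fi`, to be confirmed against the dig and drill versions the supported distributions ship. Whether drill accepts `+noidnout` at all, and what a name-less `drill +noidnout` returns, is not visible from this hunk, so the probe's meaning for drill should be verified before relying on it. find_dns_utils starts and ends outside the hunk.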


+ 3
- 4
test/37-idn.bats View File

@ -7,14 +7,13 @@ load '/getssl/test/test_helper.bash'
setup_file() {
if [ -z "$STAGING" ]; then
export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
GETSSL_CMD_HOST=${GETSSL_HOST/getssl/xn--t-r1a81lydm69gz81r}
curl --silent -X POST -d '{"host":"'$GETSSL_CMD_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
curl --silent -X POST -d '{"host":"'$GETSSL_IDN_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
fi
}
# This is run for every test
setup() {
GETSSL_CMD_HOST=${GETSSL_HOST/getssl/xn--t-r1a81lydm69gz81r}
GETSSL_CMD_HOST=${GETSSL_IDN_HOST}
# use the test description to move tools we don't want to test out of the way
DNS_TOOL=${BATS_TEST_DESCRIPTION##*:}
@ -39,7 +38,7 @@ teardown() {
teardown_file() {
if [ -z "$STAGING" ]; then
curl --silent -X POST -d '{"host":"'$GETSSL_CMD_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/clear-a
curl --silent -X POST -d '{"host":"'$GETSSL_IDN_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/clear-a
fi
}
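Review bot: setup_file and teardown_file now take the IDN host from the environment instead of deriving it from GETSSL_HOST, but nothing asserts that GETSSL_IDN_HOST is set; with an older run-test wrapper the add-a/clear-a calls would register an empty host and setup() would run every test against an empty GETSSL_CMD_HOST, giving confusing failures rather than a clear one. A guard at the top of setup_file, `: "${GETSSL_IDN_HOST:?GETSSL_IDN_HOST must be set (see test/run-test.sh)}"`, would make the new requirement explicit. The same check would fit the new 38-idn-http01-check-noidnout.bats, which has the same dependency.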


+ 44
- 0
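--- /dev/null
+++ b/test/38-idn-http01-check-noidnout.bats
@@ -0,0 +1,44 @@
+#! /usr/bin/env bats
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+setup_file() {
+if [ -z "$STAGING" ]; then
+export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+curl --silent -X POST -d '{"host":"'$GETSSL_IDN_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
+fi
+}
+setup() {
+GETSSL_CMD_HOST=$GETSSL_IDN_HOST
+}
+teardown_file() {
+if [ -z "$STAGING" ]; then
+curl --silent -X POST -d '{"host":"'$GETSSL_IDN_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/clear-a
+fi
+}
+@test "Ensure noidnout in check_config isn't passed to host and nslookup (HTTP-01)" {
+if [ -n "$STAGING" ]; then
+skip "Using staging server, skipping internal test"
+fi
+CONFIG_FILE="getssl-http01.cfg"
+setup_environment
+init_getssl
+cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+SANS="${GETSSL_HOST}"
+USE_SINGLE_ACL="true"
+EOF
+create_certificate -d --check-config
+assert_success
+refute_output --partial "DNS lookup using host +noidnout"
+refute_output --partial "DNS lookup using nslookup +noidnout"
+refute_output --partial "+noidnout $GETSSL_HOST"
+check_output_for_errors
+}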
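Review bot: The new test only asserts negatively (the three refute_output lines near the end), so a regression that stops passing +noidnout to dig/drill altogether, the behaviour #679 set out to fix, would still pass. The debug line format in getssl makes a positive check possible, e.g. `assert_output --partial "+noidnout ${GETSSL_IDN_HOST}"`, which would need to be skipped when the container's dig/drill does not support +noidnout, something the test cannot determine from the output alone, so the guard would have to probe the tool first. The refute on `"+noidnout $GETSSL_HOST"` is the valuable one for the non-IDN SAN case and should stay as written.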

+ 3
- 2
test/run-test.cmd View File

@ -8,11 +8,11 @@ SET COMMAND=%2 %3
:CheckAlias
REM check if OS *contains* staging
SET GETSSL_IDN_HOST=%OS%.xn--t-r1a81lydm69gz81r.test
IF NOT x%OS:duck=%==x%OS% GOTO duckdns
IF NOT x%OS:dynu=%==x%OS% GOTO dynu
IF NOT x%OS:bash=%==x%OS% GOTO bash
SET ALIAS=%OS%.getssl.test
SET IDN=%OS%.xn--t-r1a81lydm69gz81r.test
SET STAGING=
SET GETSSL_OS=%OS%
GOTO Run
@ -51,12 +51,13 @@ IF %ErrorLevel% EQU 1 GOTO End
@echo on
docker run -it ^
--env GETSSL_HOST=%ALIAS% %STAGING% ^
--env GETSSL_IDN_HOST=%GETSSL_IDN_HOST% ^
--env GETSSL_OS=%GETSSL_OS% ^
-v %cd%:/getssl ^
--rm ^
--network %CurrDirName%_acmenet ^
--network-alias %ALIAS% ^
--network-alias %IDN% ^
--network-alias %GETSSL_IDN_HOST% ^
--network-alias a.%OS%.getssl.test ^
--network-alias b.%OS%.getssl.test ^
--network-alias c.%OS%.getssl.test ^


+ 3
- 2
test/run-test.sh View File

@ -15,7 +15,7 @@ else
fi
ALIAS="$OS.getssl.test"
IDN="$OS.xn--t-r1a81lydm69gz81r.test"
GETSSL_IDN_HOST="$OS.xn--t-r1a81lydm69gz81r.test"
STAGING=""
GETSSL_OS=$OS
@ -35,12 +35,13 @@ docker build --rm -f "test/Dockerfile-$OS" -t "getssl-$OS" .
# shellcheck disable=SC2086
docker run \
--env GETSSL_HOST=$ALIAS $STAGING \
--env GETSSL_IDN_HOST=$GETSSL_IDN_HOST \
--env GETSSL_OS=$GETSSL_OS \
-v "$(pwd)":/getssl \
--rm \
--network ${PWD##*/}_acmenet \
--network-alias $ALIAS \
--network-alias $IDN \
--network-alias $GETSSL_IDN_HOST \
--network-alias "a.$OS.getssl.test" \
--network-alias "b.$OS.getssl.test" \
--network-alias "c.$OS.getssl.test" \


+ 1
- 1
test/test_helper.bash View File

@ -47,7 +47,7 @@ create_certificate() {
# Create certificate
cp "${CODE_DIR}/test/test-config/${CONFIG_FILE}" "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl.cfg"
# shellcheck disable=SC2086
run ${CODE_DIR}/getssl $1 "$GETSSL_CMD_HOST"
run ${CODE_DIR}/getssl "$@" "$GETSSL_CMD_HOST"
}
init_getssl() {

