Add tests using staging server

dns_scripts/dns_add_duckdns

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# need to add your Token for duckdns below
+token=${DUCKDNS_TOKEN:-}
+
+if [ -z "$token" ]; then
+    echo "DUCKDNS_TOKEN not set"
+    exit 1
+fi
+
+domain="$1"
+txtvalue="$2"
+
+response=$(curl --silent "https://www.duckdns.org/update?domains=${domain}&token=${token}&txt=${txtvalue}")
+if [ "$response" != "OK" ]; then
+    echo "Failed to update TXT record for ${domain} at duckdns.org (is the TOKEN valid?)"
+    echo "Response: $response"
+    exit 1
+fi

dns_scripts/dns_del_duckdns

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# need to add your Token for duckdns below
+token=${DUCKDNS_TOKEN:-}
+domain="$1"
+
+response=$(curl --silent "https://www.duckdns.org/update?domains=${domain}&token=${token}&txt=&clear=true")
+if [ "$response" != "OK" ]; then
+    echo "Failed to update TXT record for ${domain} at duckdns.org (is the TOKEN valid?)"
+    echo "$response"
+    exit 1
+fi

docker-compose.yml

@@ -156,7 +156,24 @@ services:
           - i.ubuntu18.getssl.test
           - j.ubuntu18.getssl.test
           - k.ubuntu18.getssl.test
-
+  getssl-duckdns:
+    build:
+      context: .
+      dockerfile: test/Dockerfile-ubuntu
+    container_name: getssl-duckdns
+    volumes:
+      - .:/getssl
+    environment:
+      GETSSL_HOST: getssl.duckdns.org
+      GETSSL_IP: 10.30.50.15
+      NGINX_CONFIG: /etc/nginx/sites-enabled/default
+      DUCKDNS_TOKEN: $DUCKDNS_TOKEN
+      STAGING: "true"
+    networks:
+      acmenet:
+        ipv4_address: 10.30.50.15
+        aliases:
+           - getssl.duckdns.org
 
 
 networks:

test/1-simple-http01.bats

@@ -12,6 +12,9 @@ setup() {
 
 
 @test "Create new certificate using HTTP-01 verification" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
     CONFIG_FILE="getssl-http01.cfg"
     setup_environment
     init_getssl
@@ -24,7 +27,9 @@ setup() {
 
 
 @test "Force renewal of certificate using HTTP-01" {
-    #!FIXME test certificate has been updated
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
     run ${CODE_DIR}/getssl -f $GETSSL_HOST
     assert_success
     refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'

test/2-simple-dns01.bats

@@ -12,6 +12,10 @@ setup() {
 
 
 @test "Create new certificate using DNS-01 verification" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+
     CONFIG_FILE="getssl-dns01.cfg"
     setup_environment
     init_getssl
@@ -24,7 +28,9 @@ setup() {
 
 
 @test "Force renewal of certificate using DNS-01" {
-    #!FIXME test certificate has been updated
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
     run ${CODE_DIR}/getssl -f $GETSSL_HOST
     assert_success
     refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'

test/3-dual-rsa-ecdsa.bats

@@ -12,6 +12,9 @@ setup() {
 
 
 @test "Create dual certificates using HTTP-01 verification" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
     CONFIG_FILE="getssl-http01-dual-rsa-ecdsa.cfg"
     setup_environment
     init_getssl
@@ -21,12 +24,17 @@ setup() {
 
 
 @test "Force renewal of dual certificates using HTTP-01" {
-    #!FIXME test certificate has been updated
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
     run ${CODE_DIR}/getssl -f $GETSSL_HOST
     assert_success
 }
 
 @test "Create dual certificates using DNS-01 verification" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
     CONFIG_FILE="getssl-dns01-dual-rsa-ecdsa.cfg"
     setup_environment
     init_getssl
@@ -36,7 +44,9 @@ setup() {
 
 
 @test "Force renewal of dual certificates using DNS-01" {
-    #!FIXME test certificate has been updated
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
     run ${CODE_DIR}/getssl -f $GETSSL_HOST
     assert_success
     cleanup_environment

test/4-more-than-10-hosts.bats

@@ -12,6 +12,9 @@ setup() {
 
 
 @test "Create certificates for more than 10 hosts using HTTP-01 verification" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
     CONFIG_FILE="getssl-http01-10-hosts.cfg"
     setup_environment
 
@@ -30,7 +33,9 @@ setup() {
 
 
 @test "Force renewal of more than 10 certificates using HTTP-01" {
-    #!FIXME test certificate has been updated
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
     run ${CODE_DIR}/getssl -f $GETSSL_HOST
     assert_success
     refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'

test/5-secp384-http01.bats

@@ -12,6 +12,9 @@ setup() {
 
 
 @test "Create new secp384r1 certificate using HTTP-01 verification" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
     CONFIG_FILE="getssl-http01-secp384.cfg"
     setup_environment
     init_getssl
@@ -21,12 +24,18 @@ setup() {
 
 
 @test "Force renewal of secp384r1 certificate using HTTP-01" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
     run ${CODE_DIR}/getssl -f $GETSSL_HOST
     assert_success
 }
 
 
 @test "Create new secp521r1 certificate using HTTP-01 verification" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
     CONFIG_FILE="getssl-http01-secp521.cfg"
     setup_environment
     init_getssl
@@ -36,6 +45,9 @@ setup() {
 
 
 @test "Force renewal of secp521r1 certificate using HTTP-01" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
     run ${CODE_DIR}/getssl -f $GETSSL_HOST
     assert_success
 }

test/6-dual-rsa-ecdsa-copy-2-locations.bats

@@ -7,17 +7,24 @@ load '/getssl/test/test_helper.bash'
 
 # These are run for every test, not once per file
 setup() {
-    export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
-    curl --silent -X POST -d '{"host":"'a.$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
+    if [ -z "$STAGING" ]; then
+        export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+        curl --silent -X POST -d '{"host":"'a.$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
+    fi
 }
 
 
 teardown() {
-    curl --silent -X POST -d '{"host":"'a.$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/del-a
+    if [ -z "$STAGING" ]; then
+        curl --silent -X POST -d '{"host":"'a.$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/del-a
+    fi
 }
 
 
 @test "Create dual certificates and copy RSA and ECDSA chain and key to two locations" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
     CONFIG_FILE="getssl-http01-dual-rsa-ecdsa-2-locations.cfg"
     setup_environment
     mkdir -p /root/a.${GETSSL_HOST}

test/7-duckdns-dns01.bats

@@ -0,0 +1,42 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# These are run for every test, not once per file
+setup() {
+    if [ -n "$STAGING" ]; then
+        export GETSSL_HOST=getssl.duckdns.org
+    fi
+}
+
+
+@test "Create new certificate using staging server and DuckDNS" {
+    if [ -z "$STAGING" ]; then
+        skip "Running internal tests, skipping external test"
+    fi
+    CONFIG_FILE="getssl-duckdns01.cfg"
+
+    setup_environment
+    init_getssl
+    create_certificate
+    assert_success
+    refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
+    refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]'
+    refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
+}
+
+@test "Force renewal of certificate using staging server and DuckDNS" {
+    if [ -z "$STAGING" ]; then
+        skip "Running internal tests, skipping external test"
+    fi
+    run ${CODE_DIR}/getssl -f $GETSSL_HOST
+    assert_success
+    refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
+    refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]'
+    refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
+    cleanup_environment
+    curl --silent -X POST -d '{"host":"getssl.duckdns.org", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/del-a
+}

test/8-duckdns-ecdsa.bats

@@ -0,0 +1,103 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# These are run for every test, not once per file
+setup() {
+    if [ -n "$STAGING" ]; then
+        export GETSSL_HOST=getssl.duckdns.org
+    fi
+}
+
+
+@test "Create new certificate using staging server and prime256v1" {
+    if [ -z "$STAGING" ]; then
+        skip "Running internal tests, skipping external test"
+    fi
+    CONFIG_FILE="getssl-duckdns01.cfg"
+    GETSSL_HOST=getssl.duckdns.org
+
+    setup_environment
+    init_getssl
+    sed -e 's/rsa/prime256v1/g' < "${CODE_DIR}/test/test-config/${CONFIG_FILE}" > "${INSTALL_DIR}/.getssl/${GETSSL_HOST}/getssl.cfg"
+    run ${CODE_DIR}/getssl "$GETSSL_HOST"
+    assert_success
+    refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
+    refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]'
+    refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
+}
+
+
+@test "Force renewal of certificate using staging server and prime256v1" {
+    if [ -z "$STAGING" ]; then
+        skip "Running internal tests, skipping external test"
+    fi
+    run ${CODE_DIR}/getssl -f $GETSSL_HOST
+    assert_success
+    refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
+    refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]'
+    refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
+    cleanup_environment
+}
+
+
+@test "Create new certificate using staging server and secp384r1" {
+    if [ -z "$STAGING" ]; then
+        skip "Running internal tests, skipping external test"
+    fi
+    CONFIG_FILE="getssl-duckdns01.cfg"
+    GETSSL_HOST=getssl.duckdns.org
+
+    setup_environment
+    init_getssl
+    sed -e 's/rsa/secp384r1/g' < "${CODE_DIR}/test/test-config/${CONFIG_FILE}" > "${INSTALL_DIR}/.getssl/${GETSSL_HOST}/getssl.cfg"
+    run ${CODE_DIR}/getssl "$GETSSL_HOST"
+    assert_success
+    refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
+    refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]'
+    refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
+}
+
+
+@test "Force renewal of certificate using staging server and secp384r1" {
+    if [ -z "$STAGING" ]; then
+        skip "Running internal tests, skipping external test"
+    fi
+    run ${CODE_DIR}/getssl -f $GETSSL_HOST
+    assert_success
+    refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
+    refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]'
+    refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
+    cleanup_environment
+}
+
+
+@test "Create new certificate using staging server and secp521r1" {
+    skip "The staging server returns 'ECDSA curve P-521 not allowed'"
+
+    CONFIG_FILE="getssl-duckdns01.cfg"
+    GETSSL_HOST=getssl.duckdns.org
+
+    setup_environment
+    init_getssl
+    sed -e 's/rsa/secp521r1/g' < "${CODE_DIR}/test/test-config/${CONFIG_FILE}" > "${INSTALL_DIR}/.getssl/${GETSSL_HOST}/getssl.cfg"
+    run ${CODE_DIR}/getssl "$GETSSL_HOST"
+    assert_success
+    refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
+    refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]'
+    refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
+}
+
+
+@test "Force renewal of certificate using staging server and secp521r1" {
+    skip "The staging server returns 'ECDSA curve P-521 not allowed'"
+    run ${CODE_DIR}/getssl -f $GETSSL_HOST
+    assert_success
+    refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
+    refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]'
+    refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
+    cleanup_environment
+}

test/debug-test.sh

@@ -13,10 +13,16 @@ CONFIG_FILE=$1
 if [ ! -e "$CONFIG_FILE" ]; then
     CONFIG_FILE=${CODE_DIR}/test/test-config/${CONFIG_FILE}
 fi
+
+#shellcheck disable=SC1091
 source /getssl/test/test_helper.bash
 
 setup_environment 3>&1
-export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+
+# Only add the pebble CA to the cert bundle if using pebble
+if [ "$(grep -q pebble "${CONFIG_FILE}")" = 0 ]; then
+    export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+fi
 
 "${CODE_DIR}/getssl" -c "$GETSSL_HOST" 3>&1
 cp "${CONFIG_FILE}" "${INSTALL_DIR}/.getssl/${GETSSL_HOST}/getssl.cfg"

test/run-all-tests.cmd

@@ -3,3 +3,4 @@ docker exec -it getssl-centos6 bats /getssl/test
 docker exec -it getssl-debian bats /getssl/test
 docker exec -it getssl-ubuntu bats /getssl/test
 docker exec -it getssl-ubuntu18 bats /getssl/test
+docker exec -it getssl-duckdns bats /getssl/test

test/run-all-tests.sh

@@ -5,3 +5,4 @@ docker exec -it getssl-centos6 bats /getssl/test
 docker exec -it getssl-debian bats /getssl/test
 docker exec -it getssl-ubuntu bats /getssl/test
 docker exec -it getssl-ubuntu18 bats /getssl/test
+docker exec -it getssl-duckdns bats /getssl/test

test/test-config/getssl-duckdns01.cfg

@@ -0,0 +1,37 @@
+# Test that the script works with external dns provider and staging server
+#
+CA="https://acme-staging-v02.api.letsencrypt.org/directory"
+
+VALIDATE_VIA_DNS=true
+DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_duckdns"
+DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_duckdns"
+AUTH_DNS_SERVER=1.1.1.1
+CHECK_ALL_AUTH_DNS=false
+DNS_EXTRA_WAIT=20
+
+ACCOUNT_KEY_TYPE="rsa"
+PRIVATE_KEY_ALG="rsa"
+
+# Additional domains - this could be multiple domains / subdomains in a comma separated list
+SANS=""
+
+# Acme Challenge Location. The first line for the domain, the following ones for each additional domain.
+ACL=('/var/www/html/.well-known/acme-challenge')
+
+#Set USE_SINGLE_ACL="true" to use a single ACL for all checks
+USE_SINGLE_ACL="false"
+
+# Location for all your certs, these can either be on the server (full path name)
+# or using ssh /sftp as for the ACL
+DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
+DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
+CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
+DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
+DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
+
+# The command needed to reload apache / nginx or whatever you use
+RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
+
+# Define the server type and confirm correct certificate is installed (using a custom port)
+SERVER_TYPE="https"
+CHECK_REMOTE="true"