From aa5eb90a6b8a54bf178c0b620b8c5ae8ebed4b91 Mon Sep 17 00:00:00 2001
From: Tim Kimber
Date: Sat, 22 Feb 2020 18:04:45 +0000
Subject: [PATCH] Add tests using staging server
---
 dns_scripts/dns_add_duckdns | 19 ++++
 dns_scripts/dns_del_duckdns | 12 +++
 docker-compose.yml | 19 +++-
 test/1-simple-http01.bats | 7 +-
 test/2-simple-dns01.bats | 8 +-
 test/3-dual-rsa-ecdsa.bats | 14 ++-
 test/4-more-than-10-hosts.bats | 7 +-
 test/5-secp384-http01.bats | 12 +++
 test/6-dual-rsa-ecdsa-copy-2-locations.bats | 13 ++-
 test/7-duckdns-dns01.bats | 42 ++++++++
 test/8-duckdns-ecdsa.bats | 103 ++++++++++++++++++++
 test/debug-test.sh | 8 +-
 test/run-all-tests.cmd | 1 +
 test/run-all-tests.sh | 1 +
 test/test-config/getssl-duckdns01.cfg | 37 +++++++
 15 files changed, 293 insertions(+), 10 deletions(-)
 create mode 100644 dns_scripts/dns_add_duckdns
 create mode 100644 dns_scripts/dns_del_duckdns
 create mode 100644 test/7-duckdns-dns01.bats
 create mode 100644 test/8-duckdns-ecdsa.bats
 create mode 100644 test/test-config/getssl-duckdns01.cfg
diff --git a/dns_scripts/dns_add_duckdns b/dns_scripts/dns_add_duckdns
new file mode 100644
index 0000000..ef40efe
--- /dev/null
+++ b/dns_scripts/dns_add_duckdns
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# need to add your Token for duckdns below
+token=${DUCKDNS_TOKEN:-}
+
+if [ -z "$token" ]; then
+ echo "DUCKDNS_TOKEN not set"
+ exit 1
+fi
+
+domain="$1"
+txtvalue="$2"
+
+response=$(curl --silent "https://www.duckdns.org/update?domains=${domain}&token=${token}&txt=${txtvalue}")
+if [ "$response" != "OK" ]; then
+ echo "Failed to update TXT record for ${domain} at duckdns.org (is the TOKEN valid?)"
+ echo "Response: $response"
+ exit 1
+fi
diff --git a/dns_scripts/dns_del_duckdns b/dns_scripts/dns_del_duckdns
new file mode 100644
index 0000000..b9b9f9f
--- /dev/null
+++ b/dns_scripts/dns_del_duckdns
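Review bot: In dns_add_duckdns the `domain`, `token` and `txtvalue` arguments are spliced into the query string without URL encoding, so any `&`, `=` or non-URL-safe character in them silently changes the request instead of being sent as data; letting curl encode them avoids that: `response=$(curl --silent --get --data-urlencode "domains=${domain}" --data-urlencode "token=${token}" --data-urlencode "txt=${txtvalue}" "https://www.duckdns.org/update")`. The script also accepts fewer than two arguments without complaint, so a missing `$2` clears the TXT record rather than failing; a guard such as `[ $# -eq 2 ] || { echo "usage: $0 domain txtvalue" >&2; exit 1; }` before the assignments would catch that. Note that either form still places the token in curl's argument list, which is readable by other processes on the host; if that matters, feeding the URL to `curl --config -` on stdin keeps it out of the process listing.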
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# need to add your Token for duckdns below
+token=${DUCKDNS_TOKEN:-}
+domain="$1"
+
+response=$(curl --silent "https://www.duckdns.org/update?domains=${domain}&token=${token}&txt=&clear=true")
+if [ "$response" != "OK" ]; then
+ echo "Failed to update TXT record for ${domain} at duckdns.org (is the TOKEN valid?)"
+ echo "$response"
+ exit 1
+fi
diff --git a/docker-compose.yml b/docker-compose.yml
index 09a4264..8f9e4cb 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -156,7 +156,24 @@ services:
 - i.ubuntu18.getssl.test
 - j.ubuntu18.getssl.test
 - k.ubuntu18.getssl.test
-
+ getssl-duckdns:
+ build:
+ context: .
+ dockerfile: test/Dockerfile-ubuntu
+ container_name: getssl-duckdns
+ volumes:
+ - .:/getssl
+ environment:
+ GETSSL_HOST: getssl.duckdns.org
+ GETSSL_IP: 10.30.50.15
+ NGINX_CONFIG: /etc/nginx/sites-enabled/default
+ DUCKDNS_TOKEN: $DUCKDNS_TOKEN
+ STAGING: "true"
+ networks:
+ acmenet:
+ ipv4_address: 10.30.50.15
+ aliases:
+ - getssl.duckdns.org
 networks:
diff --git a/test/1-simple-http01.bats b/test/1-simple-http01.bats
index 4c55304..fd96a8a 100644
--- a/test/1-simple-http01.bats
+++ b/test/1-simple-http01.bats
@@ -12,6 +12,9 @@ setup() {
 @test "Create new certificate using HTTP-01 verification" {
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
 CONFIG_FILE="getssl-http01.cfg"
 setup_environment
 init_getssl
@@ -24,7 +27,9 @@ setup() {
 @test "Force renewal of certificate using HTTP-01" {
- #!FIXME test certificate has been updated
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
 run ${CODE_DIR}/getssl -f $GETSSL_HOST
 assert_success
 refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
diff --git a/test/2-simple-dns01.bats b/test/2-simple-dns01.bats
index 9d9f44b..ffd0b9e 100644
--- a/test/2-simple-dns01.bats
+++ b/test/2-simple-dns01.bats
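Review bot: dns_del_duckdns drops the empty-token guard that dns_add_duckdns has, so when DUCKDNS_TOKEN is unset it still sends a request with `token=` and then reports "is the TOKEN valid?", which points the user at the wrong cause. Adding the same check after the assignment, `if [ -z "$token" ]; then echo "DUCKDNS_TOKEN not set" >&2; exit 1; fi`, keeps the two scripts consistent and fails before any network call. As in the add script, `domain` is interpolated into the URL unencoded; `--get --data-urlencode "domains=${domain}"` would be the matching fix here.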
@@ -12,6 +12,10 @@ setup() {
 @test "Create new certificate using DNS-01 verification" {
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
+
 CONFIG_FILE="getssl-dns01.cfg"
 setup_environment
 init_getssl
@@ -24,7 +28,9 @@ setup() {
 @test "Force renewal of certificate using DNS-01" {
- #!FIXME test certificate has been updated
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
 run ${CODE_DIR}/getssl -f $GETSSL_HOST
 assert_success
 refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
diff --git a/test/3-dual-rsa-ecdsa.bats b/test/3-dual-rsa-ecdsa.bats
index 2dc9257..7820a96 100644
--- a/test/3-dual-rsa-ecdsa.bats
+++ b/test/3-dual-rsa-ecdsa.bats
@@ -12,6 +12,9 @@ setup() {
 @test "Create dual certificates using HTTP-01 verification" {
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
 CONFIG_FILE="getssl-http01-dual-rsa-ecdsa.cfg"
 setup_environment
 init_getssl
@@ -21,12 +24,17 @@ setup() {
 @test "Force renewal of dual certificates using HTTP-01" {
- #!FIXME test certificate has been updated
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
 run ${CODE_DIR}/getssl -f $GETSSL_HOST
 assert_success
 }
 @test "Create dual certificates using DNS-01 verification" {
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
 CONFIG_FILE="getssl-dns01-dual-rsa-ecdsa.cfg"
 setup_environment
 init_getssl
@@ -36,7 +44,9 @@ setup() {
 @test "Force renewal of dual certificates using DNS-01" {
- #!FIXME test certificate has been updated
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
 run ${CODE_DIR}/getssl -f $GETSSL_HOST
 assert_success
 cleanup_environment
diff --git a/test/4-more-than-10-hosts.bats b/test/4-more-than-10-hosts.bats
index ff61d52..5bdfc2a 100644
--- a/test/4-more-than-10-hosts.bats
+++ b/test/4-more-than-10-hosts.bats
@@ -12,6 +12,9 @@ setup() {
 @test "Create certificates for more than 10 hosts using HTTP-01 verification" {
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
 CONFIG_FILE="getssl-http01-10-hosts.cfg"
 setup_environment
@@ -30,7 +33,9 @@ setup() {
 @test "Force renewal of more than 10 certificates using HTTP-01" {
- #!FIXME test certificate has been updated
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
 run ${CODE_DIR}/getssl -f $GETSSL_HOST
 assert_success
 refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
diff --git a/test/5-secp384-http01.bats b/test/5-secp384-http01.bats
index 9010d58..29da2da 100644
--- a/test/5-secp384-http01.bats
+++ b/test/5-secp384-http01.bats
@@ -12,6 +12,9 @@ setup() {
 @test "Create new secp384r1 certificate using HTTP-01 verification" {
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
 CONFIG_FILE="getssl-http01-secp384.cfg"
 setup_environment
 init_getssl
@@ -21,12 +24,18 @@ setup() {
 @test "Force renewal of secp384r1 certificate using HTTP-01" {
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
 run ${CODE_DIR}/getssl -f $GETSSL_HOST
 assert_success
 }
 @test "Create new secp521r1 certificate using HTTP-01 verification" {
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
 CONFIG_FILE="getssl-http01-secp521.cfg"
 setup_environment
 init_getssl
@@ -36,6 +45,9 @@ setup() {
 @test "Force renewal of secp521r1 certificate using HTTP-01" {
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
 run ${CODE_DIR}/getssl -f $GETSSL_HOST
 assert_success
 }
diff --git a/test/6-dual-rsa-ecdsa-copy-2-locations.bats b/test/6-dual-rsa-ecdsa-copy-2-locations.bats
index 4e64043..aae21bb 100644
--- a/test/6-dual-rsa-ecdsa-copy-2-locations.bats
+++ b/test/6-dual-rsa-ecdsa-copy-2-locations.bats
@@ -7,17 +7,24 @@ load '/getssl/test/test_helper.bash'
 # These are run for every test, not once per file
 setup() {
- export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
- curl --silent -X POST -d '{"host":"'a.$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
+ if [ -z "$STAGING" ]; then
+ export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+ curl --silent -X POST -d '{"host":"'a.$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
+ fi
 }
 teardown() {
- curl --silent -X POST -d '{"host":"'a.$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/del-a
+ if [ -z "$STAGING" ]; then
+ curl --silent -X POST -d '{"host":"'a.$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/del-a
+ fi
 }
 @test "Create dual certificates and copy RSA and ECDSA chain and key to two locations" {
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
 CONFIG_FILE="getssl-http01-dual-rsa-ecdsa-2-locations.cfg"
 setup_environment
 mkdir -p /root/a.${GETSSL_HOST}
diff --git a/test/7-duckdns-dns01.bats b/test/7-duckdns-dns01.bats
new file mode 100644
index 0000000..e81b414
--- /dev/null
+++ b/test/7-duckdns-dns01.bats
@@ -0,0 +1,42 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# These are run for every test, not once per file
+setup() {
+ if [ -n "$STAGING" ]; then
+ export GETSSL_HOST=getssl.duckdns.org
+ fi
+}
+
+
+@test "Create new certificate using staging server and DuckDNS" {
+ if [ -z "$STAGING" ]; then
+ skip "Running internal tests, skipping external test"
+ fi
+ CONFIG_FILE="getssl-duckdns01.cfg"
+
+ setup_environment
+ init_getssl
+ create_certificate
+ assert_success
+ refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
+ refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]'
+ refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
+}
+
+@test "Force renewal of certificate using staging server and DuckDNS" {
+ if [ -z "$STAGING" ]; then
+ skip "Running internal tests, skipping external test"
+ fi
+ run ${CODE_DIR}/getssl -f $GETSSL_HOST
+ assert_success
+ refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
+ refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]'
+ refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
+ cleanup_environment
+ curl --silent -X POST -d '{"host":"getssl.duckdns.org", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/del-a
+}
diff --git a/test/8-duckdns-ecdsa.bats b/test/8-duckdns-ecdsa.bats
new file mode 100644
index 0000000..f50dd05
--- /dev/null
+++ b/test/8-duckdns-ecdsa.bats
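Review bot: The last line of the force-renewal test posts a `del-a` to the pebble challenge test server at 10.30.50.3:8055, yet both tests in this file only run when STAGING is set and nothing in the file registers a matching `add-a`, so the call looks like a leftover from the pebble-based tests and its result is ignored in any case. If it is not needed, drop the `curl ... /del-a` line; if the mapping really is created elsewhere, a comment saying where would help the next reader. Unlike the sibling tests, setup() here does not export CURL_CA_BUNDLE, which is correct for the public staging CA and could be stated in a one-line comment so nobody "fixes" it later.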
@@ -0,0 +1,103 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# These are run for every test, not once per file
+setup() {
+ if [ -n "$STAGING" ]; then
+ export GETSSL_HOST=getssl.duckdns.org
+ fi
+}
+
+
+@test "Create new certificate using staging server and prime256v1" {
+ if [ -z "$STAGING" ]; then
+ skip "Running internal tests, skipping external test"
+ fi
+ CONFIG_FILE="getssl-duckdns01.cfg"
+ GETSSL_HOST=getssl.duckdns.org
+
+ setup_environment
+ init_getssl
+ sed -e 's/rsa/prime256v1/g' < "${CODE_DIR}/test/test-config/${CONFIG_FILE}" > "${INSTALL_DIR}/.getssl/${GETSSL_HOST}/getssl.cfg"
+ run ${CODE_DIR}/getssl "$GETSSL_HOST"
+ assert_success
+ refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
+ refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]'
+ refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
+}
+
+
+@test "Force renewal of certificate using staging server and prime256v1" {
+ if [ -z "$STAGING" ]; then
+ skip "Running internal tests, skipping external test"
+ fi
+ run ${CODE_DIR}/getssl -f $GETSSL_HOST
+ assert_success
+ refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
+ refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]'
+ refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
+ cleanup_environment
+}
+
+
+@test "Create new certificate using staging server and secp384r1" {
+ if [ -z "$STAGING" ]; then
+ skip "Running internal tests, skipping external test"
+ fi
+ CONFIG_FILE="getssl-duckdns01.cfg"
+ GETSSL_HOST=getssl.duckdns.org
+
+ setup_environment
+ init_getssl
+ sed -e 's/rsa/secp384r1/g' < "${CODE_DIR}/test/test-config/${CONFIG_FILE}" > "${INSTALL_DIR}/.getssl/${GETSSL_HOST}/getssl.cfg"
+ run ${CODE_DIR}/getssl "$GETSSL_HOST"
+ assert_success
+ refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
+ refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]'
+ refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
+}
+
+
+@test "Force renewal of certificate using staging server and secp384r1" {
+ if [ -z "$STAGING" ]; then
+ skip "Running internal tests, skipping external test"
+ fi
+ run ${CODE_DIR}/getssl -f $GETSSL_HOST
+ assert_success
+ refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
+ refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]'
+ refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
+ cleanup_environment
+}
+
+
+@test "Create new certificate using staging server and secp521r1" {
+ skip "The staging server returns 'ECDSA curve P-521 not allowed'"
+
+ CONFIG_FILE="getssl-duckdns01.cfg"
+ GETSSL_HOST=getssl.duckdns.org
+
+ setup_environment
+ init_getssl
+ sed -e 's/rsa/secp521r1/g' < "${CODE_DIR}/test/test-config/${CONFIG_FILE}" > "${INSTALL_DIR}/.getssl/${GETSSL_HOST}/getssl.cfg"
+ run ${CODE_DIR}/getssl "$GETSSL_HOST"
+ assert_success
+ refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
+ refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]'
+ refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
+}
+
+
+@test "Force renewal of certificate using staging server and secp521r1" {
+ skip "The staging server returns 'ECDSA curve P-521 not allowed'"
+ run ${CODE_DIR}/getssl -f $GETSSL_HOST
+ assert_success
+ refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
+ refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]'
+ refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
+ cleanup_environment
+}
diff --git a/test/debug-test.sh b/test/debug-test.sh
index ab00666..1327fde 100644
--- a/test/debug-test.sh
+++ b/test/debug-test.sh
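Review bot: The `sed -e 's/rsa/prime256v1/g'` (and the secp384r1 / secp521r1 variants) rewrites every occurrence of `rsa` in getssl-duckdns01.cfg, so `ACCOUNT_KEY_TYPE="rsa"` is changed to the curve as well as `PRIVATE_KEY_ALG="rsa"`; if only the certificate key is meant to change, anchor the substitution, `sed -e 's/^PRIVATE_KEY_ALG="rsa"/PRIVATE_KEY_ALG="prime256v1"/'`, and if both are intended a short comment saying so would stop the next reader from narrowing it. The three create tests also assign `GETSSL_HOST=getssl.duckdns.org` although setup() already exports it under STAGING, which is the only branch in which these tests run; the duplicate can go. This hunk begins on the previous line of the page.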
@@ -13,10 +13,16 @@ CONFIG_FILE=$1
 if [ ! -e "$CONFIG_FILE" ]; then
 CONFIG_FILE=${CODE_DIR}/test/test-config/${CONFIG_FILE}
 fi
+
+#shellcheck disable=SC1091
 source /getssl/test/test_helper.bash
 setup_environment 3>&1
-export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+
+# Only add the pebble CA to the cert bundle if using pebble
+if [ "$(grep -q pebble "${CONFIG_FILE}")" = 0 ]; then
+ export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+fi
 "${CODE_DIR}/getssl" -c "$GETSSL_HOST" 3>&1
 cp "${CONFIG_FILE}" "${INSTALL_DIR}/.getssl/${GETSSL_HOST}/getssl.cfg"
diff --git a/test/run-all-tests.cmd b/test/run-all-tests.cmd
index 16c6fd5..2c5ff6c 100644
--- a/test/run-all-tests.cmd
+++ b/test/run-all-tests.cmd
@@ -3,3 +3,4 @@ docker exec -it getssl-centos6 bats /getssl/test
 docker exec -it getssl-debian bats /getssl/test
 docker exec -it getssl-ubuntu bats /getssl/test
 docker exec -it getssl-ubuntu18 bats /getssl/test
+docker exec -it getssl-duckdns bats /getssl/test
diff --git a/test/run-all-tests.sh b/test/run-all-tests.sh
index b526c63..6a0eb8a 100644
--- a/test/run-all-tests.sh
+++ b/test/run-all-tests.sh
@@ -5,3 +5,4 @@ docker exec -it getssl-centos6 bats /getssl/test
 docker exec -it getssl-debian bats /getssl/test
 docker exec -it getssl-ubuntu bats /getssl/test
 docker exec -it getssl-ubuntu18 bats /getssl/test
+docker exec -it getssl-duckdns bats /getssl/test
diff --git a/test/test-config/getssl-duckdns01.cfg b/test/test-config/getssl-duckdns01.cfg
new file mode 100644
index 0000000..4a37bcd
--- /dev/null
+++ b/test/test-config/getssl-duckdns01.cfg
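Review bot: The new pebble check in debug-test.sh never fires: `$(grep -q pebble "${CONFIG_FILE}")` captures grep's stdout, which `-q` leaves empty, so the string is compared with `0` and is always unequal, and CURL_CA_BUNDLE is no longer exported for any config, including the pebble ones the removed line used to cover. Test the exit status instead, `if grep -q pebble "${CONFIG_FILE}"; then`, which is what the comment above it describes. The script continues outside this hunk.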
@@ -0,0 +1,37 @@
+# Test that the script works with external dns provider and staging server
+#
+CA="https://acme-staging-v02.api.letsencrypt.org/directory"
+
+VALIDATE_VIA_DNS=true
+DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_duckdns"
+DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_duckdns"
+AUTH_DNS_SERVER=1.1.1.1
+CHECK_ALL_AUTH_DNS=false
+DNS_EXTRA_WAIT=20
+
+ACCOUNT_KEY_TYPE="rsa"
+PRIVATE_KEY_ALG="rsa"
+
+# Additional domains - this could be multiple domains / subdomains in a comma separated list
+SANS=""
+
+# Acme Challenge Location. The first line for the domain, the following ones for each additional domain.
+ACL=('/var/www/html/.well-known/acme-challenge')
+
+#Set USE_SINGLE_ACL="true" to use a single ACL for all checks
+USE_SINGLE_ACL="false"
+
+# Location for all your certs, these can either be on the server (full path name)
+# or using ssh /sftp as for the ACL
+DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
+DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
+CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
+DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
+DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
+
+# The command needed to reload apache / nginx or whatever you use
+RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
+
+# Define the server type and confirm correct certificate is installed (using a custom port)
+SERVER_TYPE="https"
+CHECK_REMOTE="true"