Tests for wildcard changes

test/10-mixed-case.bats

@@ -7,7 +7,9 @@ load '/getssl/test/test_helper.bash'
 
 # This is run for every test
 setup() {
-    export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    if [ -z "$STAGING" ]; then
+        export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    fi
 }
 
 @test "Check that HTTP-01 verification works if the domain is not lowercase" {

test/14-test-revoke.bats

@@ -7,7 +7,9 @@ load '/getssl/test/test_helper.bash'
 
 # This is run for every test
 setup() {
-    export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    if [ -z "$STAGING" ]; then
+        export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    fi
 }
 
 

test/15-test-revoke-no-suffix.bats

@@ -7,7 +7,9 @@ load '/getssl/test/test_helper.bash'
 
 # This is run for every test
 setup() {
-    export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    if [ -z "$STAGING" ]; then
+        export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    fi
 }
 
 

test/17-test-spaces-in-sans-dns01.bats

@@ -7,7 +7,9 @@ load '/getssl/test/test_helper.bash'
 
 # This is run for every test
 setup() {
-    export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    if [ -z "$STAGING" ]; then
+        export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    fi
 }
 
 

test/17-test-spaces-in-sans-http01.bats

@@ -7,7 +7,9 @@ load '/getssl/test/test_helper.bash'
 
 # This is run for every test
 setup() {
-    export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    if [ -z "$STAGING" ]; then
+        export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    fi
 }
 
 

test/19-test-add-to-sans.bats

@@ -7,18 +7,21 @@ load '/getssl/test/test_helper.bash'
 
 # This is run for every test
 setup() {
-    export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
-    curl --silent -X POST -d '{"host":"a.'$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
-    curl --silent -X POST -d '{"host":"b.'$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
+    if [ -z "$STAGING" ]; then
+        export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+        curl --silent -X POST -d '{"host":"a.'$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
+        curl --silent -X POST -d '{"host":"b.'$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
+    fi
 }
 
 teardown() {
-    curl --silent -X POST -d '{"host":"a.'$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/clear-a
-    curl --silent -X POST -d '{"host":"b.'$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/clear-a
+    if [ -z "$STAGING" ]; then
+        curl --silent -X POST -d '{"host":"a.'$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/clear-a
+        curl --silent -X POST -d '{"host":"b.'$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/clear-a
+    fi
 }
 
 
-
 @test "Create certificate to check can add to SANS" {
     skip "FIXME: Certificate is not recreated when SANS is updated"
     if [ -n "$STAGING" ]; then

test/2-simple-dns01-dig.bats

@@ -6,7 +6,9 @@ load '/getssl/test/test_helper.bash'
 
 
 setup() {
-    export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    if [ -z "$STAGING" ]; then
+        export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    fi
     if [ -f /usr/bin/host ]; then
         mv /usr/bin/host /usr/bin/host.getssl.bak
     fi

test/2-simple-dns01-nslookup.bats

@@ -7,7 +7,9 @@ load '/getssl/test/test_helper.bash'
 
 # This is run for every test
 setup() {
-    export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    if [ -z "$STAGING" ]; then
+        export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    fi
     if [ -f /usr/bin/dig ]; then
         mv /usr/bin/dig /usr/bin/dig.getssl.bak
     fi

test/20-wildcard-simple.bats

@@ -0,0 +1,68 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+setup() {
+    if [ -z "$STAGING" ]; then
+        export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    fi
+}
+
+
+@test "Create wildcard certificate" {
+    if [ -n "$STAGING" ]; then
+        CONFIG_FILE="getssl-staging-dns01.cfg"
+    else
+        CONFIG_FILE="getssl-dns01.cfg"
+    fi
+
+    GETSSL_CMD_HOST="*.${GETSSL_HOST}"
+    setup_environment
+    init_getssl
+    create_certificate
+    assert_success
+    check_output_for_errors
+}
+
+
+@test "Check CHECK_REMOTE works for wildcard certificates" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+
+    run ${CODE_DIR}/getssl "*.$GETSSL_HOST"
+    assert_success
+    assert_line --partial "certificate is valid for more than"
+    check_output_for_errors
+}
+
+
+@test "Force renewal of wildcard certificate" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+
+    run ${CODE_DIR}/getssl -f "*.$GETSSL_HOST"
+    assert_success
+    refute_line --partial "certificate is valid for more than"
+    check_output_for_errors
+}
+
+
+@test "Check renewal of near-expiration wildcard certificate" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+
+    echo "RENEW_ALLOW=2000" >> "${INSTALL_DIR}/.getssl/*.${GETSSL_HOST}/getssl.cfg"
+
+    run ${CODE_DIR}/getssl "*.$GETSSL_HOST"
+    assert_success
+    refute_line --partial "certificate is valid for more than"
+    check_output_for_errors
+    cleanup_environment
+}

test/21-wildcard-dual-rsa.bats

@@ -0,0 +1,82 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+setup() {
+    if [ -z "$STAGING" ]; then
+        export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    fi
+}
+
+
+@test "Create secp384r1 wildcard certificate" {
+    if [ -n "$STAGING" ]; then
+        CONFIG_FILE="getssl-staging-dns01.cfg"
+    else
+        CONFIG_FILE="getssl-dns01.cfg"
+    fi
+
+    GETSSL_CMD_HOST="*.${GETSSL_HOST}"
+
+    setup_environment
+    init_getssl
+
+    cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+ACCOUNT_KEY_TYPE="secp384r1"
+PRIVATE_KEY_ALG="secp384r1"
+EOF
+
+    create_certificate
+    assert_success
+    check_output_for_errors
+    run openssl x509 -noout -text -in "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt"
+    assert_line --partial "Public Key Algorithm: id-ecPublicKey"
+    cleanup_environment
+}
+
+
+@test "Create dual certificates using DNS-01 verification" {
+    if [ -n "$STAGING" ]; then
+        CONFIG_FILE="getssl-staging-dns01.cfg"
+    else
+        CONFIG_FILE="getssl-dns01.cfg"
+    fi
+
+    GETSSL_CMD_HOST="*.${GETSSL_HOST}"
+
+    setup_environment
+    init_getssl
+
+    cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+DUAL_RSA_ECDSA="true"
+ACCOUNT_KEY_TYPE="prime256v1"
+PRIVATE_KEY_ALG="prime256v1"
+EOF
+
+    check_nginx
+    if [ "$OLD_NGINX" = "false" ]; then
+        echo 'RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-dual-certs ${NGINX_CONFIG} && /getssl/test/restart-nginx"' >> ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+    else
+        echo 'CHECK_REMOTE="false"' >> ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+    fi
+
+    create_certificate
+    assert_success
+    check_output_for_errors
+    check_certificates
+    assert [ -e "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/chain.ec.crt" ]
+    assert [ -e "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.ec.crt" ]
+    assert [ -e "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.ec.crt" ]
+
+    run openssl x509 -noout -text -in "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt"
+    assert_line --partial "Public Key Algorithm: rsaEncryption"
+
+    run openssl x509 -noout -text -in "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.ec.crt"
+    assert_line --partial "Public Key Algorithm: id-ecPublicKey"
+
+    cleanup_environment
+}

test/22-wildcard-dual-rsa-ecdsa-copy-2-locations.bats

@@ -0,0 +1,65 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# These are run for every test, not once per file
+setup() {
+    if [ -z "$STAGING" ]; then
+        export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    fi
+}
+
+
+@test "Create dual certificates (one wildcard) and copy RSA and ECDSA chain and key to two locations" {
+    if [ -n "$STAGING" ]; then
+        CONFIG_FILE="getssl-staging-dns01.cfg"
+    else
+        CONFIG_FILE="getssl-dns01.cfg"
+    fi
+
+    GETSSL_CMD_HOST="*.${GETSSL_HOST}"
+
+    setup_environment
+    init_getssl
+
+    cat <<- 'EOF' > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+DUAL_RSA_ECDSA="true"
+ACCOUNT_KEY_TYPE="prime256v1"
+PRIVATE_KEY_ALG="prime256v1"
+DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key;/root/a.${GETSSL_HOST}/server.key"
+DOMAIN_CHAIN_LOCATION="/etc/nginx/pki/domain-chain.crt;/root/a.${GETSSL_HOST}/domain-chain.crt" # this is the domain cert and CA cert
+EOF
+
+    check_nginx
+    if [ "$OLD_NGINX" = "false" ]; then
+        echo 'RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-dual-certs ${NGINX_CONFIG} && /getssl/test/restart-nginx"' >> ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+    else
+        echo 'CHECK_REMOTE="false"' >> ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+    fi
+
+    create_certificate
+    assert_success
+    check_output_for_errors
+
+    if [ "$OLD_NGINX" = "false" ]; then
+        assert_line --partial "rsa certificate installed OK on server"
+        assert_line --partial "prime256v1 certificate installed OK on server"
+    fi
+
+    # Check that the RSA chain and key have been copied to both locations
+    assert [ -e "/etc/nginx/pki/domain-chain.crt" ]
+    assert [ -e "/root/a.${GETSSL_HOST}/domain-chain.crt" ]
+    assert [ -e "/etc/nginx/pki/private/server.key" ]
+    assert [ -e "/root/a.${GETSSL_HOST}/server.key" ]
+
+    # Check that the ECDSA chain and key have been copied to both locations
+    assert [ -e "/etc/nginx/pki/domain-chain.ec.crt" ]
+    assert [ -e "/root/a.${GETSSL_HOST}/domain-chain.ec.crt" ]
+    assert [ -e "/etc/nginx/pki/private/server.ec.key" ]
+    assert [ -e "/root/a.${GETSSL_HOST}/server.ec.key" ]
+
+    cleanup_environment
+}

test/23-wildcard-check-globbing.bats

@@ -0,0 +1,46 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+setup() {
+    if [ -z "$STAGING" ]; then
+        export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    fi
+}
+
+
+@test "Check for globbing for wildcard domains" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    else
+        CONFIG_FILE="getssl-dns01.cfg"
+    fi
+
+    GETSSL_CMD_HOST="*.${GETSSL_HOST}"
+    setup_environment
+
+    init_getssl
+
+    # Create a directory in /root which looks like a domain so that if glob expansion is performed a certificate for the wrong domain will be created
+    mkdir -p "${INSTALL_DIR}/a.${GETSSL_HOST}"
+
+    create_certificate
+    assert_success
+    check_output_for_errors
+}
+
+
+@test "Force renewal of wildcard certificate" {
+    if [ -n "$STAGING" ]; then
+        skip "Not trying on staging server yet"
+    fi
+
+    run ${CODE_DIR}/getssl -f "*.$GETSSL_HOST"
+    assert_success
+    refute_line --partial "certificate is valid for more than"
+    check_output_for_errors
+}

test/24-wildcard-sans.bats

@@ -0,0 +1,69 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+setup() {
+    if [ -z "$STAGING" ]; then
+        export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+        curl --silent -X POST -d '{"host":"wild-'$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
+    fi
+}
+
+
+teardown() {
+    if [ -z "$STAGING" ]; then
+        curl --silent -X POST -d '{"host":"wild-'$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/clear-a
+    fi
+}
+
+
+@test "Check can create certificate for wildcard domain as arg and non-wildcard in SANS" {
+    if [ -n "$STAGING" ]; then
+        CONFIG_FILE="getssl-staging-dns01.cfg"
+    else
+        CONFIG_FILE="getssl-dns01.cfg"
+    fi
+
+    # Staging server generates an error if try to create a certificate for *.domain and a.domain
+    # so create for *.wild-domain and a.domain instead
+    GETSSL_CMD_HOST="*.wild-${GETSSL_HOST}"
+    setup_environment
+    init_getssl
+
+    echo 'SANS="${GETSSL_HOST}"' > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+
+    create_certificate
+    assert_success
+    check_output_for_errors
+    run openssl x509 -noout -text -in "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt"
+    # verify certificate is for wildcard domain with non-wildcard domain in the Subject Alternative Name list
+    assert_output --regexp "Subject: CN[ ]?=[ ]?\*.wild-${GETSSL_HOST}"
+    assert_output --partial "DNS:${GETSSL_HOST}"
+}
+
+
+@test "Check can create certificate for non-wildcard domain as arg and wildcard in SANS" {
+    if [ -n "$STAGING" ]; then
+        CONFIG_FILE="getssl-staging-dns01.cfg"
+    else
+        CONFIG_FILE="getssl-dns01.cfg"
+    fi
+
+    GETSSL_CMD_HOST="${GETSSL_HOST}"
+    setup_environment
+    init_getssl
+
+    echo 'SANS="*.wild-${GETSSL_HOST}"' > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+
+    create_certificate
+    assert_success
+    check_output_for_errors
+    run openssl x509 -noout -text -in "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt"
+    # verify certificate is for non-wildcard domain with wildcard domain in the Subject Alternative Name list
+    assert_output --regexp "Subject: CN[ ]?=[ ]?${GETSSL_HOST}"
+    assert_output --partial "DNS:*.wild-${GETSSL_HOST}"
+}

test/25-wildcard-all.bats

@@ -0,0 +1,42 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+setup() {
+    if [ -z "$STAGING" ]; then
+        export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    fi
+}
+
+
+@test "Check can create certificate for wildcard domain using --all" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    else
+        CONFIG_FILE="getssl-dns01.cfg"
+    fi
+
+    GETSSL_CMD_HOST="*.${GETSSL_HOST}"
+    setup_environment
+    # Create .getssl directory and .getssl/*.{host} directory
+    init_getssl
+    cp "${CODE_DIR}/test/test-config/${CONFIG_FILE}" "${INSTALL_DIR}/.getssl/*.${GETSSL_HOST}/getssl.cfg"
+
+    # create another domain in the .getssl directory
+    run ${CODE_DIR}/getssl -c "a.${GETSSL_HOST}"
+    cp "${CODE_DIR}/test/test-config/${CONFIG_FILE}" "${INSTALL_DIR}/.getssl/a.${GETSSL_HOST}/getssl.cfg"
+
+    # Create a directory in /root which looks like a domain so that if glob expansion is performed the wildcard certificate won't be created
+    mkdir -p "${INSTALL_DIR}/a.${GETSSL_HOST}"
+
+    run ${CODE_DIR}/getssl --all
+
+    assert_success
+    assert_line --partial "Certificate saved in /root/.getssl/*.${GETSSL_HOST}/*.${GETSSL_HOST}"
+    assert_line --partial "Certificate saved in /root/.getssl/a.${GETSSL_HOST}/a.${GETSSL_HOST}"
+    check_output_for_errors
+}

test/26-wildcard-revoke.bats

@@ -0,0 +1,49 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+setup() {
+    if [ -z "$STAGING" ]; then
+        export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    fi
+}
+
+
+@test "Create certificate to check wildcard revoke" {
+    if [ -n "$STAGING" ]; then
+        CONFIG_FILE="getssl-staging-dns01.cfg"
+    else
+        CONFIG_FILE="getssl-dns01.cfg"
+    fi
+
+    GETSSL_CMD_HOST="*.${GETSSL_HOST}"
+    setup_environment
+    init_getssl
+    create_certificate
+    assert_success
+    check_output_for_errors
+}
+
+
+@test "Check we can revoke a wildcard certificate" {
+    if [ -n "$STAGING" ]; then
+        CONFIG_FILE="getssl-staging-dns01.cfg"
+    else
+        CONFIG_FILE="getssl-dns01.cfg"
+    fi
+    . "${CODE_DIR}/test/test-config/${CONFIG_FILE}"
+
+    GETSSL_CMD_HOST="*.${GETSSL_HOST}"
+
+    CERT=${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt
+    KEY=${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.key
+
+    run ${CODE_DIR}/getssl -d --revoke $CERT $KEY $CA
+    assert_line "certificate revoked"
+    assert_success
+    check_output_for_errors "debug"
+}

test/27-wildcard-existing-cert.bats

@@ -0,0 +1,45 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+setup() {
+    if [ -z "$STAGING" ]; then
+        export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    fi
+}
+
+
+@test "Check that new creating a new configuration files uses details from existing certificate" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    else
+        CONFIG_FILE="getssl-dns01.cfg"
+    fi
+
+    # Create and install certificate for wildcard + another domain
+    GETSSL_CMD_HOST="*.${GETSSL_HOST}"
+    setup_environment
+    init_getssl
+
+    echo 'SANS="a.${GETSSL_HOST}"' > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+
+    create_certificate
+    assert_success
+    check_output_for_errors
+
+    # Delete configuration
+    rm -r ${INSTALL_DIR}/.getssl
+
+    # Create configuration
+    run ${CODE_DIR}/getssl -c "${GETSSL_CMD_HOST}"
+
+    # Assert that the newly created configuration contains the additional domain in SANS
+    # if this fails then error in tests will be "grep failed" - this means SANS did not hold the expected value
+    # eg   SANS="a.centos7.getssl.test"
+    grep -q "SANS=\"a.${GETSSL_HOST}\"" ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl.cfg
+    assert_success
+}

test/28-wildcard-error-http01-validation.bats

@@ -0,0 +1,31 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+setup() {
+    if [ -z "$STAGING" ]; then
+        export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    fi
+}
+
+
+@test "Check that trying to create a wildcard certificate using http-01 validation shows an error message" {
+    if [ -n "$STAGING" ]; then
+        skip "Internal test, no need to test on staging server"
+    else
+        CONFIG_FILE="getssl-http01.cfg"
+    fi
+
+    # Try and create a wildcard certificate using http-01 validation
+    GETSSL_CMD_HOST="*.${GETSSL_HOST}"
+    setup_environment
+    init_getssl
+
+    create_certificate
+    assert_failure
+    assert_line --partial "cannot use http-01 validation for wildcard domains"
+}

test/README-Testing.md

@@ -8,7 +8,7 @@ For continuous integration testing we have the following:
 
 1. Uses `docker-compose` to start `pebble` (letsencrypt test server) and `challtestsrv` (minimal dns client for pebble)
 2. Then runs the `bats` test scripts (all the files with a ".bats" extension) for each OS (alpine, centos6, debian, ubuntu)
-3. Runs the `bats` test script against the staging server (using nn ubuntu docker image and duckdns.org)
+3. Runs the `bats` test script against the staging server (using ubuntu docker image and duckdns.org)
 
 ## To run all the tests on a single OS
 

test/run-test.cmd

@@ -49,6 +49,7 @@ docker run -it ^
   --network-alias i.%OS%.getssl.test ^
   --network-alias j.%OS%.getssl.test ^
   --network-alias k.%OS%.getssl.test ^
+  --network-alias wild-%ALIAS% ^
   --name getssl-%OS% ^
   getssl-%OS% ^
   %COMMAND%

test/run-test.sh

@@ -42,6 +42,7 @@ docker run \
   --network-alias "i.$OS.getssl.test" \
   --network-alias "j.$OS.getssl.test" \
   --network-alias "k.$OS.getssl.test" \
+  --network-alias "wild-$OS.getssl.test" \
   --name "getssl-$OS" \
   "getssl-$OS" \
   $COMMAND

test/test-config/getssl-dns01-dual-rsa-ecdsa-2-locations.cfg

@@ -0,0 +1,37 @@
+# Test that more than one location can be specified for CERT and KEY locations and that the
+# files are copied to both locations when both RSA and ECDSA certificates are created
+#
+CA="https://pebble:14000/dir"
+
+VALIDATE_VIA_DNS=true
+DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv"
+DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv"
+AUTH_DNS_SERVER=10.30.50.3
+
+# Speed up the test by reducing the number or retries and the wait between retries.
+DNS_WAIT=2
+DNS_WAIT_COUNT=11
+DNS_EXTRA_WAIT=0
+
+DUAL_RSA_ECDSA="true"
+ACCOUNT_KEY_TYPE="prime256v1"
+PRIVATE_KEY_ALG="prime256v1"
+
+# Additional domains - this could be multiple domains / subdomains in a comma separated list
+SANS=""
+# SANS="a.${GETSSL_HOST}"
+
+# Location for all your certs, these can either be on the server (full path name)
+# or using ssh /sftp as for the ACL
+DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
+DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key;/root/a.${GETSSL_HOST}/server.key"
+CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
+DOMAIN_CHAIN_LOCATION="/etc/nginx/pki/domain-chain.crt;/root/a.${GETSSL_HOST}/domain-chain.crt" # this is the domain cert and CA cert
+DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
+
+# The command needed to reload apache / nginx or whatever you use
+RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-dual-certs ${NGINX_CONFIG} && /getssl/test/restart-nginx"
+
+# Define the server type and confirm correct certificate is installed
+SERVER_TYPE="https"
+CHECK_REMOTE="true"

test/test-config/getssl-dns01-secp384.cfg

@@ -0,0 +1,36 @@
+# Uncomment and modify any variables you need
+# see https://github.com/srvrco/getssl/wiki/Config-variables for details
+# see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
+#
+CA="https://pebble:14000/dir"
+
+VALIDATE_VIA_DNS=true
+DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv"
+DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv"
+AUTH_DNS_SERVER=10.30.50.3
+
+# Speed up the test by reducing the number or retries and the wait between retries.
+DNS_WAIT=2
+DNS_WAIT_COUNT=11
+DNS_EXTRA_WAIT=0
+
+ACCOUNT_KEY_TYPE="secp384r1"
+PRIVATE_KEY_ALG="secp384r1"
+
+# Additional domains - this could be multiple domains / subdomains in a comma separated list
+SANS=""
+
+# Location for all your certs, these can either be on the server (full path name)
+# or using ssh /sftp as for the ACL
+DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
+DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
+CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
+DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
+DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
+
+# The command needed to reload apache / nginx or whatever you use
+RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
+
+# Define the server type and confirm correct certificate is installed
+SERVER_TYPE="https"
+CHECK_REMOTE="true"

test/test-config/getssl-dns01.cfg

@@ -31,3 +31,10 @@ RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /get
 # Define the server type and confirm correct certificate is installed
 SERVER_TYPE="https"
 CHECK_REMOTE="true"
+
+#_USE_DEBUG=1
+#_RUNNING_TEST=1
+
+if [[ -s "$DOMAIN_DIR/getssl_test_specific.cfg" ]]; then
+    . $DOMAIN_DIR/getssl_test_specific.cfg
+fi

test/test-config/getssl-staging-dns01.cfg

@@ -31,6 +31,10 @@ DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
 # The command needed to reload apache / nginx or whatever you use
 RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
 
-# Define the server type and confirm correct certificate is installed (using a custom port)
+# Define the server type and confirm correct certificate is installed
 SERVER_TYPE="https"
 CHECK_REMOTE="true"
+
+if [[ -s "$DOMAIN_DIR/getssl_test_specific.cfg" ]]; then
+    . $DOMAIN_DIR/getssl_test_specific.cfg
+fi

test/test_helper.bash

@@ -3,99 +3,103 @@ CODE_DIR=/getssl
 
 check_certificates()
 {
-    assert [ -e "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/chain.crt" ]
-    assert [ -e "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.crt" ]
-    assert [ -e "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt" ]
+  assert [ -e "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/chain.crt" ]
+  assert [ -e "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.crt" ]
+  assert [ -e "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt" ]
 }
 
 # Only nginx > 1.11.0 support dual certificates in a single configuration file
 # https://unix.stackexchange.com/questions/285924/how-to-compare-a-programs-version-in-a-shell-script
 check_nginx() {
-    requiredver="1.11.0"
-    currentver=$(nginx -v 2>&1 | awk -F"/" '{print $2}')
-    if [ "$(printf '%s\n' "$requiredver" "$currentver" | sort -V | head -n1)" = "$requiredver" ]; then
-        export OLD_NGINX="false"
-    else
-        echo "INFO: Running nginx version $currentver which doesn't support dual certificates" >&3
-        echo "INFO: not checking that certificate is installed correctly" >&3
-        export OLD_NGINX="true"
-    fi
+  requiredver="1.11.0"
+  currentver=$(nginx -v 2>&1 | awk -F"/" '{print $2}')
+  if [ "$(printf '%s\n' "$requiredver" "$currentver" | sort -V | head -n1)" = "$requiredver" ]; then
+    export OLD_NGINX="false"
+  else
+    echo "INFO: Running nginx version $currentver which doesn't support dual certificates" >&3
+    echo "INFO: not checking that certificate is installed correctly" >&3
+    export OLD_NGINX="true"
+  fi
 }
 
 check_output_for_errors() {
-    refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
-    # less strict tests if running with debug output
-    if [ -n "$1" ]; then
-        # don't fail for :error:badNonce
-        refute_output --regexp '[^:][Ee][Rr][Rr][Oo][Rr][^:]'
-        # don't check for "Warnings:" as there might be a warning message if nslookup doesn't support -debug (alpine/ubuntu)
-        refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg][^:]'
-    else
-        refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]'
-        refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
-    fi
-    refute_line --partial 'command not found'
+  refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
+  # less strict tests if running with debug output
+  if [ -n "$1" ]; then
+      # don't fail for :error:badNonce
+      refute_output --regexp '[^:][Ee][Rr][Rr][Oo][Rr][^:]'
+      # don't check for "Warnings:" as there might be a warning message if nslookup doesn't support -debug (alpine/ubuntu)
+      refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg][^:]'
+  else
+      refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]'
+      refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
+  fi
+  refute_line --partial 'command not found'
 }
 
 cleanup_environment() {
+  if [ -z "$STAGING" ]; then
     curl --silent -X POST -d '{"host":"'"$GETSSL_HOST"'"}' http://10.30.50.3:8055/clear-a
+  fi
 }
 
 create_certificate() {
-    # Create certificate
-    cp "${CODE_DIR}/test/test-config/${CONFIG_FILE}" "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl.cfg"
-    # shellcheck disable=SC2086
-    run ${CODE_DIR}/getssl $1 "$GETSSL_CMD_HOST"
+  # Create certificate
+  cp "${CODE_DIR}/test/test-config/${CONFIG_FILE}" "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl.cfg"
+  # shellcheck disable=SC2086
+  run ${CODE_DIR}/getssl $1 "$GETSSL_CMD_HOST"
 }
 
 init_getssl() {
-    # Run initialisation (create account key, etc)
-    run ${CODE_DIR}/getssl -c "$GETSSL_CMD_HOST"
-    assert_success
-    [ -d "$INSTALL_DIR/.getssl" ]
+  # Run initialisation (create account key, etc)
+  run ${CODE_DIR}/getssl -c "$GETSSL_CMD_HOST"
+  assert_success
+  [ -d "$INSTALL_DIR/.getssl" ]
 }
 
 setup_environment() {
-    # One-off test setup
-    if [[ -d ${INSTALL_DIR}/.getssl ]]; then
-        rm -r ${INSTALL_DIR}/.getssl
-    fi
+  # One-off test setup
+  if [[ -d ${INSTALL_DIR}/.getssl ]]; then
+    rm -r ${INSTALL_DIR}/.getssl
+  fi
 
+  if [ -z "$STAGING" ]; then
     curl --silent -X POST -d '{"host":"'"$GETSSL_HOST"'", "addresses":["'"$GETSSL_IP"'"]}' http://10.30.50.3:8055/add-a
-    cp ${CODE_DIR}/test/test-config/nginx-ubuntu-no-ssl "${NGINX_CONFIG}"
-    /getssl/test/restart-nginx
+  fi
+  cp ${CODE_DIR}/test/test-config/nginx-ubuntu-no-ssl "${NGINX_CONFIG}"
+  /getssl/test/restart-nginx
 }
 
 # start nginx in background on alpine via supervisord
 # shellcheck disable=SC2153 # Ignore GETSSL_OS looks like typo of GETSSL_IP
 if [[ -f /usr/bin/supervisord && -f /etc/supervisord.conf ]]; then
-    if [[ ! $(pgrep supervisord) ]]; then
-        /usr/bin/supervisord -c /etc/supervisord.conf >&3-
-    fi
+  if [[ ! $(pgrep supervisord) ]]; then
+    /usr/bin/supervisord -c /etc/supervisord.conf >&3-
+  fi
 elif [[ "$GETSSL_OS" == "centos"[78] ]]; then
-    if [ -z "$(pgrep nginx)" ]; then
-        nginx >&3-
-    fi
+  if [ -z "$(pgrep nginx)" ]; then
+    nginx >&3-
+  fi
 fi
 
 # Find NGINX configuration directory for HTTP-01 testing (need to add SSL to config)
 if [[ -f /etc/nginx/conf.d/default.conf ]]; then
-    export NGINX_CONFIG=/etc/nginx/conf.d/default.conf
+  export NGINX_CONFIG=/etc/nginx/conf.d/default.conf
 elif [[ -f /etc/nginx/sites-enabled/default ]]; then
-    export NGINX_CONFIG=/etc/nginx/sites-enabled/default
+  export NGINX_CONFIG=/etc/nginx/sites-enabled/default
 else
-    echo "Can't find NGINX directory"
-    exit 1
+  echo "Can't find NGINX directory"
+  exit 1
 fi
 
 # Find IP address
 if [[ -n "$(command -v ip)" ]]; then
-    GETSSL_IP=$(ip address | awk '/10.30.50/ { print $2 }' | awk -F/ '{ print $1 }')
+  GETSSL_IP=$(ip address | awk '/10.30.50/ { print $2 }' | awk -F/ '{ print $1 }')
 elif [[ -n "$(command -v hostname)" ]]; then
-    GETSSL_IP=$(hostname -I | sed -e 's/[[:space:]]*$//')
+  GETSSL_IP=$(hostname -I | sed -e 's/[[:space:]]*$//')
 else
-    echo "Cannot find IP address"
-    exit 1
+  echo "Cannot find IP address"
+  exit 1
 fi
 
 export GETSSL_IP
@@ -103,11 +107,11 @@ export GETSSL_IP
 GETSSL_CMD_HOST=$GETSSL_HOST
 export GETSSL_CMD_HOST
 
-if [ ! -f ${INSTALL_DIR}/pebble.minica.pem ]; then
-    wget --quiet --no-clobber https://raw.githubusercontent.com/letsencrypt/pebble/master/test/certs/pebble.minica.pem 2>&1
-    CERT_FILE=/etc/ssl/certs/ca-certificates.crt
-    if [ ! -f $CERT_FILE ]; then
-        CERT_FILE=/etc/pki/tls/certs/ca-bundle.crt
-    fi
-    cat $CERT_FILE ${INSTALL_DIR}/pebble.minica.pem > ${INSTALL_DIR}/pebble-ca-bundle.crt
+if [ -z "$STAGING" ] && [ ! -f ${INSTALL_DIR}/pebble.minica.pem ]; then
+  wget --quiet --no-clobber https://raw.githubusercontent.com/letsencrypt/pebble/master/test/certs/pebble.minica.pem 2>&1
+  CERT_FILE=/etc/ssl/certs/ca-certificates.crt
+  if [ ! -f $CERT_FILE ]; then
+    CERT_FILE=/etc/pki/tls/certs/ca-bundle.crt
+  fi
+  cat $CERT_FILE ${INSTALL_DIR}/pebble.minica.pem > ${INSTALL_DIR}/pebble-ca-bundle.crt
 fi