diff --git a/test/10-mixed-case.bats b/test/10-mixed-case.bats
index 12b787c..f144058 100644
--- a/test/10-mixed-case.bats
+++ b/test/10-mixed-case.bats
@@ -7,7 +7,9 @@ load '/getssl/test/test_helper.bash'
 # This is run for every test
 setup() {
- export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+ if [ -z "$STAGING" ]; then
+ export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+ fi
 }
 @test "Check that HTTP-01 verification works if the domain is not lowercase" {
diff --git a/test/14-test-revoke.bats b/test/14-test-revoke.bats
index e624552..5bdb72b 100644
--- a/test/14-test-revoke.bats
+++ b/test/14-test-revoke.bats
@@ -7,7 +7,9 @@ load '/getssl/test/test_helper.bash'
 # This is run for every test
 setup() {
- export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+ if [ -z "$STAGING" ]; then
+ export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+ fi
 }
diff --git a/test/15-test-revoke-no-suffix.bats b/test/15-test-revoke-no-suffix.bats
index 26f5f3f..5e8d797 100644
--- a/test/15-test-revoke-no-suffix.bats
+++ b/test/15-test-revoke-no-suffix.bats
@@ -7,7 +7,9 @@ load '/getssl/test/test_helper.bash'
 # This is run for every test
 setup() {
- export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+ if [ -z "$STAGING" ]; then
+ export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+ fi
 }
diff --git a/test/17-test-spaces-in-sans-dns01.bats b/test/17-test-spaces-in-sans-dns01.bats
index 75dce4b..9f3b3dc 100644
--- a/test/17-test-spaces-in-sans-dns01.bats
+++ b/test/17-test-spaces-in-sans-dns01.bats
@@ -7,7 +7,9 @@ load '/getssl/test/test_helper.bash'
 # This is run for every test
 setup() {
- export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+ if [ -z "$STAGING" ]; then
+ export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+ fi
 }
diff --git a/test/17-test-spaces-in-sans-http01.bats b/test/17-test-spaces-in-sans-http01.bats
index f3ba482..fab530f 100644
--- a/test/17-test-spaces-in-sans-http01.bats
+++ b/test/17-test-spaces-in-sans-http01.bats
@@ -7,7 +7,9 @@ load '/getssl/test/test_helper.bash'
 # This is run for every test
 setup() {
- export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+ if [ -z "$STAGING" ]; then
+ export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+ fi
 }
diff --git a/test/19-test-add-to-sans.bats b/test/19-test-add-to-sans.bats
index 8d6f560..8ba9f20 100644
--- a/test/19-test-add-to-sans.bats
+++ b/test/19-test-add-to-sans.bats
@@ -7,18 +7,21 @@ load '/getssl/test/test_helper.bash'
 # This is run for every test
 setup() {
- export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
- curl --silent -X POST -d '{"host":"a.'$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
- curl --silent -X POST -d '{"host":"b.'$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
+ if [ -z "$STAGING" ]; then
+ export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+ curl --silent -X POST -d '{"host":"a.'$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
+ curl --silent -X POST -d '{"host":"b.'$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
+ fi
 }
 teardown() {
- curl --silent -X POST -d '{"host":"a.'$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/clear-a
- curl --silent -X POST -d '{"host":"b.'$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/clear-a
+ if [ -z "$STAGING" ]; then
+ curl --silent -X POST -d '{"host":"a.'$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/clear-a
+ curl --silent -X POST -d '{"host":"b.'$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/clear-a
+ fi
 }
-
 @test "Create certificate to check can add to SANS" {
 skip "FIXME: Certificate is not recreated when SANS is updated"
 if [ -n "$STAGING" ]; then
diff --git a/test/2-simple-dns01-dig.bats b/test/2-simple-dns01-dig.bats
index 6e1eca3..6f701b3 100644
--- a/test/2-simple-dns01-dig.bats
+++ b/test/2-simple-dns01-dig.bats
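Review bot: The re-added curl lines in setup() and teardown() of 19-test-add-to-sans.bats splice `$GETSSL_HOST` and `$GETSSL_IP` into the JSON body outside the single quotes and unquoted, so the `-d` argument is word-split and glob-expanded on those values. test_helper.bash in this same commit writes the equivalent body as `'{"host":"'"$GETSSL_HOST"'", "addresses":["'"$GETSSL_IP"'"]}'`; using that form here, e.g. `-d '{"host":"a.'"$GETSSL_HOST"'", "addresses":["'"$GETSSL_IP"'"]}'`, keeps the two consistent and is the only safe form should a host value ever contain whitespace or a glob character. The new test/24-wildcard-sans.bats setup()/teardown() use the same unquoted pattern.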
@@ -6,7 +6,9 @@ load '/getssl/test/test_helper.bash'
 setup() {
- export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+ if [ -z "$STAGING" ]; then
+ export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+ fi
 if [ -f /usr/bin/host ]; then
 mv /usr/bin/host /usr/bin/host.getssl.bak
 fi
diff --git a/test/2-simple-dns01-nslookup.bats b/test/2-simple-dns01-nslookup.bats
index d13b318..c883485 100644
--- a/test/2-simple-dns01-nslookup.bats
+++ b/test/2-simple-dns01-nslookup.bats
@@ -7,7 +7,9 @@ load '/getssl/test/test_helper.bash'
 # This is run for every test
 setup() {
- export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+ if [ -z "$STAGING" ]; then
+ export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+ fi
 if [ -f /usr/bin/dig ]; then
 mv /usr/bin/dig /usr/bin/dig.getssl.bak
 fi
diff --git a/test/20-wildcard-simple.bats b/test/20-wildcard-simple.bats
new file mode 100644
index 0000000..e9b0f98
--- /dev/null
+++ b/test/20-wildcard-simple.bats
@@ -0,0 +1,68 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+setup() {
+ if [ -z "$STAGING" ]; then
+ export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+ fi
+}
+
+
+@test "Create wildcard certificate" {
+ if [ -n "$STAGING" ]; then
+ CONFIG_FILE="getssl-staging-dns01.cfg"
+ else
+ CONFIG_FILE="getssl-dns01.cfg"
+ fi
+
+ GETSSL_CMD_HOST="*.${GETSSL_HOST}"
+ setup_environment
+ init_getssl
+ create_certificate
+ assert_success
+ check_output_for_errors
+}
+
+
+@test "Check CHECK_REMOTE works for wildcard certificates" {
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
+
+ run ${CODE_DIR}/getssl "*.$GETSSL_HOST"
+ assert_success
+ assert_line --partial "certificate is valid for more than"
+ check_output_for_errors
+}
+
+
+@test "Force renewal of wildcard certificate" {
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
+
+ run ${CODE_DIR}/getssl -f "*.$GETSSL_HOST"
+ assert_success
+ refute_line --partial "certificate is valid for more than"
+ check_output_for_errors
+}
+
+
+@test "Check renewal of near-expiration wildcard certificate" {
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
+
+ echo "RENEW_ALLOW=2000" >> "${INSTALL_DIR}/.getssl/*.${GETSSL_HOST}/getssl.cfg"
+
+ run ${CODE_DIR}/getssl "*.$GETSSL_HOST"
+ assert_success
+ refute_line --partial "certificate is valid for more than"
+ check_output_for_errors
+ cleanup_environment
+}
diff --git a/test/21-wildcard-dual-rsa.bats b/test/21-wildcard-dual-rsa.bats
new file mode 100644
index 0000000..7f0943f
--- /dev/null
+++ b/test/21-wildcard-dual-rsa.bats
@@ -0,0 +1,82 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+setup() {
+ if [ -z "$STAGING" ]; then
+ export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+ fi
+}
+
+
+@test "Create secp384r1 wildcard certificate" {
+ if [ -n "$STAGING" ]; then
+ CONFIG_FILE="getssl-staging-dns01.cfg"
+ else
+ CONFIG_FILE="getssl-dns01.cfg"
+ fi
+
+ GETSSL_CMD_HOST="*.${GETSSL_HOST}"
+
+ setup_environment
+ init_getssl
+
+ cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+ACCOUNT_KEY_TYPE="secp384r1"
+PRIVATE_KEY_ALG="secp384r1"
+EOF
+
+ create_certificate
+ assert_success
+ check_output_for_errors
+ run openssl x509 -noout -text -in "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt"
+ assert_line --partial "Public Key Algorithm: id-ecPublicKey"
+ cleanup_environment
+}
+
+
+@test "Create dual certificates using DNS-01 verification" {
+ if [ -n "$STAGING" ]; then
+ CONFIG_FILE="getssl-staging-dns01.cfg"
+ else
+ CONFIG_FILE="getssl-dns01.cfg"
+ fi
+
+ GETSSL_CMD_HOST="*.${GETSSL_HOST}"
+
+ setup_environment
+ init_getssl
+
+ cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+DUAL_RSA_ECDSA="true"
+ACCOUNT_KEY_TYPE="prime256v1"
+PRIVATE_KEY_ALG="prime256v1"
+EOF
+
+ check_nginx
+ if [ "$OLD_NGINX" = "false" ]; then
+ echo 'RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-dual-certs ${NGINX_CONFIG} && /getssl/test/restart-nginx"' >> ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+ else
+ echo 'CHECK_REMOTE="false"' >> ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+ fi
+
+ create_certificate
+ assert_success
+ check_output_for_errors
+ check_certificates
+ assert [ -e "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/chain.ec.crt" ]
+ assert [ -e "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.ec.crt" ]
+ assert [ -e "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.ec.crt" ]
+
+ run openssl x509 -noout -text -in "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt"
+ assert_line --partial "Public Key Algorithm: rsaEncryption"
+
+ run openssl x509 -noout -text -in "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.ec.crt"
+ assert_line --partial "Public Key Algorithm: id-ecPublicKey"
+
+ cleanup_environment
+}
diff --git a/test/22-wildcard-dual-rsa-ecdsa-copy-2-locations.bats b/test/22-wildcard-dual-rsa-ecdsa-copy-2-locations.bats
new file mode 100644
index 0000000..238142e
--- /dev/null
+++ b/test/22-wildcard-dual-rsa-ecdsa-copy-2-locations.bats
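Review bot: The heredoc and `echo ... >>` redirections in both tests of 21-wildcard-dual-rsa.bats target `${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg` unquoted, while GETSSL_CMD_HOST is set to `*.${GETSSL_HOST}` a few lines earlier. Bash pathname-expands an unquoted redirection target, so if more than one directory under .getssl matches `*.<host>` the command fails with "ambiguous redirect", and if only a non-wildcard directory matches the config lands in the wrong domain's directory — the same globbing failure 23-wildcard-check-globbing.bats is meant to catch. Quoting the target, `> "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg"`, removes the expansion, as the already-quoted `-in` arguments in the same tests do. The same unquoted pattern appears in the new test/22, test/24 and test/27 files.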
@@ -0,0 +1,65 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# These are run for every test, not once per file
+setup() {
+ if [ -z "$STAGING" ]; then
+ export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+ fi
+}
+
+
+@test "Create dual certificates (one wildcard) and copy RSA and ECDSA chain and key to two locations" {
+ if [ -n "$STAGING" ]; then
+ CONFIG_FILE="getssl-staging-dns01.cfg"
+ else
+ CONFIG_FILE="getssl-dns01.cfg"
+ fi
+
+ GETSSL_CMD_HOST="*.${GETSSL_HOST}"
+
+ setup_environment
+ init_getssl
+
+ cat <<- 'EOF' > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+DUAL_RSA_ECDSA="true"
+ACCOUNT_KEY_TYPE="prime256v1"
+PRIVATE_KEY_ALG="prime256v1"
+DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key;/root/a.${GETSSL_HOST}/server.key"
+DOMAIN_CHAIN_LOCATION="/etc/nginx/pki/domain-chain.crt;/root/a.${GETSSL_HOST}/domain-chain.crt" # this is the domain cert and CA cert
+EOF
+
+ check_nginx
+ if [ "$OLD_NGINX" = "false" ]; then
+ echo 'RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-dual-certs ${NGINX_CONFIG} && /getssl/test/restart-nginx"' >> ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+ else
+ echo 'CHECK_REMOTE="false"' >> ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+ fi
+
+ create_certificate
+ assert_success
+ check_output_for_errors
+
+ if [ "$OLD_NGINX" = "false" ]; then
+ assert_line --partial "rsa certificate installed OK on server"
+ assert_line --partial "prime256v1 certificate installed OK on server"
+ fi
+
+ # Check that the RSA chain and key have been copied to both locations
+ assert [ -e "/etc/nginx/pki/domain-chain.crt" ]
+ assert [ -e "/root/a.${GETSSL_HOST}/domain-chain.crt" ]
+ assert [ -e "/etc/nginx/pki/private/server.key" ]
+ assert [ -e "/root/a.${GETSSL_HOST}/server.key" ]
+
+ # Check that the ECDSA chain and key have been copied to both locations
+ assert [ -e "/etc/nginx/pki/domain-chain.ec.crt" ]
+ assert [ -e "/root/a.${GETSSL_HOST}/domain-chain.ec.crt" ]
+ assert [ -e "/etc/nginx/pki/private/server.ec.key" ]
+ assert [ -e "/root/a.${GETSSL_HOST}/server.ec.key" ]
+
+ cleanup_environment
+}
diff --git a/test/23-wildcard-check-globbing.bats b/test/23-wildcard-check-globbing.bats
new file mode 100644
index 0000000..1c812b1
--- /dev/null
+++ b/test/23-wildcard-check-globbing.bats
@@ -0,0 +1,46 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+setup() {
+ if [ -z "$STAGING" ]; then
+ export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+ fi
+}
+
+
+@test "Check for globbing for wildcard domains" {
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ else
+ CONFIG_FILE="getssl-dns01.cfg"
+ fi
+
+ GETSSL_CMD_HOST="*.${GETSSL_HOST}"
+ setup_environment
+
+ init_getssl
+
+ # Create a directory in /root which looks like a domain so that if glob expansion is performed a certificate for the wrong domain will be created
+ mkdir -p "${INSTALL_DIR}/a.${GETSSL_HOST}"
+
+ create_certificate
+ assert_success
+ check_output_for_errors
+}
+
+
+@test "Force renewal of wildcard certificate" {
+ if [ -n "$STAGING" ]; then
+ skip "Not trying on staging server yet"
+ fi
+
+ run ${CODE_DIR}/getssl -f "*.$GETSSL_HOST"
+ assert_success
+ refute_line --partial "certificate is valid for more than"
+ check_output_for_errors
+}
diff --git a/test/24-wildcard-sans.bats b/test/24-wildcard-sans.bats
new file mode 100644
index 0000000..6e463c8
--- /dev/null
+++ b/test/24-wildcard-sans.bats
@@ -0,0 +1,69 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+setup() {
+ if [ -z "$STAGING" ]; then
+ export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+ curl --silent -X POST -d '{"host":"wild-'$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
+ fi
+}
+
+
+teardown() {
+ if [ -z "$STAGING" ]; then
+ curl --silent -X POST -d '{"host":"wild-'$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/clear-a
+ fi
+}
+
+
+@test "Check can create certificate for wildcard domain as arg and non-wildcard in SANS" {
+ if [ -n "$STAGING" ]; then
+ CONFIG_FILE="getssl-staging-dns01.cfg"
+ else
+ CONFIG_FILE="getssl-dns01.cfg"
+ fi
+
+ # Staging server generates an error if try to create a certificate for *.domain and a.domain
+ # so create for *.wild-domain and a.domain instead
+ GETSSL_CMD_HOST="*.wild-${GETSSL_HOST}"
+ setup_environment
+ init_getssl
+
+ echo 'SANS="${GETSSL_HOST}"' > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+
+ create_certificate
+ assert_success
+ check_output_for_errors
+ run openssl x509 -noout -text -in "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt"
+ # verify certificate is for wildcard domain with non-wildcard domain in the Subject Alternative Name list
+ assert_output --regexp "Subject: CN[ ]?=[ ]?\*.wild-${GETSSL_HOST}"
+ assert_output --partial "DNS:${GETSSL_HOST}"
+}
+
+
+@test "Check can create certificate for non-wildcard domain as arg and wildcard in SANS" {
+ if [ -n "$STAGING" ]; then
+ CONFIG_FILE="getssl-staging-dns01.cfg"
+ else
+ CONFIG_FILE="getssl-dns01.cfg"
+ fi
+
+ GETSSL_CMD_HOST="${GETSSL_HOST}"
+ setup_environment
+ init_getssl
+
+ echo 'SANS="*.wild-${GETSSL_HOST}"' > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+
+ create_certificate
+ assert_success
+ check_output_for_errors
+ run openssl x509 -noout -text -in "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt"
+ # verify certificate is for non-wildcard domain with wildcard domain in the Subject Alternative Name list
+ assert_output --regexp "Subject: CN[ ]?=[ ]?${GETSSL_HOST}"
+ assert_output --partial "DNS:*.wild-${GETSSL_HOST}"
+}
diff --git a/test/25-wildcard-all.bats b/test/25-wildcard-all.bats
new file mode 100644
index 0000000..8e428ab
--- /dev/null
+++ b/test/25-wildcard-all.bats
@@ -0,0 +1,42 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+setup() {
+ if [ -z "$STAGING" ]; then
+ export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+ fi
+}
+
+
+@test "Check can create certificate for wildcard domain using --all" {
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ else
+ CONFIG_FILE="getssl-dns01.cfg"
+ fi
+
+ GETSSL_CMD_HOST="*.${GETSSL_HOST}"
+ setup_environment
+ # Create .getssl directory and .getssl/*.{host} directory
+ init_getssl
+ cp "${CODE_DIR}/test/test-config/${CONFIG_FILE}" "${INSTALL_DIR}/.getssl/*.${GETSSL_HOST}/getssl.cfg"
+
+ # create another domain in the .getssl directory
+ run ${CODE_DIR}/getssl -c "a.${GETSSL_HOST}"
+ cp "${CODE_DIR}/test/test-config/${CONFIG_FILE}" "${INSTALL_DIR}/.getssl/a.${GETSSL_HOST}/getssl.cfg"
+
+ # Create a directory in /root which looks like a domain so that if glob expansion is performed the wildcard certificate won't be created
+ mkdir -p "${INSTALL_DIR}/a.${GETSSL_HOST}"
+
+ run ${CODE_DIR}/getssl --all
+
+ assert_success
+ assert_line --partial "Certificate saved in /root/.getssl/*.${GETSSL_HOST}/*.${GETSSL_HOST}"
+ assert_line --partial "Certificate saved in /root/.getssl/a.${GETSSL_HOST}/a.${GETSSL_HOST}"
+ check_output_for_errors
+}
diff --git a/test/26-wildcard-revoke.bats b/test/26-wildcard-revoke.bats
new file mode 100644
index 0000000..1416ef4
--- /dev/null
+++ b/test/26-wildcard-revoke.bats
@@ -0,0 +1,49 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+setup() {
+ if [ -z "$STAGING" ]; then
+ export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+ fi
+}
+
+
+@test "Create certificate to check wildcard revoke" {
+ if [ -n "$STAGING" ]; then
+ CONFIG_FILE="getssl-staging-dns01.cfg"
+ else
+ CONFIG_FILE="getssl-dns01.cfg"
+ fi
+
+ GETSSL_CMD_HOST="*.${GETSSL_HOST}"
+ setup_environment
+ init_getssl
+ create_certificate
+ assert_success
+ check_output_for_errors
+}
+
+
+@test "Check we can revoke a wildcard certificate" {
+ if [ -n "$STAGING" ]; then
+ CONFIG_FILE="getssl-staging-dns01.cfg"
+ else
+ CONFIG_FILE="getssl-dns01.cfg"
+ fi
+ . "${CODE_DIR}/test/test-config/${CONFIG_FILE}"
+
+ GETSSL_CMD_HOST="*.${GETSSL_HOST}"
+
+ CERT=${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt
+ KEY=${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.key
+
+ run ${CODE_DIR}/getssl -d --revoke $CERT $KEY $CA
+ assert_line "certificate revoked"
+ assert_success
+ check_output_for_errors "debug"
+}
diff --git a/test/27-wildcard-existing-cert.bats b/test/27-wildcard-existing-cert.bats
new file mode 100644
index 0000000..76f2aa7
--- /dev/null
+++ b/test/27-wildcard-existing-cert.bats
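Review bot: `run ${CODE_DIR}/getssl -d --revoke $CERT $KEY $CA` passes the certificate and key paths unquoted, and both were built from `GETSSL_CMD_HOST="*.${GETSSL_HOST}"` two lines above, so bash pathname-expands the `*.<host>` component before getssl sees the arguments; any other directory under .getssl matching that pattern turns each path into several words or a different domain's file, and the revoke then targets the wrong certificate. `run ${CODE_DIR}/getssl -d --revoke "$CERT" "$KEY" "$CA"` keeps the literal wildcard path and also protects `$CA`, which comes from the sourced config. The two assignments themselves need no quoting, since assignments are not glob-expanded.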
@@ -0,0 +1,45 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+setup() {
+ if [ -z "$STAGING" ]; then
+ export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+ fi
+}
+
+
+@test "Check that new creating a new configuration files uses details from existing certificate" {
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ else
+ CONFIG_FILE="getssl-dns01.cfg"
+ fi
+
+ # Create and install certificate for wildcard + another domain
+ GETSSL_CMD_HOST="*.${GETSSL_HOST}"
+ setup_environment
+ init_getssl
+
+ echo 'SANS="a.${GETSSL_HOST}"' > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+
+ create_certificate
+ assert_success
+ check_output_for_errors
+
+ # Delete configuration
+ rm -r ${INSTALL_DIR}/.getssl
+
+ # Create configuration
+ run ${CODE_DIR}/getssl -c "${GETSSL_CMD_HOST}"
+
+ # Assert that the newly created configuration contains the additional domain in SANS
+ # if this fails then error in tests will be "grep failed" - this means SANS did not hold the expected value
+ # eg SANS="a.centos7.getssl.test"
+ grep -q "SANS=\"a.${GETSSL_HOST}\"" ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl.cfg
+ assert_success
+}
diff --git a/test/28-wildcard-error-http01-validation.bats b/test/28-wildcard-error-http01-validation.bats
new file mode 100644
index 0000000..dbb64b7
--- /dev/null
+++ b/test/28-wildcard-error-http01-validation.bats
@@ -0,0 +1,31 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+setup() {
+ if [ -z "$STAGING" ]; then
+ export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+ fi
+}
+
+
+@test "Check that trying to create a wildcard certificate using http-01 validation shows an error message" {
+ if [ -n "$STAGING" ]; then
+ skip "Internal test, no need to test on staging server"
+ else
+ CONFIG_FILE="getssl-http01.cfg"
+ fi
+
+ # Try and create a wildcard certificate using http-01 validation
+ GETSSL_CMD_HOST="*.${GETSSL_HOST}"
+ setup_environment
+ init_getssl
+
+ create_certificate
+ assert_failure
+ assert_line --partial "cannot use http-01 validation for wildcard domains"
+}
diff --git a/test/README-Testing.md b/test/README-Testing.md
index 3cd4b2c..d713914 100644
--- a/test/README-Testing.md
+++ b/test/README-Testing.md
@@ -8,7 +8,7 @@ For continuous integration testing we have the following:
 1. Uses `docker-compose` to start `pebble` (letsencrypt test server) and `challtestsrv` (minimal dns client for pebble)
 2. Then runs the `bats` test scripts (all the files with a ".bats" extension) for each OS (alpine, centos6, debian, ubuntu)
-3. Runs the `bats` test script against the staging server (using nn ubuntu docker image and duckdns.org)
+3. Runs the `bats` test script against the staging server (using ubuntu docker image and duckdns.org)
 ## To run all the tests on a single OS
diff --git a/test/run-test.cmd b/test/run-test.cmd
index 43c4e40..23235c9 100644
--- a/test/run-test.cmd
+++ b/test/run-test.cmd
@@ -49,6 +49,7 @@ docker run -it ^
 --network-alias i.%OS%.getssl.test ^
 --network-alias j.%OS%.getssl.test ^
 --network-alias k.%OS%.getssl.test ^
+ --network-alias wild-%ALIAS% ^
 --name getssl-%OS% ^
 getssl-%OS% ^
 %COMMAND%
diff --git a/test/run-test.sh b/test/run-test.sh
index d99d5a3..8a2a9f2 100755
--- a/test/run-test.sh
+++ b/test/run-test.sh
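Review bot: The alias added to run-test.cmd, `--network-alias wild-%ALIAS% ^`, uses a variable that is not set anywhere in this hunk, whereas every neighbouring alias is built from `%OS%.getssl.test` and the matching line added to run-test.sh is `"wild-$OS.getssl.test"`. Unless ALIAS is defined earlier in the script, the container will not answer to `wild-<OS>.getssl.test`, which is the name the new test/24-wildcard-sans.bats registers with challtestsrv and validates against. `--network-alias wild-%OS%.getssl.test ^` would keep the two launchers in step. The `docker run` command this hunk belongs to starts before the hunk.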
@@ -42,6 +42,7 @@ docker run \
 --network-alias "i.$OS.getssl.test" \
 --network-alias "j.$OS.getssl.test" \
 --network-alias "k.$OS.getssl.test" \
+ --network-alias "wild-$OS.getssl.test" \
 --name "getssl-$OS" \
 "getssl-$OS" \
 $COMMAND
diff --git a/test/test-config/getssl-dns01-dual-rsa-ecdsa-2-locations.cfg b/test/test-config/getssl-dns01-dual-rsa-ecdsa-2-locations.cfg
new file mode 100644
index 0000000..829e73c
--- /dev/null
+++ b/test/test-config/getssl-dns01-dual-rsa-ecdsa-2-locations.cfg
@@ -0,0 +1,37 @@
+# Test that more than one location can be specified for CERT and KEY locations and that the
+# files are copied to both locations when both RSA and ECDSA certificates are created
+#
+CA="https://pebble:14000/dir"
+
+VALIDATE_VIA_DNS=true
+DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv"
+DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv"
+AUTH_DNS_SERVER=10.30.50.3
+
+# Speed up the test by reducing the number or retries and the wait between retries.
+DNS_WAIT=2
+DNS_WAIT_COUNT=11
+DNS_EXTRA_WAIT=0
+
+DUAL_RSA_ECDSA="true"
+ACCOUNT_KEY_TYPE="prime256v1"
+PRIVATE_KEY_ALG="prime256v1"
+
+# Additional domains - this could be multiple domains / subdomains in a comma separated list
+SANS=""
+# SANS="a.${GETSSL_HOST}"
+
+# Location for all your certs, these can either be on the server (full path name)
+# or using ssh /sftp as for the ACL
+DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
+DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key;/root/a.${GETSSL_HOST}/server.key"
+CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
+DOMAIN_CHAIN_LOCATION="/etc/nginx/pki/domain-chain.crt;/root/a.${GETSSL_HOST}/domain-chain.crt" # this is the domain cert and CA cert
+DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
+
+# The command needed to reload apache / nginx or whatever you use
+RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-dual-certs ${NGINX_CONFIG} && /getssl/test/restart-nginx"
+
+# Define the server type and confirm correct certificate is installed
+SERVER_TYPE="https"
+CHECK_REMOTE="true"
diff --git a/test/test-config/getssl-dns01-secp384.cfg b/test/test-config/getssl-dns01-secp384.cfg
new file mode 100644
index 0000000..2cc360c
--- /dev/null
+++ b/test/test-config/getssl-dns01-secp384.cfg
@@ -0,0 +1,36 @@
+# Uncomment and modify any variables you need
+# see https://github.com/srvrco/getssl/wiki/Config-variables for details
+# see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
+#
+CA="https://pebble:14000/dir"
+
+VALIDATE_VIA_DNS=true
+DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv"
+DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv"
+AUTH_DNS_SERVER=10.30.50.3
+
+# Speed up the test by reducing the number or retries and the wait between retries.
+DNS_WAIT=2
+DNS_WAIT_COUNT=11
+DNS_EXTRA_WAIT=0
+
+ACCOUNT_KEY_TYPE="secp384r1"
+PRIVATE_KEY_ALG="secp384r1"
+
+# Additional domains - this could be multiple domains / subdomains in a comma separated list
+SANS=""
+
+# Location for all your certs, these can either be on the server (full path name)
+# or using ssh /sftp as for the ACL
+DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
+DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
+CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
+DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
+DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
+
+# The command needed to reload apache / nginx or whatever you use
+RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
+
+# Define the server type and confirm correct certificate is installed
+SERVER_TYPE="https"
+CHECK_REMOTE="true"
diff --git a/test/test-config/getssl-dns01.cfg b/test/test-config/getssl-dns01.cfg
index e995c80..c67f995 100644
--- a/test/test-config/getssl-dns01.cfg
+++ b/test/test-config/getssl-dns01.cfg
@@ -31,3 +31,10 @@ RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /get
 # Define the server type and confirm correct certificate is installed
 SERVER_TYPE="https"
 CHECK_REMOTE="true"
+
+#_USE_DEBUG=1
+#_RUNNING_TEST=1
+
+if [[ -s "$DOMAIN_DIR/getssl_test_specific.cfg" ]]; then
+ . $DOMAIN_DIR/getssl_test_specific.cfg
+fi
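Review bot: The added `. $DOMAIN_DIR/getssl_test_specific.cfg` in getssl-dns01.cfg leaves the path unquoted even though the `[[ -s ... ]]` guard on the line above quotes the same path. The new tests write this file under `.getssl/*.<host>/` with GETSSL_CMD_HOST set to `*.${GETSSL_HOST}`, so if DOMAIN_DIR is that per-domain directory, as the tests' use of the path suggests, the unquoted word is glob-expanded when the config is sourced: with one other matching directory the wrong file is sourced, with several the extra matches become positional parameters of the sourced file. `. "$DOMAIN_DIR/getssl_test_specific.cfg"` matches the guard and keeps the literal path. The same unquoted line is added to test/test-config/getssl-staging-dns01.cfg in this commit.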
diff --git a/test/test-config/getssl-staging-dns01.cfg b/test/test-config/getssl-staging-dns01.cfg
index 910c7fe..905c44d 100644
--- a/test/test-config/getssl-staging-dns01.cfg
+++ b/test/test-config/getssl-staging-dns01.cfg
@@ -31,6 +31,10 @@ DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
 # The command needed to reload apache / nginx or whatever you use
 RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
-# Define the server type and confirm correct certificate is installed (using a custom port)
+# Define the server type and confirm correct certificate is installed
 SERVER_TYPE="https"
 CHECK_REMOTE="true"
+
+if [[ -s "$DOMAIN_DIR/getssl_test_specific.cfg" ]]; then
+ . $DOMAIN_DIR/getssl_test_specific.cfg
+fi
diff --git a/test/test_helper.bash b/test/test_helper.bash
index db79ea4..c5d5320 100644
--- a/test/test_helper.bash
+++ b/test/test_helper.bash
@@ -3,99 +3,103 @@ CODE_DIR=/getssl
 check_certificates() {
- assert [ -e "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/chain.crt" ]
- assert [ -e "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.crt" ]
- assert [ -e "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt" ]
+ assert [ -e "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/chain.crt" ]
+ assert [ -e "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.crt" ]
+ assert [ -e "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt" ]
 }
 # Only nginx > 1.11.0 support dual certificates in a single configuration file
 # https://unix.stackexchange.com/questions/285924/how-to-compare-a-programs-version-in-a-shell-script
 check_nginx() {
- requiredver="1.11.0"
- currentver=$(nginx -v 2>&1 | awk -F"/" '{print $2}')
- if [ "$(printf '%s\n' "$requiredver" "$currentver" | sort -V | head -n1)" = "$requiredver" ]; then
- export OLD_NGINX="false"
- else
- echo "INFO: Running nginx version $currentver which doesn't support dual certificates" >&3
- echo "INFO: not checking that certificate is installed correctly" >&3
- export OLD_NGINX="true"
- fi
+ requiredver="1.11.0"
+ currentver=$(nginx -v 2>&1 | awk -F"/" '{print $2}')
+ if [ "$(printf '%s\n' "$requiredver" "$currentver" | sort -V | head -n1)" = "$requiredver" ]; then
+ export OLD_NGINX="false"
+ else
+ echo "INFO: Running nginx version $currentver which doesn't support dual certificates" >&3
+ echo "INFO: not checking that certificate is installed correctly" >&3
+ export OLD_NGINX="true"
+ fi
 }
 check_output_for_errors() {
- refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
- # less strict tests if running with debug output
- if [ -n "$1" ]; then
- # don't fail for :error:badNonce
- refute_output --regexp '[^:][Ee][Rr][Rr][Oo][Rr][^:]'
- # don't check for "Warnings:" as there might be a warning message if nslookup doesn't support -debug (alpine/ubuntu)
- refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg][^:]'
- else
- refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]'
- refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
- fi
- refute_line --partial 'command not found'
+ refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
+ # less strict tests if running with debug output
+ if [ -n "$1" ]; then
+ # don't fail for :error:badNonce
+ refute_output --regexp '[^:][Ee][Rr][Rr][Oo][Rr][^:]'
+ # don't check for "Warnings:" as there might be a warning message if nslookup doesn't support -debug (alpine/ubuntu)
+ refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg][^:]'
+ else
+ refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]'
+ refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
+ fi
+ refute_line --partial 'command not found'
 }
 cleanup_environment() {
+ if [ -z "$STAGING" ]; then
 curl --silent -X POST -d '{"host":"'"$GETSSL_HOST"'"}' http://10.30.50.3:8055/clear-a
+ fi
 }
 create_certificate() {
- # Create certificate
- cp "${CODE_DIR}/test/test-config/${CONFIG_FILE}" "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl.cfg"
- # shellcheck disable=SC2086
- run ${CODE_DIR}/getssl $1 "$GETSSL_CMD_HOST"
+ # Create certificate
+ cp "${CODE_DIR}/test/test-config/${CONFIG_FILE}" "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl.cfg"
+ # shellcheck disable=SC2086
+ run ${CODE_DIR}/getssl $1 "$GETSSL_CMD_HOST"
 }
 init_getssl() {
- # Run initialisation (create account key, etc)
- run ${CODE_DIR}/getssl -c "$GETSSL_CMD_HOST"
- assert_success
- [ -d "$INSTALL_DIR/.getssl" ]
+ # Run initialisation (create account key, etc)
+ run ${CODE_DIR}/getssl -c "$GETSSL_CMD_HOST"
+ assert_success
+ [ -d "$INSTALL_DIR/.getssl" ]
 }
 setup_environment() {
- # One-off test setup
- if [[ -d ${INSTALL_DIR}/.getssl ]]; then
- rm -r ${INSTALL_DIR}/.getssl
- fi
+ # One-off test setup
+ if [[ -d ${INSTALL_DIR}/.getssl ]]; then
+ rm -r ${INSTALL_DIR}/.getssl
+ fi
+ if [ -z "$STAGING" ]; then
 curl --silent -X POST -d '{"host":"'"$GETSSL_HOST"'", "addresses":["'"$GETSSL_IP"'"]}' http://10.30.50.3:8055/add-a
- cp ${CODE_DIR}/test/test-config/nginx-ubuntu-no-ssl "${NGINX_CONFIG}"
- /getssl/test/restart-nginx
+ fi
+ cp ${CODE_DIR}/test/test-config/nginx-ubuntu-no-ssl "${NGINX_CONFIG}"
+ /getssl/test/restart-nginx
 }
 # start nginx in background on alpine via supervisord
 # shellcheck disable=SC2153 # Ignore GETSSL_OS looks like typo of GETSSL_IP
 if [[ -f /usr/bin/supervisord && -f /etc/supervisord.conf ]]; then
- if [[ ! $(pgrep supervisord) ]]; then
- /usr/bin/supervisord -c /etc/supervisord.conf >&3-
- fi
+ if [[ ! $(pgrep supervisord) ]]; then
+ /usr/bin/supervisord -c /etc/supervisord.conf >&3-
+ fi
 elif [[ "$GETSSL_OS" == "centos"[78] ]]; then
- if [ -z "$(pgrep nginx)" ]; then
- nginx >&3-
- fi
+ if [ -z "$(pgrep nginx)" ]; then
+ nginx >&3-
+ fi
 fi
 # Find NGINX configuration directory for HTTP-01 testing (need to add SSL to config)
 if [[ -f /etc/nginx/conf.d/default.conf ]]; then
- export NGINX_CONFIG=/etc/nginx/conf.d/default.conf
+ export NGINX_CONFIG=/etc/nginx/conf.d/default.conf
 elif [[ -f /etc/nginx/sites-enabled/default ]]; then
- export NGINX_CONFIG=/etc/nginx/sites-enabled/default
+ export NGINX_CONFIG=/etc/nginx/sites-enabled/default
 else
- echo "Can't find NGINX directory"
- exit 1
+ echo "Can't find NGINX directory"
+ exit 1
 fi
 # Find IP address
 if [[ -n "$(command -v ip)" ]]; then
- GETSSL_IP=$(ip address | awk '/10.30.50/ { print $2 }' | awk -F/ '{ print $1 }')
+ GETSSL_IP=$(ip address | awk '/10.30.50/ { print $2 }' | awk -F/ '{ print $1 }')
 elif [[ -n "$(command -v hostname)" ]]; then
- GETSSL_IP=$(hostname -I | sed -e 's/[[:space:]]*$//')
+ GETSSL_IP=$(hostname -I | sed -e 's/[[:space:]]*$//')
 else
- echo "Cannot find IP address"
- exit 1
+ echo "Cannot find IP address"
+ exit 1
 fi
 export GETSSL_IP
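Review bot: `rm -r ${INSTALL_DIR}/.getssl` in setup_environment is re-added unquoted and with no guard on INSTALL_DIR; if the variable is empty or unset when this helper is loaded the path collapses to `/.getssl`, and a value containing whitespace would split into several arguments. `rm -r -- "${INSTALL_DIR:?INSTALL_DIR must be set}/.getssl"` aborts instead of deleting the wrong tree, and the `[[ -d ... ]]` on the preceding line should quote the same path. The same unguarded `rm -r ${INSTALL_DIR}/.getssl` appears in the new test/27-wildcard-existing-cert.bats. Apart from the STAGING gating, most of this hunk appears to be a re-indentation with the code otherwise unchanged.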
@@ -103,11 +107,11 @@ export GETSSL_IP
 GETSSL_CMD_HOST=$GETSSL_HOST
 export GETSSL_CMD_HOST
-if [ ! -f ${INSTALL_DIR}/pebble.minica.pem ]; then
- wget --quiet --no-clobber https://raw.githubusercontent.com/letsencrypt/pebble/master/test/certs/pebble.minica.pem 2>&1
- CERT_FILE=/etc/ssl/certs/ca-certificates.crt
- if [ ! -f $CERT_FILE ]; then
- CERT_FILE=/etc/pki/tls/certs/ca-bundle.crt
- fi
- cat $CERT_FILE ${INSTALL_DIR}/pebble.minica.pem > ${INSTALL_DIR}/pebble-ca-bundle.crt
+if [ -z "$STAGING" ] && [ ! -f ${INSTALL_DIR}/pebble.minica.pem ]; then
+ wget --quiet --no-clobber https://raw.githubusercontent.com/letsencrypt/pebble/master/test/certs/pebble.minica.pem 2>&1
+ CERT_FILE=/etc/ssl/certs/ca-certificates.crt
+ if [ ! -f $CERT_FILE ]; then
+ CERT_FILE=/etc/pki/tls/certs/ca-bundle.crt
+ fi
+ cat $CERT_FILE ${INSTALL_DIR}/pebble.minica.pem > ${INSTALL_DIR}/pebble-ca-bundle.crt
 fi
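Review bot: The wget on the second added line is never checked, so when the fetch fails the following `cat` still writes pebble-ca-bundle.crt without the pebble root and every later curl that trusts it through CURL_CA_BUNDLE fails with an opaque TLS error far from the real cause. This file already exits on other setup failures, so `wget --quiet --no-clobber https://raw.githubusercontent.com/letsencrypt/pebble/master/test/certs/pebble.minica.pem || { echo "Cannot download pebble.minica.pem" >&2; exit 1; }` would fail fast and visibly. Note also that wget saves into the current directory while `cat` reads `${INSTALL_DIR}/pebble.minica.pem`; if the helper is not always loaded from `${INSTALL_DIR}`, `-P "${INSTALL_DIR}"` keeps the download and the read in step. Quoting `"${INSTALL_DIR}"` in the test and the redirect would match the quoted use of the same variable in check_certificates.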