Merge pull request #572 from srvrco/dual-cert-check-remote

Fix CHECK_REMOTE for DUAL_RSA_ECDSA

dns_scripts/dns_add_duckdns

@@ -11,7 +11,7 @@ fi
 domain="$1"
 txtvalue="$2"
 
-response=$(curl --silent "https://www.duckdns.org/update?domains=${domain}&token=${token}&txt=${txtvalue}")
+response=$(curl --retry 5 --silent "https://www.duckdns.org/update?domains=${domain}&token=${token}&txt=${txtvalue}")
 if [ "$response" != "OK" ]; then
     echo "Failed to update TXT record for ${domain} at duckdns.org (is the TOKEN valid?)"
     echo "Response: $response"

dns_scripts/dns_del_duckdns

@@ -4,7 +4,7 @@
 token=${DUCKDNS_TOKEN:-}
 domain="$1"
 
-response=$(curl --silent "https://www.duckdns.org/update?domains=${domain}&token=${token}&txt=&clear=true")
+response=$(curl --retry 5 --silent "https://www.duckdns.org/update?domains=${domain}&token=${token}&txt=&clear=true")
 if [ "$response" != "OK" ]; then
     echo "Failed to update TXT record for ${domain} at duckdns.org (is the TOKEN valid?)"
     echo "$response"

getssl

@@ -2561,9 +2561,14 @@ fi
 # if check_remote is true then connect and obtain the current certificate (if not forcing renewal)
 if [[ "${CHECK_REMOTE}" == "true" ]] && [[ $_FORCE_RENEW -eq 0 ]]; then
   debug "getting certificate for $DOMAIN from remote server"
+if [[ "$DUAL_RSA_ECDSA" == "true" ]]; then
+    CIPHER="-cipher RSA"
+else
+    CIPHER=""
+fi
   # shellcheck disable=SC2086
   EX_CERT=$(echo \
-    | openssl s_client -servername "${DOMAIN}" -connect "${DOMAIN}:${REMOTE_PORT}" ${REMOTE_EXTRA} 2>/dev/null \
+    | openssl s_client -servername "${DOMAIN}" -connect "${DOMAIN}:${REMOTE_PORT}" ${REMOTE_EXTRA} ${CIPHER} 2>/dev/null \
     | openssl x509 2>/dev/null)
   if [[ -n "$EX_CERT" ]]; then # if obtained a cert
     if [[ -s "$CERT_FILE" ]]; then # if local exists
@@ -2817,16 +2822,30 @@ fi
 # Check if the certificate is installed correctly
 if [[ ${CHECK_REMOTE} == "true" ]]; then
   sleep "$CHECK_REMOTE_WAIT"
-  # shellcheck disable=SC2086
-  CERT_REMOTE=$(echo \
-    | openssl s_client -servername "${DOMAIN}" -connect "${DOMAIN}:${REMOTE_PORT}" ${REMOTE_EXTRA} 2>/dev/null \
-    | openssl x509 -noout -fingerprint 2>/dev/null)
-  CERT_LOCAL=$(openssl x509 -noout -fingerprint < "$CERT_FILE" 2>/dev/null)
-  if [[ "$CERT_LOCAL" == "$CERT_REMOTE" ]]; then
-    info "${DOMAIN} - certificate installed OK on server"
+  if [[ "$DUAL_RSA_ECDSA" == "true" ]]; then
+    PARAMS=("-cipher RSA" "-cipher ECDSA")
+    CERTS=("$CERT_FILE" "${CERT_FILE%.*}.ec.crt")
+    TYPES=("rsa" "$PRIVATE_KEY_ALG")
   else
-    error_exit "${DOMAIN} - certificate obtained but certificate on server is different from the new certificate"
+    PARAMS=("")
+    CERTS=("$CERT_FILE")
+    TYPES=("$PRIVATE_KEY_ALG")
   fi
+
+  for ((i=0; i<${#PARAMS[@]};++i)); do
+    debug "Checking ${CERTS[i]}"
+    # shellcheck disable=SC2086
+    CERT_REMOTE=$(echo \
+        | openssl s_client -servername "${DOMAIN}" -connect "${DOMAIN}:${REMOTE_PORT}" ${REMOTE_EXTRA} ${PARAMS[i]} 2>/dev/null \
+        | openssl x509 -noout -fingerprint 2>/dev/null)
+    CERT_LOCAL=$(openssl x509 -noout -fingerprint < "${CERTS[i]}" 2>/dev/null)
+    if [[ "$CERT_LOCAL" == "$CERT_REMOTE" ]]; then
+        info "${DOMAIN} - ${TYPES[i]} certificate installed OK on server"
+    else
+        info "${CERTS[i]} didn't match server"
+        error_exit "${DOMAIN} - ${TYPES[i]} certificate obtained but certificate on server is different from the new certificate"
+    fi
+  done
 fi
 # end of Check if the certificate is installed correctly
 

test/2-simple-dns01-dig.bats

@@ -27,11 +27,11 @@ teardown() {
 
 
 @test "Create new certificate using DNS-01 verification (dig)" {
+    CONFIG_FILE="getssl-dns01.cfg"
     if [ -n "$STAGING" ]; then
-        skip "Using staging server, skipping internal test"
+        CONFIG_FILE="getssl-staging-dns01.cfg"
     fi
 
-    CONFIG_FILE="getssl-dns01.cfg"
     setup_environment
     init_getssl
     create_certificate -d
@@ -42,9 +42,6 @@ teardown() {
 
 
 @test "Force renewal of certificate using DNS-01 (dig)" {
-    if [ -n "$STAGING" ]; then
-        skip "Using staging server, skipping internal test"
-    fi
     run ${CODE_DIR}/getssl -d -f $GETSSL_HOST
     assert_success
     assert_output --partial "dig"

test/2-simple-dns01-nslookup.bats

@@ -28,11 +28,11 @@ teardown() {
 
 
 @test "Create new certificate using DNS-01 verification (nslookup)" {
+    CONFIG_FILE="getssl-dns01.cfg"
     if [ -n "$STAGING" ]; then
-        skip "Using staging server, skipping internal test"
+        CONFIG_FILE="getssl-dns01.cfg"
     fi
 
-    CONFIG_FILE="getssl-dns01.cfg"
     setup_environment
     init_getssl
     create_certificate -d

test/3-dual-rsa-ecdsa.bats

@@ -15,7 +15,14 @@ setup() {
     if [ -n "$STAGING" ]; then
         skip "Using staging server, skipping internal test"
     fi
-    CONFIG_FILE="getssl-http01-dual-rsa-ecdsa.cfg"
+
+    check_nginx
+    if [ "$OLD_NGINX" = "false" ]; then
+        CONFIG_FILE="getssl-http01-dual-rsa-ecdsa.cfg"
+    else
+        CONFIG_FILE="getssl-http01-dual-rsa-ecdsa-old-nginx.cfg"
+    fi
+
     setup_environment
     init_getssl
     create_certificate
@@ -28,6 +35,22 @@ setup() {
 }
 
 
+@test "Check renewal test works for dual certificates using HTTP-01" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+    check_nginx
+    run ${CODE_DIR}/getssl -d $GETSSL_HOST
+
+    if [ "$OLD_NGINX" = "false" ]; then
+        assert_line "certificate on server is same as the local cert"
+    else
+        assert_line --partial "certificate is valid for more than 30 days"
+    fi
+    assert_success
+}
+
+
 @test "Force renewal of dual certificates using HTTP-01" {
     if [ -n "$STAGING" ]; then
         skip "Using staging server, skipping internal test"
@@ -37,11 +60,19 @@ setup() {
     check_output_for_errors
 }
 
+
 @test "Create dual certificates using DNS-01 verification" {
     if [ -n "$STAGING" ]; then
         skip "Using staging server, skipping internal test"
     fi
-    CONFIG_FILE="getssl-dns01-dual-rsa-ecdsa.cfg"
+
+    check_nginx
+    if [ "$OLD_NGINX" = "false" ]; then
+        CONFIG_FILE="getssl-dns01-dual-rsa-ecdsa.cfg"
+    else
+        CONFIG_FILE="getssl-dns01-dual-rsa-ecdsa-old-nginx.cfg"
+    fi
+
     setup_environment
     init_getssl
     create_certificate

test/6-dual-rsa-ecdsa-copy-2-locations.bats

@@ -25,7 +25,14 @@ teardown() {
     if [ -n "$STAGING" ]; then
         skip "Using staging server, skipping internal test"
     fi
-    CONFIG_FILE="getssl-http01-dual-rsa-ecdsa-2-locations.cfg"
+
+    check_nginx
+    if [ "$OLD_NGINX" = "false" ]; then
+        CONFIG_FILE="getssl-http01-dual-rsa-ecdsa-2-locations.cfg"
+    else
+        CONFIG_FILE="getssl-http01-dual-rsa-ecdsa-2-locations-old-nginx.cfg"
+    fi
+
     setup_environment
     mkdir -p /root/a.${GETSSL_HOST}
 

test/7-staging-dns01-dig.bats

@@ -7,6 +7,7 @@ load '/getssl/test/test_helper.bash'
 
 
 @test "Create new certificate using staging server, dig and DuckDNS" {
+    skip
     if [ -z "$STAGING" ]; then
         skip "Running internal tests, skipping external test"
     fi
@@ -20,6 +21,7 @@ load '/getssl/test/test_helper.bash'
 }
 
 @test "Force renewal of certificate using staging server, dig and DuckDNS" {
+    skip
     if [ -z "$STAGING" ]; then
         skip "Running internal tests, skipping external test"
     fi

test/Dockerfile-centos6

@@ -1,6 +1,9 @@
 FROM centos:centos6
 
 # Note this image uses gawk
+# Note if you are running this using WSL2 you need to put the following lines in %userprofile%\.wslconfig
+# [wsl2]
+# kernelCommandLine = vsyscall=emulate
 
 # Update and install required software
 RUN yum -y update

test/test-config/getssl-dns01-dual-rsa-ecdsa-old-nginx.cfg

@@ -0,0 +1,39 @@
+# Uncomment and modify any variables you need
+# see https://github.com/srvrco/getssl/wiki/Config-variables for details
+# see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
+#
+CA="https://pebble:14000/dir"
+
+VALIDATE_VIA_DNS=true
+DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv"
+DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv"
+PUBLIC_DNS_SERVER=10.30.50.3
+DNS_EXTRA_WAIT=""
+
+DUAL_RSA_ECDSA="true"
+ACCOUNT_KEY_TYPE="prime256v1"
+PRIVATE_KEY_ALG="prime256v1"
+
+# Additional domains - this could be multiple domains / subdomains in a comma separated list
+SANS=""
+
+# Acme Challenge Location. The first line for the domain, the following ones for each additional domain.
+ACL=('/var/www/html/.well-known/acme-challenge')
+
+#Set USE_SINGLE_ACL="true" to use a single ACL for all checks
+USE_SINGLE_ACL="false"
+
+# Location for all your certs, these can either be on the server (full path name)
+# or using ssh /sftp as for the ACL
+DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.ec.crt"
+DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.ec.key"
+CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
+DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
+DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
+
+# The command needed to reload apache / nginx or whatever you use
+RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
+
+# Define the server type and confirm correct certificate is installed
+SERVER_TYPE="https"
+CHECK_REMOTE="false"

test/test-config/getssl-dns01-dual-rsa-ecdsa.cfg

@@ -32,7 +32,7 @@ DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
 DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
 
 # The command needed to reload apache / nginx or whatever you use
-RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
+RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-dual-certs ${NGINX_CONFIG} && /getssl/test/restart-nginx"
 
 # Define the server type and confirm correct certificate is installed
 SERVER_TYPE="https"

test/test-config/getssl-http01-dual-rsa-ecdsa-2-locations-old-nginx.cfg

@@ -0,0 +1,32 @@
+# Test that more than one location can be specified for CERT and KEY locations and that the
+# files are copied to both locations when both RSA and ECDSA certificates are created
+#
+CA="https://pebble:14000/dir"
+
+DUAL_RSA_ECDSA="true"
+ACCOUNT_KEY_TYPE="prime256v1"
+PRIVATE_KEY_ALG="prime256v1"
+
+# Additional domains - this could be multiple domains / subdomains in a comma separated list
+SANS="a.${GETSSL_HOST}"
+
+# Acme Challenge Location.
+ACL=('/var/www/html/.well-known/acme-challenge')
+
+#Set USE_SINGLE_ACL="true" to use a single ACL for all checks
+USE_SINGLE_ACL="true"
+
+# Location for all your certs, these can either be on the server (full path name)
+# or using ssh /sftp as for the ACL
+DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
+DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key;/root/a.${GETSSL_HOST}/server.key"
+CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
+DOMAIN_CHAIN_LOCATION="/etc/nginx/pki/domain-chain.crt;/root/a.${GETSSL_HOST}/domain-chain.crt" # this is the domain cert and CA cert
+DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
+
+# The command needed to reload apache / nginx or whatever you use
+RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
+
+# Define the server type and confirm correct certificate is installed
+SERVER_TYPE="https"
+CHECK_REMOTE="false"

test/test-config/getssl-http01-dual-rsa-ecdsa-2-locations.cfg

@@ -25,7 +25,7 @@ DOMAIN_CHAIN_LOCATION="/etc/nginx/pki/domain-chain.crt;/root/a.${GETSSL_HOST}/do
 DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
 
 # The command needed to reload apache / nginx or whatever you use
-RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
+RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-dual-certs ${NGINX_CONFIG} && /getssl/test/restart-nginx"
 
 # Define the server type and confirm correct certificate is installed
 SERVER_TYPE="https"

test/test-config/getssl-http01-dual-rsa-ecdsa-old-nginx.cfg

@@ -0,0 +1,33 @@
+# Uncomment and modify any variables you need
+# see https://github.com/srvrco/getssl/wiki/Config-variables for details
+# see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
+#
+CA="https://pebble:14000/dir"
+
+DUAL_RSA_ECDSA="true"
+ACCOUNT_KEY_TYPE="prime256v1"
+PRIVATE_KEY_ALG="prime256v1"
+
+# Additional domains - this could be multiple domains / subdomains in a comma separated list
+SANS=""
+
+# Acme Challenge Location.
+ACL=('/var/www/html/.well-known/acme-challenge')
+
+#Set USE_SINGLE_ACL="true" to use a single ACL for all checks
+USE_SINGLE_ACL="false"
+
+# Location for all your certs, these can either be on the server (full path name)
+# or using ssh /sftp as for the ACL
+DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.ec.crt"
+DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.ec.key"
+CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
+DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
+DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
+
+# The command needed to reload apache / nginx or whatever you use
+RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
+
+# Define the server type and confirm correct certificate is installed
+SERVER_TYPE="https"
+CHECK_REMOTE="false"

test/test-config/getssl-http01-dual-rsa-ecdsa.cfg

@@ -26,7 +26,7 @@ DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
 DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
 
 # The command needed to reload apache / nginx or whatever you use
-RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
+RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-dual-certs ${NGINX_CONFIG} && /getssl/test/restart-nginx"
 
 # Define the server type and confirm correct certificate is installed
 SERVER_TYPE="https"

test/test-config/nginx-ubuntu-dual-certs

@@ -0,0 +1,97 @@
+##
+# You should look at the following URL's in order to grasp a solid understanding
+# of Nginx configuration files in order to fully unleash the power of Nginx.
+# http://wiki.nginx.org/Pitfalls
+# http://wiki.nginx.org/QuickStart
+# http://wiki.nginx.org/Configuration
+#
+# Generally, you will want to move this file somewhere, and start with a clean
+# file but keep this around for reference. Or just disable in sites-enabled.
+#
+# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
+##
+
+# Default server configuration
+#
+server {
+	listen 80 default_server;
+	listen 5002 default_server;
+	listen [::]:5002 default_server;
+
+	# SSL configuration
+	#
+    listen 443 ssl default_server;
+	listen [::]:443 ssl default_server;
+
+	listen 5001 ssl default_server;
+	listen [::]:5001 ssl default_server;
+	#
+	# Note: You should disable gzip for SSL traffic.
+	# See: https://bugs.debian.org/773332
+	#
+	# Read up on ssl_ciphers to ensure a secure configuration.
+	# See: https://bugs.debian.org/765782
+	#
+	# Self signed certs generated by the ssl-cert package
+	# Don't use them in a production server!
+	#
+	# include snippets/snakeoil.conf;
+
+	root /var/www/html;
+
+	# Add index.php to the list if you are using PHP
+	index index.html index.htm index.nginx-debian.html;
+
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+
+	server_name _;
+    ssl_certificate /etc/nginx/pki/server.crt;
+    ssl_certificate_key /etc/nginx/pki/private/server.key;
+
+    ssl_certificate /etc/nginx/pki/server.ec.crt;
+    ssl_certificate_key /etc/nginx/pki/private/server.ec.key;
+
+	location / {
+		# First attempt to serve request as file, then
+		# as directory, then fall back to displaying a 404.
+		try_files $uri $uri/ =404;
+	}
+
+	# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
+	#
+	#location ~ \.php$ {
+	#	include snippets/fastcgi-php.conf;
+	#
+	#	# With php7.0-cgi alone:
+	#	fastcgi_pass 127.0.0.1:9000;
+	#	# With php7.0-fpm:
+	#	fastcgi_pass unix:/run/php/php7.0-fpm.sock;
+	#}
+
+	# deny access to .htaccess files, if Apache's document root
+	# concurs with nginx's one
+	#
+	#location ~ /\.ht {
+	#	deny all;
+	#}
+}
+
+
+# Virtual Host configuration for example.com
+#
+# You can move that to a different file under sites-available/ and symlink that
+# to sites-enabled/ to enable it.
+#
+#server {
+#	listen 80;
+#	listen [::]:80;
+#
+#	server_name example.com;
+#
+#	root /var/www/example.com;
+#	index index.html;
+#
+#	location / {
+#		try_files $uri $uri/ =404;
+#	}
+#}

test/test_helper.bash

@@ -8,6 +8,20 @@ check_certificates()
     assert [ -e "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt" ]
 }
 
+# Only nginx > 1.11.0 support dual certificates in a single configuration file
+# https://unix.stackexchange.com/questions/285924/how-to-compare-a-programs-version-in-a-shell-script
+check_nginx() {
+    requiredver="1.11.0"
+    currentver="$(nginx -v)"
+    if [ "$(printf '%s\n' "$requiredver" "$currentver" | sort -V | head -n1)" = "$requiredver" ]; then
+        export OLD_NGINX="false"
+    else
+        echo "INFO: Running nginx version $currentver which doesn't support dual certificates" >&3
+        echo "INFO: not checking that certificate is installed correctly" >&3
+        export OLD_NGINX="true"
+    fi
+}
+
 check_output_for_errors() {
     refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
     # less strict tests if running with debug output