From 0f9e831b3a5cefdaa54685ee39a5ca10729f9701 Mon Sep 17 00:00:00 2001 From: In/Progress Date: Sun, 2 Dec 2018 19:29:17 +0000 Subject: [PATCH 01/23] Allow file copying via davs (WebDAV over HTTPS) --- getssl | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/getssl b/getssl index 7f3713e..2c7d4a8 100755 --- a/getssl +++ b/getssl @@ -564,6 +564,20 @@ copy_file_to_location() { # copies a file, using scp, sftp or ftp if required. lcd $fromdir put $fromfile _EOF + elif [[ "${to:0:5}" == "davs:" ]] ; then + debug "using davs to copy the file from $from" + davsuser=$(echo "$to"| awk -F: '{print $2}') + davspass=$(echo "$to"| awk -F: '{print $3}') + davshost=$(echo "$to"| awk -F: '{print $4}') + davsport=$(echo "$to"| awk -F: '{print $5}') + davslocn=$(echo "$to"| awk -F: '{print $6}') + davsdirn=$(dirname "$davslocn") + davsfile=$(basename "$davslocn") + fromdir=$(dirname "$from") + fromfile=$(basename "$from") + debug "davs user=$davsuser - pass=$davspass - host=$davshost port=$davsport dir=$davsdirn file=$davsfile" + debug "from dir=$fromdir file=$fromfile" + curl -u "${davsuser}:${davspass}" -T "${fromdir}/${fromfile}" "https://${davshost}:${davsport}${davsdirn}/${davsfile}" else if ! mkdir -p "$(dirname "$to")" ; then error_exit "cannot create ACL directory $(basename "$to")" From f7324f35d711c4479fb286381d97b41585e142e1 Mon Sep 17 00:00:00 2001 From: In/Progress Date: Sun, 2 Dec 2018 20:08:40 +0000 Subject: [PATCH 02/23] Add documentation for ACL transfer via davs --- getssl | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/getssl b/getssl index 2c7d4a8..70878d7 100755 --- a/getssl +++ b/getssl @@ -1313,10 +1313,13 @@ write_domain_template() { # write out a template file for a domain. # If these start with ftp: then the next variables are ftpuserid:ftppassword:servername:ACL_location # These should be of the form "/path/to/your/website/folder/.well-known/acme-challenge" # where "/path/to/your/website/folder/" is the path, on your web server, to the web root for your domain. + # You can also user WebDAV over HTTPS as transport mechanism. To do so, start with davs: followed by username, + # password, host, port (explicitly needed even if using default port 443) and path on the server. #ACL=('/var/www/${DOMAIN}/web/.well-known/acme-challenge' # 'ssh:server5:/var/www/${DOMAIN}/web/.well-known/acme-challenge' # 'ssh:sshuserid@server5:/var/www/${DOMAIN}/web/.well-known/acme-challenge' - # 'ftp:ftpuserid:ftppassword:${DOMAIN}:/web/.well-known/acme-challenge') + # 'ftp:ftpuserid:ftppassword:${DOMAIN}:/web/.well-known/acme-challenge' + # 'davs:davsuserid:davspassword:{DOMAIN}:443:/web/.well-known/acme-challenge') #Set USE_SINGLE_ACL="true" to use a single ACL for all checks #USE_SINGLE_ACL="false" From 3a379ecebb875e37f73318768db6227d068b5cf7 Mon Sep 17 00:00:00 2001 From: In/Progress Date: Sun, 2 Dec 2018 20:19:46 +0000 Subject: [PATCH 03/23] Update Revision history as contribution guidelines suggest --- getssl | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/getssl b/getssl index 70878d7..46764ca 100755 --- a/getssl +++ b/getssl @@ -184,10 +184,11 @@ # 2017-01-30 issue #243 compatibility with bash 3.0 (2.08) # 2017-01-30 issue #243 additional compatibility with bash 3.0 (2.09) # 2017-02-18 add OCSP Must-Staple to the domain csr generation (2.10) +# 2018-12-02 allow file transfer using WebDAV over HTTPS (2.11) # ---------------------------------------------------------------------------------------- PROGNAME=${0##*/} -VERSION="2.10" +VERSION="2.11" # defaults ACCOUNT_KEY_LENGTH=4096 From d9669d240f67d4f5023b4d58ffeab86577671450 Mon Sep 17 00:00:00 2001 From: Yannic Haupenthal Date: Thu, 21 Nov 2019 16:05:37 +0100 Subject: [PATCH 04/23] * add IGNORE_PERIOD_CHECK flag --- getssl | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/getssl b/getssl index f3e60a4..9d39c9e 100755 --- a/getssl +++ b/getssl @@ -226,6 +226,7 @@ SERVER_TYPE="https" SKIP_HTTP_TOKEN_CHECK="false" SSLCONF="$(openssl version -d 2>/dev/null| cut -d\" -f2)/openssl.cnf" OCSP_MUST_STAPLE="false" +IGNORE_PERIOD_CHECK="false" TEMP_UPGRADE_FILE="" TOKEN_USER_ID="" USE_SINGLE_ACL="false" @@ -1795,7 +1796,7 @@ if [[ ${_CHECK_ALL} -eq 1 ]]; then cmd="$cmd -q" fi # check if $dir looks like a domain name (contains a period) - if [[ $(basename "$dir") == *.* ]]; then + if [[ $(basename "$dir") == *.* || "$IGNORE_PERIOD_CHECK" == "true" ]]; then cmd="$cmd -w $WORKING_DIR $(basename "$dir")" debug "CMD: $cmd" eval "$cmd" From 813276ee80df41d934a462ea6a89340d6215e108 Mon Sep 17 00:00:00 2001 From: Tsaukpaetra Date: Tue, 31 Dec 2019 02:53:02 -0700 Subject: [PATCH 05/23] Create dns_freedns.sh Should probably be fixed up, I've only hacked up @dkerr64's version for acme.sh to work on my local instance. It assumes you're using curl, I didn't bother stealing acme.sh's whole library of functions. DNS_ADD_COMMAND="~/.getssl/dns_freedns.sh add" DNS_DEL_COMMAND="~/.getssl/dns_freedns.sh rm" --- dns_scripts/dns_freedns.sh | 702 +++++++++++++++++++++++++++++++++++++ 1 file changed, 702 insertions(+) create mode 100644 dns_scripts/dns_freedns.sh diff --git a/dns_scripts/dns_freedns.sh b/dns_scripts/dns_freedns.sh new file mode 100644 index 0000000..a6571e1 --- /dev/null +++ b/dns_scripts/dns_freedns.sh @@ -0,0 +1,702 @@ +#!/usr/bin/env sh + +#This file name is "dns_freedns.sh" +#So, here must be a method dns_freedns_add() +#Which will be called by acme.sh to add the txt record to your api system. +#returns 0 means success, otherwise error. +# +#Author: David Kerr +#Report Bugs here: https://github.com/dkerr64/acme.sh +#or here... https://github.com/Neilpang/acme.sh/issues/2305 +# +######## Public functions ##################### + +# Export FreeDNS userid and password in following variables... +# FREEDNS_User=username +# FREEDNS_Password=password +# login cookie is saved in acme account config file so userid / pw +# need to be set only when changed. + +#Usage: dns_freedns_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_freedns_add() { + fulldomain="_acme-challenge.$1" + txtvalue="$2" + FREEDNS_COOKIE="$(cat $(dirname "$(readlink -f "$0")")/freednscookie.dat)" + + echo "Info: Add TXT record using FreeDNS" + #echo "Debug: fulldomain: $fulldomain" + #echo "Debug: txtvalue: $txtvalue" + + if [ -z "$FREEDNS_User" ] || [ -z "$FREEDNS_Password" ]; then + FREEDNS_User="" + FREEDNS_Password="" + if [ -z "$FREEDNS_COOKIE" ]; then + echo "ERROR: You did not specify the FreeDNS username and password yet." + echo "ERROR: Please export as FREEDNS_User / FREEDNS_Password and try again." + return 1 + fi + using_cached_cookies="true" + else + FREEDNS_COOKIE="$(_freedns_login "$FREEDNS_User" "$FREEDNS_Password")" + if [ -z "$FREEDNS_COOKIE" ]; then + return 1 + fi + using_cached_cookies="false" + fi + + #echo "Debug: FreeDNS login cookies: $FREEDNS_COOKIE (cached = $using_cached_cookies)" + + echo "$FREEDNS_COOKIE">$(dirname "$(readlink -f "$0")")/freednscookie.dat + + # We may have to cycle through the domain name to find the + # TLD that we own... + i=1 + wmax="$(echo "$fulldomain" | tr '.' ' ' | wc -w)" + while [ "$i" -lt "$wmax" ]; do + # split our full domain name into two parts... + sub_domain="$(echo "$fulldomain" | cut -d. -f -"$i")" + i="$(_math "$i" + 1)" + top_domain="$(echo "$fulldomain" | cut -d. -f "$i"-100)" + #echo "Debug: sub_domain: $sub_domain" + #echo "Debug: top_domain: $top_domain" + + DNSdomainid="$(_freedns_domain_id "$top_domain")" + if [ "$?" = "0" ]; then + echo "Info:Domain $top_domain found at FreeDNS, domain_id $DNSdomainid" + break + else + echo "Info:Domain $top_domain not found at FreeDNS, try with next level of TLD" + fi + done + + if [ -z "$DNSdomainid" ]; then + # If domain ID is empty then something went wrong (top level + # domain not found at FreeDNS). + echo "ERROR: Domain $top_domain not found at FreeDNS" + return 1 + fi + + # Add in new TXT record with the value provided + #echo "Debug: Adding TXT record for $fulldomain, $txtvalue" + _freedns_add_txt_record "$FREEDNS_COOKIE" "$DNSdomainid" "$sub_domain" "$txtvalue" + return $? +} + +#Usage: fulldomain txtvalue +#Remove the txt record after validation. +dns_freedns_rm() { + fulldomain="_acme-challenge.$1" + txtvalue="$2" + + echo "Info:Delete TXT record using FreeDNS" + #echo "Debug: fulldomain: $fulldomain" + #echo "Debug: txtvalue: $txtvalue" + + # Need to read cookie from conf file again in case new value set + # during login to FreeDNS when TXT record was created. + FREEDNS_COOKIE="$(cat $(dirname "$(readlink -f "$0")")/freednscookie.dat)" + #echo "Debug: FreeDNS login cookies: $FREEDNS_COOKIE" + + TXTdataid="$(_freedns_data_id "$fulldomain" "TXT")" + if [ "$?" != "0" ]; then + echo "Info:Cannot delete TXT record for $fulldomain, record does not exist at FreeDNS" + return 1 + fi + #echo "Debug: Data ID's found, $TXTdataid" + + # now we have one (or more) TXT record data ID's. Load the page + # for that record and search for the record txt value. If match + # then we can delete it. + lines="$(echo "$TXTdataid" | wc -l)" + #echo "Debug: Found $lines TXT data records for $fulldomain" + i=0 + while [ "$i" -lt "$lines" ]; do + i="$(_math "$i" + 1)" + dataid="$(echo "$TXTdataid" | sed -n "${i}p")" + #echo "Debug: $dataid" + + htmlpage="$(_freedns_retrieve_data_page "$FREEDNS_COOKIE" "$dataid")" + if [ "$?" != "0" ]; then + if [ "$using_cached_cookies" = "true" ]; then + echo "ERROR: Has your FreeDNS username and password changed? If so..." + echo "ERROR: Please export as FREEDNS_User / FREEDNS_Password and try again." + fi + return 1 + fi + + echo "$htmlpage" | grep "value=\""$txtvalue"\"" >/dev/null + if [ "$?" = "0" ]; then + # Found a match... delete the record and return + echo "Info:Deleting TXT record for $fulldomain, $txtvalue" + _freedns_delete_txt_record "$FREEDNS_COOKIE" "$dataid" + return $? + fi + done + + # If we get this far we did not find a match + # Not necessarily an error, but log anyway. + echo "Info:Cannot delete TXT record for $fulldomain, $txtvalue. Does not exist at FreeDNS" + return 0 +} + +#################### Private functions below ################################## + +# usage: _freedns_login username password +# print string "cookie=value" etc. +# returns 0 success +_freedns_login() { + export _H1="Accept-Language:en-US" + username="$1" + password="$2" + url="https://freedns.afraid.org/zc.php?step=2" + + #echo "Debug: Login to FreeDNS as user $username" + data="username=$(printf '%s' "$username" | _url_encode)&password=$(printf '%s' "$password" | _url_encode)&submit=Login&action=auth" + #echo "$data" + + if [ -z "$HTTP_HEADER" ] || ! touch "$HTTP_HEADER"; then + HTTP_HEADER="$(_mktemp)" + fi + htmlpage="$(curl -L --silent --dump-header $HTTP_HEADER -X POST -H "$_H1" -H "$_H2" --data "$data" "$url")" + + if [ "$?" != "0" ]; then + echo "ERROR: FreeDNS login failed for user $username bad RC from _post" + return 1 + fi + + cookies="$(grep -i '^Set-Cookie.*dns_cookie.*$' "$HTTP_HEADER" | _head_n 1 | tr -d "\r\n" | cut -d " " -f 2)" + + # if cookies is not empty then logon successful + if [ -z "$cookies" ]; then + #echo "Debug3: htmlpage: $htmlpage" + echo "ERROR: FreeDNS login failed for user $username. Check $HTTP_HEADER file" + return 1 + fi + + printf "%s" "$cookies" + return 0 +} + +# usage _freedns_retrieve_subdomain_page login_cookies +# echo page retrieved (html) +# returns 0 success +_freedns_retrieve_subdomain_page() { + export _H1="Cookie:$1" + export _H2="Accept-Language:en-US" + url="https://freedns.afraid.org/subdomain/" + + #echo "Debug: Retrieve subdomain page from FreeDNS" + + htmlpage="$(curl -L --silent -H "$_H1" -H "$_H2" "$url")" + + if [ "$?" != "0" ]; then + echo "ERROR: FreeDNS retrieve subdomains failed bad RC from _get" + return 1 + elif [ -z "$htmlpage" ]; then + echo "ERROR: FreeDNS returned empty subdomain page" + return 1 + fi + + #echo "Debug3: htmlpage: $htmlpage" + + printf "%s" "$htmlpage" + return 0 +} + +# usage _freedns_retrieve_data_page login_cookies data_id +# echo page retrieved (html) +# returns 0 success +_freedns_retrieve_data_page() { + export _H1="Cookie:$1" + export _H2="Accept-Language:en-US" + data_id="$2" + url="https://freedns.afraid.org/subdomain/edit.php?data_id=$2" + + #echo "Debug: Retrieve data page for ID $data_id from FreeDNS" + + htmlpage="$(curl -L --silent -H "$_H1" -H "$_H2" "$url")" + + if [ "$?" != "0" ]; then + echo "ERROR: FreeDNS retrieve data page failed bad RC from _get" + return 1 + elif [ -z "$htmlpage" ]; then + echo "ERROR: FreeDNS returned empty data page" + return 1 + fi + + #echo "Debug3: htmlpage: $htmlpage" + + printf "%s" "$htmlpage" + return 0 +} + +# usage _freedns_add_txt_record login_cookies domain_id subdomain value +# returns 0 success +_freedns_add_txt_record() { + export _H1="Cookie:$1" + export _H2="Accept-Language:en-US" + domain_id="$2" + subdomain="$3" + value="$(printf '%s' "$4" | _url_encode)" + url="https://freedns.afraid.org/subdomain/save.php?step=2" + + if [ -z "$HTTP_HEADER" ] || ! touch "$HTTP_HEADER"; then + HTTP_HEADER="$(_mktemp)" + fi + htmlpage="$(curl -L --silent --dump-header $HTTP_HEADER -X POST -H "$_H1" -H "$_H2" --data "type=TXT&domain_id=$domain_id&subdomain=$subdomain&address=%22$value%22&send=Save%21" "$url")" + + if [ "$?" != "0" ]; then + echo "ERROR: FreeDNS failed to add TXT record for $subdomain bad RC from _post" + return 1 + elif ! grep "200 OK" "$HTTP_HEADER" >/dev/null; then + #echo "Debug3: htmlpage: $(cat $HTTP_HEADER)" + echo "ERROR: FreeDNS failed to add TXT record for $subdomain. Check $HTTP_HEADER file" + return 1 + elif _contains "$htmlpage" "security code was incorrect"; then + #echo "Debug3: htmlpage: $htmlpage" + echo "ERROR: FreeDNS failed to add TXT record for $subdomain as FreeDNS requested security code" + echo "ERROR: Note that you cannot use automatic DNS validation for FreeDNS public domains" + return 1 + fi + + #echo "Debug3: htmlpage: $htmlpage" + echo "Info:Added acme challenge TXT record for $fulldomain at FreeDNS" + return 0 +} + +# usage _freedns_delete_txt_record login_cookies data_id +# returns 0 success +_freedns_delete_txt_record() { + export _H1="Cookie:$1" + export _H2="Accept-Language:en-US" + data_id="$2" + url="https://freedns.afraid.org/subdomain/delete2.php" + + htmlheader="$(curl -L --silent -I -H "$_H1" -H "$_H2" "$url?data_id%5B%5D=$data_id&submit=delete+selected")" + + if [ "$?" != "0" ]; then + echo "ERROR: FreeDNS failed to delete TXT record for $data_id bad RC from _get" + return 1 + elif ! _contains "$htmlheader" "200 OK"; then + #echo "Debug2: htmlheader: $htmlheader" + echo "ERROR: FreeDNS failed to delete TXT record $data_id" + return 1 + fi + + echo "Info:Deleted acme challenge TXT record for $fulldomain at FreeDNS" + return 0 +} + +# usage _freedns_domain_id domain_name +# echo the domain_id if found +# return 0 success +_freedns_domain_id() { + # Start by escaping the dots in the domain name + search_domain="$(echo "$1" | sed 's/\./\\./g')" + + # Sometimes FreeDNS does not return the subdomain page but rather + # returns a page regarding becoming a premium member. This usually + # happens after a period of inactivity. Immediately trying again + # returns the correct subdomain page. So, we will try twice to + # load the page and obtain our domain ID + attempts=2 + while [ "$attempts" -gt "0" ]; do + attempts="$(_math "$attempts" - 1)" + + htmlpage="$(_freedns_retrieve_subdomain_page "$FREEDNS_COOKIE")" + if [ "$?" != "0" ]; then + if [ "$using_cached_cookies" = "true" ]; then + echo "ERROR: Has your FreeDNS username and password changed? If so..." + echo "ERROR: Please export as FREEDNS_User / FREEDNS_Password and try again." + fi + return 1 + fi + + domain_id="$(echo "$htmlpage" | tr -d " \t\r\n\v\f" | sed 's//@/g' | tr '@' '\n' \ + | grep "$search_domain\|$search_domain(.*)" \ + | sed -n 's/.*\(edit\.php?edit_domain_id=[0-9a-zA-Z]*\).*/\1/p' \ + | cut -d = -f 2)" + # The above beauty extracts domain ID from the html page... + # strip out all blank space and new lines. Then insert newlines + # before each table row + # search for the domain within each row (which may or may not have + # a text string in brackets (.*) after it. + # And finally extract the domain ID. + if [ -n "$domain_id" ]; then + printf "%s" "$domain_id" + return 0 + fi + #echo "Debug:Domain $search_domain not found. Retry loading subdomain page ($attempts attempts remaining)" + done + #echo "Debug:Domain $search_domain not found after retry" + return 1 +} + +# usage _freedns_data_id domain_name record_type +# echo the data_id(s) if found +# return 0 success +_freedns_data_id() { + # Start by escaping the dots in the domain name + search_domain="$(echo "$1" | sed 's/\./\\./g')" + record_type="$2" + + # Sometimes FreeDNS does not return the subdomain page but rather + # returns a page regarding becoming a premium member. This usually + # happens after a period of inactivity. Immediately trying again + # returns the correct subdomain page. So, we will try twice to + # load the page and obtain our domain ID + attempts=2 + while [ "$attempts" -gt "0" ]; do + attempts="$(_math "$attempts" - 1)" + + htmlpage="$(_freedns_retrieve_subdomain_page "$FREEDNS_COOKIE")" + if [ "$?" != "0" ]; then + if [ "$using_cached_cookies" = "true" ]; then + echo "ERROR: Has your FreeDNS username and password changed? If so..." + echo "ERROR: Please export as FREEDNS_User / FREEDNS_Password and try again." + fi + return 1 + fi + + data_id="$(echo "$htmlpage" | tr -d " \t\r\n\v\f" | sed 's//@/g' | tr '@' '\n' \ + | grep "$record_type" \ + | grep "$search_domain" \ + | sed -n 's/.*\(edit\.php?data_id=[0-9a-zA-Z]*\).*/\1/p' \ + | cut -d = -f 2)" + # The above beauty extracts data ID from the html page... + # strip out all blank space and new lines. Then insert newlines + # before each table row + # search for the record type withing each row (e.g. TXT) + # search for the domain within each row (which is within a + # anchor. And finally extract the domain ID. + if [ -n "$data_id" ]; then + printf "%s" "$data_id" + return 0 + fi + #echo "Debug:Domain $search_domain not found. Retry loading subdomain page ($attempts attempts remaining)" + done + #echo "Debug:Domain $search_domain not found after retry" + return 1 +} + +#### BEGIN things shamefully ripped from https://github.com/Neilpang/acme.sh/blob/master/acme.sh + +#_ascii_hex str +#this can only process ascii chars, should only be used when od command is missing as a backup way. +_ascii_hex() { + _debug2 "Using _ascii_hex" + _str="$1" + _str_len=${#_str} + _h_i=1 + while [ "$_h_i" -le "$_str_len" ]; do + _str_c="$(printf "%s" "$_str" | cut -c "$_h_i")" + printf " %02x" "'$_str_c" + _h_i="$(_math "$_h_i" + 1)" + done +} + +#stdin output hexstr splited by one space +#input:"abc" +#output: " 61 62 63" +_hex_dump() { + if _exists od; then + od -A n -v -t x1 | tr -s " " | sed 's/ $//' | tr -d "\r\t\n" + elif _exists hexdump; then + hexdump -v -e '/1 ""' -e '/1 " %02x" ""' + elif _exists xxd; then + xxd -ps -c 20 -i | sed "s/ 0x/ /g" | tr -d ",\n" | tr -s " " + else + str=$(cat) + _ascii_hex "$str" + fi +} + +#url encode, no-preserved chars +#A B C D E F G H I J K L M N O P Q R S T U V W X Y Z +#41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f 50 51 52 53 54 55 56 57 58 59 5a + +#a b c d e f g h i j k l m n o p q r s t u v w x y z +#61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a + +#0 1 2 3 4 5 6 7 8 9 - _ . ~ +#30 31 32 33 34 35 36 37 38 39 2d 5f 2e 7e + +#stdin stdout +_url_encode() { + _hex_str=$(_hex_dump) + for _hex_code in $_hex_str; do + #upper case + case "${_hex_code}" in + "41") + printf "%s" "A" + ;; + "42") + printf "%s" "B" + ;; + "43") + printf "%s" "C" + ;; + "44") + printf "%s" "D" + ;; + "45") + printf "%s" "E" + ;; + "46") + printf "%s" "F" + ;; + "47") + printf "%s" "G" + ;; + "48") + printf "%s" "H" + ;; + "49") + printf "%s" "I" + ;; + "4a") + printf "%s" "J" + ;; + "4b") + printf "%s" "K" + ;; + "4c") + printf "%s" "L" + ;; + "4d") + printf "%s" "M" + ;; + "4e") + printf "%s" "N" + ;; + "4f") + printf "%s" "O" + ;; + "50") + printf "%s" "P" + ;; + "51") + printf "%s" "Q" + ;; + "52") + printf "%s" "R" + ;; + "53") + printf "%s" "S" + ;; + "54") + printf "%s" "T" + ;; + "55") + printf "%s" "U" + ;; + "56") + printf "%s" "V" + ;; + "57") + printf "%s" "W" + ;; + "58") + printf "%s" "X" + ;; + "59") + printf "%s" "Y" + ;; + "5a") + printf "%s" "Z" + ;; + + #lower case + "61") + printf "%s" "a" + ;; + "62") + printf "%s" "b" + ;; + "63") + printf "%s" "c" + ;; + "64") + printf "%s" "d" + ;; + "65") + printf "%s" "e" + ;; + "66") + printf "%s" "f" + ;; + "67") + printf "%s" "g" + ;; + "68") + printf "%s" "h" + ;; + "69") + printf "%s" "i" + ;; + "6a") + printf "%s" "j" + ;; + "6b") + printf "%s" "k" + ;; + "6c") + printf "%s" "l" + ;; + "6d") + printf "%s" "m" + ;; + "6e") + printf "%s" "n" + ;; + "6f") + printf "%s" "o" + ;; + "70") + printf "%s" "p" + ;; + "71") + printf "%s" "q" + ;; + "72") + printf "%s" "r" + ;; + "73") + printf "%s" "s" + ;; + "74") + printf "%s" "t" + ;; + "75") + printf "%s" "u" + ;; + "76") + printf "%s" "v" + ;; + "77") + printf "%s" "w" + ;; + "78") + printf "%s" "x" + ;; + "79") + printf "%s" "y" + ;; + "7a") + printf "%s" "z" + ;; + #numbers + "30") + printf "%s" "0" + ;; + "31") + printf "%s" "1" + ;; + "32") + printf "%s" "2" + ;; + "33") + printf "%s" "3" + ;; + "34") + printf "%s" "4" + ;; + "35") + printf "%s" "5" + ;; + "36") + printf "%s" "6" + ;; + "37") + printf "%s" "7" + ;; + "38") + printf "%s" "8" + ;; + "39") + printf "%s" "9" + ;; + "2d") + printf "%s" "-" + ;; + "5f") + printf "%s" "_" + ;; + "2e") + printf "%s" "." + ;; + "7e") + printf "%s" "~" + ;; + #other hex + *) + printf '%%%s' "$_hex_code" + ;; + esac + done +} + +_exists() { + cmd="$1" + if [ -z "$cmd" ]; then + _usage "Usage: _exists cmd" + return 1 + fi + + if eval type type >/dev/null 2>&1; then + eval type "$cmd" >/dev/null 2>&1 + elif command >/dev/null 2>&1; then + command -v "$cmd" >/dev/null 2>&1 + else + which "$cmd" >/dev/null 2>&1 + fi + ret="$?" + #echo "Debug3: $cmd exists=$ret" + return $ret +} + +_head_n() { + head -n "$1" +} + +_mktemp() { + if _exists mktemp; then + if mktemp 2>/dev/null; then + return 0 + elif _contains "$(mktemp 2>&1)" "-t prefix" && mktemp -t "$PROJECT_NAME" 2>/dev/null; then + #for Mac osx + return 0 + fi + fi + if [ -d "/tmp" ]; then + echo "/tmp/${PROJECT_NAME}wefADf24sf.$(_time).tmp" + return 0 + elif [ "$LE_TEMP_DIR" ] && mkdir -p "$LE_TEMP_DIR"; then + echo "/$LE_TEMP_DIR/wefADf24sf.$(_time).tmp" + return 0 + fi + _err "Can not create temp file." +} + +#a + b +_math() { + _m_opts="$@" + printf "%s" "$(($_m_opts))" +} + +_contains() { + _str="$1" + _sub="$2" + echo "$_str" | grep -- "$_sub" >/dev/null 2>&1 +} + +##Now actually do something with that function +case "$1" in + + add) + dns_freedns_add $2 $3 + ;; + rm) + dns_freedns_rm $2 $3 + ;; +esac From 770277c7ad72b7c78ebcfdec8ba5a7ac4a5089c8 Mon Sep 17 00:00:00 2001 From: Radek SPRTA Date: Thu, 16 Jan 2020 18:27:11 +0100 Subject: [PATCH 06/23] Add support for CloudDNS --- dns_scripts/dns_add_clouddns | 94 ++++++++++++++++++++++++++++++++ dns_scripts/dns_del_clouddns | 101 +++++++++++++++++++++++++++++++++++ 2 files changed, 195 insertions(+) create mode 100755 dns_scripts/dns_add_clouddns create mode 100755 dns_scripts/dns_del_clouddns diff --git a/dns_scripts/dns_add_clouddns b/dns_scripts/dns_add_clouddns new file mode 100755 index 0000000..5236269 --- /dev/null +++ b/dns_scripts/dns_add_clouddns @@ -0,0 +1,94 @@ +#!/usr/bin/env bash +# Need to add your email address and API key to clouddns below or set as env variables +email=${CLOUDDNS_EMAIL:-''} +password=${CLOUDDNS_PASSWORD:-''} +client=${CLOUDDNS_CLIENT:-''} + +# This script adds a token to clouddns DNS for the ACME challenge +# usage dns_add_clouddns "domain name" "token" +# return codes are; +# 0 - success +# 1 - error in input +# 2 - error within internal processing +# 3 - error in result ( domain not found in clouddns etc) + +fulldomain="${1}" +token="${2}" +API='https://admin.vshosting.cloud/clouddns' +LOGIN_API='https://admin.vshosting.cloud/api/public/auth/login' + +# Check initial parameters +if [[ -z "$fulldomain" ]]; then + echo "DNS script requires full domain name as first parameter" + exit 1 +fi +if [[ -z "$token" ]]; then + echo "DNS script requires challenge token as second parameter" + exit 1 +fi +if [[ -z "$email" ]]; then + echo "CLOUDDNS_EMAIL (email) parameter not set" + exit 1 +fi +if [[ -z "$password" ]]; then + echo "CLOUDDNS_PASSWORD (password) parameter not set" + exit 1 +fi +if [[ -z "$client" ]]; then + echo "CLOUDDNS_CLIENT (id) parameter not set" + exit 1 +fi + +# Login to clouddns to get accessToken +resp=$(curl --silent -X POST -H 'Content-Type: application/json' "$LOGIN_API" \ + --data "{\"email\": \"$email\", \"password\": \"$password\"}") +re='"accessToken":"([^,]*)",' # Match access token +if [[ "${resp// }" =~ $re ]]; then + access_token="${BASH_REMATCH[1]}" +fi +if [[ -z "$access_token" ]]; then + echo 'Could not get access token; check your credentials' + exit 3 +fi +curl_params=( -H "Authorization: Bearer $access_token" -H 'Content-Type: application/json' ) + +# Get main domain +domain_root=$(echo "$fulldomain" | awk -F\. '{print $(NF-1) FS $NF}') + +# Get domain id +resp=$(curl --silent "${curl_params[@]}" -X POST "$API/domain/search" \ + --data "{\"search\": [{\"name\": \"clientId\", \"operator\": \"eq\", \"value\": \"$client\"}, {\"name\": \"domainName\", \"operator\": \"eq\", \"value\": \"$domain_root.\"}]}") +re='domainType":"[^"]*","id":"([^,]*)",' # Match domain id +if [[ "${resp//[$'\t\r\n ']}" =~ $re ]]; then + domain_id="${BASH_REMATCH[1]}" +fi + +if [[ -z "$domain_id" ]]; then + echo 'Domain name not found on your CloudDNS account' + exit 3 +fi + +# Add challenge record +txt_record="_acme-challenge.$domain_root." +resp=$(curl --silent "${curl_params[@]}" -X POST "$API/record-txt" \ + --data "{\"type\":\"TXT\",\"name\":\"$txt_record\",\"value\":\"$token\",\"domainId\":\"$domain_id\"}") + +# If adding record failed (error:) then print error message +if [[ "${resp// }" == *'"error"'* ]]; then + if [[ "${resp// }" == *'"code":4136'* ]]; then + echo "DNS challenge token already exists" + exit + fi + re='"message":"([^"]+)"' + if [[ "$resp" =~ $re ]]; then + echo "Error: DNS challenge not added: ${BASH_REMATCH[1]}" + exit 3 + else + echo "Error: DNS challenge not added: unknown error - ${resp}" + exit 3 + fi +fi + +# Publish challenge record +resp=$(curl --silent "${curl_params[@]}" -X PUT "$API/domain/$domain_id/publish" \ + --data "{\"soaTtl\":300}") diff --git a/dns_scripts/dns_del_clouddns b/dns_scripts/dns_del_clouddns new file mode 100755 index 0000000..ddac2b6 --- /dev/null +++ b/dns_scripts/dns_del_clouddns @@ -0,0 +1,101 @@ +#!/usr/bin/env bash +# Need to add your email address and API key to clouddns below or set as env variables +email=${CLOUDDNS_EMAIL:-''} +password=${CLOUDDNS_PASSWORD:-''} +client=${CLOUDDNS_CLIENT:-''} + +# This script adds a token to clouddns DNS for the ACME challenge +# usage dns_add_clouddns "domain name" "token" +# return codes are; +# 0 - success +# 1 - error in input +# 2 - error within internal processing +# 3 - error in result ( domain not found in clouddns etc) + +fulldomain="${1}" +token="${2}" +API='https://admin.vshosting.cloud/clouddns' +LOGIN_API='https://admin.vshosting.cloud/api/public/auth/login' + +# Check initial parameters +if [[ -z "$fulldomain" ]]; then + echo "DNS script requires full domain name as first parameter" + exit 1 +fi +if [[ -z "$token" ]]; then + echo "DNS script requires challenge token as second parameter" + exit 1 +fi +if [[ -z "$email" ]]; then + echo "CLOUDDNS_EMAIL (email) parameter not set" + exit 1 +fi +if [[ -z "$password" ]]; then + echo "CLOUDDNS_PASSWORD (password) parameter not set" + exit 1 +fi +if [[ -z "$client" ]]; then + echo "CLOUDDNS_CLIENT (id) parameter not set" + exit 1 +fi + +# Login to clouddns to get accessToken +resp=$(curl --silent -X POST -H 'Content-Type: application/json' "$LOGIN_API" \ + --data "{\"email\": \"$email\", \"password\": \"$password\"}") +re='"accessToken":"([^,]*)",' # Match access token +if [[ "${resp// }" =~ $re ]]; then + access_token="${BASH_REMATCH[1]}" +fi +if [[ -z "$access_token" ]]; then + echo 'Could not get access token; check your credentials' + exit 3 +fi +curl_params=( -H "Authorization: Bearer $access_token" -H 'Content-Type: application/json' ) + +# Get main domain and challenge record +domain_root=$(echo "$fulldomain" | awk -F\. '{print $(NF-1) FS $NF}') +txt_record="_acme-challenge.$domain_root." + +# Get domain id +curl_domainid_body="{\"search\": [{\"name\": \"clientId\", \"operator\": \"eq\", \"value\": \"$client\"}, {\"name\": \"domainName\", \"operator\": \"eq\", \"value\": \"$domain_root.\"}]}" +resp=$(curl --silent "${curl_params[@]}" -X POST -d "$curl_domainid_body" "$API/domain/search") +re='domainType":"[^"]*","id":"([^,]*)",' # Find result section +if [[ "${resp//[$'\t\r\n ']}" =~ $re ]]; then + domain_id="${BASH_REMATCH[1]}" +fi + +if [[ -z "$domain_id" ]]; then + echo 'Domain name not found on your CloudDNS account' + exit 3 +fi + +# Get challenge record ID +resp=$(curl --silent "${curl_params[@]}" -X GET "$API/domain/$domain_id" ) +re="\"lastDomainRecordList\".*\"id\":\"([^,]*)\"[^}]*\"name\":\"$txt_record\"," # Match domain id +if [[ "${resp//[$'\t\r\n ']}" =~ $re ]]; then + record_id="${BASH_REMATCH[1]}" +fi + +if [[ -z "$record_id" ]]; then + echo 'Challenge record does not exist' + exit 3 +fi + +# Remove challenge record +resp=$(curl --silent "${curl_params[@]}" -X DELETE "$API/record/$record_id") + +# If removing record failed (error:) then print error message +if [[ "${resp// }" == *'"error"'* ]]; then + re='"message":"([^"]+)"' + if [[ "$resp" =~ $re ]]; then + echo "Error: DNS challenge not removed: ${BASH_REMATCH[1]}" + exit 3 + else + echo "Error: DNS challenge not removed: unknown error - ${resp}" + exit 3 + fi +fi + +# Publish challenge record deletion +resp=$(curl --silent "${curl_params[@]}" -X PUT "$API/domain/$domain_id/publish" \ + --data "{\"soaTtl\":300}") From 6c9f0e7655beb760b33a764f60b4ebd5c49ee445 Mon Sep 17 00:00:00 2001 From: Radek SPRTA Date: Thu, 16 Jan 2020 18:30:24 +0100 Subject: [PATCH 07/23] Update changelog --- getssl | 1 + 1 file changed, 1 insertion(+) diff --git a/getssl b/getssl index e52b3d0..f1e2989 100755 --- a/getssl +++ b/getssl @@ -196,6 +196,7 @@ # 2020-01-07 #464 and #486 "json was blank" (change all curl request to use POST-as-GET) # 2020-01-08 Error and exit if rate limited, exit if curl returns nothing # 2020-01-10 Change domain and getssl templates to v2 (2.15) +# 2020-01-16 Add support for CloudDNS # ---------------------------------------------------------------------------------------- PROGNAME=${0##*/} From b8b70f7ceea852bc6194a32cb9959d68c81efeb1 Mon Sep 17 00:00:00 2001 From: Radek SPRTA Date: Thu, 16 Jan 2020 18:49:08 +0100 Subject: [PATCH 08/23] Support certificates with SANs --- dns_scripts/dns_add_clouddns | 2 +- dns_scripts/dns_del_clouddns | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/dns_scripts/dns_add_clouddns b/dns_scripts/dns_add_clouddns index 5236269..a4e3f81 100755 --- a/dns_scripts/dns_add_clouddns +++ b/dns_scripts/dns_add_clouddns @@ -69,7 +69,7 @@ if [[ -z "$domain_id" ]]; then fi # Add challenge record -txt_record="_acme-challenge.$domain_root." +txt_record="_acme-challenge.$fulldomain." resp=$(curl --silent "${curl_params[@]}" -X POST "$API/record-txt" \ --data "{\"type\":\"TXT\",\"name\":\"$txt_record\",\"value\":\"$token\",\"domainId\":\"$domain_id\"}") diff --git a/dns_scripts/dns_del_clouddns b/dns_scripts/dns_del_clouddns index ddac2b6..ec22c91 100755 --- a/dns_scripts/dns_del_clouddns +++ b/dns_scripts/dns_del_clouddns @@ -54,7 +54,7 @@ curl_params=( -H "Authorization: Bearer $access_token" -H 'Content-Type: applica # Get main domain and challenge record domain_root=$(echo "$fulldomain" | awk -F\. '{print $(NF-1) FS $NF}') -txt_record="_acme-challenge.$domain_root." +txt_record="_acme-challenge.$fulldomain." # Get domain id curl_domainid_body="{\"search\": [{\"name\": \"clientId\", \"operator\": \"eq\", \"value\": \"$client\"}, {\"name\": \"domainName\", \"operator\": \"eq\", \"value\": \"$domain_root.\"}]}" From 6138f4ab1f27908eca837e26f362f9e254a40f9e Mon Sep 17 00:00:00 2001 From: Yannic Haupenthal Date: Tue, 21 Jan 2020 09:42:05 +0100 Subject: [PATCH 09/23] make markdownlint happy --- test/README.md | 28 ++++++++++++++++++++-------- 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/test/README.md b/test/README.md index 9d0aedd..086c58a 100644 --- a/test/README.md +++ b/test/README.md @@ -1,19 +1,31 @@ # Testing -This directory contains a simple test script which tests creating certificates with Pebble (testing version of the LetsEncrypt server) +This directory contains a simple test script which tests creating +certificates with Pebble (testing version of the LetsEncrypt server) Start up pebble, the challdnstest server for DNS challenges -`docker-compose -f "docker-compose.yml" up -d --build` + +```sh +docker-compose -f "docker-compose.yml" up -d --build +``` Run the tests -`docker exec -it getssl /getssl/test/run-test.sh` -Debug (need to set CURL_CA_BUNDLE as pebble uses a local certificate, otherwise you get a "unknown API version" error) -`docker exec -it getssl /bin/bash` -`export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt` -`/getssl/getssl -d getssl` +```sh +docker exec -it getssl /getssl/test/run-test.sh +``` + +Debug (need to set `CURL_CA_BUNDLE` as pebble uses a local certificate, +otherwise you get a "unknown API version" error) + +```sh +docker exec -it getssl /bin/bash +export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt +/getssl/getssl -d getssl +``` + +## TODO -# TODO 1. Move to BATS (bash automated testing) instead of run-test.sh 2. Test RHEL6, Debian as well 3. Test SSH, SFTP From 8db7744b3ee20c1b204057b5bc1df3b7742817c3 Mon Sep 17 00:00:00 2001 From: Yannic Haupenthal Date: Tue, 21 Jan 2020 09:48:34 +0100 Subject: [PATCH 10/23] implement the suggested fix in #277 --- getssl | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/getssl b/getssl index 939b351..78e9df3 100755 --- a/getssl +++ b/getssl @@ -234,7 +234,6 @@ SERVER_TYPE="https" SKIP_HTTP_TOKEN_CHECK="false" SSLCONF="$(openssl version -d 2>/dev/null| cut -d\" -f2)/openssl.cnf" OCSP_MUST_STAPLE="false" -IGNORE_PERIOD_CHECK="false" TEMP_UPGRADE_FILE="" TOKEN_USER_ID="" USE_SINGLE_ACL="false" @@ -1831,8 +1830,8 @@ if [[ ${_CHECK_ALL} -eq 1 ]]; then if [[ ${_QUIET} -eq 1 ]]; then cmd="$cmd -q" fi - # check if $dir looks like a domain name (contains a period) - if [[ $(basename "$dir") == *.* || "$IGNORE_PERIOD_CHECK" == "true" ]]; then + # check if $dir is a directory with a getssl.cfg in it + if [[ -f "$dir/getssl.cfg" ]]; then cmd="$cmd -w $WORKING_DIR $(basename "$dir")" debug "CMD: $cmd" eval "$cmd" From 8c7cd703b583e4095c5e41f338388743e8b88c63 Mon Sep 17 00:00:00 2001 From: Yannic Haupenthal Date: Tue, 21 Jan 2020 10:06:47 +0100 Subject: [PATCH 11/23] lint CONTRIBUTING.md --- CONTRIBUTING.md | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 482a7aa..3c8242c 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,24 +1,31 @@ # How to contribute -If you are happy writing in bash, please create a PR for any changes you'd like to see included (or bug fixes). +If you are happy writing in bash, please create a PR for any changes +you'd like to see included (or bug fixes). -If you aren't happy writing in bash, please open an issue with as much detail as possible about the issue or what you'd like to see added / improved. +If you aren't happy writing in bash, please open an issue with as much +detail as possible about the issue or what you'd like to see added / +improved. ## Submitting changes -Please update the 'revision history' and version number at the top of the code (without this I can't easily do a merge) +Please update the 'revision history' and version number at the top of +the code (without this I can't easily do a merge) -Please update just one issue per PR. If there are multiple issues, please provide separate PR's one per issue. +Please update just one issue per PR. If there are multiple issues, +please provide separate PR's one per issue. ## Coding conventions -Please see the guidelines at https://github.com/srvrco/getssl/wiki/Bash-Style-guide +Please see the guidelines at ## Testing -Please test with [shellcheck](https://github.com/koalaman/shellcheck), although this will also be tested on github ( via travis) on all PRs. +Please test with [shellcheck](https://github.com/koalaman/shellcheck), +although this will also be tested on github (via travis) on all PRs. -Please remember that the system is used across a wide range of platforms, so if you have access to multiple operating systems, please test on all. +Please remember that the system is used across a wide range of +platforms, so if you have access to multiple operating systems, please +test on all. - -Thanks :) +Thanks :) From 2c1a894224ec57b674d367c5cbd5f0ee3ef70ab7 Mon Sep 17 00:00:00 2001 From: Yannic Haupenthal Date: Tue, 21 Jan 2020 10:07:08 +0100 Subject: [PATCH 12/23] lint bug_report.md --- .github/ISSUE_TEMPLATE/bug_report.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index 116d2a5..135ea05 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -12,6 +12,7 @@ A clear and concise description of what the bug is. **To Reproduce** Steps to reproduce the behavior: + 1. Go to '...' 2. Click on '....' 3. Scroll down to '....' @@ -21,8 +22,9 @@ Steps to reproduce the behavior: A clear and concise description of what you expected to happen. **Operating system (please complete the following information):** - - OS: [e.g. Debian 9, Ubuntu 18.04, freeBSD ] - - Bash Version [e.g. GNU bash, version 4.4.12(1)-release (x86_64-pc-linux-gnu)] + +- OS: [e.g. Debian 9, Ubuntu 18.04, freeBSD ] +- Bash Version [e.g. GNU bash, version 4.4.12(1)-release (x86_64-pc-linux-gnu)] **Additional context** Add any other context about the problem here. From 0891d37372bbb86677108aae019c4e454ecf6e7f Mon Sep 17 00:00:00 2001 From: Yannic Haupenthal Date: Tue, 21 Jan 2020 10:07:18 +0100 Subject: [PATCH 13/23] lint README.md (and fix some punctuation) --- README.md | 170 ++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 121 insertions(+), 49 deletions(-) diff --git a/README.md b/README.md index 8549bda..1d0d3fc 100644 --- a/README.md +++ b/README.md @@ -1,44 +1,76 @@ # getssl -Obtain SSL certificates from the letsencrypt.org ACME server. Suitable for automating the process on remote servers. + +Obtain SSL certificates from the letsencrypt.org ACME server. Suitable +for automating the process on remote servers. ## Features -* **Bash** - It runs on virtually all unix machines, including BSD, most Linux distributions, macOS. -* **Get certificates for remote servers** - The tokens used to provide validation of domain ownership, and the certificates themselves can be automatically copied to remote servers (via ssh, sftp or ftp for tokens). The script doesn't need to run on the server itself. This can be useful if you don't have access to run such scripts on the server itself, e.g. if it's a shared server. -* **Runs as a daily cron** - so certificates will be automatically renewed when required. + +* **Bash** - It runs on virtually all unix machines, including BSD, most + Linux distributions, macOS. +* **Get certificates for remote servers** - The tokens used to provide + validation of domain ownership, and the certificates themselves can be + automatically copied to remote servers (via ssh, sftp or ftp for + tokens). The script doesn't need to run on the server itself. This can + be useful if you don't have access to run such scripts on the server + itself, e.g. if it's a shared server. +* **Runs as a daily cron** - so certificates will be automatically + renewed when required. * **Automatic certificate renewals** -* **Checks certificates are correctly loaded**. After installation of a new certificate it will test the port specified ( see [Server-Types](#server-types) for options ) that the certificate is actually being used correctly. -* **Automatically updates** - The script can automatically update itself with bug fixes etc if required. -* **Extensively configurable** - With a simple configuration file for each certificate it is possible to configure it exactly for your needs, whether a simple single domain or multiple domains across multiple servers on the same certificate. +* **Checks certificates are correctly loaded** - After installation of a + new certificate it will test the port specified ( see + [Server-Types](#server-types) for options ) that the certificate is + actually being used correctly. +* **Automatically updates** - The script can automatically update itself + with bug fixes etc if required. +* **Extensively configurable** - With a simple configuration file for + each certificate it is possible to configure it exactly for your + needs, whether a simple single domain or multiple domains across + multiple servers on the same certificate. * **Supports http and dns challenges** - Full ACME implementation * **Simple and easy to use** -* **Detailed debug info** - Whilst it shouldn't be needed, detailed debug information is available. -* **Reload services** - After a new certificate is obtained then the relevant services (e.g. apache/nginx/postfix) can be reloaded. +* **Detailed debug info** - Whilst it shouldn't be needed, detailed + debug information is available. +* **Reload services** - After a new certificate is obtained then the + relevant services (e.g. apache/nginx/postfix) can be reloaded. * **ACME v1 and V2** - Supports both ACME versions 1 and 2 ## Installation -Since the script is only one file, you can use the following command for a quick installation of GetSSL only: -``` + +Since the script is only one file, you can use the following command for +a quick installation of GetSSL only: + +```sh curl --silent https://raw.githubusercontent.com/srvrco/getssl/master/getssl > getssl ; chmod 700 getssl ``` -This will copy the getssl Bash script to the current location and change the permissions to make it executable for you. -For a more comprehensive installation (e.g. install also helper scripts) use the provided Makefile with each release tarball. Use the `install` target. +This will copy the getssl Bash script to the current location and change +the permissions to make it executable for you. + +For a more comprehensive installation (e.g. install also helper scripts) +use the provided Makefile with each release tarball. Use the `install` +target. You'll find the latest version in the git repository: -``` +```sh git clone https://github.com/srvrco/getssl.git ``` -For Arch Linux there are packages in the AUR, see [here](https://aur.archlinux.org/packages/getssl/) and [there](https://aur.archlinux.org/packages/getssl-git/). +For Arch Linux there are packages in the AUR, see +[here](https://aur.archlinux.org/packages/getssl/) and +[there](https://aur.archlinux.org/packages/getssl-git/). -If you use puppet, there is a [GetSSL Puppet module](https://github.com/dthielking/puppet_getssl) by dthielking +If you use puppet, there is a [GetSSL Puppet +module](https://github.com/dthielking/puppet_getssl) by dthielking ## Overview -GetSSL was written in standard bash ( so it can be run on a server, a desktop computer, or even a virtualbox) and add the checks, and certificates to a remote server ( providing you have a ssh with key, sftp or ftp access to the remote server). +GetSSL was written in standard bash ( so it can be run on a server, a +desktop computer, or even a virtualbox) and add the checks, and +certificates to a remote server ( providing you have a ssh with key, +sftp or ftp access to the remote server). -``` +```getssl getssl ver. 2.02 Obtain SSL certificates from the letsencrypt.org ACME server @@ -63,27 +95,36 @@ Options: Once you have obtained the script (see Installation above), the next step is to use -```./getssl -c yourdomain.com``` +```sh +./getssl -c yourdomain.com +``` -where yourdomain.com is the primary domain name that you want to create a certificate for. This will create the following folders and files. +where yourdomain.com is the primary domain name that you want to create +a certificate for. This will create the following folders and files. -``` +```sh ~/.getssl ~/.getssl/getssl.cfg ~/.getssl/yourdomain.com ~/.getssl/yourdomain.com/getssl.cfg ``` -You can then edit ~/.getssl/getssl.cfg to set the values you want as the default for the majority of your certificates. - -Then edit ~/.getssl/yourdomain.com/getssl.cfg to have the values you want for this specific domain (make sure to uncomment and specify correct `ACL` option, since it is required). +You can then edit `~/.getssl/getssl.cfg` to set the values you want as the +default for the majority of your certificates. -You can then just run; +Then edit `~/.getssl/yourdomain.com/getssl.cfg` to have the values you +want for this specific domain (make sure to uncomment and specify +correct `ACL` option, since it is required). -```getssl yourdomain.com ``` +You can then just run: -and it should run, providing output like; +```sh +getssl yourdomain.com ``` + +and it should run, providing output like: + +```sh Registering account Verify each domain Verifying yourdomain.com @@ -98,30 +139,41 @@ copying private key to ssh:server5:/home/yourdomain/ssl/domain.key copying CA certificate to ssh:server5:/home/yourdomain/ssl/chain.crt reloading SSL services ``` -**This will (by default) use the staging server, so should give you a certificate that isn't trusted ( Fake Let's Encrypt).** + +**This will (by default) use the staging server, so should give you a +certificate that isn't trusted ( Fake Let's Encrypt).** Change the server in your config file to get a fully valid certificate. -**Note:** Verification is done via port 80 (http), port 443 (https) or dns. The certificate can be used (and checked with getssl) on alternate ports. +**Note:** Verification is done via port 80 (http), port 443 (https) or +dns. The certificate can be used (and checked with getssl) on alternate +ports. ## Automating updates I use the following cron -``` + +```cron 23 5 * * * /root/scripts/getssl -u -a -q ``` -The cron will automatically update getssl and renew any certificates, only giving output if there are issues / errors. + +The cron will automatically update getssl and renew any certificates, +only giving output if there are issues / errors. * The -u flag updates getssl if there is a more recent version available. * The -a flag automatically renews any certificates that are due for renewal. -* The -q flag is "quiet" so that it only outputs and emails me if there was an error / issue. +* The -q flag is "quiet" so that it only outputs and emails me if there + was an error / issue. ## Structure -The design aim was to provide flexibility in running the code. The default working directory is ~/.getssl ( which can be modified via the command line) +The design aim was to provide flexibility in running the code. The +default working directory is `~/.getssl` (which can be modified via the +command line). -Within the **working directory** is a config file, getssl.cfg which is a simple bash file containing variables, an example of which is +Within the **working directory** is a config file `getssl.cfg` which is a +simple bash file containing variables, an example of which is: -``` +```getssl # Uncomment and modify any variables you need # The staging server is best for testing (hence set as default) CA="https://acme-staging.api.letsencrypt.org" @@ -143,9 +195,11 @@ RENEW_ALLOW="30" SSLCONF="/usr/lib/ssl/openssl.cnf" ``` -then, within the **working directory** there will be a folder for each certificate (based on its domain name). Within that folder will be a config file (again called getssl.cfg). An example of which is; +then, within the **working directory** there will be a folder for each +certificate (based on its domain name). Within that folder will be a +config file (again called `getssl.cfg`). An example of which is: -``` +```getssl # Uncomment and modify any variables you need # see https://github.com/srvrco/getssl/wiki/Config-variables for details # see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs @@ -195,19 +249,27 @@ RELOAD_CMD="service apache2 reload" #CHECK_REMOTE="true" ``` -If a location for a file starts with ssh: it is assumed the next part of the file is the hostname, followed by a colon, and then the path. -Files will be securely copied using scp, and it assumes that you have a key on the server ( for passwordless access). You can set the user, port etc for the server in your .ssh/config file +If a location for a file starts with `ssh:` it is assumed the next part +of the file is the hostname, followed by a colon, and then the path. +Files will be securely copied using scp, and it assumes that you have a +key on the server (for passwordless access). You can set the user, +port etc for the server in your `.ssh/config` file. -If an ACL starts with ftp: or sftp: it as assumed that the line is in the format "ftp:UserID:Password:servername:/path/to/acme-challenge". sftp requires sshpass. -Note: FTP can be used for copying tokens only and can **not** be used for uploading private key or certificates as it's not a secure method of transfer. +If an ACL starts with `ftp:` or `sftp:` it as assumed that the line is +in the format "ftp:UserID:Password:servername:/path/to/acme-challenge". +sftp requires sshpass. +Note: FTP can be used for copying tokens only +and can **not** be used for uploading private key or certificates as +it's not a secure method of transfer. ssh can also be used for the reload command if using on remote servers. Multiple locations can be defined for a file by separating the locations with a semi-colon. +A typical config file for `example.com` and `www.example.com` on the +same server would be: -A typical config file for example.com and www.example.com on the same server would be -``` +```getssl # uncomment and modify any variables you need # The staging server is best for testing CA="https://acme-staging.api.letsencrypt.org" @@ -231,6 +293,7 @@ RELOAD_CMD="service apache2 reload" ``` ## Server-Types + OpenSSL has built-in support for getting the certificate from a number of SSL services these are available in getssl to check if the certificate is installed correctly @@ -252,23 +315,32 @@ these are available in getssl to check if the certificate is installed correctly | ldaps | 636 | | | port number | | | - ## Revoke a certificate In general revoking a certificate is not required. Usage: `getssl -r path/to/cert path/to/key [CA_server]` -You need to specify both the certificate you want to revoke, and the account or private domain key which was used to sign / obtain the original certificate. The CA_server is an optional parameter and defaults to Let's Encrypt ( "https://acme-v01.api.letsencrypt.org" ) as that is currently the only Certificate Authority using the ACME protocol. - +You need to specify both the certificate you want to revoke, and the +account or private domain key which was used to sign / obtain the +original certificate. The `CA_server` is an optional parameter and +defaults to Let's Encrypt ("") as +that is currently the only Certificate Authority using the ACME +protocol. ## Elliptic curve keys -You can use Elliptic curve keys for both the account key and the domain key (different of course, don't use the same key for both). prime256v1 (NIST P-256) and secp384r1 (NIST P-384) are both fully supported. secp521r1 (NIST P-521) is included in the code, but not currently supported by Let's Encrypt). +You can use Elliptic curve keys for both the account key and the domain +key (different of course, don't use the same key for both). prime256v1 +(NIST P-256) and secp384r1 (NIST P-384) are both fully supported. +secp521r1 (NIST P-521) is included in the code, but not currently +supported by Let's Encrypt). ## Issues / problems / help -If you have any issues, please log them at https://github.com/srvrco/getssl/issues + +If you have any issues, please log them at There are additional help pages on the [wiki](https://github.com/srvrco/getssl/wiki) -If you have any suggestions for improvements then pull requests are welcomed, or raise an issue. +If you have any suggestions for improvements then pull requests are +welcomed, or raise an issue. From b1e177f45ea50e84be5f979cad967d823c37a637 Mon Sep 17 00:00:00 2001 From: Radek SPRTA Date: Wed, 22 Jan 2020 05:26:01 +0100 Subject: [PATCH 14/23] Handle domains of .co.uk type --- dns_scripts/dns_add_clouddns | 11 ++++++++++- dns_scripts/dns_del_clouddns | 11 ++++++++++- 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/dns_scripts/dns_add_clouddns b/dns_scripts/dns_add_clouddns index a4e3f81..f20d1ab 100755 --- a/dns_scripts/dns_add_clouddns +++ b/dns_scripts/dns_add_clouddns @@ -53,7 +53,16 @@ fi curl_params=( -H "Authorization: Bearer $access_token" -H 'Content-Type: application/json' ) # Get main domain -domain_root=$(echo "$fulldomain" | awk -F\. '{print $(NF-1) FS $NF}') +resp=$(curl --silent "${curl_params[@]}" -X POST "$API/domain/search" \ + --data "{\"search\": [{\"name\": \"clientId\", \"operator\": \"eq\", \"value\": \"$client\"}]}") +domain_slice="$fulldomain" +while [[ -z "$domain_root" ]]; do + if [[ "${resp// }" =~ domainName\":\"$domain_slice ]]; then + domain_root="$domain_slice" + _debug domain_root "$domain_root" + fi + domain_slice="${domain_slice#[^\.]*.}" +done # Get domain id resp=$(curl --silent "${curl_params[@]}" -X POST "$API/domain/search" \ diff --git a/dns_scripts/dns_del_clouddns b/dns_scripts/dns_del_clouddns index ec22c91..0b25121 100755 --- a/dns_scripts/dns_del_clouddns +++ b/dns_scripts/dns_del_clouddns @@ -53,7 +53,16 @@ fi curl_params=( -H "Authorization: Bearer $access_token" -H 'Content-Type: application/json' ) # Get main domain and challenge record -domain_root=$(echo "$fulldomain" | awk -F\. '{print $(NF-1) FS $NF}') +resp=$(curl --silent "${curl_params[@]}" -X POST "$API/domain/search" \ + --data "{\"search\": [{\"name\": \"clientId\", \"operator\": \"eq\", \"value\": \"$client\"}]}") +domain_slice="$fulldomain" +while [[ -z "$domain_root" ]]; do + if [[ "${resp// }" =~ domainName\":\"$domain_slice ]]; then + domain_root="$domain_slice" + _debug domain_root "$domain_root" + fi + domain_slice="${domain_slice#[^\.]*.}" +done txt_record="_acme-challenge.$fulldomain." # Get domain id From 25ab41135d550c6e7313838a008dad850057807d Mon Sep 17 00:00:00 2001 From: Tim Kimber Date: Wed, 22 Jan 2020 22:38:45 +0000 Subject: [PATCH 15/23] Fix json_get for 6 parameters when >9 domains --- getssl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/getssl b/getssl index 8269195..0646ce4 100755 --- a/getssl +++ b/getssl @@ -1192,7 +1192,7 @@ json_get() { # get values from json if [[ -n "$6" ]]; then full=$(json_awk "$1") section=$(echo "$full" | grep "\"$2\"" | grep "\"$3\"" | grep "\"$4\"" | awk -F"," '{print $2}') - echo "$full" | grep "^..${5}\",$section" | awk '{print $2}' | tr -d '"' + echo "$full" | grep "^..${5}\",$section\]" | awk '{print $2}' | tr -d '"' elif [[ -n "$5" ]]; then full=$(json_awk "$1") section=$(echo "$full" | grep "\"$2\"" | grep "\"$3\"" | grep "\"$4\"" | awk -F"," '{print $2}') From 839209d5285e1b87093b934128cf9449095a4ec6 Mon Sep 17 00:00:00 2001 From: Tim Kimber Date: Fri, 24 Jan 2020 18:58:20 +0000 Subject: [PATCH 16/23] Use urlbase64_decode instead of base64 -d --- getssl | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/getssl b/getssl index 8269195..48b2655 100755 --- a/getssl +++ b/getssl @@ -1445,7 +1445,7 @@ send_signed_request() { # Sends a request to the ACME server, signed with your p responseHeaders=$(cat "$CURL_HEADER") if [[ "$needbase64" && ${response##*()} != "{"* ]]; then # response is in base64 too, decode - response=$(echo "$response" | base64 -d 2>&1) + response=$(urlbase64_decode "$response") fi debug responseHeaders "$responseHeaders" @@ -1561,6 +1561,18 @@ urlbase64() { # urlbase64: base64 encoded string with '+' replaced with '-' and openssl base64 -e | tr -d '\n\r' | os_esed -e 's:=*$::g' -e 'y:+/:-_:' } +# base64url decode +# From: https://gist.github.com/alvis/89007e96f7958f2686036d4276d28e47 +urlbase64_decode() { + INPUT=$1 # $(if [ -z "$1" ]; then echo -n $(cat -); else echo -n "$1"; fi) + MOD=$(($(echo -n "$INPUT" | wc -c) % 4)) + PADDING=$(if [ $MOD -eq 2 ]; then echo -n '=='; elif [ $MOD -eq 3 ]; then echo -n '=' ; fi) + echo -n "$INPUT$PADDING" | + sed s/-/+/g | + sed s/_/\\//g | + openssl base64 -d -A +} + usage() { # echos out the program usage echo "Usage: $PROGNAME [-h|--help] [-d|--debug] [-c|--create] [-f|--force] [-a|--all] [-q|--quiet]"\ "[-Q|--mute] [-u|--upgrade] [-k|--keep #] [-U|--nocheck] [-r|--revoke cert key] [-w working_dir] domain" From 0040d84d22b4b6832c51855a96a78d6642377729 Mon Sep 17 00:00:00 2001 From: Tim Kimber Date: Fri, 24 Jan 2020 19:05:18 +0000 Subject: [PATCH 17/23] Update revision history --- getssl | 1 + 1 file changed, 1 insertion(+) diff --git a/getssl b/getssl index 0646ce4..32df8d1 100755 --- a/getssl +++ b/getssl @@ -197,6 +197,7 @@ # 2020-01-08 Error and exit if rate limited, exit if curl returns nothing # 2020-01-10 Change domain and getssl templates to v2 (2.15) # 2020-01-17 #473 and #477 Don't use POST-as-GET when sending ready for challenge for ACMEv1 (2.16) +# 2020-01-22 #475 and #483 Fix grep regex for >9 subdomains in json_get # ---------------------------------------------------------------------------------------- PROGNAME=${0##*/} From 52883615229334216d00507b0346fd04efba1310 Mon Sep 17 00:00:00 2001 From: Tim Kimber Date: Fri, 24 Jan 2020 20:17:15 +0000 Subject: [PATCH 18/23] Test using BATS --- docker-compose.yml | 54 ++++++++++++++-- test/1-simple-http01.bats | 28 +++++++++ test/2-simple-dns01.bats | 28 +++++++++ test/4-more-than-10-hosts.bats | 39 ++++++++++++ test/Dockerfile-centos6 | 22 +++++++ test/Dockerfile-rhel6 | 22 ------- ...{Dockerfile-ubuntu => Dockerfile-ubuntu18} | 10 +-- test/README.md | 26 +++++--- test/run-test.sh | 47 +++----------- test/test-config/getssl-dns01.cfg | 2 +- test/test-config/getssl-http01-10-hosts.cfg | 28 +++++++++ test/test-config/getssl-http01.cfg | 6 +- test/test-config/nginx-ubuntu-no-ssl | 63 ------------------- test/test_helper.bash | 44 +++++++++++++ 14 files changed, 274 insertions(+), 145 deletions(-) create mode 100644 test/1-simple-http01.bats create mode 100644 test/2-simple-dns01.bats create mode 100644 test/4-more-than-10-hosts.bats create mode 100644 test/Dockerfile-centos6 delete mode 100644 test/Dockerfile-rhel6 rename test/{Dockerfile-ubuntu => Dockerfile-ubuntu18} (66%) create mode 100644 test/test-config/getssl-http01-10-hosts.cfg create mode 100644 test/test_helper.bash diff --git a/docker-compose.yml b/docker-compose.yml index f4b3567..cbe52e2 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -7,8 +7,8 @@ services: environment: # with Go 1.13.x which defaults TLS 1.3 to on GODEBUG: "tls13=1" - # don't reuse authorizations (breaks testing force renew) - PEBBLE_AUTHZREUSE: 0 + # Don't re-use authorisations (breaks force renew test scripts) + # PEBBLE_AUTHZREUSE: "0" ports: - 14000:14000 # HTTPS ACME API - 15000:15000 # HTTPS Management API @@ -23,16 +23,60 @@ services: networks: acmenet: ipv4_address: 10.30.50.3 - getssl: + getssl-ubuntu18: build: context: . - dockerfile: test/Dockerfile-ubuntu - container_name: getssl + dockerfile: test/Dockerfile-ubuntu18 + container_name: getssl-ubuntu18 volumes: - .:/getssl + environment: + GETSSL_HOST: ubuntu18.getssl.test + GETSSL_IP: 10.30.50.4 + NGINX_CONFIG: /etc/nginx/sites-enabled/default networks: acmenet: ipv4_address: 10.30.50.4 + aliases: + - ubuntu18.getssl.test + - a.ubuntu18.getssl.test + - b.ubuntu18.getssl.test + - c.ubuntu18.getssl.test + - d.ubuntu18.getssl.test + - e.ubuntu18.getssl.test + - f.ubuntu18.getssl.test + - g.ubuntu18.getssl.test + - h.ubuntu18.getssl.test + - i.ubuntu18.getssl.test + - j.ubuntu18.getssl.test + - k.ubuntu18.getssl.test + getssl-centos6: + build: + context: . + dockerfile: test/Dockerfile-centos6 + container_name: getssl-centos6 + volumes: + - .:/getssl + environment: + GETSSL_HOST: centos6.getssl.test + GETSSL_IP: 10.30.50.5 + NGINX_CONFIG: /etc/nginx/conf.d/default.conf + networks: + acmenet: + ipv4_address: 10.30.50.5 + aliases: + - centos6.getssl.test + - a.centos6.getssl.test + - b.centos6.getssl.test + - c.centos6.getssl.test + - d.centos6.getssl.test + - e.centos6.getssl.test + - f.centos6.getssl.test + - g.centos6.getssl.test + - h.centos6.getssl.test + - i.centos6.getssl.test + - j.centos6.getssl.test + - k.centos6.getssl.test networks: acmenet: diff --git a/test/1-simple-http01.bats b/test/1-simple-http01.bats new file mode 100644 index 0000000..40416b2 --- /dev/null +++ b/test/1-simple-http01.bats @@ -0,0 +1,28 @@ +#! /usr/bin/env bats + +load '/bats-support/load.bash' +load '/bats-assert/load.bash' +load '/getssl/test/test_helper.bash' + + +# This is run for every test +setup() { + export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt +} + + +@test "Create new certificate using HTTP-01 verification" { + CONFIG_FILE="getssl-http01.cfg" + setup_environment + init_getssl + create_certificate + assert_success +} + + +@test "Force renewal of certificate using HTTP-01" { + #!FIXME test certificate has been updated + run ${CODE_DIR}/getssl -f $GETSSL_HOST + assert_success + cleanup_environment +} diff --git a/test/2-simple-dns01.bats b/test/2-simple-dns01.bats new file mode 100644 index 0000000..e1a37ec --- /dev/null +++ b/test/2-simple-dns01.bats @@ -0,0 +1,28 @@ +#! /usr/bin/env bats + +load '/bats-support/load.bash' +load '/bats-assert/load.bash' +load '/getssl/test/test_helper.bash' + + +# This is run for every test +setup() { + export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt +} + + +@test "Create new certificate using DNS-01 verification" { + CONFIG_FILE="getssl-dns01.cfg" + setup_environment + init_getssl + create_certificate + assert_success +} + + +@test "Force renewal of certificate using DNS-01" { + #!FIXME test certificate has been updated + run ${CODE_DIR}/getssl -f $GETSSL_HOST + assert_success + cleanup_environment +} diff --git a/test/4-more-than-10-hosts.bats b/test/4-more-than-10-hosts.bats new file mode 100644 index 0000000..0493197 --- /dev/null +++ b/test/4-more-than-10-hosts.bats @@ -0,0 +1,39 @@ +#! /usr/bin/env bats + +load '/bats-support/load.bash' +load '/bats-assert/load.bash' +load '/getssl/test/test_helper.bash' + + +# This is run for every test +setup() { + export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt +} + + +@test "Create certificates for more than 10 hosts using HTTP-01 verification" { + CONFIG_FILE="getssl-http01-10-hosts.cfg" + setup_environment + + # Add 11 hosts to DNS (also need to be added as aliases in docker-compose.yml) + for prefix in a b c d e f g h i j k; do + curl -X POST -d '{"host":"'$prefix.$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a + done + + init_getssl + create_certificate + assert_success +} + + +@test "Force renewal of more than 10 certificates using HTTP-01" { + #!FIXME test certificate has been updated + run ${CODE_DIR}/getssl -f $GETSSL_HOST + assert_success + + # Remove all the dns aliases + cleanup_environment + for prefix in a b c d e f g h i j k; do + curl -X POST -d '{"host":"'$prefix.$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/del-a + done +} diff --git a/test/Dockerfile-centos6 b/test/Dockerfile-centos6 new file mode 100644 index 0000000..f370a0b --- /dev/null +++ b/test/Dockerfile-centos6 @@ -0,0 +1,22 @@ +FROM centos:centos6 + +# Update and install required software +RUN yum -y update +RUN yum -y install epel-release +RUN yum -y install git curl dnsutils wget nginx + +WORKDIR /root +RUN mkdir /etc/nginx/pki +RUN mkdir /etc/nginx/pki/private +COPY ./test/test-config/nginx-ubuntu-no-ssl /etc/nginx/conf.d/default.conf + +# BATS (Bash Automated Testings) +RUN git clone https://github.com/bats-core/bats-core.git /bats-core +RUN git clone https://github.com/jasonkarns/bats-support /bats-support +RUN git clone https://github.com/jasonkarns/bats-assert-1 /bats-assert +RUN /bats-core/install.sh /usr/local + +EXPOSE 80 443 + +# Run eternal loop - for testing +CMD ["/bin/bash", "-c", "while :; do sleep 10; done"] diff --git a/test/Dockerfile-rhel6 b/test/Dockerfile-rhel6 deleted file mode 100644 index 019da84..0000000 --- a/test/Dockerfile-rhel6 +++ /dev/null @@ -1,22 +0,0 @@ -FROM roboxes/rhel6 -# FROM centos:centos6 -# bionic = latest 18 version - -# Update and install required software -RUN yum -y update -RUN yum -y install epel-release -RUN yum -y install git curl dnsutils wget # nginx-light - -WORKDIR /root -#RUN mkdir /etc/nginx/pki -#RUN mkdir /etc/nginx/pki/private -#COPY ./test/test-config/nginx-ubuntu-sites-enabled-default /etc/nginx/sites-enabled/default - -# BATS (Bash Automated Testings) -# RUN git clone https://github.com/bats-core/bats-core.git -# RUN bats-core/install.sh /usr/local - -EXPOSE 80 443 - -# Run eternal loop - for testing -CMD ["/bin/bash", "-c", "while :; do sleep 10; done"] diff --git a/test/Dockerfile-ubuntu b/test/Dockerfile-ubuntu18 similarity index 66% rename from test/Dockerfile-ubuntu rename to test/Dockerfile-ubuntu18 index b0f09f8..6dd92c6 100644 --- a/test/Dockerfile-ubuntu +++ b/test/Dockerfile-ubuntu18 @@ -1,8 +1,8 @@ -FROM ubuntu:xenial +FROM ubuntu:bionic # bionic = latest 18 version # Update and install required software -RUN apt-get update +RUN apt-get update --fix-missing # TODO work out why default version of awk fails RUN apt-get install -y git curl dnsutils wget gawk nginx-light # linux-libc-dev make gcc binutils RUN apt-get install -y vim dos2unix # for debugging @@ -14,8 +14,10 @@ RUN mkdir /etc/nginx/pki/private COPY ./test/test-config/nginx-ubuntu-no-ssl /etc/nginx/sites-enabled/default # BATS (Bash Automated Testings) -# RUN git clone https://github.com/bats-core/bats-core.git -# RUN bats-core/install.sh /usr/local +RUN git clone https://github.com/bats-core/bats-core.git /bats-core +RUN git clone https://github.com/jasonkarns/bats-support /bats-support +RUN git clone https://github.com/jasonkarns/bats-assert-1 /bats-assert +RUN /bats-core/install.sh /usr/local EXPOSE 80 443 diff --git a/test/README.md b/test/README.md index 086c58a..9157aa8 100644 --- a/test/README.md +++ b/test/README.md @@ -12,21 +12,29 @@ docker-compose -f "docker-compose.yml" up -d --build Run the tests ```sh -docker exec -it getssl /getssl/test/run-test.sh +docker exec -it getssl bats /getssl/test ``` -Debug (need to set `CURL_CA_BUNDLE` as pebble uses a local certificate, +Run individual test + +```sh +docker exec -it getssl bats /getssl/test/ +``` + +Debug (uses helper script to set `CURL_CA_BUNDLE` as pebble uses a local certificate, otherwise you get a "unknown API version" error) ```sh -docker exec -it getssl /bin/bash -export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt -/getssl/getssl -d getssl +docker exec -it getssl- /getssl/test/run-test.sh ` + +eg. + +```sh +docker exec -it getssl-ubuntu18 /getssl/test/run-test.sh getssl-http01.cfg ``` ## TODO -1. Move to BATS (bash automated testing) instead of run-test.sh -2. Test RHEL6, Debian as well -3. Test SSH, SFTP -4. Test wildcards +1. Test RHEL6, Debian as well +2. Test SSH, SFTP +3. Test wildcards diff --git a/test/run-test.sh b/test/run-test.sh index 8051922..b6f7c72 100644 --- a/test/run-test.sh +++ b/test/run-test.sh @@ -1,43 +1,14 @@ -#! /bin/bash +#!/usr/bin/env bash -set -e +# This runs getssl outside of the BATS framework for debugging, etc, against pebble +# Usage: /getssl/test/run-test.sh getssl-http01.cfg -# Test setup -if [[ -d /root/.getssl ]]; then - rm -r /root/.getssl -fi +CONFIG_FILE=$1 +source /getssl/test/test_helper.bash -wget --no-clobber https://raw.githubusercontent.com/letsencrypt/pebble/master/test/certs/pebble.minica.pem -# cat /etc/pki/tls/certs/ca-bundle.crt /root/pebble.minica.pem > /root/pebble-ca-bundle.crt -cat /etc/ssl/certs/ca-certificates.crt /root/pebble.minica.pem > /root/pebble-ca-bundle.crt +setup_environment 3>&1 export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt -curl -X POST -d '{"host":"getssl", "addresses":["10.30.50.4"]}' http://10.30.50.3:8055/add-a - -# Test #1 - http-01 verification -echo Test \#1 - http-01 verification - -cp /getssl/test/test-config/nginx-ubuntu-no-ssl /etc/nginx/sites-enabled/default -service nginx restart -/getssl/getssl -c getssl -cp /getssl/test/test-config/getssl-http01.cfg /root/.getssl/getssl/getssl.cfg -/getssl/getssl -f getssl - -# Test #2 - http-01 forced renewal -echo Test \#2 - http-01 forced renewal -/getssl/getssl getssl -f - -# Test cleanup -rm -r /root/.getssl - -# Test #3 - dns-01 verification -echo Test \#3 - dns-01 verification -cp /getssl/test/test-config/nginx-ubuntu-no-ssl /etc/nginx/sites-enabled/default -service nginx restart -/getssl/getssl -c getssl -cp /getssl/test/test-config/getssl-dns01.cfg /root/.getssl/getssl/getssl.cfg -/getssl/getssl getssl - -# Test #4 - dns-01 forced renewal -echo Test \#4 - dns-01 forced renewal -/getssl/getssl getssl -f +"${CODE_DIR}/getssl" -c "$GETSSL_HOST" 3>&1 +cp "${CODE_DIR}/test/test-config/${CONFIG_FILE}" "${INSTALL_DIR}/.getssl/${GETSSL_HOST}/getssl.cfg" +"${CODE_DIR}/getssl" -f -d "$GETSSL_HOST" 3>&1 diff --git a/test/test-config/getssl-dns01.cfg b/test/test-config/getssl-dns01.cfg index 49c58b5..790dee2 100644 --- a/test/test-config/getssl-dns01.cfg +++ b/test/test-config/getssl-dns01.cfg @@ -44,7 +44,7 @@ DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert # The command needed to reload apache / nginx or whatever you use -RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl /etc/nginx/sites-enabled/default && service nginx restart" +RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && service nginx restart >&3-" # Define the server type. This can be https, ftp, ftpi, imap, imaps, pop3, pop3s, smtp, # smtps_deprecated, smtps, smtp_submission, xmpp, xmpps, ldaps or a port number which diff --git a/test/test-config/getssl-http01-10-hosts.cfg b/test/test-config/getssl-http01-10-hosts.cfg new file mode 100644 index 0000000..f521d52 --- /dev/null +++ b/test/test-config/getssl-http01-10-hosts.cfg @@ -0,0 +1,28 @@ +# Uncomment and modify any variables you need +# see https://github.com/srvrco/getssl/wiki/Config-variables for details +# see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs + +CA="https://pebble:14000/dir" + +# Additional domains - this could be multiple domains / subdomains in a comma separated list +# Note: this is Additional domains - so should not include the primary domain. +SANS="a.${GETSSL_HOST},b.${GETSSL_HOST},c.${GETSSL_HOST},d.${GETSSL_HOST},e.${GETSSL_HOST},f.${GETSSL_HOST},g.${GETSSL_HOST},h.${GETSSL_HOST},i.${GETSSL_HOST},j.${GETSSL_HOST},k.${GETSSL_HOST}" + +# Acme Challenge Location. +ACL=('/var/www/html/.well-known/acme-challenge') + +# Use a single ACL for all checks +USE_SINGLE_ACL="true" + +# Location for all your certs, these can either be on the server (full path name) +DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt" +DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key" +CA_CERT_LOCATION="/etc/nginx/pki/chain.crt" +DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert +DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert + +# The command needed to reload apache / nginx or whatever you use +RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && service nginx restart >&3-" + +#SERVER_TYPE="https" +#CHECK_REMOTE="true" diff --git a/test/test-config/getssl-http01.cfg b/test/test-config/getssl-http01.cfg index f3dc5ad..305dd49 100644 --- a/test/test-config/getssl-http01.cfg +++ b/test/test-config/getssl-http01.cfg @@ -43,11 +43,11 @@ DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert # The command needed to reload apache / nginx or whatever you use -RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl /etc/nginx/sites-enabled/default && service nginx restart" +RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && service nginx restart >&3-" # Define the server type. This can be https, ftp, ftpi, imap, imaps, pop3, pop3s, smtp, # smtps_deprecated, smtps, smtp_submission, xmpp, xmpps, ldaps or a port number which # will be checked for certificate expiry and also will be checked after # an update to confirm correct certificate is running (if CHECK_REMOTE) is set to true -#SERVER_TYPE="https" -#CHECK_REMOTE="true" +SERVER_TYPE="https" +CHECK_REMOTE="true" diff --git a/test/test-config/nginx-ubuntu-no-ssl b/test/test-config/nginx-ubuntu-no-ssl index c78d646..e7b046e 100644 --- a/test/test-config/nginx-ubuntu-no-ssl +++ b/test/test-config/nginx-ubuntu-no-ssl @@ -1,16 +1,3 @@ -## -# You should look at the following URL's in order to grasp a solid understanding -# of Nginx configuration files in order to fully unleash the power of Nginx. -# http://wiki.nginx.org/Pitfalls -# http://wiki.nginx.org/QuickStart -# http://wiki.nginx.org/Configuration -# -# Generally, you will want to move this file somewhere, and start with a clean -# file but keep this around for reference. Or just disable in sites-enabled. -# -# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples. -## - # Default server configuration # server { @@ -26,18 +13,6 @@ server { listen 5001 default_server; listen [::]:5001 default_server; - # - # Note: You should disable gzip for SSL traffic. - # See: https://bugs.debian.org/773332 - # - # Read up on ssl_ciphers to ensure a secure configuration. - # See: https://bugs.debian.org/765782 - # - # Self signed certs generated by the ssl-cert package - # Don't use them in a production server! - # - # include snippets/snakeoil.conf; - root /var/www/html; # Add index.php to the list if you are using PHP @@ -52,42 +27,4 @@ server { # as directory, then fall back to displaying a 404. try_files $uri $uri/ =404; } - - # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 - # - #location ~ \.php$ { - # include snippets/fastcgi-php.conf; - # - # # With php7.0-cgi alone: - # fastcgi_pass 127.0.0.1:9000; - # # With php7.0-fpm: - # fastcgi_pass unix:/run/php/php7.0-fpm.sock; - #} - - # deny access to .htaccess files, if Apache's document root - # concurs with nginx's one - # - #location ~ /\.ht { - # deny all; - #} } - - -# Virtual Host configuration for example.com -# -# You can move that to a different file under sites-available/ and symlink that -# to sites-enabled/ to enable it. -# -#server { -# listen 80; -# listen [::]:80; -# -# server_name example.com; -# -# root /var/www/example.com; -# index index.html; -# -# location / { -# try_files $uri $uri/ =404; -# } -#} diff --git a/test/test_helper.bash b/test/test_helper.bash new file mode 100644 index 0000000..6f506fd --- /dev/null +++ b/test/test_helper.bash @@ -0,0 +1,44 @@ +INSTALL_DIR=/root +CODE_DIR=/getssl + + +setup_environment() { + # One-off test setup + if [[ -d ${INSTALL_DIR}/.getssl ]]; then + rm -r ${INSTALL_DIR}/.getssl + fi + + if [ ! -f ${INSTALL_DIR}/pebble.minica.pem ]; then + wget --no-clobber https://raw.githubusercontent.com/letsencrypt/pebble/master/test/certs/pebble.minica.pem 2>&1 + CERT_FILE=/etc/ssl/certs/ca-certificates.crt + if [ ! -f $CERT_FILE ]; then + CERT_FILE=/etc/pki/tls/certs/ca-bundle.crt + fi + cat $CERT_FILE ${INSTALL_DIR}/pebble.minica.pem > ${INSTALL_DIR}/pebble-ca-bundle.crt + fi + + curl -X POST -d '{"host":"'"$GETSSL_HOST"'", "addresses":["'"$GETSSL_IP"'"]}' http://10.30.50.3:8055/add-a + cp ${CODE_DIR}/test/test-config/nginx-ubuntu-no-ssl ${NGINX_CONFIG} + service nginx restart >&3- +} + + +cleanup_environment() { + curl -X POST -d '{"host":"'"$GETSSL_HOST"'", "addresses":["'"$GETSSL_IP"'"]}' http://10.30.50.3:8055/del-a +} + + +init_getssl() { + # Run initialisation (create account key, etc) + run ${CODE_DIR}/getssl -c "$GETSSL_HOST" + assert_success + [ -d "$INSTALL_DIR/.getssl" ] +} + + +create_certificate() { + # Create certificate + cp "${CODE_DIR}/test/test-config/${CONFIG_FILE}" "${INSTALL_DIR}/.getssl/${GETSSL_HOST}/getssl.cfg" + run ${CODE_DIR}/getssl "$GETSSL_HOST" + #!FIXME test certificate has been placed in the expected location +} From b3480db63b498798de9295c8d1153eb145c7dbd9 Mon Sep 17 00:00:00 2001 From: Tim Kimber Date: Fri, 24 Jan 2020 20:17:52 +0000 Subject: [PATCH 19/23] Fix for "already verified" problem seen with ACMEv2 during testing --- getssl | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/getssl b/getssl index 622fcb1..a542c0b 100755 --- a/getssl +++ b/getssl @@ -1608,13 +1608,13 @@ write_domain_template() { # write out a template file for a domain. # If these start with ftp: then the next variables are ftpuserid:ftppassword:servername:ACL_location # These should be of the form "/path/to/your/website/folder/.well-known/acme-challenge" # where "/path/to/your/website/folder/" is the path, on your web server, to the web root for your domain. - # You can also user WebDAV over HTTPS as transport mechanism. To do so, start with davs: followed by username, - # password, host, port (explicitly needed even if using default port 443) and path on the server. + # You can also user WebDAV over HTTPS as transport mechanism. To do so, start with davs: followed by username, + # password, host, port (explicitly needed even if using default port 443) and path on the server. #ACL=('/var/www/${DOMAIN}/web/.well-known/acme-challenge' # 'ssh:server5:/var/www/${DOMAIN}/web/.well-known/acme-challenge' # 'ssh:sshuserid@server5:/var/www/${DOMAIN}/web/.well-known/acme-challenge' # 'ftp:ftpuserid:ftppassword:${DOMAIN}:/web/.well-known/acme-challenge' - # 'davs:davsuserid:davspassword:{DOMAIN}:443:/web/.well-known/acme-challenge') + # 'davs:davsuserid:davspassword:{DOMAIN}:443:/web/.well-known/acme-challenge') #Set USE_SINGLE_ACL="true" to use a single ACL for all checks #USE_SINGLE_ACL="false" @@ -2212,7 +2212,7 @@ for d in $alldomains; do error_exit "new-authz error: $response" fi else - response_status="" + send_signed_request "${AuthLink[$dn]}" "" fi if [[ $response_status == "valid" ]]; then @@ -2237,7 +2237,6 @@ for d in $alldomains; do uri=$(json_get "$response" "uri" "dns-01") debug uri "$uri" else # APIv2 - send_signed_request "${AuthLink[$dn]}" "" debug "authlink response = $response" # get the token from the http-01 component token=$(json_get "$response" "challenges" "type" "dns-01" "token") From 08a6485911c22d71adc561d9331f7008a98ee1a7 Mon Sep 17 00:00:00 2001 From: Tim Kimber Date: Sun, 26 Jan 2020 14:09:39 +0000 Subject: [PATCH 20/23] Update revision history --- getssl | 2 ++ 1 file changed, 2 insertions(+) diff --git a/getssl b/getssl index 6c3870f..763677f 100755 --- a/getssl +++ b/getssl @@ -200,6 +200,8 @@ # 2020-01-22 #475 and #483 Fix grep regex for >9 subdomains in json_get # 2020-01-24 Add support for CloudDNS # 2020-01-24 allow file transfer using WebDAV over HTTPS +# 2020-01-26 Use urlbase64_decode() instead of base64 -d +# 2020-01-26 Fix "already verified" error for ACMEv2 # ---------------------------------------------------------------------------------------- PROGNAME=${0##*/} From d8a0e4ca237545b6515d29beba193c9edf4d07c4 Mon Sep 17 00:00:00 2001 From: Tim Kimber Date: Tue, 28 Jan 2020 19:47:15 +0100 Subject: [PATCH 21/23] Check output for "Error", "Failed" and "Warning" --- test/1-simple-http01.bats | 6 ++++++ test/2-simple-dns01.bats | 6 ++++++ test/4-more-than-10-hosts.bats | 7 ++++++- test/Dockerfile-ubuntu18 | 3 +++ test/README.md | 6 +++--- test/{run-test.sh => debug-test.sh} | 4 ++-- test/run-all-tests.sh | 4 ++++ 7 files changed, 30 insertions(+), 6 deletions(-) rename test/{run-test.sh => debug-test.sh} (79%) create mode 100644 test/run-all-tests.sh diff --git a/test/1-simple-http01.bats b/test/1-simple-http01.bats index 40416b2..4c55304 100644 --- a/test/1-simple-http01.bats +++ b/test/1-simple-http01.bats @@ -17,6 +17,9 @@ setup() { init_getssl create_certificate assert_success + refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]' + refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]' + refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]' } @@ -24,5 +27,8 @@ setup() { #!FIXME test certificate has been updated run ${CODE_DIR}/getssl -f $GETSSL_HOST assert_success + refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]' + refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]' + refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]' cleanup_environment } diff --git a/test/2-simple-dns01.bats b/test/2-simple-dns01.bats index e1a37ec..9d9f44b 100644 --- a/test/2-simple-dns01.bats +++ b/test/2-simple-dns01.bats @@ -17,6 +17,9 @@ setup() { init_getssl create_certificate assert_success + refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]' + refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]' + refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]' } @@ -24,5 +27,8 @@ setup() { #!FIXME test certificate has been updated run ${CODE_DIR}/getssl -f $GETSSL_HOST assert_success + refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]' + refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]' + refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]' cleanup_environment } diff --git a/test/4-more-than-10-hosts.bats b/test/4-more-than-10-hosts.bats index 0493197..01e364d 100644 --- a/test/4-more-than-10-hosts.bats +++ b/test/4-more-than-10-hosts.bats @@ -23,6 +23,9 @@ setup() { init_getssl create_certificate assert_success + refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]' + refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]' + refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]' } @@ -30,7 +33,9 @@ setup() { #!FIXME test certificate has been updated run ${CODE_DIR}/getssl -f $GETSSL_HOST assert_success - + refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]' + refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]' + refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]' # Remove all the dns aliases cleanup_environment for prefix in a b c d e f g h i j k; do diff --git a/test/Dockerfile-ubuntu18 b/test/Dockerfile-ubuntu18 index 6dd92c6..1b3765c 100644 --- a/test/Dockerfile-ubuntu18 +++ b/test/Dockerfile-ubuntu18 @@ -13,6 +13,9 @@ RUN mkdir /etc/nginx/pki RUN mkdir /etc/nginx/pki/private COPY ./test/test-config/nginx-ubuntu-no-ssl /etc/nginx/sites-enabled/default +# Prevent "Can't load /root/.rnd into RNG" error from openssl +RUN touch /root/.rnd + # BATS (Bash Automated Testings) RUN git clone https://github.com/bats-core/bats-core.git /bats-core RUN git clone https://github.com/jasonkarns/bats-support /bats-support diff --git a/test/README.md b/test/README.md index 9157aa8..98ff929 100644 --- a/test/README.md +++ b/test/README.md @@ -12,7 +12,7 @@ docker-compose -f "docker-compose.yml" up -d --build Run the tests ```sh -docker exec -it getssl bats /getssl/test +test/run-all-tests.sh ``` Run individual test @@ -25,12 +25,12 @@ Debug (uses helper script to set `CURL_CA_BUNDLE` as pebble uses a local certifi otherwise you get a "unknown API version" error) ```sh -docker exec -it getssl- /getssl/test/run-test.sh ` +docker exec -it getssl- /getssl/test/debug-test.sh ` eg. ```sh -docker exec -it getssl-ubuntu18 /getssl/test/run-test.sh getssl-http01.cfg +docker exec -it getssl-ubuntu18 /getssl/test/debug-test.sh getssl-http01.cfg ``` ## TODO diff --git a/test/run-test.sh b/test/debug-test.sh similarity index 79% rename from test/run-test.sh rename to test/debug-test.sh index b6f7c72..23d1983 100644 --- a/test/run-test.sh +++ b/test/debug-test.sh @@ -1,7 +1,7 @@ #!/usr/bin/env bash # This runs getssl outside of the BATS framework for debugging, etc, against pebble -# Usage: /getssl/test/run-test.sh getssl-http01.cfg +# Usage: /getssl/test/debug-test.sh getssl-http01.cfg CONFIG_FILE=$1 source /getssl/test/test_helper.bash @@ -11,4 +11,4 @@ export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt "${CODE_DIR}/getssl" -c "$GETSSL_HOST" 3>&1 cp "${CODE_DIR}/test/test-config/${CONFIG_FILE}" "${INSTALL_DIR}/.getssl/${GETSSL_HOST}/getssl.cfg" -"${CODE_DIR}/getssl" -f -d "$GETSSL_HOST" 3>&1 +"${CODE_DIR}/getssl" -f "$GETSSL_HOST" 3>&1 diff --git a/test/run-all-tests.sh b/test/run-all-tests.sh new file mode 100644 index 0000000..d0749e1 --- /dev/null +++ b/test/run-all-tests.sh @@ -0,0 +1,4 @@ +#!/usr/bin/env bash + +docker exec -it getssl-centos6 bats /getssl/test +docker exec -it getssl-ubuntu18 bats /getssl/test From 2a5824afeff449e35d513a457f0f1ea8560bd78c Mon Sep 17 00:00:00 2001 From: Tim Kimber Date: Wed, 29 Jan 2020 15:27:57 +0100 Subject: [PATCH 22/23] Show error message if awk doesn't support json_awk --- docker-compose.yml | 16 ++++++++++++++++ getssl | 11 +++++++++++ test/5-old-awk-error.bats | 25 +++++++++++++++++++++++++ test/Dockerfile-ubuntu18-no-gawk | 17 +++++++++++++++++ test/run-all-tests.sh | 1 + 5 files changed, 70 insertions(+) create mode 100644 test/5-old-awk-error.bats create mode 100644 test/Dockerfile-ubuntu18-no-gawk diff --git a/docker-compose.yml b/docker-compose.yml index cbe52e2..d031d30 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -77,6 +77,22 @@ services: - i.centos6.getssl.test - j.centos6.getssl.test - k.centos6.getssl.test + getssl-ubuntu18-no-gawk: + build: + context: . + dockerfile: test/Dockerfile-ubuntu18-no-gawk + container_name: getssl-ubuntu18-no-gawk + volumes: + - .:/getssl + environment: + GETSSL_HOST: ubuntu18-no-gawk.getssl.test + GETSSL_IP: 10.30.50.6 + NGINX_CONFIG: /etc/nginx/sites-enabled/default + networks: + acmenet: + ipv4_address: 10.30.50.6 + aliases: + - ubuntu18-no-gawk.getssl.test networks: acmenet: diff --git a/getssl b/getssl index 763677f..810a30a 100755 --- a/getssl +++ b/getssl @@ -15,6 +15,8 @@ # For usage, run "getssl -h" or see https://github.com/srvrco/getssl +# ACMEv2 process is documented at https://tools.ietf.org/html/rfc8555#section-7.4 + # Revision history: # 2016-01-08 Created (v0.1) # 2016-01-11 type correction and upload to github (v0.2) @@ -202,6 +204,7 @@ # 2020-01-24 allow file transfer using WebDAV over HTTPS # 2020-01-26 Use urlbase64_decode() instead of base64 -d # 2020-01-26 Fix "already verified" error for ACMEv2 +# 2020-01-29 Check awk new enough to support json_awk # ---------------------------------------------------------------------------------------- PROGNAME=${0##*/} @@ -1982,6 +1985,14 @@ else fi debug "Using API v$API" +# Check if awk supports json_awk (required for ACMEv2) +if [[ $API -eq 2 ]]; then + json_awk_test=$(json_awk '{ "test": "1" }' 2>/dev/null) + if [[ "${json_awk_test}" == "" ]]; then + error_exit "Your version of awk does not work with json_awk (see http://github.com/step-/JSON.awk/issues/6), please install a newer version of mawk or gawk" + fi +fi + # if check_remote is true then connect and obtain the current certificate (if not forcing renewal) if [[ "${CHECK_REMOTE}" == "true" ]] && [[ $_FORCE_RENEW -eq 0 ]]; then debug "getting certificate for $DOMAIN from remote server" diff --git a/test/5-old-awk-error.bats b/test/5-old-awk-error.bats new file mode 100644 index 0000000..4a00b31 --- /dev/null +++ b/test/5-old-awk-error.bats @@ -0,0 +1,25 @@ +#! /usr/bin/env bats + +load '/bats-support/load.bash' +load '/bats-assert/load.bash' +load '/getssl/test/test_helper.bash' + + +# This is run for every test +setup() { + export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt +} + + +@test "Check getssl fails if an old version of awk is installed" { + CONFIG_FILE="getssl-http01.cfg" + # Make sure this test only runs on an image running an old version of awk + awk_version=$(awk -V 2>/dev/null) || true + if [[ "$awk_version" == "" ]]; then + setup_environment + init_getssl + create_certificate + assert_failure + assert_output "getssl: Your version of awk does not work with json_awk (see http://github.com/step-/JSON.awk/issues/6), please install a newer version of mawk or gawk" + fi +} diff --git a/test/Dockerfile-ubuntu18-no-gawk b/test/Dockerfile-ubuntu18-no-gawk new file mode 100644 index 0000000..809708a --- /dev/null +++ b/test/Dockerfile-ubuntu18-no-gawk @@ -0,0 +1,17 @@ +FROM ubuntu:bionic +# bionic = latest 18 version + +# Update and install required software +RUN apt-get update --fix-missing +RUN apt-get install -y git curl dnsutils wget nginx-light + +WORKDIR /root + +# BATS (Bash Automated Testings) +RUN git clone https://github.com/bats-core/bats-core.git /bats-core +RUN git clone https://github.com/jasonkarns/bats-support /bats-support +RUN git clone https://github.com/jasonkarns/bats-assert-1 /bats-assert +RUN /bats-core/install.sh /usr/local + +# Run eternal loop - for testing +CMD ["/bin/bash", "-c", "while :; do sleep 10; done"] diff --git a/test/run-all-tests.sh b/test/run-all-tests.sh index d0749e1..7372e5b 100644 --- a/test/run-all-tests.sh +++ b/test/run-all-tests.sh @@ -2,3 +2,4 @@ docker exec -it getssl-centos6 bats /getssl/test docker exec -it getssl-ubuntu18 bats /getssl/test +docker exec -it getssl-ubuntu18-no-gawk bats /getssl/test/5-old-awk-error.bats From b785c42bab857d1f5f041dbe969cd443433b096f Mon Sep 17 00:00:00 2001 From: Tim Kimber Date: Wed, 29 Jan 2020 18:04:51 +0100 Subject: [PATCH 23/23] Less fragile way of deciding whether to run old awk test --- docker-compose.yml | 1 + test/5-old-awk-error.bats | 3 +-- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index d031d30..97bb1e5 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -88,6 +88,7 @@ services: GETSSL_HOST: ubuntu18-no-gawk.getssl.test GETSSL_IP: 10.30.50.6 NGINX_CONFIG: /etc/nginx/sites-enabled/default + TEST_AWK: "yes" networks: acmenet: ipv4_address: 10.30.50.6 diff --git a/test/5-old-awk-error.bats b/test/5-old-awk-error.bats index 4a00b31..0f234a2 100644 --- a/test/5-old-awk-error.bats +++ b/test/5-old-awk-error.bats @@ -14,8 +14,7 @@ setup() { @test "Check getssl fails if an old version of awk is installed" { CONFIG_FILE="getssl-http01.cfg" # Make sure this test only runs on an image running an old version of awk - awk_version=$(awk -V 2>/dev/null) || true - if [[ "$awk_version" == "" ]]; then + if [[ "$TEST_AWK" != "" ]]; then setup_environment init_getssl create_certificate