
Merge pull request #593 from srvrco/fix-add-sans

Add more info to debug statements when running tests
pull/595/head
Tim Kimber 5 years ago
committed by GitHub
parent
commit
e8d09c4df8
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 184 additions and 42 deletions
  1. +37
    -28
      getssl
  2. +61
    -0
      test/19-test-add-to-sans.bats
  3. +37
    -0
      test/test-config/getssl-dns01-add-to-sans-1.cfg
  4. +37
    -0
      test/test-config/getssl-dns01-add-to-sans-2.cfg
  5. +5
    -6
      test/test-config/getssl-staging-dns01-no-suffix.cfg
  6. +7
    -8
      test/test-config/getssl-staging-dns01.cfg

+ 37
- 28
getssl View File

@ -629,10 +629,10 @@ check_getssl_upgrade() { # check if a more recent version of code is available a
if [[ "${latestvdec:-0}" -gt "$localvdec" ]]; then
if [[ ${_UPGRADE} -eq 1 ]]; then
if ! install "$0" "${0}.v${VERSION}"; then
error_exit "problem renaming old version while updating, check permissions"
error_exit "problem renaming old version while updating, check permissions"
fi
if ! install -m 700 "$TEMP_UPGRADE_FILE" "$0"; then
error_exit "problem installing new version while updating, check permissions"
error_exit "problem installing new version while updating, check permissions"
fi
if [[ ${_MUTE} -eq 0 ]]; then
echo "Updated getssl from v${VERSION} to v${latestversion}"
@ -819,7 +819,7 @@ create_csr() { # create a csr using a given key (if it doesn't already exist)
for d in $alldomains; do
if [[ "$(echo "${domains_in_csr}"| grep "^${d}$")" != "${d}" ]]; then
info "existing csr at $csr_file does not contain ${d} - re-create-csr"\
".... $(echo "${domains_in_csr}"| grep "^${d}$")"
".... $(echo "${domains_in_csr}"| grep "^${d}$")"
_RECREATE_CSR=1
fi
done
@ -889,6 +889,7 @@ create_order() {
OrderLink=$(echo "$responseHeaders" | grep -i location | awk '{print $2}'| tr -d '\r\n ')
debug "Order link $OrderLink"
FinalizeLink=$(json_get "$response" "finalize")
debug "Finalize link $FinalizeLink"
if [[ $API -eq 1 ]]; then
dn=0
@ -915,6 +916,7 @@ create_order() {
d=$(echo "$d" | tr "[:upper:]" "[:lower:]")
if [ "$d" == "$authdomain" ]; then
debug "Saving authorization response for $authdomain for domain alldomains[$dn]"
debug "Response = ${response//[$'\t\r\n']}"
AuthLinkResponse[$dn]=$response
AuthLinkResponseHeader[$dn]=$responseHeaders
fi
@ -957,7 +959,7 @@ debug() { # write out debug info if the debug flag has been set
if [[ ${_USE_DEBUG} -eq 1 ]]; then
# If running tests then output in TAP format (for debugging tests)
if [[ ${_RUNNING_TEST} -eq 1 ]]; then
echo "#" "$@" >&3
echo "# $(date "+%b %d %T") ${FUNCNAME[1]}:${BASH_LINENO[1]}" "$@" >&3
else
echo " "
echo "$@"
@ -1047,7 +1049,7 @@ for d in $alldomains; do
uri=$(json_get "$response" "uri" "dns-01")
debug uri "$uri"
else # APIv2
debug "authlink response = $response"
debug "authlink response = ${response//[$'\t\r\n']}"
# get the token and uri from the dns-01 component
token=$(json_get "$response" "challenges" "type" "dns-01" "token")
uri=$(json_get "$response" "challenges" "type" "dns-01" "url")
@ -1058,10 +1060,11 @@ for d in $alldomains; do
debug keyauthorization "$keyauthorization"
#create signed authorization key from token.
auth_key=$(printf '%s' "$keyauthorization" | openssl dgst -sha256 -binary \
| openssl base64 -e \
| tr -d '\n\r' \
| sed -e 's:=*$::g' -e 'y:+/:-_:')
auth_key=$(printf '%s' "$keyauthorization" \
| openssl dgst -sha256 -binary \
| openssl base64 -e \
| tr -d '\n\r' \
| sed -e 's:=*$::g' -e 'y:+/:-_:')
debug auth_key "$auth_key"
# shellcheck disable=SC2018,SC2019
@ -1102,7 +1105,7 @@ for d in $alldomains; do
uri=$(json_get "$response" "uri" "http-01")
debug uri "$uri"
else # APIv2
debug "authlink response = $response"
debug "authlink response = ${response//[$'\t\r\n']}"
# get the token from the http-01 component
token=$(json_get "$response" "challenges" "type" "http-01" "token")
# get the uri from the http component
@ -1198,19 +1201,19 @@ if [[ $VALIDATE_VIA_DNS == "true" ]]; then
while [[ "$check_dns" == "fail" ]]; do
if [[ "$os" == "cygwin" ]]; then
check_result=$(nslookup -type=txt "_acme-challenge.${lower_d}" "${ns}" \
| grep ^_acme -A2\
| grep '"'|awk -F'"' '{ print $2}')
| grep ^_acme -A2\
| grep '"'|awk -F'"' '{ print $2}')
elif [[ "$DNS_CHECK_FUNC" == "drill" ]] || [[ "$DNS_CHECK_FUNC" == "dig" ]]; then
debug "$DNS_CHECK_FUNC" TXT "_acme-challenge.${lower_d}" "@${ns}"
check_result=$($DNS_CHECK_FUNC TXT "_acme-challenge.${lower_d}" "@${ns}" \
| grep -i "^_acme-challenge.${lower_d}" \
| grep 'IN\WTXT'|awk -F'"' '{ print $2}')
| grep -i "^_acme-challenge.${lower_d}" \
| grep 'IN\WTXT'|awk -F'"' '{ print $2}')
elif [[ "$DNS_CHECK_FUNC" == "host" ]]; then
check_result=$($DNS_CHECK_FUNC -t TXT "_acme-challenge.${lower_d}" "${ns}" \
| grep 'descriptive text'|awk -F'"' '{ print $2}')
| grep 'descriptive text'|awk -F'"' '{ print $2}')
else
check_result=$(nslookup -type=txt "_acme-challenge.${lower_d}" "${ns}" \
| grep 'text ='|awk -F'"' '{ print $2}')
| grep 'text ='|awk -F'"' '{ print $2}')
fi
debug "expecting $auth_key"
debug "${ns} gave ... $check_result"
@ -1221,8 +1224,9 @@ if [[ $VALIDATE_VIA_DNS == "true" ]]; then
if [[ $ntries -lt $DNS_WAIT_COUNT ]]; then
ntries=$(( ntries + 1 ))
if [[ $DNS_WAIT_RETRY_ADD == "true" && $(( ntries % 10 == 0 )) ]]; then
if [[ $DNS_WAIT_RETRY_ADD == "true" && $(( ntries % 10 )) == 0 ]]; then
debug "Retrying adding dns via command: $DNS_ADD_COMMAND $lower_d $auth_key"
eval "$DNS_DEL_COMMAND" "$lower_d" "$auth_key"
if ! eval "$DNS_ADD_COMMAND" "$lower_d" "$auth_key" ; then
error_exit "DNS_ADD_COMMAND failed for domain $d"
fi
@ -1516,7 +1520,7 @@ get_cr() { # get curl response
debug url "$url"
response=$(curl --user-agent "$CURL_USERAGENT" --silent "$url")
ret=$?
debug response "$response"
debug response "${response//[$'\t\r\n']}"
code=$(json_get "$response" status)
debug code "$code"
debug "get_cr return code $ret"
@ -1567,8 +1571,8 @@ get_signing_params() { # get signing parameters from key
crv="$(openssl ec -in "$skey" -noout -text 2>/dev/null | awk '$2 ~ "CURVE:" {print $3}')"
if [[ -z "$crv" ]]; then
gsp_keytype="$(openssl ec -in "$skey" -noout -text 2>/dev/null \
| grep "^ASN1 OID:" \
| awk '{print $3}')"
| grep "^ASN1 OID:" \
| awk '{print $3}')"
case "$gsp_keytype" in
prime256v1) crv="P-256" ;;
secp384r1) crv="P-384" ;;
@ -1583,8 +1587,8 @@ get_signing_params() { # get signing parameters from key
*) error_exit "invalid curve algorithm type $crv";;
esac
pubtext="$(openssl ec -in "$skey" -noout -text 2>/dev/null \
| awk '/^pub:/{p=1;next}/^ASN1 OID:/{p=0}p' \
| tr -d ": \n\r")"
| awk '/^pub:/{p=1;next}/^ASN1 OID:/{p=0}p' \
| tr -d ": \n\r")"
mid=$(( (${#pubtext} -2) / 2 + 2 ))
x64=$(echo "$pubtext" | cut -b 3-$mid | hex2bin | urlbase64)
y64=$(echo "$pubtext" | cut -b $((mid+1))-${#pubtext} | hex2bin | urlbase64)
@ -1635,6 +1639,11 @@ hex2bin() { # Remove spaces, add leading zero, escape as hex string ensuring no
info() { # write out info as long as the quiet flag has not been set.
if [[ ${_QUIET} -eq 0 ]]; then
# If running tests then output in TAP format as well (for debugging tests)
if [[ ${_RUNNING_TEST} -eq 1 ]]; then
echo "# $(date "+%b %d %T") ${FUNCNAME[1]}:${BASH_LINENO[1]}" "$@" >&3
fi
echo "$@"
fi
}
@ -2112,7 +2121,7 @@ send_signed_request() { # Sends a request to the ACME server, signed with your p
fi
debug responseHeaders "$responseHeaders"
debug response "$response"
debug response "${response//[$'\t\r\n']}"
code=$(awk ' $1 ~ "^HTTP" {print $2}' "$CURL_HEADER" | tail -1)
debug code "$code"
if [[ "$code" == 4* && $response != *"error:badNonce"* && "$code" != 409 ]]; then
@ -2224,9 +2233,9 @@ usage() { # echos out the program usage
write_domain_template() { # write out a template file for a domain.
if [[ -s "$WORKING_DIR/getssl_default.cfg" ]]; then
export DOMAIN="$DOMAIN"
export EX_SANS="$EX_SANS"
envsubst < "$WORKING_DIR/getssl_default.cfg" > "$1"
export DOMAIN="$DOMAIN"
export EX_SANS="$EX_SANS"
envsubst < "$WORKING_DIR/getssl_default.cfg" > "$1"
else
cat > "$1" <<- _EOF_domain_
# vim: filetype=sh
@ -2787,10 +2796,10 @@ fi
# if not reusing private key, then remove the old keys
if [[ "$REUSE_PRIVATE_KEY" != "true" ]]; then
if [[ -s "$DOMAIN_DIR/${DOMAIN}.key" ]]; then
rm -f "$DOMAIN_DIR/${DOMAIN}.key"
rm -f "$DOMAIN_DIR/${DOMAIN}.key"
fi
if [[ -s "$DOMAIN_DIR/${DOMAIN}.ec.key" ]]; then
rm -f "$DOMAIN_DIR/${DOMAIN}.ec.key"
rm -f "$DOMAIN_DIR/${DOMAIN}.ec.key"
fi
fi
# create new domain keys if they don't already exist
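Review bot: The new TAP prefix in `debug()` pairs `${FUNCNAME[1]}` with `${BASH_LINENO[1]}`, but `BASH_LINENO[1]` is the line at which the calling function was itself invoked, not the line of the `debug` call; the call site is `${BASH_LINENO[0]}`, so the line should read `echo "# $(date "+%b %d %T") ${FUNCNAME[1]}:${BASH_LINENO[0]}" "$@" >&3`. The same pairing is used in the test branch added to `info()`, and for calls made from the top level of the script `BASH_LINENO[1]` is 0, so the number printed there is never the right one. Both branches also write to fd 3 whenever `_RUNNING_TEST` is 1, and the new test configs show `_RUNNING_TEST=1` as a config-file setting, so a user who enables it outside bats would presumably get a "Bad file descriptor" error on every message; checking that fd 3 is open once (e.g. `{ : >&3; } 2>/dev/null`) before using it, or falling back to stderr, would avoid that. The bodies of both `debug()` and `info()` start and end outside the hunk.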


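--- /dev/null
+++ b/test/19-test-add-to-sans.bats
@@ -0,0 +1,61 @@
+#! /usr/bin/env bats
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+# This is run for every test
+setup() {
+export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+curl --silent -X POST -d '{"host":"a.'$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
+curl --silent -X POST -d '{"host":"b.'$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
+}
+teardown() {
+curl --silent -X POST -d '{"host":"a.'$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/clear-a
+curl --silent -X POST -d '{"host":"b.'$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/clear-a
+}
+@test "Create certificate to check can add to SANS" {
+skip "FIXME: Certificate is not recreated when SANS is updated"
+if [ -n "$STAGING" ]; then
+skip "Not trying on staging server yet"
+CONFIG_FILE="getssl-staging-dns01.cfg"
+else
+CONFIG_FILE="getssl-dns01-add-to-sans-1.cfg"
+fi
+. "${CODE_DIR}/test/test-config/${CONFIG_FILE}"
+setup_environment
+init_getssl
+create_certificate
+assert_success
+check_output_for_errors
+}
+@test "Check we can add a new domain to SANS" {
+skip "FIXME: Certificate is not recreated when SANS is updated"
+if [ -n "$STAGING" ]; then
+skip "Not trying on staging server yet"
+CONFIG_FILE="getssl-staging-dns01.cfg"
+else
+CONFIG_FILE="getssl-dns01-add-to-sans-2.cfg"
+fi
+# . "${CODE_DIR}/test/test-config/${CONFIG_FILE}"
+# CERT=${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt
+# KEY=${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.key
+# cp "${CODE_DIR}/test/test-config/${CONFIG_FILE}" "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl.cfg"
+create_certificate
+assert_success
+check_output_for_errors
+# As the SANS list changed, a new certificate is needed
+assert_line --partial "certificate installed OK on server"
+refute_line --partial 'certificate is valid for more than'
+}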
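Review bot: The second test, "Check we can add a new domain to SANS", never loads the config it selects: the `.` and `cp` lines just above `create_certificate` are commented out, so `CONFIG_FILE="getssl-dns01-add-to-sans-2.cfg"` is assigned but unused and the run reuses whatever `getssl.cfg` the first test left in place, which means the test cannot observe a SAN change even after the `skip` is removed. At minimum `cp "${CODE_DIR}/test/test-config/${CONFIG_FILE}" "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl.cfg"` should run before `create_certificate`, or the FIXME should say that the test body itself is incomplete rather than only that the certificate is not recreated. In `setup()` and `teardown()` the `curl --silent` calls to the challtestsrv management API discard both the exit status and any error body, so a failed `add-a` only surfaces later as a DNS validation timeout; `curl --silent --show-error --fail` would make the setup failure visible where it happens. `$GETSSL_HOST` and `$GETSSL_IP` are also spliced unquoted into the JSON body, which is harmless for the fixed test host but would break (or change the request) on a value containing a quote or whitespace.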

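--- /dev/null
+++ b/test/test-config/getssl-dns01-add-to-sans-1.cfg
@@ -0,0 +1,37 @@
+# Uncomment and modify any variables you need
+# see https://github.com/srvrco/getssl/wiki/Config-variables for details
+# see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
+#
+CA="https://pebble:14000/dir"
+VALIDATE_VIA_DNS=true
+DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv"
+DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv"
+AUTH_DNS_SERVER=10.30.50.3
+# Speed up the test by reducing the number or retries and the wait between retries.
+DNS_WAIT=2
+DNS_WAIT_COUNT=11
+DNS_EXTRA_WAIT=0
+# Additional domains - this could be multiple domains / subdomains in a comma separated list
+SANS="a.${GETSSL_HOST}"
+# Location for all your certs, these can either be on the server (full path name)
+# or using ssh /sftp as for the ACL
+DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
+DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
+CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
+DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
+DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
+# The command needed to reload apache / nginx or whatever you use
+RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
+# Define the server type and confirm correct certificate is installed
+SERVER_TYPE="https"
+CHECK_REMOTE="true"
+IGNORE_DIRECTORY_DOMAIN="true"
+#_USE_DEBUG=1
+#_RUNNING_TEST=1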

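--- /dev/null
+++ b/test/test-config/getssl-dns01-add-to-sans-2.cfg
@@ -0,0 +1,37 @@
+# Uncomment and modify any variables you need
+# see https://github.com/srvrco/getssl/wiki/Config-variables for details
+# see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
+#
+CA="https://pebble:14000/dir"
+VALIDATE_VIA_DNS=true
+DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv"
+DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv"
+AUTH_DNS_SERVER=10.30.50.3
+# Speed up the test by reducing the number or retries and the wait between retries.
+DNS_WAIT=2
+DNS_WAIT_COUNT=11
+DNS_EXTRA_WAIT=0
+# Additional domains - this could be multiple domains / subdomains in a comma separated list
+SANS="b.${GETSSL_HOST}, a.${GETSSL_HOST}"
+# Location for all your certs, these can either be on the server (full path name)
+# or using ssh /sftp as for the ACL
+DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
+DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
+CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
+DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
+DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
+# The command needed to reload apache / nginx or whatever you use
+RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
+# Define the server type and confirm correct certificate is installed
+SERVER_TYPE="https"
+CHECK_REMOTE="false"
+IGNORE_DIRECTORY_DOMAIN="true"
+#_USE_DEBUG=1
+#_RUNNING_TEST=1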
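Review bot: `CHECK_REMOTE="false"` here differs from the `"true"` in the otherwise identical `getssl-dns01-add-to-sans-1.cfg` with no comment saying why, yet the test that is meant to consume this file asserts on `certificate installed OK on server`, which presumably comes from the remote check; with the check disabled that assertion may never be satisfiable, so the test would fail for the wrong reason once its `skip` is removed. Either set `CHECK_REMOTE="true"` to match the first config, or put a comment above it such as `# CHECK_REMOTE is off because the second run only needs to prove the cert was re-issued, not installed` so the intent is recorded. The comment preceding `SERVER_TYPE` ("confirm correct certificate is installed") also contradicts the disabled check and should be adjusted if the setting is intentional.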

+ 5
- 6
test/test-config/getssl-staging-dns01-no-suffix.cfg View File

@ -9,18 +9,17 @@ PUBLIC_DNS_SERVER=ns2.duckdns.org
CHECK_ALL_AUTH_DNS=true
DNS_EXTRA_WAIT=120
# Speed up the test by reducing the number or retries and the wait between retries.
DNS_WAIT=2
DNS_WAIT_COUNT=11
DNS_WAIT_RETRY_ADD="true"
ACCOUNT_KEY_TYPE="rsa"
PRIVATE_KEY_ALG="rsa"
# Additional domains - this could be multiple domains / subdomains in a comma separated list
SANS=""
# Acme Challenge Location. The first line for the domain, the following ones for each additional domain.
ACL=('/var/www/html/.well-known/acme-challenge')
#Set USE_SINGLE_ACL="true" to use a single ACL for all checks
USE_SINGLE_ACL="false"
# Location for all your certs, these can either be on the server (full path name)
# or using ssh /sftp as for the ACL
DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"


+ 7
- 8
test/test-config/getssl-staging-dns01.cfg View File

@ -5,22 +5,21 @@ CA="https://acme-staging-v02.api.letsencrypt.org/directory"
VALIDATE_VIA_DNS=true
DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_duckdns"
DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_duckdns"
PUBLIC_DNS_SERVER=ns2.duckdns.org
CHECK_ALL_AUTH_DNS=true
PUBLIC_DNS_SERVER=1.1.1.1
CHECK_ALL_AUTH_DNS="false"
DNS_EXTRA_WAIT=120
# Speed up the test by reducing the number or retries and the wait between retries.
DNS_WAIT=2
DNS_WAIT_COUNT=11
DNS_WAIT_RETRY_ADD="true"
ACCOUNT_KEY_TYPE="rsa"
PRIVATE_KEY_ALG="rsa"
# Additional domains - this could be multiple domains / subdomains in a comma separated list
SANS=""
# Acme Challenge Location. The first line for the domain, the following ones for each additional domain.
ACL=('/var/www/html/.well-known/acme-challenge')
#Set USE_SINGLE_ACL="true" to use a single ACL for all checks
USE_SINGLE_ACL="false"
# Location for all your certs, these can either be on the server (full path name)
# or using ssh /sftp as for the ACL
DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"

