Merge branch 'master' of github.com:srvrco/getssl

test/5-secp384-http01.bats

@@ -0,0 +1,41 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+setup() {
+    export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+}
+
+
+@test "Create new secp384r1 certificate using HTTP-01 verification" {
+    CONFIG_FILE="getssl-http01-secp384.cfg"
+    setup_environment
+    init_getssl
+    create_certificate
+    assert_success
+}
+
+
+@test "Force renewal of secp384r1 certificate using HTTP-01" {
+    run ${CODE_DIR}/getssl -f $GETSSL_HOST
+    assert_success
+}
+
+
+@test "Create new secp521r1 certificate using HTTP-01 verification" {
+    CONFIG_FILE="getssl-http01-secp521.cfg"
+    setup_environment
+    init_getssl
+    create_certificate
+    assert_success
+}
+
+
+@test "Force renewal of secp521r1 certificate using HTTP-01" {
+    run ${CODE_DIR}/getssl -f $GETSSL_HOST
+    assert_success
+}

test/Dockerfile-debian

@@ -10,9 +10,6 @@ WORKDIR /root
 RUN mkdir /etc/nginx/pki
 RUN mkdir /etc/nginx/pki/private
 
-# Prevent "Can't load /root/.rnd into RNG" error from openssl
-# RUN touch /root/.rnd
-
 # BATS (Bash Automated Testings)
 RUN git clone https://github.com/bats-core/bats-core.git /bats-core
 RUN git clone https://github.com/jasonkarns/bats-support /bats-support

test/README.md

@@ -35,6 +35,6 @@ docker exec -it getssl-ubuntu18 /getssl/test/debug-test.sh getssl-http01.cfg
 
 ## TODO
 
-1. Test RHEL6, Debian as well
-2. Test SSH, SFTP
-3. Test wildcards
+1. Test wildcards
+2. Test SSH, SFTP, SCP
+3. Test change of key algorithm

test/test-config/getssl-dns01-dual-rsa-ecdsa.cfg

@@ -2,10 +2,6 @@
 # see https://github.com/srvrco/getssl/wiki/Config-variables for details
 # see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
 #
-# The staging server is best for testing
-#CA="https://acme-staging.api.letsencrypt.org"
-# This server issues full certificates, however has rate limits
-#CA="https://acme-v01.api.letsencrypt.org"
 CA="https://pebble:14000/dir"
 
 VALIDATE_VIA_DNS=true
@@ -16,24 +12,11 @@ DUAL_RSA_ECDSA="true"
 ACCOUNT_KEY_TYPE="prime256v1"
 PRIVATE_KEY_ALG="prime256v1"
 
-#PRIVATE_KEY_ALG="rsa"
-
 # Additional domains - this could be multiple domains / subdomains in a comma separated list
-# Note: this is Additional domains - so should not include the primary domain.
 SANS=""
 
 # Acme Challenge Location. The first line for the domain, the following ones for each additional domain.
-# If these start with ssh: then the next variable is assumed to be the hostname and the rest the location.
-# An ssh key will be needed to provide you with access to the remote server.
-# Optionally, you can specify a different userid for ssh/scp to use on the remote server before the @ sign.
-# If left blank, the username on the local server will be used to authenticate against the remote server.
-# If these start with ftp: then the next variables are ftpuserid:ftppassword:servername:ACL_location
-# These should be of the form "/path/to/your/website/folder/.well-known/acme-challenge"
-# where "/path/to/your/website/folder/" is the path, on your web server, to the web root for your domain.
 ACL=('/var/www/html/.well-known/acme-challenge')
-#     'ssh:server5:/var/www/getssltest.hopto.org/web/.well-known/acme-challenge'
-#     'ssh:sshuserid@server5:/var/www/getssltest.hopto.org/web/.well-known/acme-challenge'
-#     'ftp:ftpuserid:ftppassword:getssltest.hopto.org:/web/.well-known/acme-challenge')
 
 #Set USE_SINGLE_ACL="true" to use a single ACL for all checks
 USE_SINGLE_ACL="false"
@@ -47,11 +30,8 @@ DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
 DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
 
 # The command needed to reload apache / nginx or whatever you use
-RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && service nginx restart >&3-"
-
-# Define the server type. This can be https, ftp, ftpi, imap, imaps, pop3, pop3s, smtp,
-# smtps_deprecated, smtps, smtp_submission, xmpp, xmpps, ldaps or a port number which
-# will be checked for certificate expiry and also will be checked after
-# an update to confirm correct certificate is running (if CHECK_REMOTE) is set to true
-#SERVER_TYPE="https"
-#CHECK_REMOTE="true"
+RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
+
+# Define the server type and confirm correct certificate is installed
+SERVER_TYPE="https"
+CHECK_REMOTE="true"

test/test-config/getssl-http01-dual-rsa-ecdsa.cfg

@@ -2,36 +2,17 @@
 # see https://github.com/srvrco/getssl/wiki/Config-variables for details
 # see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
 #
-# The staging server is best for testing
-#CA="https://acme-staging-v02.api.letsencrypt.org"
-# This server issues full certificates, however has rate limits
-#CA="https://acme-v02.api.letsencrypt.org"
 CA="https://pebble:14000/dir"
 
-#VALIDATE_VIA_DNS=true
-#DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv"
-#DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv"
-
 DUAL_RSA_ECDSA="true"
 ACCOUNT_KEY_TYPE="prime256v1"
 PRIVATE_KEY_ALG="prime256v1"
 
 # Additional domains - this could be multiple domains / subdomains in a comma separated list
-# Note: this is Additional domains - so should not include the primary domain.
 SANS=""
 
-# Acme Challenge Location. The first line for the domain, the following ones for each additional domain.
-# If these start with ssh: then the next variable is assumed to be the hostname and the rest the location.
-# An ssh key will be needed to provide you with access to the remote server.
-# Optionally, you can specify a different userid for ssh/scp to use on the remote server before the @ sign.
-# If left blank, the username on the local server will be used to authenticate against the remote server.
-# If these start with ftp: then the next variables are ftpuserid:ftppassword:servername:ACL_location
-# These should be of the form "/path/to/your/website/folder/.well-known/acme-challenge"
-# where "/path/to/your/website/folder/" is the path, on your web server, to the web root for your domain.
+# Acme Challenge Location.
 ACL=('/var/www/html/.well-known/acme-challenge')
-#     'ssh:server5:/var/www/getssltest.hopto.org/web/.well-known/acme-challenge'
-#     'ssh:sshuserid@server5:/var/www/getssltest.hopto.org/web/.well-known/acme-challenge'
-#     'ftp:ftpuserid:ftppassword:getssltest.hopto.org:/web/.well-known/acme-challenge')
 
 #Set USE_SINGLE_ACL="true" to use a single ACL for all checks
 USE_SINGLE_ACL="false"
@@ -45,11 +26,8 @@ DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
 DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
 
 # The command needed to reload apache / nginx or whatever you use
-RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && service nginx restart >&3-"
+RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
 
-# Define the server type. This can be https, ftp, ftpi, imap, imaps, pop3, pop3s, smtp,
-# smtps_deprecated, smtps, smtp_submission, xmpp, xmpps, ldaps or a port number which
-# will be checked for certificate expiry and also will be checked after
-# an update to confirm correct certificate is running (if CHECK_REMOTE) is set to true
-#SERVER_TYPE="https"
-#CHECK_REMOTE="true"
+# Define the server type and confirm correct certificate is installed
+SERVER_TYPE="https"
+CHECK_REMOTE="true"

test/test-config/getssl-http01-secp384.cfg

@@ -0,0 +1,32 @@
+# Uncomment and modify any variables you need
+# see https://github.com/srvrco/getssl/wiki/Config-variables for details
+# see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
+#
+CA="https://pebble:14000/dir"
+
+ACCOUNT_KEY_TYPE="secp384r1"
+PRIVATE_KEY_ALG="secp384r1"
+
+# Additional domains - this could be multiple domains / subdomains in a comma separated list
+SANS=""
+
+# Acme Challenge Location.
+ACL=('/var/www/html/.well-known/acme-challenge')
+
+#Set USE_SINGLE_ACL="true" to use a single ACL for all checks
+USE_SINGLE_ACL="false"
+
+# Location for all your certs, these can either be on the server (full path name)
+# or using ssh /sftp as for the ACL
+DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
+DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
+CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
+DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
+DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
+
+# The command needed to reload apache / nginx or whatever you use
+RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
+
+# Define the server type and confirm correct certificate is installed
+SERVER_TYPE="https"
+CHECK_REMOTE="true"

test/test-config/getssl-http01-secp521.cfg

@@ -0,0 +1,32 @@
+# Uncomment and modify any variables you need
+# see https://github.com/srvrco/getssl/wiki/Config-variables for details
+# see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
+#
+CA="https://pebble:14000/dir"
+
+ACCOUNT_KEY_TYPE="secp521r1"
+PRIVATE_KEY_ALG="secp521r1"
+
+# Additional domains - this could be multiple domains / subdomains in a comma separated list
+SANS=""
+
+# Acme Challenge Location.
+ACL=('/var/www/html/.well-known/acme-challenge')
+
+#Set USE_SINGLE_ACL="true" to use a single ACL for all checks
+USE_SINGLE_ACL="false"
+
+# Location for all your certs, these can either be on the server (full path name)
+# or using ssh /sftp as for the ACL
+DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
+DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
+CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
+DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
+DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
+
+# The command needed to reload apache / nginx or whatever you use
+RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
+
+# Define the server type and confirm correct certificate is installed
+SERVER_TYPE="https"
+CHECK_REMOTE="true"