From 17203b1ec1e9962d1fcbe88fa87a5efac73707a9 Mon Sep 17 00:00:00 2001
From: Juan Javier Baca
Date: Thu, 16 Apr 2020 04:41:44 +0200
Subject: [PATCH 01/12] Add alternative working dirs

Despite changing working dir from command line covers most usage cases, others defaults are also usefull like /etc/getssl, SCRIPTDIR/conf or SCRIPTDIR/.getssl. Last candidate (~/.getssl) is used if no config file was found in previous paths.
---
 getssl | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/getssl b/getssl
index a0c530c..a465376 100755
--- a/getssl
+++ b/getssl
@@ -220,6 +220,7 @@
 # 2020-03-23 Fix staging server URL in domain template (2.21)
 # 2020-03-30 Fix error message find_dns_utils from over version of "command"
 # 2020-03-30 Fix problems if domain name isn't in lowercase (2.22)
+# 2020-04-16 Add alternative working dirs '/etc/getssl/' '${SCRIPTDIR}/conf' '${SCRIPTDIR}/.getssl'
 # ----------------------------------------------------------------------------------------
 
 PROGNAME=${0##*/}
@@ -261,7 +262,7 @@ TEMP_UPGRADE_FILE=""
 TOKEN_USER_ID=""
 USE_SINGLE_ACL="false"
 VALIDATE_VIA_DNS=""
-WORKING_DIR=~/.getssl
+WORKING_DIR_CANDIDATES=('/etc/getssl/' '${SCRIPTDIR}/conf' '${SCRIPTDIR}/.getssl' '~/.getssl')
 _CHECK_ALL=0
 _CREATE_CONFIG=0
 _FORCE_RENEW=0
@@ -2179,6 +2180,7 @@ requires which
 requires openssl
 requires curl
 requires dig nslookup drill host DNS_CHECK_FUNC
+requires dirname
 requires awk
 requires tr
 requires date
@@ -2216,6 +2218,22 @@ if [[ -z "$DOMAIN" ]] && [[ ${_CHECK_ALL} -ne 1 ]]; then
   graceful_exit
 fi
 
+# Test working directory candidates if unset. Last candidate defaults (~/getssl/)
+if [[ -z "${WORKING_DIR}" ]]
+then
+  SCRIPTDIR="$(cd "$(dirname "$0")"; pwd -P;)"
+  for WDCC in $(seq 0 $((${#WORKING_DIR_CANDIDATES[@]}-1)) )
+  do
+    WORKING_DIR="$(eval echo "${WORKING_DIR_CANDIDATES[$WDCC]}")"
+
+    debug "Testing working dir location '${WORKING_DIR}'"
+    if [[ -s "$WORKING_DIR/getssl.cfg" ]]
+    then
+      break
+    fi
+  done
+fi
+
 # if the "working directory" doesn't exist, then create it.
 if [[ ! -d "$WORKING_DIR" ]]; then
   debug "Making working directory - $WORKING_DIR"

From 9dfff30b9d53e8271e1bc4908ad0704ac593ec5d Mon Sep 17 00:00:00 2001
From: Juan Javier Baca
Date: Thu, 16 Apr 2020 04:44:16 +0200
Subject: [PATCH 02/12] Add -i|--install command line option

While testing or setting up getssl the installation of certificates could fail. Option -i allows to copy and reload service quicker.
---
 getssl | 155 ++++++++++++++++++++++++++++++++-------------------------
 1 file changed, 86 insertions(+), 69 deletions(-)

diff --git a/getssl b/getssl
index a465376..8251911 100755
--- a/getssl
+++ b/getssl
@@ -221,6 +221,7 @@
 # 2020-03-30 Fix error message find_dns_utils from over version of "command"
 # 2020-03-30 Fix problems if domain name isn't in lowercase (2.22)
 # 2020-04-16 Add alternative working dirs '/etc/getssl/' '${SCRIPTDIR}/conf' '${SCRIPTDIR}/.getssl'
+# 2020-04-16 Add -i|--install command line option
 # ----------------------------------------------------------------------------------------
 
 PROGNAME=${0##*/}
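Review bot: The comment on the new candidate loop names the fallback as `(~/getssl/)`, but the last entry of WORKING_DIR_CANDIDATES is `~/.getssl`, so the comment documents a directory the script never uses, and it is carried unchanged as context through the later patches in this series that rewrite the loop. Suggested wording: `# If -w was not given, test each WORKING_DIR candidate for a non-empty getssl.cfg; the last candidate (~/.getssl) is used when none has one`. The first candidate also carries a trailing slash, so the path probed is `/etc/getssl//getssl.cfg` and the doubled slash ends up in every message built from WORKING_DIR afterwards; dropping the slash from the candidate avoids that.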
@@ -305,6 +306,79 @@ cert_archive() { # Archive certificate file by copying files to dated archive d
   purge_archive "$DOMAIN_DIR"
 }
 
+cert_install() { # copy certs to the correct location (creating concatenated files as required)
+  umask 077
+
+  copy_file_to_location "domain certificate" "$CERT_FILE" "$DOMAIN_CERT_LOCATION"
+  copy_file_to_location "private key" "$DOMAIN_DIR/${DOMAIN}.key" "$DOMAIN_KEY_LOCATION"
+  copy_file_to_location "CA certificate" "$CA_CERT" "$CA_CERT_LOCATION"
+  if [[ "$DUAL_RSA_ECDSA" == "true" ]]; then
+    if [[ -n "$DOMAIN_CERT_LOCATION" ]]; then
+      copy_file_to_location "ec domain certificate" \
+        "${CERT_FILE%.*}.ec.crt" \
+        "${DOMAIN_CERT_LOCATION}" \
+        "ec"
+    fi
+    if [[ -n "$DOMAIN_KEY_LOCATION" ]]; then
+      copy_file_to_location "ec private key" \
+        "$DOMAIN_DIR/${DOMAIN}.ec.key" \
+        "${DOMAIN_KEY_LOCATION}" \
+        "ec"
+    fi
+    if [[ -n "$CA_CERT_LOCATION" ]]; then
+      copy_file_to_location "ec CA certificate" \
+        "${CA_CERT%.*}.ec.crt" \
+        "${CA_CERT_LOCATION%.*}.crt" \
+        "ec"
+    fi
+  fi
+
+  # if DOMAIN_CHAIN_LOCATION is not blank, then create and copy file.
+  if [[ -n "$DOMAIN_CHAIN_LOCATION" ]]; then
+    if [[ "$(dirname "$DOMAIN_CHAIN_LOCATION")" == "." ]]; then
+      to_location="${DOMAIN_DIR}/${DOMAIN_CHAIN_LOCATION}"
+    else
+      to_location="${DOMAIN_CHAIN_LOCATION}"
+    fi
+    cat "$CERT_FILE" "$CA_CERT" > "$TEMP_DIR/${DOMAIN}_chain.pem"
+    copy_file_to_location "full chain" "$TEMP_DIR/${DOMAIN}_chain.pem" "$to_location"
+    if [[ "$DUAL_RSA_ECDSA" == "true" ]]; then
+      cat "${CERT_FILE%.*}.ec.crt" "${CA_CERT%.*}.ec.crt" > "$TEMP_DIR/${DOMAIN}_chain.pem.ec"
+      copy_file_to_location "full chain" "$TEMP_DIR/${DOMAIN}_chain.pem.ec" "${to_location}" "ec"
+    fi
+  fi
+  # if DOMAIN_KEY_CERT_LOCATION is not blank, then create and copy file.
+  if [[ -n "$DOMAIN_KEY_CERT_LOCATION" ]]; then
+    if [[ "$(dirname "$DOMAIN_KEY_CERT_LOCATION")" == "." ]]; then
+      to_location="${DOMAIN_DIR}/${DOMAIN_KEY_CERT_LOCATION}"
+    else
+      to_location="${DOMAIN_KEY_CERT_LOCATION}"
+    fi
+    cat "$DOMAIN_DIR/${DOMAIN}.key" "$CERT_FILE" > "$TEMP_DIR/${DOMAIN}_K_C.pem"
+    copy_file_to_location "private key and domain cert pem" "$TEMP_DIR/${DOMAIN}_K_C.pem" "$to_location"
+    if [[ "$DUAL_RSA_ECDSA" == "true" ]]; then
+      cat "$DOMAIN_DIR/${DOMAIN}.ec.key" "${CERT_FILE%.*}.ec.crt" > "$TEMP_DIR/${DOMAIN}_K_C.pem.ec"
+      copy_file_to_location "private ec key and domain cert pem" "$TEMP_DIR/${DOMAIN}_K_C.pem.ec" "${to_location}" "ec"
+    fi
+  fi
+  # if DOMAIN_PEM_LOCATION is not blank, then create and copy file.
+  if [[ -n "$DOMAIN_PEM_LOCATION" ]]; then
+    if [[ "$(dirname "$DOMAIN_PEM_LOCATION")" == "." ]]; then
+      to_location="${DOMAIN_DIR}/${DOMAIN_PEM_LOCATION}"
+    else
+      to_location="${DOMAIN_PEM_LOCATION}"
+    fi
+    cat "$DOMAIN_DIR/${DOMAIN}.key" "$CERT_FILE" "$CA_CERT" > "$TEMP_DIR/${DOMAIN}.pem"
+    copy_file_to_location "full key, cert and chain pem" "$TEMP_DIR/${DOMAIN}.pem" "$to_location"
+    if [[ "$DUAL_RSA_ECDSA" == "true" ]]; then
+      cat "$DOMAIN_DIR/${DOMAIN}.ec.key" "${CERT_FILE%.*}.ec.crt" "${CA_CERT%.*}.ec.crt" > "$TEMP_DIR/${DOMAIN}.pem.ec"
+      copy_file_to_location "full ec key, cert and chain pem" "$TEMP_DIR/${DOMAIN}.pem.ec" "${to_location}" "ec"
+    fi
+  fi
+  # end of copying certs.
+  umask "$ORIG_UMASK"
+}
+
 check_challenge_completion() { # checks with the ACME server if our challenge is OK
   uri=$1
   domain=$2
@@ -1410,6 +1484,7 @@ help_message() { # print out the help message
   -c, --create     Create default config files
   -f, --force      Force renewal of cert (overrides expiry checks)
   -h, --help       Display this help message and exit
+  -i, --install    Install certificates and reload service
   -q, --quiet      Quiet mode (only outputs on error, success of new cert, or getssl was upgraded)
   -Q, --mute       Like -q, but also mute notification about successful upgrade
   -r, --revoke "cert" "key" [CA_server] Revoke a certificate (the cert and key are required)
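Review bot: `to_location` is assigned inside the new cert_install() without `local`, so every call leaves a script-level scratch variable behind; now that this code is a function, `local to_location` at the top keeps the name from leaking to the callers added later in this series. The function also restores the umask from `$ORIG_UMASK`, which is set somewhere outside this hunk and is not checked before `umask "$ORIG_UMASK"`; a one-line header comment stating that the caller must have saved ORIG_UMASK and set CERT_FILE, CA_CERT, DOMAIN_DIR and TEMP_DIR would make the preconditions explicit. The help entry in the second hunk could say what the option skips, e.g. `-i, --install    Install existing certificates and reload service (no ACME request)`.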
@@ -2146,6 +2221,8 @@ while [[ -n ${1+defined} ]]; do
       _UPGRADE=1 ;;
     -U | --nocheck)
       _UPGRADE_CHECK=0 ;;
+    -i | --install)
+      _CERT_INSTALL=1 ;;
     -w)
       shift; WORKING_DIR="$1" ;;
     -*)
@@ -2369,6 +2446,14 @@ check_config
 # check what dns utils are installed
 find_dns_utils
 
+# if -i|--install install certs, reload and exit
+if [ "0${_CERT_INSTALL}" -eq 1 ]
+then
+  cert_install
+  reload_service
+  graceful_exit
+fi
+
 if [[ -e "$DOMAIN_DIR/FORCE_RENEWAL" ]]; then
   rm -f "$DOMAIN_DIR/FORCE_RENEWAL" || error_exit "problem deleting file $DOMAIN_DIR/FORCE_RENEWAL"
   _FORCE_RENEW=1
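Review bot: `_CERT_INSTALL` is not initialised alongside the other `_`-prefixed flags (`_CHECK_ALL=0`, `_CREATE_CONFIG=0`, `_FORCE_RENEW=0` in the defaults block), which is why the second hunk needs the `"0${_CERT_INSTALL}"` trick and drops to `[ ]` where the surrounding code tests `[[ ${_CHECK_ALL} -ne 1 ]]`; adding `_CERT_INSTALL=0` to the defaults lets this read `if [[ ${_CERT_INSTALL} -eq 1 ]]; then`. The install path also calls cert_install and reload_service without confirming that a certificate exists for the domain, so on a host where none has been issued yet the outcome depends on how copy_file_to_location treats a missing source (not visible here) and the service is reloaded regardless; a guard such as `[[ -s "$CERT_FILE" ]] || error_exit "no certificate found for $DOMAIN, run without --install first"` before cert_install fails closed. Where CERT_FILE is assigned is outside this hunk.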
@@ -2647,76 +2732,8 @@ cert_archive
 debug "Certificates obtained and archived locally, will now copy to specified locations"
 
 # copy certs to the correct location (creating concatenated files as required)
-umask 077
-
-copy_file_to_location "domain certificate" "$CERT_FILE" "$DOMAIN_CERT_LOCATION"
-copy_file_to_location "private key" "$DOMAIN_DIR/${DOMAIN}.key" "$DOMAIN_KEY_LOCATION"
-copy_file_to_location "CA certificate" "$CA_CERT" "$CA_CERT_LOCATION"
-if [[ "$DUAL_RSA_ECDSA" == "true" ]]; then
-  if [[ -n "$DOMAIN_CERT_LOCATION" ]]; then
-    copy_file_to_location "ec domain certificate" \
-      "${CERT_FILE%.*}.ec.crt" \
-      "${DOMAIN_CERT_LOCATION}" \
-      "ec"
-  fi
-  if [[ -n "$DOMAIN_KEY_LOCATION" ]]; then
-    copy_file_to_location "ec private key" \
-      "$DOMAIN_DIR/${DOMAIN}.ec.key" \
-      "${DOMAIN_KEY_LOCATION}" \
-      "ec"
-  fi
-  if [[ -n "$CA_CERT_LOCATION" ]]; then
-    copy_file_to_location "ec CA certificate" \
-      "${CA_CERT%.*}.ec.crt" \
-      "${CA_CERT_LOCATION%.*}.crt" \
-      "ec"
-  fi
-fi
+cert_install
 
-# if DOMAIN_CHAIN_LOCATION is not blank, then create and copy file.
-if [[ -n "$DOMAIN_CHAIN_LOCATION" ]]; then
-  if [[ "$(dirname "$DOMAIN_CHAIN_LOCATION")" == "." ]]; then
-    to_location="${DOMAIN_DIR}/${DOMAIN_CHAIN_LOCATION}"
-  else
-    to_location="${DOMAIN_CHAIN_LOCATION}"
-  fi
-  cat "$CERT_FILE" "$CA_CERT" > "$TEMP_DIR/${DOMAIN}_chain.pem"
-  copy_file_to_location "full chain" "$TEMP_DIR/${DOMAIN}_chain.pem" "$to_location"
-  if [[ "$DUAL_RSA_ECDSA" == "true" ]]; then
-    cat "${CERT_FILE%.*}.ec.crt" "${CA_CERT%.*}.ec.crt" > "$TEMP_DIR/${DOMAIN}_chain.pem.ec"
-    copy_file_to_location "full chain" "$TEMP_DIR/${DOMAIN}_chain.pem.ec" "${to_location}" "ec"
-  fi
-fi
-# if DOMAIN_KEY_CERT_LOCATION is not blank, then create and copy file.
-if [[ -n "$DOMAIN_KEY_CERT_LOCATION" ]]; then
-  if [[ "$(dirname "$DOMAIN_KEY_CERT_LOCATION")" == "." ]]; then
-    to_location="${DOMAIN_DIR}/${DOMAIN_KEY_CERT_LOCATION}"
-  else
-    to_location="${DOMAIN_KEY_CERT_LOCATION}"
-  fi
-  cat "$DOMAIN_DIR/${DOMAIN}.key" "$CERT_FILE" > "$TEMP_DIR/${DOMAIN}_K_C.pem"
-  copy_file_to_location "private key and domain cert pem" "$TEMP_DIR/${DOMAIN}_K_C.pem" "$to_location"
-  if [[ "$DUAL_RSA_ECDSA" == "true" ]]; then
-    cat "$DOMAIN_DIR/${DOMAIN}.ec.key" "${CERT_FILE%.*}.ec.crt" > "$TEMP_DIR/${DOMAIN}_K_C.pem.ec"
-    copy_file_to_location "private ec key and domain cert pem" "$TEMP_DIR/${DOMAIN}_K_C.pem.ec" "${to_location}" "ec"
-  fi
-fi
-# if DOMAIN_PEM_LOCATION is not blank, then create and copy file.
-if [[ -n "$DOMAIN_PEM_LOCATION" ]]; then
-  if [[ "$(dirname "$DOMAIN_PEM_LOCATION")" == "." ]]; then
-    to_location="${DOMAIN_DIR}/${DOMAIN_PEM_LOCATION}"
-  else
-    to_location="${DOMAIN_PEM_LOCATION}"
-  fi
-  cat "$DOMAIN_DIR/${DOMAIN}.key" "$CERT_FILE" "$CA_CERT" > "$TEMP_DIR/${DOMAIN}.pem"
-  copy_file_to_location "full key, cert and chain pem" "$TEMP_DIR/${DOMAIN}.pem" "$to_location"
-  if [[ "$DUAL_RSA_ECDSA" == "true" ]]; then
-    cat "$DOMAIN_DIR/${DOMAIN}.ec.key" "${CERT_FILE%.*}.ec.crt" "${CA_CERT%.*}.ec.crt" > "$TEMP_DIR/${DOMAIN}.pem.ec"
-    copy_file_to_location "full ec key, cert and chain pem" "$TEMP_DIR/${DOMAIN}.pem.ec" "${to_location}" "ec"
-  fi
-fi
-# end of copying certs.
-umask "$ORIG_UMASK"
 
 # Run reload command to restart apache / nginx or whatever system
 reload_service

From 17b13facdad9ed3cd74ee6da84dd3fb93501c009 Mon Sep 17 00:00:00 2001
From: Juan Javier Baca
Date: Thu, 16 Apr 2020 04:45:08 +0200
Subject: [PATCH 03/12] Update revision history and version number

---
 getssl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/getssl b/getssl
index 8251911..b278193 100755
--- a/getssl
+++ b/getssl
@@ -221,11 +221,11 @@
 # 2020-03-30 Fix error message find_dns_utils from over version of "command"
 # 2020-03-30 Fix problems if domain name isn't in lowercase (2.22)
 # 2020-04-16 Add alternative working dirs '/etc/getssl/' '${SCRIPTDIR}/conf' '${SCRIPTDIR}/.getssl'
-# 2020-04-16 Add -i|--install command line option
+# 2020-04-16 Add -i|--install command line option (2.23)
 # ----------------------------------------------------------------------------------------
 
 PROGNAME=${0##*/}
-VERSION="2.22"
+VERSION="2.23"
 
 # defaults
 ACCOUNT_KEY_LENGTH=4096

From 7e575fb030bf29a544c4650400667f2be0df384e Mon Sep 17 00:00:00 2001
From: Juan Javier Baca Moreno-Torres
Date: Sat, 18 Apr 2020 01:46:02 +0200
Subject: [PATCH 04/12] Update shell-linter to 0.3.0

---
 .github/workflows/shellcheck.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
index d5adbf5..37b9cad 100644
--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@@ -12,6 +12,6 @@ jobs:
     steps:
     - uses: actions/checkout@v1
     - name: Lint check
-      uses: azohra/shell-linter@v0.2.0
+      uses: azohra/shell-linter@v0.3.0
       with:
         path: "getssl"

From adcb9752065880efc03da23ea03efa4acb176304 Mon Sep 17 00:00:00 2001
From: Juan Javier Baca Moreno-Torres
Date: Sat, 18 Apr 2020 02:10:09 +0200
Subject: [PATCH 05/12] Fix shellcheck warning and failures

Clean code, avoid indirect variables and single quotes for delayed expansion.
---
 getssl | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/getssl b/getssl
index b278193..bcaa37f 100755
--- a/getssl
+++ b/getssl
@@ -220,11 +220,12 @@
 # 2020-03-23 Fix staging server URL in domain template (2.21)
 # 2020-03-30 Fix error message find_dns_utils from over version of "command"
 # 2020-03-30 Fix problems if domain name isn't in lowercase (2.22)
-# 2020-04-16 Add alternative working dirs '/etc/getssl/' '${SCRIPTDIR}/conf' '${SCRIPTDIR}/.getssl'
+# 2020-04-16 Add alternative working dirs '/etc/getssl/' '${PROGDIR}/conf' '${PROGDIR}/.getssl'
 # 2020-04-16 Add -i|--install command line option (2.23)
 # ----------------------------------------------------------------------------------------
 
 PROGNAME=${0##*/}
+PROGDIR="$(cd "$(dirname "$0")" || exit; pwd -P;)"
 VERSION="2.23"
 
 # defaults
@@ -263,7 +264,7 @@ TEMP_UPGRADE_FILE=""
 TOKEN_USER_ID=""
 USE_SINGLE_ACL="false"
 VALIDATE_VIA_DNS=""
-WORKING_DIR_CANDIDATES=('/etc/getssl/' '${SCRIPTDIR}/conf' '${SCRIPTDIR}/.getssl' '~/.getssl')
+WORKING_DIR_CANDIDATES=("/etc/getssl/" "${PROGDIR}/conf" "${PROGDIR}/.getssl" "${HOME}/.getssl")
 _CHECK_ALL=0
 _CREATE_CONFIG=0
 _FORCE_RENEW=0
@@ -2298,7 +2299,6 @@ fi
 # Test working directory candidates if unset. Last candidate defaults (~/getssl/)
 if [[ -z "${WORKING_DIR}" ]]
 then
-  SCRIPTDIR="$(cd "$(dirname "$0")"; pwd -P;)"
   for WDCC in $(seq 0 $((${#WORKING_DIR_CANDIDATES[@]}-1)) )
   do
     WORKING_DIR="$(eval echo "${WORKING_DIR_CANDIDATES[$WDCC]}")"

From 008a95dba778b2947c408444d93fb121a74621d3 Mon Sep 17 00:00:00 2001
From: Tim Kimber
Date: Sat, 18 Apr 2020 14:36:33 +0100
Subject: [PATCH 06/12] Make ubuntu-staging depend on centos7-staging so they don't run at same time causing spurious errors

---
 .github/workflows/run-all-tests.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/run-all-tests.yml b/.github/workflows/run-all-tests.yml
index ff0e121..08fb41b 100644
--- a/.github/workflows/run-all-tests.yml
+++ b/.github/workflows/run-all-tests.yml
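Review bot: In `PROGDIR="$(cd "$(dirname "$0")" || exit; pwd -P;)"` the `|| exit` only terminates the command-substitution subshell, so when the cd fails PROGDIR is the empty string and the script carries on; the candidate list in the second hunk then becomes `/conf` and `/.getssl`, and root-level directories get probed for a getssl.cfg. Because a matching getssl.cfg is what the script goes on to load (the test configs in this series carry a shell command in RELOAD_CMD), this should fail closed rather than fall through: `[[ -n "$PROGDIR" ]] || { printf '%s\n' "$PROGNAME: cannot determine script directory" >&2; exit 1; }` directly after the assignment. error_exit is presumably defined further down the file and not yet callable here, hence the inline exit.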
@@ -72,6 +72,7 @@ jobs:
       - name: Run test suite on Ubuntu18
         run: test/run-test.sh ubuntu18
   test-ubuntu-staging:
+    needs: test-centos7-staging
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v1

From 3341f674d422bdbc1ce7b5012278ce62b58596c3 Mon Sep 17 00:00:00 2001
From: Tim Kimber
Date: Sat, 18 Apr 2020 14:36:59 +0100
Subject: [PATCH 07/12] Add tests for /etc/getssl and --install

---
 test/11-test--install.bats               | 69 ++++++++++++++++++++++++
 test/test-config/getssl-etc-template.cfg | 45 ++++++++++++++++
 2 files changed, 114 insertions(+)
 create mode 100644 test/11-test--install.bats
 create mode 100644 test/test-config/getssl-etc-template.cfg

diff --git a/test/11-test--install.bats b/test/11-test--install.bats
new file mode 100644
index 0000000..0b5bbc7
--- /dev/null
+++ b/test/11-test--install.bats
@@ -0,0 +1,69 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+setup() {
+    export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+}
+
+@test "Check that config files in /etc/getssl works" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+
+    CONFIG_FILE="getssl-http01.cfg"
+    setup_environment
+
+    # Create /etc/getssl/$DOMAIN
+    rm -rf /etc/getssl
+    mkdir -p /etc/getssl/${GETSSL_CMD_HOST}
+
+    # Copy the config file to /etc/getssl
+    cp "${CODE_DIR}/test/test-config/${CONFIG_FILE}" "/etc/getssl/${GETSSL_CMD_HOST}/getssl.cfg"
+    cp "${CODE_DIR}/test/test-config/getssl-etc-template.cfg" "/etc/getssl/getssl.cfg"
+
+    # Run getssl
+    run ${CODE_DIR}/getssl "$GETSSL_CMD_HOST"
+
+    assert_success
+    refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
+    refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]'
+    refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
+    assert_line 'Verification completed, obtaining certificate.'
+    assert_line 'Requesting certificate'
+    refute [ -d '$HOME/.getssl' ]
+}
+
+
+@test "Check that --install doesn't call the ACME server" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+
+    CONFIG_FILE="getssl-http01.cfg"
+    #setup_environment
+
+    # Create /etc/getssl/$DOMAIN
+    #mkdir -p /etc/getssl/${GETSSL_CMD_HOST}
+
+    # Copy the config file to /etc/getssl
+    #cp "${CODE_DIR}/test/test-config/${CONFIG_FILE}" "/etc/getssl/${GETSSL_CMD_HOST}/getssl.cfg"
+    #cp "${CODE_DIR}/test/test-config/getssl-etc-template.cfg" "/etc/getssl/getssl.cfg"
+
+    # Run getssl
+    run ${CODE_DIR}/getssl --install "$GETSSL_CMD_HOST"
+
+    assert_success
+    refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
+    refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]'
+    refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
+    refute_line 'Verification completed, obtaining certificate.'
+    refute_line 'Requesting certificate'
+    assert_line --partial 'copying domain certificate to'
+    assert_line --partial 'copying private key to'
+    assert_line --partial 'copying CA certificate to'
+}
diff --git a/test/test-config/getssl-etc-template.cfg b/test/test-config/getssl-etc-template.cfg
new file mode 100644
index 0000000..6bfc8fd
--- /dev/null
+++ b/test/test-config/getssl-etc-template.cfg
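Review bot: `refute [ -d '$HOME/.getssl' ]` uses single quotes, so `$HOME` is never expanded and the check looks for a directory literally named `$HOME/.getssl`; that can never exist, the assertion always passes, and the property it is meant to prove — that the /etc/getssl configuration was used instead of creating the home-directory default — is not tested. Change it to `refute [ -d "$HOME/.getssl" ]`. The later patch in this series that edits this file (the cleanup hunks) leaves the line untouched. `mkdir -p /etc/getssl/${GETSSL_CMD_HOST}` and the two `run ${CODE_DIR}/getssl …` lines should also quote their expansions, as the `cp` lines above them already do.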
@@ -0,0 +1,45 @@
+# vim: filetype=sh
+#
+# This file is read first and is common to all domains
+#
+# Uncomment and modify any variables you need
+# see https://github.com/srvrco/getssl/wiki/Config-variables for details
+#
+# The staging server is best for testing (hence set as default)
+CA="https://acme-staging-v02.api.letsencrypt.org"
+# This server issues full certificates, however has rate limits
+#CA="https://acme-v02.api.letsencrypt.org"
+
+# The agreement that must be signed with the CA, if not defined the default agreement will be used
+#AGREEMENT=""
+
+# Set an email address associated with your account - generally set at account level rather than domain.
+#ACCOUNT_EMAIL="me@example.com"
+ACCOUNT_KEY_LENGTH=4096
+ACCOUNT_KEY="/etc/getssl/account.key"
+
+# Account key and private key types - can be rsa, prime256v1, secp384r1 or secp521r1
+#ACCOUNT_KEY_TYPE="rsa"
+PRIVATE_KEY_ALG="rsa"
+#REUSE_PRIVATE_KEY="true"
+
+# The command needed to reload apache / nginx or whatever you use
+#RELOAD_CMD=""
+
+# The time period within which you want to allow renewal of a certificate
+# this prevents hitting some of the rate limits.
+# Creating a file called FORCE_RENEWAL in the domain directory allows one-off overrides
+# of this setting
+RENEW_ALLOW="30"
+
+# Define the server type. This can be https, ftp, ftpi, imap, imaps, pop3, pop3s, smtp,
+# smtps_deprecated, smtps, smtp_submission, xmpp, xmpps, ldaps or a port number which
+# will be checked for certificate expiry and also will be checked after
+# an update to confirm correct certificate is running (if CHECK_REMOTE) is set to true
+SERVER_TYPE="https"
+CHECK_REMOTE="true"
+
+# Use the following 3 variables if you want to validate via DNS
+#VALIDATE_VIA_DNS="true"
+#DNS_ADD_COMMAND=
+#DNS_DEL_COMMAND=

From 857ad87b4f21ca7a8f2c78fe727f620c9ad8c7f1 Mon Sep 17 00:00:00 2001
From: Tim Kimber
Date: Sat, 18 Apr 2020 14:37:33 +0100
Subject: [PATCH 08/12] Change bats-assert and bats-support to use bats-core repo

---
 test/Dockerfile-alpine          | 4 ++--
 test/Dockerfile-centos6         | 4 ++--
 test/Dockerfile-centos7         | 4 ++--
 test/Dockerfile-centos7-staging | 4 ++--
 test/Dockerfile-debian          | 4 ++--
 test/Dockerfile-ubuntu          | 4 ++--
 test/Dockerfile-ubuntu-staging  | 4 ++--
 test/Dockerfile-ubuntu16        | 4 ++--
 test/Dockerfile-ubuntu18        | 4 ++--
 9 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/test/Dockerfile-alpine b/test/Dockerfile-alpine
index 0c166cb..caad22a 100644
--- a/test/Dockerfile-alpine
+++ b/test/Dockerfile-alpine
@@ -13,8 +13,8 @@ RUN mkdir /etc/nginx/pki/private
 
 # BATS (Bash Automated Testings)
 RUN git clone https://github.com/bats-core/bats-core.git /bats-core
-RUN git clone https://github.com/jasonkarns/bats-support /bats-support
-RUN git clone https://github.com/jasonkarns/bats-assert-1 /bats-assert
+RUN git clone https://github.com/bats-core/bats-support /bats-support
+RUN git clone https://github.com/bats-core/bats-assert /bats-assert
 RUN /bats-core/install.sh /usr/local
 
 # Use supervisord to run nginx in the background
diff --git a/test/Dockerfile-centos6 b/test/Dockerfile-centos6
index 9149dad..61c8b6b 100644
--- a/test/Dockerfile-centos6
+++ b/test/Dockerfile-centos6
@@ -14,8 +14,8 @@ COPY ./test/test-config/nginx-ubuntu-no-ssl /etc/nginx/conf.d/default.conf
 
 # BATS (Bash Automated Testings)
 RUN git clone https://github.com/bats-core/bats-core.git /bats-core
-RUN git clone https://github.com/jasonkarns/bats-support /bats-support
-RUN git clone https://github.com/jasonkarns/bats-assert-1 /bats-assert
+RUN git clone https://github.com/bats-core/bats-support /bats-support
+RUN git clone https://github.com/bats-core/bats-assert /bats-assert
 RUN /bats-core/install.sh /usr/local
 
 EXPOSE 80 443
diff --git a/test/Dockerfile-centos7 b/test/Dockerfile-centos7
index 8a34bc5..02fbcb7 100644
--- a/test/Dockerfile-centos7
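Review bot: The new `git clone` lines fetch bats-support and bats-assert from the default branch head with no tag or commit pinned, so every image rebuild picks up whatever those repositories currently publish and a test result is not reproducible across builds; the same applies to the bats-core clone on the neighbouring context line and to the identical hunks in the other eight Dockerfiles of this patch. Pinning with `git clone --branch <pinned-tag> …`, or checking out a recorded commit after the clone, fixes the test-suite inputs.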
+++ b/test/Dockerfile-centos7
@@ -15,6 +15,6 @@ COPY ./test/test-config/nginx-centos7.conf /etc/nginx/nginx.conf
 
 # BATS (Bash Automated Testings)
 RUN git clone https://github.com/bats-core/bats-core.git /bats-core
-RUN git clone https://github.com/jasonkarns/bats-support /bats-support
-RUN git clone https://github.com/jasonkarns/bats-assert-1 /bats-assert
+RUN git clone https://github.com/bats-core/bats-support /bats-support
+RUN git clone https://github.com/bats-core/bats-assert /bats-assert
 RUN /bats-core/install.sh /usr/local
diff --git a/test/Dockerfile-centos7-staging b/test/Dockerfile-centos7-staging
index 839ff76..899bf9b 100644
--- a/test/Dockerfile-centos7-staging
+++ b/test/Dockerfile-centos7-staging
@@ -18,8 +18,8 @@ COPY ./test/test-config/nginx-centos7.conf /etc/nginx/nginx.conf
 
 # BATS (Bash Automated Testings)
 RUN git clone https://github.com/bats-core/bats-core.git /bats-core
-RUN git clone https://github.com/jasonkarns/bats-support /bats-support
-RUN git clone https://github.com/jasonkarns/bats-assert-1 /bats-assert
+RUN git clone https://github.com/bats-core/bats-support /bats-support
+RUN git clone https://github.com/bats-core/bats-assert /bats-assert
 RUN /bats-core/install.sh /usr/local
 
 EXPOSE 80 443
diff --git a/test/Dockerfile-debian b/test/Dockerfile-debian
index 95ebbac..b5da5dd 100644
--- a/test/Dockerfile-debian
+++ b/test/Dockerfile-debian
@@ -12,8 +12,8 @@ RUN mkdir /etc/nginx/pki/private
 
 # BATS (Bash Automated Testings)
 RUN git clone https://github.com/bats-core/bats-core.git /bats-core
-RUN git clone https://github.com/jasonkarns/bats-support /bats-support
-RUN git clone https://github.com/jasonkarns/bats-assert-1 /bats-assert
+RUN git clone https://github.com/bats-core/bats-support /bats-support
+RUN git clone https://github.com/bats-core/bats-assert /bats-assert
 RUN /bats-core/install.sh /usr/local
 
 # Run eternal loop - for testing
diff --git a/test/Dockerfile-ubuntu b/test/Dockerfile-ubuntu
index 290100d..720f0b0 100644
--- a/test/Dockerfile-ubuntu
+++ b/test/Dockerfile-ubuntu
@@ -15,8 +15,8 @@ RUN touch /root/.rnd
 
 # BATS (Bash Automated Testings)
 RUN git clone https://github.com/bats-core/bats-core.git /bats-core
-RUN git clone https://github.com/jasonkarns/bats-support /bats-support
-RUN git clone https://github.com/jasonkarns/bats-assert-1 /bats-assert
+RUN git clone https://github.com/bats-core/bats-support /bats-support
+RUN git clone https://github.com/bats-core/bats-assert /bats-assert
 RUN /bats-core/install.sh /usr/local
 
 # Run eternal loop - for testing
diff --git a/test/Dockerfile-ubuntu-staging b/test/Dockerfile-ubuntu-staging
index 0bdc1f8..84022ca 100644
--- a/test/Dockerfile-ubuntu-staging
+++ b/test/Dockerfile-ubuntu-staging
@@ -17,8 +17,8 @@ RUN touch /root/.rnd
 
 # BATS (Bash Automated Testings)
 RUN git clone https://github.com/bats-core/bats-core.git /bats-core
-RUN git clone https://github.com/jasonkarns/bats-support /bats-support
-RUN git clone https://github.com/jasonkarns/bats-assert-1 /bats-assert
+RUN git clone https://github.com/bats-core/bats-assert /bats-assert
+RUN git clone https://github.com/bats-core/bats-assert /bats-assert
 RUN /bats-core/install.sh /usr/local
 
 # Run eternal loop - for testing
diff --git a/test/Dockerfile-ubuntu16 b/test/Dockerfile-ubuntu16
index 958bb6f..030d03a 100644
--- a/test/Dockerfile-ubuntu16
+++ b/test/Dockerfile-ubuntu16
@@ -17,8 +17,8 @@ COPY ./test/test-config/nginx-ubuntu-no-ssl /etc/nginx/sites-enabled/default
 
 # BATS (Bash Automated Testings)
 RUN git clone https://github.com/bats-core/bats-core.git /bats-core
-RUN git clone https://github.com/jasonkarns/bats-support /bats-support
-RUN git clone https://github.com/jasonkarns/bats-assert-1 /bats-assert
+RUN git clone https://github.com/bats-core/bats-support /bats-support
+RUN git clone https://github.com/bats-core/bats-assert /bats-assert
 RUN /bats-core/install.sh /usr/local
 
 # Run eternal loop - for testing
diff --git a/test/Dockerfile-ubuntu18 b/test/Dockerfile-ubuntu18
index ebe7607..1d68cd3 100644
--- a/test/Dockerfile-ubuntu18
+++ b/test/Dockerfile-ubuntu18
@@ -17,8 +17,8 @@ RUN touch /root/.rnd
 
 # BATS (Bash Automated Testings)
 RUN git clone https://github.com/bats-core/bats-core.git /bats-core
-RUN git clone https://github.com/jasonkarns/bats-support /bats-support
-RUN git clone https://github.com/jasonkarns/bats-assert-1 /bats-assert
+RUN git clone https://github.com/bats-core/bats-support /bats-support
+RUN git clone https://github.com/bats-core/bats-assert /bats-assert
 RUN /bats-core/install.sh /usr/local
 
 EXPOSE 80 443

From ac5ef3301107a6e42ebfc105dac405d8bfaf7a52 Mon Sep 17 00:00:00 2001
From: Tim Kimber
Date: Sat, 18 Apr 2020 15:12:40 +0100
Subject: [PATCH 09/12] Cleanup after test succeeds

---
 test/11-test--install.bats | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/test/11-test--install.bats b/test/11-test--install.bats
index 0b5bbc7..6949d25 100644
--- a/test/11-test--install.bats
+++ b/test/11-test--install.bats
@@ -18,8 +18,10 @@ setup() {
     CONFIG_FILE="getssl-http01.cfg"
     setup_environment
+
+    # Fail if not running in docker and /etc/getssl already exists
+    refute [ -d /etc/getssl ]
+
     # Create /etc/getssl/$DOMAIN
-    rm -rf /etc/getssl
     mkdir -p /etc/getssl/${GETSSL_CMD_HOST}
+
     # Copy the config file to /etc/getssl
@@ -40,19 +42,12 @@ setup() {
 
 
 @test "Check that --install doesn't call the ACME server" {
+    # NOTE that this test depends on the previous test!
     if [ -n "$STAGING" ]; then
         skip "Using staging server, skipping internal test"
     fi
 
     CONFIG_FILE="getssl-http01.cfg"
-    #setup_environment
-
-    # Create /etc/getssl/$DOMAIN
-    #mkdir -p /etc/getssl/${GETSSL_CMD_HOST}
-
-    # Copy the config file to /etc/getssl
-    #cp "${CODE_DIR}/test/test-config/${CONFIG_FILE}" "/etc/getssl/${GETSSL_CMD_HOST}/getssl.cfg"
-    #cp "${CODE_DIR}/test/test-config/getssl-etc-template.cfg" "/etc/getssl/getssl.cfg"
 
     # Run getssl
     run ${CODE_DIR}/getssl --install "$GETSSL_C
MD_HOST"
@@ -66,4 +61,7 @@ setup() {
     assert_line --partial 'copying domain certificate to'
     assert_line --partial 'copying private key to'
     assert_line --partial 'copying CA certificate to'
+
+    # Cleanup previous test
+    rm -rf /etc/getssl
 }

From 43b82e4fc39f024d05a30abe36df62a9c10a430d Mon Sep 17 00:00:00 2001
From: Tim Kimber
Date: Sat, 18 Apr 2020 15:31:48 +0100
Subject: [PATCH 10/12] Fix cut&paste error

---
 test/Dockerfile-ubuntu-staging | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/Dockerfile-ubuntu-staging b/test/Dockerfile-ubuntu-staging
index 84022ca..552f096 100644
--- a/test/Dockerfile-ubuntu-staging
+++ b/test/Dockerfile-ubuntu-staging
@@ -17,7 +17,7 @@ RUN touch /root/.rnd
 
 # BATS (Bash Automated Testings)
 RUN git clone https://github.com/bats-core/bats-core.git /bats-core
-RUN git clone https://github.com/bats-core/bats-assert /bats-assert
+RUN git clone https://github.com/bats-core/bats-support /bats-support
 RUN git clone https://github.com/bats-core/bats-assert /bats-assert
 RUN /bats-core/install.sh /usr/local
 

From d8bf2fa14936912071b6069705daf0d02066aabc Mon Sep 17 00:00:00 2001
From: Tim Kimber
Date: Sun, 19 Apr 2020 14:13:29 +0100
Subject: [PATCH 11/12] Remove dependency on seq, ensure clean_up doesn't try to delete /tmp

---
 getssl | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
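Review bot: The `rm -rf /etc/getssl` added at the end of the second test only runs when every assertion before it has passed, because a failing bats assertion aborts the test; after one failure /etc/getssl is left behind and the `refute [ -d /etc/getssl ]` guard added to the first test then fails on every following run until someone cleans up by hand. Since the second test depends on the first, a per-test `teardown()` cannot hold the cleanup; a file-level teardown (`teardown_file()`, if the bats-core revision installed in the test images provides it) or a cleanup step in the runner script would make the removal unconditional. The new comment could also say what is reused, e.g. `# NOTE: relies on /etc/getssl and the certificate issued by the previous test`.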
diff --git a/getssl b/getssl
index bcaa37f..0fd4431 100755
--- a/getssl
+++ b/getssl
@@ -222,11 +222,12 @@
 # 2020-03-30 Fix problems if domain name isn't in lowercase (2.22)
 # 2020-04-16 Add alternative working dirs '/etc/getssl/' '${PROGDIR}/conf' '${PROGDIR}/.getssl'
 # 2020-04-16 Add -i|--install command line option (2.23)
+# 2020-04-19 Remove dependency on seq, ensure clean_up doesn't try to delete /tmp (2.24)
 # ----------------------------------------------------------------------------------------
 
 PROGNAME=${0##*/}
 PROGDIR="$(cd "$(dirname "$0")" || exit; pwd -P;)"
-VERSION="2.23"
+VERSION="2.24"
 
 # defaults
 ACCOUNT_KEY_LENGTH=4096
@@ -633,7 +634,11 @@ clean_up() { # Perform pre-exit housekeeping
     shopt -u nullglob
   fi
   if [[ -n "$DOMAIN_DIR" ]]; then
-    rm -rf "${TEMP_DIR:?}"
+    if [ "${TEMP_DIR}" -ef "/tmp" ]; then
+      info "Not going to delete TEMP_DIR ${TEMP_DIR} as it appears to be /tmp"
+    else
+      rm -rf "${TEMP_DIR:?}"
+    fi
   fi
   if [[ -n "$TEMP_UPGRADE_FILE" ]] && [[ -f "$TEMP_UPGRADE_FILE" ]]; then
     rm -f "$TEMP_UPGRADE_FILE"
@@ -2299,10 +2304,8 @@ fi
 # Test working directory candidates if unset. Last candidate defaults (~/getssl/)
 if [[ -z "${WORKING_DIR}" ]]
 then
-  for WDCC in $(seq 0 $((${#WORKING_DIR_CANDIDATES[@]}-1)) )
+  for WORKING_DIR in "${WORKING_DIR_CANDIDATES[@]}"
   do
-    WORKING_DIR="$(eval echo "${WORKING_DIR_CANDIDATES[$WDCC]}")"
-
     debug "Testing working dir location '${WORKING_DIR}'"
     if [[ -s "$WORKING_DIR/getssl.cfg" ]]
     then

From 462573c8ba17d82730ac69de9b201b377eb7f96d Mon Sep 17 00:00:00 2001
From: Tim Kimber
Date: Sun, 19 Apr 2020 14:13:55 +0100
Subject: [PATCH 12/12] Test if DOMAIN_STORAGE is "/" clean_up doesn't delete /tmp

---
 test/11-test-no-domain-storage.bats                  | 19 ++++++++++++
 .../getssl-http01-no-domain-storage.cfg              | 31 +++++++++++++++++++
 2 files changed, 50 insertions(+)
 create mode 100644 test/11-test-no-domain-storage.bats
 create mode 100644 test/test-config/getssl-http01-no-domain-storage.cfg
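Review bot: `[ "${TEMP_DIR}" -ef "/tmp" ]` in clean_up special-cases one directory only; any other TEMP_DIR that resolves outside the domain storage is still removed with `rm -rf`, and `-ef` is false when TEMP_DIR does not exist, so the guard catches exactly the case the accompanying test exercises and nothing more. The surrounding clean_up code uses `[[ ]]` (`if [[ -n "$DOMAIN_DIR" ]]; then` two lines up), so for consistency write `if [[ "${TEMP_DIR}" -ef /tmp ]]; then`. A comment above the test explaining how /tmp can be reached, e.g. `# with DOMAIN_STORAGE="/" TEMP_DIR resolves to the system /tmp`, would justify the check for the next reader; how TEMP_DIR is derived from DOMAIN_STORAGE is outside this hunk.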
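Review bot: The rewritten loop accepts the first candidate that holds a non-empty getssl.cfg, and `${PROGDIR}/conf` and `${PROGDIR}/.getssl` are listed before `${HOME}/.getssl` in WORKING_DIR_CANDIDATES, so a getssl.cfg placed in the script's own directory takes precedence over the user's configuration, and that file carries executable settings such as RELOAD_CMD (see the test configs in this series). This deserves a comment at the loop, e.g. `# Candidates are probed in order; script-relative directories win over $HOME, so PROGDIR must not be writable by other users`, and optionally an ownership check on the accepted file (`[[ -O "$WORKING_DIR/getssl.cfg" ]]`) if the project prefers to enforce the rule rather than document it. `for WORKING_DIR in …` also leaves WORKING_DIR at the last candidate when none matches, which is the intended default but is only distinguishable from a hit by the `break`, so the same comment should state it.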
diff --git a/test/11-test-no-domain-storage.bats b/test/11-test-no-domain-storage.bats
new file mode 100644
index 0000000..cefac3f
--- /dev/null
+++ b/test/11-test-no-domain-storage.bats
@@ -0,0 +1,19 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+@test "Check that if domain storage isn't set getssl doesn't try to delete /tmp" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+    CONFIG_FILE="getssl-http01-no-domain-storage.cfg"
+    setup_environment
+    mkdir ${INSTALL_DIR}/.getssl
+    cp "${CODE_DIR}/test/test-config/${CONFIG_FILE}" "${INSTALL_DIR}/.getssl/getssl.cfg"
+    run ${CODE_DIR}/getssl -a
+    assert_success
+    assert_line 'Not going to delete TEMP_DIR ///tmp as it appears to be /tmp'
+}
diff --git a/test/test-config/getssl-http01-no-domain-storage.cfg b/test/test-config/getssl-http01-no-domain-storage.cfg
new file mode 100644
index 0000000..efa5318
--- /dev/null
+++ b/test/test-config/getssl-http01-no-domain-storage.cfg
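Review bot: `assert_line 'Not going to delete TEMP_DIR ///tmp as it appears to be /tmp'` pins the `///tmp` spelling that results from joining DOMAIN_STORAGE="/" with the tmp sub-path rather than the property under test; if the path construction is ever normalised the guard keeps working but this test fails. `assert_line --partial 'as it appears to be /tmp'` checks the behaviour without the join artefact, and an `assert [ -d /tmp ]` after the run verifies directly that /tmp survived clean_up. `mkdir ${INSTALL_DIR}/.getssl` and `run ${CODE_DIR}/getssl -a` should be quoted like the `cp` line between them.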
@@ -0,0 +1,31 @@
+# Uncomment and modify any variables you need
+# see https://github.com/srvrco/getssl/wiki/Config-variables for details
+# see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
+#
+CA="https://pebble:14000/dir"
+
+# Additional domains - this could be multiple domains / subdomains in a comma separated list
+SANS=""
+
+# Acme Challenge Location.
+ACL=('/var/www/html/.well-known/acme-challenge')
+
+#Set USE_SINGLE_ACL="true" to use a single ACL for all checks
+USE_SINGLE_ACL="false"
+
+# Location for all your certs, these can either be on the server (full path name)
+# or using ssh /sftp as for the ACL
+DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
+DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
+CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
+DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
+DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
+
+# The command needed to reload apache / nginx or whatever you use
+RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
+
+# Define the server type and confirm correct certificate is installed
+SERVER_TYPE="https"
+CHECK_REMOTE="true"
+
+DOMAIN_STORAGE="/"