Improved test script (http01 and dns01)

Author: timkimber

dns_scripts/dns_add_challtestsrv

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+# Simple script to update the challtestserv mock DNS server when testing DNS responses
+
+fulldomain="${1}"
+token="${2}"
+
+curl -X POST -d "{\"host\":\"_acme-challenge.${fulldomain}.\", \"value\": \"${token}\"}" http://10.30.50.3:8055/set-txt

dns_scripts/dns_del_challtestsrv

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+# Simple script to update the challtestserv mock DNS server when testing DNS responses
+
+fulldomain="${1}"
+
+curl -X POST -d "{\"host\":\"_acme-challenge.${fulldomain}.\"}" http://10.30.50.3:8055/clear-txt

docker-compose.yml

@@ -3,7 +3,7 @@ services:
   pebble:
     image: letsencrypt/pebble:latest
     # TODO enable -strict
-    command: pebble -config /test/config/pebble-config.json
+    command: pebble -config /test/config/pebble-config.json -dnsserver 10.30.50.3:8053
     environment:
       # with Go 1.13.x which defaults TLS 1.3 to on
       GODEBUG: "tls13=1"
@@ -13,10 +13,18 @@ services:
     networks:
       acmenet:
         ipv4_address: 10.30.50.2
+  challtestsrv:
+    image: letsencrypt/pebble-challtestsrv:latest
+    command: pebble-challtestsrv -defaultIPv6 "" -defaultIPv4 10.30.50.3
+    ports:
+      - 8055:8055  # HTTP Management API
+    networks:
+      acmenet:
+        ipv4_address: 10.30.50.3
   getssl:
     build:
       context: .
-      dockerfile: test/Dockerfile
+      dockerfile: test/Dockerfile-ubuntu
     container_name: getssl
     volumes:
       - .:/getssl

getssl

@@ -288,7 +288,8 @@ check_challenge_completion() { # checks with the ACME server if our challenge is
     fi
   else # APIv2
     if [[ -n "$code" ]] && [[ ! "$code" == '200' ]] ; then
-      error_exit "$domain:Challenge error: $code"
+      detail=$(json_get "$response" detail)
+      error_exit "$domain:Challenge error: $code:Detail: $detail"
     fi
   fi
 
@@ -1323,7 +1324,6 @@ set_server_type() { # uses SERVER_TYPE to set REMOTE_PORT and REMOTE_EXTRA
     REMOTE_PORT=636
   elif [[ ${SERVER_TYPE} =~ ^[0-9]+$ ]]; then
     REMOTE_PORT=${SERVER_TYPE}
-    REMOTE_EXTRA="CUSTOM-HTTP-PORT"
   else
     info "${DOMAIN}: unknown server type \"$SERVER_TYPE\" in SERVER_TYPE"
     config_errors=true
@@ -2282,11 +2282,7 @@ for d in $alldomains; do
       done
       umask "$ORIG_UMASK"
 
-      if [[ "$REMOTE_EXTRA" = "CUSTOM-HTTP-PORT" ]]; then
-        wellknown_url="${CHALLENGE_CHECK_TYPE}://${d}:${REMOTE_PORT}/.well-known/acme-challenge/$token"
-      else
-        wellknown_url="${CHALLENGE_CHECK_TYPE}://${d}/.well-known/acme-challenge/$token"
-      fi
+      wellknown_url="${CHALLENGE_CHECK_TYPE}://${d}/.well-known/acme-challenge/$token"
       debug wellknown_url "$wellknown_url"
 
       if [[ "$SKIP_HTTP_TOKEN_CHECK" == "true" ]]; then
@@ -2522,13 +2518,17 @@ fi
 if [[ ${CHECK_REMOTE} == "true" ]]; then
   sleep "$CHECK_REMOTE_WAIT"
   # shellcheck disable=SC2086
+  debug openssl s_client -servername "${DOMAIN}" -connect "${DOMAIN}:${REMOTE_PORT}" ${REMOTE_EXTRA}
+
   CERT_REMOTE=$(echo \
     | openssl s_client -servername "${DOMAIN}" -connect "${DOMAIN}:${REMOTE_PORT}" ${REMOTE_EXTRA} 2>/dev/null \
     | openssl x509 -noout -fingerprint 2>/dev/null)
   CERT_LOCAL=$(openssl x509 -noout -fingerprint < "$CERT_FILE" 2>/dev/null)
   if [[ "$CERT_LOCAL" == "$CERT_REMOTE" ]]; then
     info "${DOMAIN} - certificate installed OK on server"
   else
+    debug Fingerprint on server ${CERT_REMOTE}
+    debug Fingerprint in file ${CERT_LOCAL}
     error_exit "${DOMAIN} - certificate obtained but certificate on server is different from the new certificate"
   fi
 fi

test/Dockerfile-rhel6

@@ -0,0 +1,27 @@
+FROM roboxes/rhel6
+# FROM centos:centos6
+# bionic = latest 18 version
+
+# Update and install required software
+RUN yum -y update
+RUN yum -y install epel-release
+RUN yum -y install git curl dnsutils wget # nginx-light
+
+WORKDIR /root
+#RUN mkdir /etc/nginx/pki
+#RUN mkdir /etc/nginx/pki/private
+#COPY ./test/test-config/nginx-ubuntu-sites-enabled-default /etc/nginx/sites-enabled/default
+
+# BATS (Bash Automated Testings)
+# RUN git clone https://github.com/bats-core/bats-core.git
+# RUN bats-core/install.sh /usr/local
+
+EXPOSE 80 443
+
+# Run eternal loop - for testing
+CMD ["/bin/bash", "-c", "while :; do sleep 10; done"]
+
+# with Pebble
+# docker-compose -f "docker-compose.yml" up -d --build
+# docker exec -it getssl /bin/bash
+# /getssl/test/run-test.sh

test/Dockerfile test/Dockerfile-ubuntutest/Dockerfile renamed to test/Dockerfile-ubuntu

@@ -1,30 +1,28 @@
-FROM ubuntu:bionic
+FROM ubuntu:xenial
 # bionic = latest 18 version
 
 # Update and install required software
 RUN apt-get update
 # TODO work out why default version of awk fails
-RUN apt-get install -y git curl dnsutils wget linux-libc-dev make gcc binutils nginx-light gawk
+RUN apt-get install -y git curl dnsutils wget gawk nginx-light # linux-libc-dev make gcc binutils
 RUN apt-get install -y vim dos2unix # for debugging
 # TODO test with drill, dig, host
 
 WORKDIR /root
 RUN mkdir /etc/nginx/pki
 RUN mkdir /etc/nginx/pki/private
-COPY ./test/test-config/nginx-ubuntu-sites-enabled-default /etc/nginx/sites-enabled/default
+COPY ./test/test-config/nginx-ubuntu-no-ssl /etc/nginx/sites-enabled/default
 
 # BATS (Bash Automated Testings)
 # RUN git clone https://github.com/bats-core/bats-core.git
 # RUN bats-core/install.sh /usr/local
 
-COPY test/test-config/getssl-ubuntu.cfg getssl.cfg
-
 EXPOSE 80 443
 
 # Run eternal loop - for testing
 CMD ["/bin/bash", "-c", "while :; do sleep 10; done"]
 
 # with Pebble
-# docker-compose -f "test\docker-compose.yml" up -d --build
-# docker exec -it test_getssl /bin/bash
+# docker-compose -f "docker-compose.yml" up -d --build
+# docker exec -it getssl /bin/bash
 # /getssl/test/run-test.sh

test/run-test.sh

@@ -1,9 +1,47 @@
-#! /bin/sh
+#! /bin/bash
+
+set -e
+
+# Test setup
+rm -r /root/.getssl
 
 wget --no-clobber https://raw.githubusercontent.com/letsencrypt/pebble/master/test/certs/pebble.minica.pem
-export CURL_CA_BUNDLE=/root/pebble.minica.pem
+# cat /etc/pki/tls/certs/ca-bundle.crt /root/pebble.minica.pem > /root/pebble-ca-bundle.crt
+cat /etc/ssl/certs/ca-certificates.crt /root/pebble.minica.pem > /root/pebble-ca-bundle.crt
+export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+
+curl -X POST -d '{"host":"getssl", "addresses":["10.30.50.4"]}' http://10.30.50.3:8055/add-a
+
+# Test #1 - http-01 verification
+echo Test \#1 - http-01 verification
 
-service nginx start
+cp /getssl/test/test-config/nginx-ubuntu-no-ssl /etc/nginx/sites-enabled/default
+service nginx restart
 /getssl/getssl -c getssl
-cp getssl.cfg /root/.getssl/getssl
+cp /getssl/test/test-config/getssl-http01.cfg /root/.getssl/getssl/getssl.cfg
+/getssl/getssl -f getssl
+
+# Test #2 - http-01 forced renewal
+echo Test \#2 - http-01 forced renewal
+
+sleep 5  # There's a race condition if renew too soon (authlink returns "valid" instead of "pending")
+/getssl/getssl getssl -f
+
+# Test cleanup
+
+rm -r /root/.getssl
+
+# Test #3 - dns-01 verification
+echo Test \#3 - dns-01 verification
+
+cp /getssl/test/test-config/nginx-ubuntu-no-ssl /etc/nginx/sites-enabled/default
+service nginx restart
+/getssl/getssl -c getssl
+cp /getssl/test/test-config/getssl-dns01.cfg /root/.getssl/getssl/getssl.cfg
 /getssl/getssl getssl
+
+# Test #4 - dns-01 forced renewal
+echo Test \#4 - dns-01 forced renewal
+
+sleep 5  # There's a race condition if renew too soon (authlink returns "valid" instead of "pending")
+/getssl/getssl getssl -f

test/test-config/getssl-dns01.cfg

@@ -0,0 +1,54 @@
+# Uncomment and modify any variables you need
+# see https://github.com/srvrco/getssl/wiki/Config-variables for details
+# see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
+#
+# The staging server is best for testing
+#CA="https://acme-staging.api.letsencrypt.org"
+# This server issues full certificates, however has rate limits
+#CA="https://acme-v01.api.letsencrypt.org"
+CA="https://pebble:14000/dir"
+
+VALIDATE_VIA_DNS=true
+DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv"
+DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv"
+# AUTH_DNS_SERVER=10.30.50.3
+
+#PRIVATE_KEY_ALG="rsa"
+
+# Additional domains - this could be multiple domains / subdomains in a comma separated list
+# Note: this is Additional domains - so should not include the primary domain.
+SANS=""
+
+# Acme Challenge Location. The first line for the domain, the following ones for each additional domain.
+# If these start with ssh: then the next variable is assumed to be the hostname and the rest the location.
+# An ssh key will be needed to provide you with access to the remote server.
+# Optionally, you can specify a different userid for ssh/scp to use on the remote server before the @ sign.
+# If left blank, the username on the local server will be used to authenticate against the remote server.
+# If these start with ftp: then the next variables are ftpuserid:ftppassword:servername:ACL_location
+# These should be of the form "/path/to/your/website/folder/.well-known/acme-challenge"
+# where "/path/to/your/website/folder/" is the path, on your web server, to the web root for your domain.
+ACL=('/var/www/html/.well-known/acme-challenge')
+#     'ssh:server5:/var/www/getssltest.hopto.org/web/.well-known/acme-challenge'
+#     'ssh:sshuserid@server5:/var/www/getssltest.hopto.org/web/.well-known/acme-challenge'
+#     'ftp:ftpuserid:ftppassword:getssltest.hopto.org:/web/.well-known/acme-challenge')
+
+#Set USE_SINGLE_ACL="true" to use a single ACL for all checks
+USE_SINGLE_ACL="false"
+
+# Location for all your certs, these can either be on the server (full path name)
+# or using ssh /sftp as for the ACL
+DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
+DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
+CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
+DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
+DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
+
+# The command needed to reload apache / nginx or whatever you use
+RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl /etc/nginx/sites-enabled/default && service nginx restart"
+
+# Define the server type. This can be https, ftp, ftpi, imap, imaps, pop3, pop3s, smtp,
+# smtps_deprecated, smtps, smtp_submission, xmpp, xmpps, ldaps or a port number which
+# will be checked for certificate expiry and also will be checked after
+# an update to confirm correct certificate is running (if CHECK_REMOTE) is set to true
+#SERVER_TYPE="https"
+#CHECK_REMOTE="true"

test/test-config/getssl-ubuntu.cfg test/test-config/getssl-http01.cfgtest/test-config/getssl-ubuntu.cfg renamed to test/test-config/getssl-http01.cfg

@@ -7,7 +7,11 @@
 # This server issues full certificates, however has rate limits
 #CA="https://acme-v01.api.letsencrypt.org"
 CA="https://pebble:14000/dir"
-SERVER_TYPE="5002"
+
+#VALIDATE_VIA_DNS=true
+#DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv"
+#DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv"
+
 #PRIVATE_KEY_ALG="rsa"
 
 # Additional domains - this could be multiple domains / subdomains in a comma separated list
@@ -39,7 +43,7 @@ DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
 DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
 
 # The command needed to reload apache / nginx or whatever you use
-RELOAD_CMD="service nginx restart"
+RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl /etc/nginx/sites-enabled/default && service nginx restart"
 
 # Define the server type. This can be https, ftp, ftpi, imap, imaps, pop3, pop3s, smtp,
 # smtps_deprecated, smtps, smtp_submission, xmpp, xmpps, ldaps or a port number which

…onfig/nginx-ubuntu-sites-enabled-default test/test-config/nginx-ubuntu-no-ssltest/test-config/nginx-ubuntu-sites-enabled-default renamed to test/test-config/nginx-ubuntu-no-ssl test/test-config/nginx-ubuntu-sites-enabled-default renamed to test/test-config/nginx-ubuntu-no-ssl

@@ -14,13 +14,18 @@
 # Default server configuration
 #
 server {
+	listen 80 default_server;
 	listen 5002 default_server;
 	listen [::]:5002 default_server;
 
 	# SSL configuration
 	#
-	listen 5001 ssl default_server;
-	listen [::]:5001 ssl default_server;
+	listen 443 default_server;
+	listen [::]:443 default_server;
+
+	listen 5001 default_server;
+	listen [::]:5001 default_server;
+
 	#
 	# Note: You should disable gzip for SSL traffic.
 	# See: https://bugs.debian.org/773332