Merge pull request #472 from srvrco/pre-2.15

timkimber · web-flow · commit 6444dfc42468 · 2020-01-10T19:26:13.000Z
Update templates to ACMEv2 endpoints
diff --git a/getssl b/getssl
@@ -193,7 +193,9 @@
 # 2019-11-22 #456 Fix shellcheck issues
 # 2019-11-23 #459 Fix missing chain.crt
 # 2019-12-18 #462 Use POST-as-GET for ACMEv2 endpoints
-# 2020-01-07 #464 and #486 "json was blank" (change all curl request to use POST-as-GET) (2.15)
+# 2020-01-07 #464 and #486 "json was blank" (change all curl request to use POST-as-GET)
+# 2020-01-08 Error and exit if rate limited, exit if curl returns nothing
+# 2020-01-10 Change domain and getssl templates to v2 (2.15)
 # ----------------------------------------------------------------------------------------
 
 PROGNAME=${0##*/}
@@ -212,7 +214,7 @@ CODE_LOCATION="https://raw.githubusercontent.com/srvrco/getssl/master/getssl"
 CSR_SUBJECT="/"
 CURL_USERAGENT="${PROGNAME}/${VERSION}"
 DEACTIVATE_AUTH="false"
-DEFAULT_REVOKE_CA="https://acme-v01.api.letsencrypt.org"
+DEFAULT_REVOKE_CA="https://acme-v02.api.letsencrypt.org"
 DNS_EXTRA_WAIT=""
 DNS_WAIT=10
 DOMAIN_KEY_LENGTH=4096
@@ -1566,7 +1568,7 @@ write_domain_template() { # write out a template file for a domain.
 	# The staging server is best for testing
 	#CA="https://acme-staging-v02.api.letsencrypt.org/directory"
 	# This server issues full certificates, however has rate limits
-	#CA="https://acme-v01.api.letsencrypt.org"
+	#CA="https://acme-v02.api.letsencrypt.org"
 
 	#PRIVATE_KEY_ALG="rsa"
 
@@ -1619,7 +1621,7 @@ write_getssl_template() { # write out the main template file
 	# The staging server is best for testing (hence set as default)
 	CA="https://acme-staging-v02.api.letsencrypt.org/directory"
 	# This server issues full certificates, however has rate limits
-	#CA="https://acme-v01.api.letsencrypt.org"
+	#CA="https://acme-v02.api.letsencrypt.org"
 
 	#AGREEMENT="$AGREEMENT"
 
@@ -2021,7 +2023,7 @@ if [[ -s "$CERT_FILE" ]]; then
     enddate_s=$(date_epoc "$enddate")
     if [[ $(date_renew) -lt "$enddate_s" ]] && [[ $_FORCE_RENEW -ne 1 ]]; then
       issuer=$(openssl x509 -in "$CERT_FILE" -noout -issuer 2>/dev/null)
-      if [[ "$issuer" == *"Fake LE Intermediate"* ]] && [[ "$CA" == "https://acme-v01.api.letsencrypt.org" ]]; then
+      if [[ "$issuer" == *"Fake LE Intermediate"* ]] && [[ "$CA" == "https://acme-v02.api.letsencrypt.org" ]]; then
         debug "upgrading from fake cert to real"
       else
         info "${DOMAIN}: certificate is valid for more than $RENEW_ALLOW days (until $enddate)"
diff --git a/test/Dockerfile-rhel6 b/test/Dockerfile-rhel6
@@ -20,8 +20,3 @@ EXPOSE 80 443
 
 # Run eternal loop - for testing
 CMD ["/bin/bash", "-c", "while :; do sleep 10; done"]
-
-# with Pebble
-# docker-compose -f "docker-compose.yml" up -d --build
-# docker exec -it getssl /bin/bash
-# /getssl/test/run-test.sh
diff --git a/test/Dockerfile-ubuntu b/test/Dockerfile-ubuntu
@@ -21,8 +21,3 @@ EXPOSE 80 443
 
 # Run eternal loop - for testing
 CMD ["/bin/bash", "-c", "while :; do sleep 10; done"]
-
-# with Pebble
-# docker-compose -f "docker-compose.yml" up -d --build
-# docker exec -it getssl /bin/bash
-# /getssl/test/run-test.sh
diff --git a/test/README.md b/test/README.md
@@ -0,0 +1,20 @@
+# Testing
+
+This directory contains a simple test script which tests creating certificates with Pebble (testing version of the LetsEncrypt server)
+
+Start up pebble, the challdnstest server for DNS challenges
+`docker-compose -f "docker-compose.yml" up -d --build`
+
+Run the tests
+`docker exec -it getssl /getssl/test/run-test.sh`
+
+Debug (need to set CURL_CA_BUNDLE as pebble uses a local certificate, otherwise you get a "unknown API version" error)
+`docker exec -it getssl /bin/bash`
+`export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt`
+`/getssl/getssl -d getssl`
+
+# TODO
+1. Move to BATS (bash automated testing) instead of run-test.sh
+2. Test RHEL6, Debian as well
+3. Test SSH, SFTP
+4. Test wildcards
diff --git a/test/run-test.sh b/test/run-test.sh
@@ -3,7 +3,9 @@
 set -e
 
 # Test setup
-rm -r /root/.getssl
+if [[ -d /root/.getssl ]]; then
+    rm -r /root/.getssl
+fi
 
 wget --no-clobber https://raw.githubusercontent.com/letsencrypt/pebble/master/test/certs/pebble.minica.pem
 # cat /etc/pki/tls/certs/ca-bundle.crt /root/pebble.minica.pem > /root/pebble-ca-bundle.crt
@@ -24,11 +26,12 @@ cp /getssl/test/test-config/getssl-http01.cfg /root/.getssl/getssl/getssl.cfg
 # Test #2 - http-01 forced renewal
 echo Test \#2 - http-01 forced renewal
 
-sleep 5  # There's a race condition if renew too soon (authlink returns "valid" instead of "pending")
+# There's a race condition if renew too soon (authlink returns "valid" instead of "pending")
+echo Sleeping 20s to allow previous validation to expire
+sleep 20
 /getssl/getssl getssl -f
 
 # Test cleanup
-
 rm -r /root/.getssl
 
 # Test #3 - dns-01 verification
@@ -43,5 +46,8 @@ cp /getssl/test/test-config/getssl-dns01.cfg /root/.getssl/getssl/getssl.cfg
 # Test #4 - dns-01 forced renewal
 echo Test \#4 - dns-01 forced renewal
 
-sleep 5  # There's a race condition if renew too soon (authlink returns "valid" instead of "pending")
+# There's a race condition if renew too soon (authlink returns "valid" instead of "pending")
+echo Sleeping 30s to allow previous validation to expire
+sleep 30
+
 /getssl/getssl getssl -f
