]>
Commit | Line | Data |
---|---|---|
a4e7c43a LS |
1 | #!/bin/bash |
2 | ||
3 | # Fail early | |
4 | set -eu -o pipefail | |
5 | ||
6 | # Check if running in CI environment | |
7 | if [[ ! "${CI:-false}" == "true" ]]; then | |
8 | echo "ERROR: Not running in CI environment!" | |
9 | exit 1 | |
10 | fi | |
11 | ||
12 | _TEST() { | |
d3bc67eb | 13 | echo |
40556950 LS |
14 | echo "${1} " |
15 | } | |
16 | _SUBTEST() { | |
17 | echo -n " + ${1} " | |
a4e7c43a LS |
18 | } |
19 | _PASS() { | |
98fe9b34 LS |
20 | if [[ ! -z "$(cat errorlog)" ]]; then |
21 | _FAIL | |
22 | fi | |
40556950 | 23 | echo -e "[\u001B[32mPASS\u001B[0m]" |
a4e7c43a LS |
24 | } |
25 | _FAIL() { | |
26 | echo -e "[\u001B[31mFAIL\u001B[0m]" | |
27 | echo | |
28 | echo "Problem: ${@}" | |
29 | echo | |
30 | echo "STDOUT:" | |
31 | cat tmplog | |
32 | echo | |
33 | echo "STDERR:" | |
34 | cat errorlog | |
35 | exit 1 | |
36 | } | |
37 | _CHECK_FILE() { | |
d3bc67eb | 38 | _SUBTEST "Checking if file '${1}' exists..." |
40556950 LS |
39 | if [[ -e "${1}" ]]; then |
40 | _PASS | |
41 | else | |
42 | _FAIL "Missing file: ${1}" | |
43 | fi | |
a4e7c43a LS |
44 | } |
45 | _CHECK_LOG() { | |
d3bc67eb | 46 | _SUBTEST "Checking if log contains '${1}'..." |
40556950 LS |
47 | if grep -- "${1}" tmplog > /dev/null; then |
48 | _PASS | |
49 | else | |
50 | _FAIL "Missing in log: ${1}" | |
51 | fi | |
52 | } | |
341f5252 | 53 | _CHECK_NOT_LOG() { |
d3bc67eb | 54 | _SUBTEST "Checking if log doesn't contain '${1}'..." |
341f5252 LS |
55 | if grep -- "${1}" tmplog > /dev/null; then |
56 | _FAIL "Found in log: ${1}" | |
57 | else | |
58 | _PASS | |
59 | fi | |
60 | } | |
40556950 LS |
61 | _CHECK_ERRORLOG() { |
62 | _SUBTEST "Checking if errorlog is empty..." | |
63 | if [[ -z "$(cat errorlog)" ]]; then | |
64 | _PASS | |
65 | else | |
66 | _FAIL "Non-empty errorlog" | |
67 | fi | |
a4e7c43a LS |
68 | } |
69 | ||
70 | # If not found (should be cached in travis) download ngrok | |
71 | if [[ ! -e "ngrok/ngrok" ]]; then | |
72 | ( | |
73 | mkdir -p ngrok | |
ebe9ea3d | 74 | cd ngrok |
a4e7c43a LS |
75 | wget https://dl.ngrok.com/ngrok_2.0.19_linux_amd64.zip -O ngrok.zip |
76 | unzip ngrok.zip ngrok | |
77 | chmod +x ngrok | |
78 | ) | |
79 | fi | |
80 | ||
81 | # Run ngrok and grab temporary url from logfile | |
82 | ngrok/ngrok http 8080 --log stdout --log-format logfmt --log-level debug > tmp.log & | |
338ec308 | 83 | ngrok/ngrok http 8080 --log stdout --log-format logfmt --log-level debug > tmp2.log & |
a4e7c43a LS |
84 | sleep 2 |
85 | TMP_URL="$(grep -Eo "Hostname:[a-z0-9]+.ngrok.io" tmp.log | head -1 | cut -d':' -f2)" | |
338ec308 LS |
86 | TMP2_URL="$(grep -Eo "Hostname:[a-z0-9]+.ngrok.io" tmp2.log | head -1 | cut -d':' -f2)" |
87 | if [[ -z "${TMP_URL}" ]] || [[ -z "${TMP2_URL}" ]]; then | |
a4e7c43a LS |
88 | echo "Couldn't get an url from ngrok, not a letsencrypt.sh bug, tests can't continue." |
89 | exit 1 | |
90 | fi | |
91 | ||
92 | # Run python webserver in .acme-challenges directory to serve challenge responses | |
93 | mkdir -p .acme-challenges/.well-known/acme-challenge | |
94 | ( | |
95 | cd .acme-challenges | |
96 | python -m SimpleHTTPServer 8080 > /dev/null 2> /dev/null | |
97 | ) & | |
98 | ||
99 | # Generate config and create empty domains.txt | |
f6f77139 LS |
100 | echo 'CA="https://testca.kurz.pw/directory"' > config.sh |
101 | echo 'LICENSE="https://testca.kurz.pw/terms/v1"' >> config.sh | |
a4e7c43a | 102 | echo 'WELLKNOWN=".acme-challenges/.well-known/acme-challenge"' >> config.sh |
da2795d3 | 103 | echo 'RENEW_DAYS="14"' >> config.sh |
a4e7c43a LS |
104 | touch domains.txt |
105 | ||
106 | # Check if help command is working | |
107 | _TEST "Checking if help command is working..." | |
6a8f4482 | 108 | ./letsencrypt.sh --help > tmplog 2> errorlog || _FAIL "Script execution failed" |
a4e7c43a | 109 | _CHECK_LOG "Default command: help" |
40556950 LS |
110 | _CHECK_LOG "--help (-h)" |
111 | _CHECK_LOG "--domain (-d) domain.tld" | |
112 | _CHECK_ERRORLOG | |
a4e7c43a LS |
113 | |
114 | # Run in cron mode with empty domains.txt (should only generate private key and exit) | |
115 | _TEST "First run in cron mode, checking if private key is generated and registered" | |
6a8f4482 | 116 | ./letsencrypt.sh --cron > tmplog 2> errorlog || _FAIL "Script execution failed" |
a4e7c43a LS |
117 | _CHECK_LOG "Registering account key" |
118 | _CHECK_FILE "private_key.pem" | |
40556950 | 119 | _CHECK_ERRORLOG |
a4e7c43a LS |
120 | |
121 | # Temporarily move config out of the way and try signing certificate by using temporary config location | |
122 | _TEST "Try signing using temporary config location and with domain as command line parameter" | |
123 | mv config.sh tmp_config.sh | |
b57fd221 | 124 | ./letsencrypt.sh --cron --domain "${TMP_URL}" --domain "${TMP2_URL}" -f tmp_config.sh > tmplog 2> errorlog || _FAIL "Script execution failed" |
6a8f4482 | 125 | _CHECK_NOT_LOG "Checking domain name(s) of existing cert" |
a4e7c43a LS |
126 | _CHECK_LOG "Generating private key" |
127 | _CHECK_LOG "Requesting challenge for ${TMP_URL}" | |
338ec308 | 128 | _CHECK_LOG "Requesting challenge for ${TMP2_URL}" |
a4e7c43a LS |
129 | _CHECK_LOG "Challenge is valid!" |
130 | _CHECK_LOG "Creating fullchain.pem" | |
131 | _CHECK_LOG "Done!" | |
40556950 | 132 | _CHECK_ERRORLOG |
a4e7c43a LS |
133 | mv tmp_config.sh config.sh |
134 | ||
135 | # Move private key and add new location to config | |
136 | mv private_key.pem account_key.pem | |
137 | echo 'PRIVATE_KEY="./account_key.pem"' >> config.sh | |
138 | ||
139 | # Add domain to domains.txt and run in cron mode again (should find a non-expiring certificate and do nothing) | |
140 | _TEST "Run in cron mode again, this time with domain in domains.txt, should find non-expiring certificate" | |
338ec308 | 141 | echo "${TMP_URL} ${TMP2_URL}" >> domains.txt |
6a8f4482 LS |
142 | ./letsencrypt.sh --cron > tmplog 2> errorlog || _FAIL "Script execution failed" |
143 | _CHECK_LOG "Checking domain name(s) of existing cert... unchanged." | |
a4e7c43a | 144 | _CHECK_LOG "Skipping!" |
40556950 | 145 | _CHECK_ERRORLOG |
a4e7c43a | 146 | |
341f5252 LS |
147 | # Run in cron mode one last time, with domain in domains.txt and force-resign (should find certificate, resign anyway, and not generate private key) |
148 | _TEST "Run in cron mode one last time, with domain in domains.txt and force-resign" | |
6a8f4482 LS |
149 | ./letsencrypt.sh --cron --force > tmplog 2> errorlog || _FAIL "Script execution failed" |
150 | _CHECK_LOG "Checking domain name(s) of existing cert... unchanged." | |
2d097c92 | 151 | _CHECK_LOG "Ignoring because renew was forced!" |
341f5252 LS |
152 | _CHECK_NOT_LOG "Generating private key" |
153 | _CHECK_LOG "Requesting challenge for ${TMP_URL}" | |
338ec308 | 154 | _CHECK_LOG "Requesting challenge for ${TMP2_URL}" |
341f5252 LS |
155 | _CHECK_LOG "Challenge is valid!" |
156 | _CHECK_LOG "Creating fullchain.pem" | |
157 | _CHECK_LOG "Done!" | |
158 | _CHECK_ERRORLOG | |
159 | ||
a4e7c43a LS |
160 | # Delete account key (not needed anymore) |
161 | rm account_key.pem | |
162 | ||
85b3f191 LS |
163 | # Check if renewal works |
164 | _TEST "Run in cron mode again, to check if renewal works" | |
165 | echo 'RENEW_DAYS="300"' >> config.sh | |
166 | ./letsencrypt.sh --cron > tmplog 2> errorlog || _FAIL "Script execution failed" | |
167 | _CHECK_LOG "Checking domain name(s) of existing cert... unchanged." | |
168 | _CHECK_LOG "Renewing!" | |
169 | _CHECK_ERRORLOG | |
170 | ||
a4e7c43a LS |
171 | # Check if certificate is valid in various ways |
172 | _TEST "Verifying certificate..." | |
d3bc67eb LS |
173 | _SUBTEST "Verifying certificate on its own..." |
174 | openssl x509 -in "certs/${TMP_URL}/cert.pem" -noout -text > tmplog 2> errorlog && _PASS || _FAIL | |
a4e7c43a | 175 | _CHECK_LOG "CN=${TMP_URL}" |
338ec308 | 176 | _CHECK_LOG "${TMP2_URL}" |
d3bc67eb LS |
177 | _SUBTEST "Verifying file with full chain..." |
178 | openssl x509 -in "certs/${TMP_URL}/fullchain.pem" -noout -text > /dev/null 2>> errorlog && _PASS || _FAIL | |
179 | _SUBTEST "Verifying certificate against CA certificate..." | |
180 | (openssl verify -verbose -CAfile "certs/${TMP_URL}/fullchain.pem" -purpose sslserver "certs/${TMP_URL}/fullchain.pem" 2>&1 || true) | (grep -v ': OK$' || true) >> errorlog 2>> errorlog && _PASS || _FAIL | |
40556950 | 181 | _CHECK_ERRORLOG |
a4e7c43a LS |
182 | |
183 | # Revoke certificate using certificate key | |
184 | _TEST "Revoking certificate..." | |
6a8f4482 | 185 | ./letsencrypt.sh --revoke "certs/${TMP_URL}/cert.pem" --privkey "certs/${TMP_URL}/privkey.pem" > tmplog 2> errorlog || _FAIL "Script execution failed" |
c7018036 MG |
186 | REAL_CERT="$(readlink -n "certs/${TMP_URL}/cert.pem")" |
187 | _CHECK_LOG "Revoking certs/${TMP_URL}/${REAL_CERT}" | |
3dcfa8b4 | 188 | _CHECK_LOG "Done." |
c7018036 | 189 | _CHECK_FILE "certs/${TMP_URL}/${REAL_CERT}-revoked" |
40556950 | 190 | _CHECK_ERRORLOG |
a4e7c43a LS |
191 | |
192 | # All done | |
193 | exit 0 |