]>
Commit | Line | Data |
---|---|---|
1 | #!/usr/bin/env bash | |
2 | ||
3 | # Fail early | |
4 | set -eu -o pipefail | |
5 | ||
6 | # Check if running in CI environment | |
7 | if [[ ! "${CI:-false}" == "true" ]]; then | |
8 | echo "ERROR: Not running in CI environment!" | |
9 | exit 1 | |
10 | fi | |
11 | ||
12 | _TEST() { | |
13 | echo | |
14 | echo "${1} " | |
15 | } | |
16 | _SUBTEST() { | |
17 | echo -n " + ${1} " | |
18 | } | |
19 | _PASS() { | |
20 | echo -e "[\u001B[32mPASS\u001B[0m]" | |
21 | } | |
22 | _FAIL() { | |
23 | echo -e "[\u001B[31mFAIL\u001B[0m]" | |
24 | echo | |
25 | echo "Problem: ${@}" | |
26 | echo | |
27 | echo "STDOUT:" | |
28 | cat tmplog | |
29 | echo | |
30 | echo "STDERR:" | |
31 | cat errorlog | |
32 | exit 1 | |
33 | } | |
34 | _CHECK_FILE() { | |
35 | _SUBTEST "Checking if file '${1}' exists..." | |
36 | if [[ -e "${1}" ]]; then | |
37 | _PASS | |
38 | else | |
39 | _FAIL "Missing file: ${1}" | |
40 | fi | |
41 | } | |
42 | _CHECK_LOG() { | |
43 | _SUBTEST "Checking if log contains '${1}'..." | |
44 | if grep -- "${1}" tmplog > /dev/null; then | |
45 | _PASS | |
46 | else | |
47 | _FAIL "Missing in log: ${1}" | |
48 | fi | |
49 | } | |
50 | _CHECK_NOT_LOG() { | |
51 | _SUBTEST "Checking if log doesn't contain '${1}'..." | |
52 | if grep -- "${1}" tmplog > /dev/null; then | |
53 | _FAIL "Found in log: ${1}" | |
54 | else | |
55 | _PASS | |
56 | fi | |
57 | } | |
58 | _CHECK_ERRORLOG() { | |
59 | _SUBTEST "Checking if errorlog is empty..." | |
60 | if [[ -z "$(cat errorlog)" ]]; then | |
61 | _PASS | |
62 | else | |
63 | _FAIL "Non-empty errorlog" | |
64 | fi | |
65 | } | |
66 | ||
67 | # If not found (should be cached in travis) download ngrok | |
68 | if [[ ! -e "ngrok/ngrok" ]]; then | |
69 | ( | |
70 | mkdir -p ngrok | |
71 | cd ngrok | |
72 | wget https://bin.equinox.io/c/4VmDzA7iaHb/ngrok-stable-linux-amd64.zip -O ngrok.zip | |
73 | unzip ngrok.zip ngrok | |
74 | chmod +x ngrok | |
75 | ) | |
76 | fi | |
77 | ||
78 | # Run ngrok and grab temporary url from logfile | |
79 | ngrok/ngrok http 8080 --log stdout --log-format logfmt --log-level debug > tmp.log & | |
80 | ngrok/ngrok http 8080 --log stdout --log-format logfmt --log-level debug > tmp2.log & | |
81 | ngrok/ngrok http 8080 --log stdout --log-format logfmt --log-level debug > tmp3.log & | |
82 | sleep 2 | |
83 | TMP_URL="$(grep -Eo "Hostname:[a-z0-9]+.ngrok.io" tmp.log | head -1 | cut -d':' -f2)" | |
84 | TMP2_URL="$(grep -Eo "Hostname:[a-z0-9]+.ngrok.io" tmp2.log | head -1 | cut -d':' -f2)" | |
85 | TMP3_URL="$(grep -Eo "Hostname:[a-z0-9]+.ngrok.io" tmp3.log | head -1 | cut -d':' -f2)" | |
86 | if [[ -z "${TMP_URL}" ]] || [[ -z "${TMP2_URL}" ]] || [[ -z "${TMP3_URL}" ]]; then | |
87 | echo "Couldn't get an url from ngrok, not a dehydrated bug, tests can't continue." | |
88 | exit 1 | |
89 | fi | |
90 | ||
91 | # Run python webserver in .acme-challenges directory to serve challenge responses | |
92 | mkdir -p .acme-challenges/.well-known/acme-challenge | |
93 | ( | |
94 | cd .acme-challenges | |
95 | python -m SimpleHTTPServer 8080 > /dev/null 2> /dev/null | |
96 | ) & | |
97 | ||
98 | # Generate config and create empty domains.txt | |
99 | echo 'CA="https://testca.kurz.pw/directory"' > config | |
100 | echo 'LICENSE="https://testca.kurz.pw/terms/v1"' >> config | |
101 | echo 'WELLKNOWN=".acme-challenges/.well-known/acme-challenge"' >> config | |
102 | echo 'RENEW_DAYS="14"' >> config | |
103 | touch domains.txt | |
104 | ||
105 | # Check if help command is working | |
106 | _TEST "Checking if help command is working..." | |
107 | ./dehydrated --help > tmplog 2> errorlog || _FAIL "Script execution failed" | |
108 | _CHECK_LOG "Default command: help" | |
109 | _CHECK_LOG "--help (-h)" | |
110 | _CHECK_LOG "--domain (-d) domain.tld" | |
111 | _CHECK_ERRORLOG | |
112 | ||
113 | # Run in cron mode with empty domains.txt (should only generate private key and exit) | |
114 | _TEST "First run in cron mode, checking if private key is generated and registered" | |
115 | ./dehydrated --cron > tmplog 2> errorlog || _FAIL "Script execution failed" | |
116 | _CHECK_LOG "Registering account key" | |
117 | _CHECK_FILE accounts/*/account_key.pem | |
118 | _CHECK_ERRORLOG | |
119 | ||
120 | # Temporarily move config out of the way and try signing certificate by using temporary config location | |
121 | _TEST "Try signing using temporary config location and with domain as command line parameter" | |
122 | mv config tmp_config | |
123 | ./dehydrated --cron --domain "${TMP_URL}" --domain "${TMP2_URL}" -f tmp_config > tmplog 2> errorlog || _FAIL "Script execution failed" | |
124 | _CHECK_NOT_LOG "Checking domain name(s) of existing cert" | |
125 | _CHECK_LOG "Generating private key" | |
126 | _CHECK_LOG "Requesting challenge for ${TMP_URL}" | |
127 | _CHECK_LOG "Requesting challenge for ${TMP2_URL}" | |
128 | _CHECK_LOG "Challenge is valid!" | |
129 | _CHECK_LOG "Creating fullchain.pem" | |
130 | _CHECK_LOG "Done!" | |
131 | _CHECK_ERRORLOG | |
132 | mv tmp_config config | |
133 | ||
134 | # Add third domain to command-lime, should force renewal. | |
135 | _TEST "Run in cron mode again, this time adding third domain, should force renewal." | |
136 | ./dehydrated --cron --domain "${TMP_URL}" --domain "${TMP2_URL}" --domain "${TMP3_URL}" > tmplog 2> errorlog || _FAIL "Script execution failed" | |
137 | _CHECK_LOG "Domain name(s) are not matching!" | |
138 | _CHECK_LOG "Forcing renew." | |
139 | _CHECK_LOG "Generating private key" | |
140 | _CHECK_LOG "Requesting challenge for ${TMP_URL}" | |
141 | _CHECK_LOG "Requesting challenge for ${TMP2_URL}" | |
142 | _CHECK_LOG "Requesting challenge for ${TMP3_URL}" | |
143 | _CHECK_LOG "Challenge is valid!" | |
144 | _CHECK_LOG "Creating fullchain.pem" | |
145 | _CHECK_LOG "Done!" | |
146 | _CHECK_ERRORLOG | |
147 | ||
148 | # Prepare domains.txt | |
149 | # Modify TMP3_URL to be uppercase to check for upper-lower-case mismatch bugs | |
150 | echo "${TMP_URL} ${TMP2_URL} $(tr 'a-z' 'A-Z' <<<"${TMP3_URL}")" >> domains.txt | |
151 | ||
152 | # Run in cron mode again (should find a non-expiring certificate and do nothing) | |
153 | _TEST "Run in cron mode again, this time with domain in domains.txt, should find non-expiring certificate" | |
154 | ./dehydrated --cron > tmplog 2> errorlog || _FAIL "Script execution failed" | |
155 | _CHECK_LOG "Checking domain name(s) of existing cert... unchanged." | |
156 | _CHECK_LOG "Skipping renew" | |
157 | _CHECK_ERRORLOG | |
158 | ||
159 | # Disable private key renew | |
160 | echo 'PRIVATE_KEY_RENEW="no"' >> config | |
161 | ||
162 | # Run in cron mode one last time, with domain in domains.txt and force-resign (should find certificate, resign anyway, and not generate private key) | |
163 | _TEST "Run in cron mode one last time, with domain in domains.txt and force-resign" | |
164 | ./dehydrated --cron --force > tmplog 2> errorlog || _FAIL "Script execution failed" | |
165 | _CHECK_LOG "Checking domain name(s) of existing cert... unchanged." | |
166 | _CHECK_LOG "Ignoring because renew was forced!" | |
167 | _CHECK_NOT_LOG "Generating private key" | |
168 | _CHECK_LOG "Requesting challenge for ${TMP_URL}" | |
169 | _CHECK_LOG "Requesting challenge for ${TMP2_URL}" | |
170 | _CHECK_LOG "Requesting challenge for ${TMP3_URL}" | |
171 | _CHECK_LOG "Challenge is valid!" | |
172 | _CHECK_LOG "Creating fullchain.pem" | |
173 | _CHECK_LOG "Done!" | |
174 | _CHECK_ERRORLOG | |
175 | ||
176 | # Check if signcsr command is working | |
177 | _TEST "Running signcsr command" | |
178 | ./dehydrated --signcsr certs/${TMP_URL}/cert.csr > tmplog 2> errorlog || _FAIL "Script execution failed" | |
179 | _CHECK_LOG "BEGIN CERTIFICATE" | |
180 | _CHECK_LOG "END CERTIFICATE" | |
181 | _CHECK_NOT_LOG "ERROR" | |
182 | ||
183 | # Check if renewal works | |
184 | _TEST "Run in cron mode again, to check if renewal works" | |
185 | echo 'RENEW_DAYS="300"' >> config | |
186 | ./dehydrated --cron > tmplog 2> errorlog || _FAIL "Script execution failed" | |
187 | _CHECK_LOG "Checking domain name(s) of existing cert... unchanged." | |
188 | _CHECK_LOG "Renewing!" | |
189 | _CHECK_ERRORLOG | |
190 | ||
191 | # Check if certificate is valid in various ways | |
192 | _TEST "Verifying certificate..." | |
193 | _SUBTEST "Verifying certificate on its own..." | |
194 | openssl x509 -in "certs/${TMP_URL}/cert.pem" -noout -text > tmplog 2> errorlog && _PASS || _FAIL | |
195 | _CHECK_LOG "CN=${TMP_URL}" | |
196 | _CHECK_LOG "${TMP2_URL}" | |
197 | _SUBTEST "Verifying file with full chain..." | |
198 | openssl x509 -in "certs/${TMP_URL}/fullchain.pem" -noout -text > /dev/null 2>> errorlog && _PASS || _FAIL | |
199 | _SUBTEST "Verifying certificate against CA certificate..." | |
200 | (openssl verify -verbose -CAfile "certs/${TMP_URL}/fullchain.pem" -purpose sslserver "certs/${TMP_URL}/fullchain.pem" 2>&1 || true) | (grep -v ': OK$' || true) >> errorlog 2>> errorlog && _PASS || _FAIL | |
201 | _CHECK_ERRORLOG | |
202 | ||
203 | # Revoke certificate using certificate key | |
204 | _TEST "Revoking certificate..." | |
205 | ./dehydrated --revoke "certs/${TMP_URL}/cert.pem" --privkey "certs/${TMP_URL}/privkey.pem" > tmplog 2> errorlog || _FAIL "Script execution failed" | |
206 | REAL_CERT="$(readlink -n "certs/${TMP_URL}/cert.pem")" | |
207 | _CHECK_LOG "Revoking certs/${TMP_URL}/${REAL_CERT}" | |
208 | _CHECK_LOG "Done." | |
209 | _CHECK_FILE "certs/${TMP_URL}/${REAL_CERT}-revoked" | |
210 | _CHECK_ERRORLOG | |
211 | ||
212 | # Enable private key renew | |
213 | echo 'PRIVATE_KEY_RENEW="yes"' >> config | |
214 | echo 'PRIVATE_KEY_ROLLOVER="yes"' >> config | |
215 | ||
216 | # Check if Rolloverkey creation works | |
217 | _TEST "Testing Rolloverkeys..." | |
218 | _SUBTEST "First Run: Creating rolloverkey" | |
219 | ./dehydrated --cron --domain "${TMP2_URL}" > tmplog 2> errorlog || _FAIL "Script execution failed" | |
220 | CERT_ROLL_HASH=$(openssl rsa -in certs/${TMP2_URL}/privkey.roll.pem -outform DER -pubout 2>/dev/null | openssl sha256) | |
221 | _CHECK_LOG "Generating private key" | |
222 | _CHECK_LOG "Generating private rollover key" | |
223 | _SUBTEST "Second Run: Force Renew, Use rolloverkey" | |
224 | ./dehydrated --cron --force --domain "${TMP2_URL}" > tmplog 2> errorlog || _FAIL "Script execution failed" | |
225 | CERT_NEW_HASH=$(openssl rsa -in certs/${TMP2_URL}/privkey.pem -outform DER -pubout 2>/dev/null | openssl sha256) | |
226 | _CHECK_LOG "Generating private key" | |
227 | _CHECK_LOG "Moving Rolloverkey into position" | |
228 | _SUBTEST "Verifying Hash Rolloverkey and private key second run" | |
229 | [[ "${CERT_ROLL_HASH}" = "${CERT_NEW_HASH}" ]] && _PASS || _FAIL | |
230 | _CHECK_ERRORLOG | |
231 | ||
232 | # Test cleanup command | |
233 | _TEST "Cleaning up certificates" | |
234 | ./dehydrated --cleanup > tmplog 2> errorlog || _FAIL "Script execution failed" | |
235 | _CHECK_LOG "Moving unused file to archive directory: ${TMP_URL}/cert-" | |
236 | _CHECK_LOG "Moving unused file to archive directory: ${TMP_URL}/chain-" | |
237 | _CHECK_LOG "Moving unused file to archive directory: ${TMP_URL}/fullchain-" | |
238 | _CHECK_ERRORLOG | |
239 | ||
240 | # All done | |
241 | exit 0 |