6 # Check if running in CI environment
7 if [[ ! "${CI:-false}" == "true" ]]; then
8 echo "ERROR: Not running in CI environment!"
20 echo -e "[\u001B[32mPASS\u001B[0m]"
23 echo -e "[\u001B[31mFAIL\u001B[0m]"
35 _SUBTEST "Checking if file '${1}' exists..."
36 if [[ -e "${1}" ]]; then
39 _FAIL "Missing file: ${1}"
43 _SUBTEST "Checking if log contains '${1}'..."
44 if grep -- "${1}" tmplog > /dev/null; then
47 _FAIL "Missing in log: ${1}"
51 _SUBTEST "Checking if log doesn't contain '${1}'..."
52 if grep -- "${1}" tmplog > /dev/null; then
53 _FAIL "Found in log: ${1}"
59 _SUBTEST "Checking if errorlog is empty..."
60 if [[ -z "$(cat errorlog)" ]]; then
63 _FAIL "Non-empty errorlog"
67 # If not found (should be cached in travis) download ngrok
68 if [[ ! -e "ngrok/ngrok" ]]; then
72 if [ "${TRAVIS_OS_NAME}" = "linux" ]; then
73 wget -O ngrok.zip https://bin.equinox.io/c/4VmDzA7iaHb/ngrok-stable-linux-amd64.zip
74 elif [ "${TRAVIS_OS_NAME}" = "osx" ]; then
75 wget -O ngrok.zip https://bin.equinox.io/c/4VmDzA7iaHb/ngrok-stable-darwin-amd64.zip
77 echo "No ngrok for ${TRAVIS_OS_NAME}"
85 # Run ngrok and grab temporary url from logfile
86 ngrok/ngrok http 8080 --log stdout --log-format logfmt --log-level debug > tmp.log &
87 ngrok/ngrok http 8080 --log stdout --log-format logfmt --log-level debug > tmp2.log &
88 ngrok/ngrok http 8080 --log stdout --log-format logfmt --log-level debug > tmp3.log &
90 TMP_URL="$(grep -Eo "Hostname:[a-z0-9]+.ngrok.io" tmp.log | head -1 | cut -d':' -f2)"
91 TMP2_URL="$(grep -Eo "Hostname:[a-z0-9]+.ngrok.io" tmp2.log | head -1 | cut -d':' -f2)"
92 TMP3_URL="$(grep -Eo "Hostname:[a-z0-9]+.ngrok.io" tmp3.log | head -1 | cut -d':' -f2)"
93 if [[ -z "${TMP_URL}" ]] || [[ -z "${TMP2_URL}" ]] || [[ -z "${TMP3_URL}" ]]; then
94 echo "Couldn't get an url from ngrok, not a dehydrated bug, tests can't continue."
98 # Run python webserver in .acme-challenges directory to serve challenge responses
99 mkdir -p .acme-challenges/.well-known/acme-challenge
102 python -m SimpleHTTPServer 8080 > /dev/null 2> /dev/null
105 # Generate config and create empty domains.txt
106 echo 'CA="https://testca.kurz.pw/directory"' > config
107 echo 'CA_TERMS="https://testca.kurz.pw/terms"' >> config
108 echo 'WELLKNOWN=".acme-challenges/.well-known/acme-challenge"' >> config
109 echo 'RENEW_DAYS="14"' >> config
112 # Check if help command is working
113 _TEST "Checking if help command is working..."
114 ./dehydrated --help > tmplog 2> errorlog || _FAIL "Script execution failed"
115 _CHECK_LOG "Default command: help"
116 _CHECK_LOG "--help (-h)"
117 _CHECK_LOG "--domain (-d) domain.tld"
120 # Register account key without LICENSE set
121 _TEST "Register account key without LICENSE set"
122 ./dehydrated --register > tmplog 2> errorlog && _FAIL "Script execution failed"
123 _CHECK_LOG "To accept these terms"
126 # Register account key and agreeing to terms
127 _TEST "Register account key without LICENSE set"
128 ./dehydrated --register --accept-terms > tmplog 2> errorlog || _FAIL "Script execution failed"
129 _CHECK_LOG "Registering account key"
130 _CHECK_FILE accounts/*/account_key.pem
133 # Delete accounts and add LICENSE to config for normal operation
135 echo 'LICENSE="https://testca.kurz.pw/terms/v1"' >> config
137 # Run in cron mode with empty domains.txt (should only generate private key and exit)
138 _TEST "First run in cron mode, checking if private key is generated and registered"
139 ./dehydrated --cron > tmplog 2> errorlog || _FAIL "Script execution failed"
140 _CHECK_LOG "Registering account key"
141 _CHECK_FILE accounts/*/account_key.pem
144 # Temporarily move config out of the way and try signing certificate by using temporary config location
145 _TEST "Try signing using temporary config location and with domain as command line parameter"
147 ./dehydrated --cron --domain "${TMP_URL}" --domain "${TMP2_URL}" --accept-terms -f tmp_config > tmplog 2> errorlog || _FAIL "Script execution failed"
148 _CHECK_NOT_LOG "Checking domain name(s) of existing cert"
149 _CHECK_LOG "Generating private key"
150 _CHECK_LOG "Requesting challenge for ${TMP_URL}"
151 _CHECK_LOG "Requesting challenge for ${TMP2_URL}"
152 _CHECK_LOG "Challenge is valid!"
153 _CHECK_LOG "Creating fullchain.pem"
158 # Add third domain to command-lime, should force renewal.
159 _TEST "Run in cron mode again, this time adding third domain, should force renewal."
160 ./dehydrated --cron --domain "${TMP_URL}" --domain "${TMP2_URL}" --domain "${TMP3_URL}" > tmplog 2> errorlog || _FAIL "Script execution failed"
161 _CHECK_LOG "Domain name(s) are not matching!"
162 _CHECK_LOG "Forcing renew."
163 _CHECK_LOG "Generating private key"
164 _CHECK_LOG "Requesting challenge for ${TMP_URL}"
165 _CHECK_LOG "Requesting challenge for ${TMP2_URL}"
166 _CHECK_LOG "Requesting challenge for ${TMP3_URL}"
167 _CHECK_LOG "Challenge is valid!"
168 _CHECK_LOG "Creating fullchain.pem"
172 # Prepare domains.txt
173 # Modify TMP3_URL to be uppercase to check for upper-lower-case mismatch bugs
174 echo "${TMP_URL} ${TMP2_URL} $(tr 'a-z' 'A-Z' <<<"${TMP3_URL}")" >> domains.txt
176 # Run in cron mode again (should find a non-expiring certificate and do nothing)
177 _TEST "Run in cron mode again, this time with domain in domains.txt, should find non-expiring certificate"
178 ./dehydrated --cron > tmplog 2> errorlog || _FAIL "Script execution failed"
179 _CHECK_LOG "Checking domain name(s) of existing cert... unchanged."
180 _CHECK_LOG "Skipping renew"
183 # Disable private key renew
184 echo 'PRIVATE_KEY_RENEW="no"' >> config
186 # Run in cron mode one last time, with domain in domains.txt and force-resign (should find certificate, resign anyway, and not generate private key)
187 _TEST "Run in cron mode one last time, with domain in domains.txt and force-resign"
188 ./dehydrated --cron --force > tmplog 2> errorlog || _FAIL "Script execution failed"
189 _CHECK_LOG "Checking domain name(s) of existing cert... unchanged."
190 _CHECK_LOG "Ignoring because renew was forced!"
191 _CHECK_NOT_LOG "Generating private key"
192 _CHECK_LOG "Requesting challenge for ${TMP_URL}"
193 _CHECK_LOG "Requesting challenge for ${TMP2_URL}"
194 _CHECK_LOG "Requesting challenge for ${TMP3_URL}"
195 _CHECK_LOG "Already validated!"
196 _CHECK_LOG "Creating fullchain.pem"
200 # Check if signcsr command is working
201 _TEST "Running signcsr command"
202 ./dehydrated --signcsr certs/${TMP_URL}/cert.csr > tmplog 2> errorlog || _FAIL "Script execution failed"
203 _CHECK_LOG "BEGIN CERTIFICATE"
204 _CHECK_LOG "END CERTIFICATE"
205 _CHECK_NOT_LOG "ERROR"
207 # Check if renewal works
208 _TEST "Run in cron mode again, to check if renewal works"
209 echo 'RENEW_DAYS="300"' >> config
210 ./dehydrated --cron > tmplog 2> errorlog || _FAIL "Script execution failed"
211 _CHECK_LOG "Checking domain name(s) of existing cert... unchanged."
212 _CHECK_LOG "Renewing!"
215 # Check if certificate is valid in various ways
216 _TEST "Verifying certificate..."
217 _SUBTEST "Verifying certificate on its own..."
218 openssl x509 -in "certs/${TMP_URL}/cert.pem" -noout -text > tmplog 2> errorlog && _PASS || _FAIL
219 _CHECK_LOG "CN=${TMP_URL}"
220 _CHECK_LOG "${TMP2_URL}"
221 _SUBTEST "Verifying file with full chain..."
222 openssl x509 -in "certs/${TMP_URL}/fullchain.pem" -noout -text > /dev/null 2>> errorlog && _PASS || _FAIL
223 _SUBTEST "Verifying certificate against CA certificate..."
224 curl -s https://testca.kurz.pw/acme/issuer-cert | openssl x509 -inform DER -outform PEM > ca.pem
225 (openssl verify -verbose -CAfile "ca.pem" -purpose sslserver "certs/${TMP_URL}/fullchain.pem" 2>&1 || true) | (grep -v ': OK$' || true) >> errorlog 2>> errorlog && _PASS || _FAIL
228 # Revoke certificate using certificate key
229 _TEST "Revoking certificate..."
230 ./dehydrated --revoke "certs/${TMP_URL}/cert.pem" --privkey "certs/${TMP_URL}/privkey.pem" > tmplog 2> errorlog || _FAIL "Script execution failed"
231 REAL_CERT="$(readlink -n "certs/${TMP_URL}/cert.pem")"
232 _CHECK_LOG "Revoking certs/${TMP_URL}/${REAL_CERT}"
234 _CHECK_FILE "certs/${TMP_URL}/${REAL_CERT}-revoked"
237 # Enable private key renew
238 echo 'PRIVATE_KEY_RENEW="yes"' >> config
239 echo 'PRIVATE_KEY_ROLLOVER="yes"' >> config
241 # Check if Rolloverkey creation works
242 _TEST "Testing Rolloverkeys..."
243 _SUBTEST "First Run: Creating rolloverkey"
244 ./dehydrated --cron --domain "${TMP2_URL}" > tmplog 2> errorlog || _FAIL "Script execution failed"
245 CERT_ROLL_HASH=$(openssl rsa -in certs/${TMP2_URL}/privkey.roll.pem -outform DER -pubout 2>/dev/null | openssl sha -sha256)
246 _CHECK_LOG "Generating private key"
247 _CHECK_LOG "Generating private rollover key"
248 _SUBTEST "Second Run: Force Renew, Use rolloverkey"
249 ./dehydrated --cron --force --domain "${TMP2_URL}" > tmplog 2> errorlog || _FAIL "Script execution failed"
250 CERT_NEW_HASH=$(openssl rsa -in certs/${TMP2_URL}/privkey.pem -outform DER -pubout 2>/dev/null | openssl sha -sha256)
251 _CHECK_LOG "Generating private key"
252 _CHECK_LOG "Moving Rolloverkey into position"
253 _SUBTEST "Verifying Hash Rolloverkey and private key second run"
254 [[ "${CERT_ROLL_HASH}" = "${CERT_NEW_HASH}" ]] && _PASS || _FAIL
257 # Test cleanup command
258 _TEST "Cleaning up certificates"
259 ./dehydrated --cleanup > tmplog 2> errorlog || _FAIL "Script execution failed"
260 _CHECK_LOG "Moving unused file to archive directory: ${TMP_URL}/cert-"
261 _CHECK_LOG "Moving unused file to archive directory: ${TMP_URL}/chain-"
262 _CHECK_LOG "Moving unused file to archive directory: ${TMP_URL}/fullchain-"