├── .editorconfig
├── CONTRIBUTING.md
├── LICENSE
├── Makefile
├── README
├── README.md
├── RELEASE.md
├── common.shrc
├── debbuild.patch
├── dns_scripts
    ├── Azure-README.txt
    ├── Cloudflare-README.md
    ├── DNS_IONOS.md
    ├── DNS_ROUTE53.md
    ├── GoDaddy-README.txt
    ├── INWX-README.md
    ├── Route53-README.md
    ├── dns_add_acmedns
    ├── dns_add_azure
    ├── dns_add_challtestsrv
    ├── dns_add_clouddns
    ├── dns_add_cloudflare
    ├── dns_add_cpanel
    ├── dns_add_del_aliyun.sh
    ├── dns_add_dnsmasq
    ├── dns_add_dnspod
    ├── dns_add_duckdns
    ├── dns_add_dynu
    ├── dns_add_godaddy
    ├── dns_add_hetzner
    ├── dns_add_hostway
    ├── dns_add_inwx.py
    ├── dns_add_ionos
    ├── dns_add_ispconfig
    ├── dns_add_joker
    ├── dns_add_lexicon
    ├── dns_add_linode
    ├── dns_add_manual
    ├── dns_add_ns1
    ├── dns_add_nsupdate
    ├── dns_add_ovh
    ├── dns_add_pdns-mysql
    ├── dns_add_route53
    ├── dns_add_vultr
    ├── dns_add_windows_dns_server
    ├── dns_del_acmedns
    ├── dns_del_azure
    ├── dns_del_challtestsrv
    ├── dns_del_clouddns
    ├── dns_del_cloudflare
    ├── dns_del_cpanel
    ├── dns_del_dnsmasq
    ├── dns_del_dnspod
    ├── dns_del_duckdns
    ├── dns_del_dynu
    ├── dns_del_godaddy
    ├── dns_del_hetzner
    ├── dns_del_hostway
    ├── dns_del_inwx.py
    ├── dns_del_ionos
    ├── dns_del_ispconfig
    ├── dns_del_joker
    ├── dns_del_lexicon
    ├── dns_del_linode
    ├── dns_del_manual
    ├── dns_del_ns1
    ├── dns_del_nsupdate
    ├── dns_del_ovh
    ├── dns_del_pdns-mysql
    ├── dns_del_route53
    ├── dns_del_vultr
    ├── dns_del_windows_dns_server
    ├── dns_freedns.sh
    ├── dns_godaddy
    ├── dns_route53
    ├── dns_route53.py
    └── ispconfig_soap.php
├── docker-compose.yml
├── getssl
├── getssl.crontab
├── getssl.logrotate
├── getssl.spec
├── other_scripts
    ├── cpanel_cert_upload
    └── iis_install_certeficate.ps1
└── test
    ├── 0-test-curl-error.bats
    ├── 0-test-usage.bats
    ├── 1-simple-http01-dig.bats
    ├── 1-simple-http01-nslookup.bats
    ├── 1-simple-http01-two-acl.bats
    ├── 1-simple-http01.bats
    ├── 10-mixed-case.bats
    ├── 11-test--install.bats
    ├── 11-test-no-domain-storage.bats
    ├── 12-auto-upgrade-v1.bats
    ├── 13-notify-valid.bats
    ├── 14-test-revoke.bats
    ├── 15-test-revoke-no-suffix.bats
    ├── 16-test-bad-acl.bats
    ├── 17-test-spaces-in-sans-dns01.bats
    ├── 17-test-spaces-in-sans-http01.bats
    ├── 18-retry-dns-add.bats
    ├── 19-test-add-to-sans.bats
    ├── 2-simple-dns01-dig.bats
    ├── 2-simple-dns01-nslookup.bats
    ├── 20-wildcard-simple.bats
    ├── 21-wildcard-dual-rsa.bats
    ├── 22-wildcard-dual-rsa-ecdsa-copy-2-locations.bats
    ├── 23-wildcard-check-globbing.bats
    ├── 24-wildcard-sans.bats
    ├── 25-wildcard-all.bats
    ├── 26-wildcard-revoke.bats
    ├── 27-wildcard-existing-cert.bats
    ├── 28-wildcard-error-http01-validation.bats
    ├── 29-check-mktemp-failure.bats
    ├── 3-dual-rsa-ecdsa.bats
    ├── 30-handle-dig-failure.bats
    ├── 31-test-posix-error.bats
    ├── 32-test-upgrade.bats
    ├── 33-ftp.bats
    ├── 34-ftp-passive.bats
    ├── 34-ftp-ports.bats
    ├── 35-preferred-chain.bats
    ├── 36-full-chain-inc-root.bats
    ├── 37-idn.bats
    ├── 38-idn-http01-check-noidnout.bats
    ├── 39-private-key-alg-changed.bats
    ├── 4-more-than-10-hosts.bats
    ├── 40-cname-dns01-dig.bats
    ├── 40-cname-dns01-nslookup.bats
    ├── 41-show-account-id.bats
    ├── 5-secp384-http01.bats
    ├── 6-dual-rsa-ecdsa-copy-2-locations.bats
    ├── 7-test-renewal.bats
    ├── 8-staging-ecdsa.bats
    ├── 9-multiple-domains-dns01.bats
    ├── 9-test--all.bats
    ├── Dockerfile-alpine
    ├── Dockerfile-bash4-0
    ├── Dockerfile-bash4-2
    ├── Dockerfile-bash5-0
    ├── Dockerfile-centos6
    ├── Dockerfile-centos7
    ├── Dockerfile-centos7-duckdns
    ├── Dockerfile-centos7-dynu
    ├── Dockerfile-centos8
    ├── Dockerfile-debian
    ├── Dockerfile-rockylinux8
    ├── Dockerfile-ubuntu
    ├── Dockerfile-ubuntu-acmedns
    ├── Dockerfile-ubuntu-duckdns
    ├── Dockerfile-ubuntu-dynu
    ├── Dockerfile-ubuntu14
    ├── Dockerfile-ubuntu16
    ├── Dockerfile-ubuntu18
    ├── README-Testing.md
    ├── debug-test.sh
    ├── dns_add_fail
    ├── idn-domain.md
    ├── restart-ftpd
    ├── restart-nginx
    ├── run-test.cmd
    ├── run-test.sh
    ├── test-config
        ├── alpine-supervisord.conf
        ├── getssl-dns01-dual-rsa-ecdsa-2-locations.cfg
        ├── getssl-dns01-dual-rsa-ecdsa-old-nginx.cfg
        ├── getssl-dns01-dual-rsa-ecdsa.cfg
        ├── getssl-dns01-ignore-directory-domain.cfg
        ├── getssl-dns01-multiple-domains.cfg
        ├── getssl-dns01-secp384.cfg
        ├── getssl-dns01-spaces-and-commas-sans.cfg
        ├── getssl-dns01-spaces-sans-and-ignore-dir-domain.cfg
        ├── getssl-dns01-spaces-sans.cfg
        ├── getssl-dns01.cfg
        ├── getssl-etc-template.cfg
        ├── getssl-http01-10-hosts.cfg
        ├── getssl-http01-bad-acl.cfg
        ├── getssl-http01-dual-rsa-ecdsa-2-locations-old-nginx.cfg
        ├── getssl-http01-dual-rsa-ecdsa-2-locations-wrong-nginx.cfg
        ├── getssl-http01-dual-rsa-ecdsa-2-locations.cfg
        ├── getssl-http01-dual-rsa-ecdsa-old-nginx.cfg
        ├── getssl-http01-dual-rsa-ecdsa.cfg
        ├── getssl-http01-no-domain-storage.cfg
        ├── getssl-http01-no-suffix.cfg
        ├── getssl-http01-secp384.cfg
        ├── getssl-http01-secp521.cfg
        ├── getssl-http01-spaces-and-commas-sans.cfg
        ├── getssl-http01-spaces-sans-and-ignore-dir-domain.cfg
        ├── getssl-http01-spaces-sans.cfg
        ├── getssl-http01-two-acl.cfg
        ├── getssl-http01.cfg
        ├── getssl-upgrade-test-pebble.cfg
        ├── getssl-upgrade-test-v1-prod.cfg
        ├── getssl-upgrade-test-v1-staging.cfg
        ├── getssl-upgrade-test-v2-prod.cfg
        ├── getssl-upgrade-test-v2-staging.cfg
        ├── nginx-centos7.conf
        ├── nginx-ubuntu-dual-certs
        ├── nginx-ubuntu-no-ssl
        ├── nginx-ubuntu-ssl
        ├── vsftpd.conf
        └── vsftpd.initd
    ├── test_helper.bash
    ├── u1-test-get_auth_dns-dig.bats
    ├── u10-test-json_get.bats
    ├── u11-test-ignore-dns-error-in-output.bats
    ├── u2-test-get_auth_dns-drill.bats
    ├── u3-mktemp-template.bats
    ├── u4-create-csr-and-ifs.bats
    ├── u5-test-get_auth_dns-no-root-servers.bats
    ├── u6-test-combined-directory.bats
    ├── u7-test-get_auth_dns-nslookup.bats
    ├── u8-test-get_auth_dns-cname-nslookup.bats
    └── u9-test-ca-newlines.bats


/.editorconfig:
--------------------------------------------------------------------------------
 1 | # http://EditorConfig.org
 2 | 
 3 | root = true
 4 | 
 5 | [*]
 6 | end_of_line = lf
 7 | insert_final_newline = true
 8 | indent_style = space
 9 | indent_size = 2
10 | 
11 | [Makefile]
12 | indent_style = tab
13 | 


--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
 1 | # How to contribute
 2 | 
 3 | If you are happy writing in bash, please create a PR for any changes
 4 | you'd like to see included (or bug fixes).
 5 | 
 6 | If you aren't happy writing in bash, please open an issue with as much
 7 | detail as possible about the issue or what you'd like to see added /
 8 | improved.
 9 | 
10 | ## Submitting changes
11 | 
12 | Please update the 'revision history' and version number at the top of
13 | the code (without this I can't easily do a merge)
14 | 
15 | Please update just one issue per PR. If there are multiple issues,
16 | please provide separate PR's one per issue.
17 | 
18 | ## Coding conventions
19 | 
20 | Please see the guidelines at <https://github.com/srvrco/getssl/wiki/Bash-Style-guide>
21 | 
22 | ## Testing
23 | 
24 | Please test with [shellcheck](https://github.com/koalaman/shellcheck),
25 | although this will also be tested on github (via travis) on all PRs.
26 | 
27 | Please remember that the system is used across a wide range of
28 | platforms, so if you have access to multiple operating systems, please
29 | test on all.
30 | 
31 | Thanks :)
32 | 


--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
 1 | # Copyright (c) 2016 Karol Babioch <karol@babioch.de>
 2 | #
 3 | # This program is free software: you can redistribute it and/or modify
 4 | # it under the terms of the GNU General Public License as published by
 5 | # the Free Software Foundation, either version 3 of the License, or
 6 | # (at your option) any later version.
 7 | #
 8 | # This program is distributed in the hope that it will be useful,
 9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program.  If not, see <http://www.gnu.org/licenses/>.
15 | 
16 | install:
17 | 
18 | ifneq ($(strip $(DESTDIR)),)
19 | 	mkdir -p $(DESTDIR)
20 | endif
21 | 
22 | 	install -Dvm755 getssl $(DESTDIR)/usr/bin/getssl
23 | 	install -dvm755 $(DESTDIR)/usr/share/getssl
24 | 	for dir in *_scripts; do install -dv $(DESTDIR)/usr/share/getssl/$$dir; install -pv $$dir/* $(DESTDIR)/usr/share/getssl/$$dir/; done
25 | 
26 | .PHONY: install
27 | 
28 | 


--------------------------------------------------------------------------------
/RELEASE.md:
--------------------------------------------------------------------------------
 1 | # How to do a release of getssl
 2 | 
 3 | ## Update the version and tag the release
 4 | 
 5 | 1. git pull
 6 | 2. git branch -c release_2_nn
 7 | 3. git switch release_2_nn
 8 | 4. update VERSION in `getssl` and `getssl.spec`
 9 | 5. git commit -m"Update version to v2.nn"
10 | 6. git tag -a v2.nn
11 | 7. git push origin release_2_nn
12 | 8. git push --tags
13 | 
14 | ## Manually start the github release-and-package action
15 | 
16 | 1. Build the .deb and .rpm packages
17 | 2. create a draft release containing the packages and the release note
18 | 3. **IMPORTANT** make sure that the release references tag **v**N.NN otherwise getssl -u fails!
19 | 
20 | ## Can test the .deb file using the following steps
21 | 
22 | 1. Change the status from draft to pre-release
23 | 2. Test that the package can be installed using a cloud instance
24 |    1. Start an Ubuntu ec2 instance from AWS Console (or Azure or Google Cloud)
25 |    2. Or use the instant-ec2.sh script from my Github gist to start an Ubuntu ec2 instance
26 |       1. `git clone git@gist.github.com:12c297e0645920c413273c9d15edbc68.git instant-ec2`
27 |       2. `./instant-ec2/instant-ec2.sh`
28 | 3. download the deb package
29 |    `wget https://github.com/srvrco/getssl/releases/download/v2.nn/getssl_2.nn-1_all.deb`
30 | 4. install the deb package
31 |    `dpkg -i getssl_2.nn-1_all.deb`
32 | 5. Check it's installed correctly
33 |    `getssl --version`
34 | 
35 | ## Update the latest tag post-release
36 | 
37 | 1. git tag -f -a latest
38 | 2. git push --force --tags
39 | 


--------------------------------------------------------------------------------
/common.shrc:
--------------------------------------------------------------------------------
 1 | # Simple cURL wrapper to manage nicely error handling:
 2 | #
 3 | # * In case of success, just read body from stdout
 4 | # * In case of HTTP error (status >= 400), first stderr contains "HTTP status: XXX", then body
 5 | # * In case of other error, just print cURL error on stderr
 6 | #
 7 | # This function requires a temporary file. It's created under ${TEMP_DIR} if defined and not empty.
 8 | # Otherwise, it relies on `mktemp` defaults.
 9 | #
10 | curl.do() {
11 |   local rc=0
12 | 
13 |   local mktemp_opts=( '--suffix=.curl' )
14 |   [[ -z "${TEMP_DIR}" ]] || mktemp_opts+=( "--tempdir=${TEMP_DIR}" )
15 |   local curl_body_file=''
16 |   curl_body_file="$(mktemp "${mktemp_opts[@]}")" || {
17 |     rc=$?
18 |     echo "Unable to create temporary file for cURL output"
19 |     return $rc
20 |   } >&2
21 | 
22 |   local curl_opts=(
23 |     --output "${curl_body_file}"
24 |     --write-out '%{http_code}'
25 |     --silent
26 |     --show-error
27 |     "$@"
28 |   )
29 |   local http_code=''
30 |   http_code="$(curl "${curl_opts[@]}")" || rc=$?
31 | 
32 |   (( http_code < 400 )) || {
33 |     (( rc == 0 )) || rc=1
34 |     echo "HTTP status: ${http_code}"
35 |   } >&2
36 | 
37 |   if [[ $rc == 0 ]]; then
38 |     cat "${curl_body_file}" || rc=$?
39 |   else
40 |     cat "${curl_body_file}" >&2
41 |   fi
42 | 
43 |   rm -rf "${curl_body_file}" || {
44 |     (( rc == 0 )) || rc=1
45 |     echo "Unable to clear temporary file '${curl_body_file}'"
46 |   } >&2
47 |   return $rc
48 | }
49 | 


--------------------------------------------------------------------------------
/debbuild.patch:
--------------------------------------------------------------------------------
 1 | --- /usr/bin/debbuild	2022-11-11 15:34:22.529876000 +0000
 2 | +++ /usr/bin/debbuild.fix	2022-11-11 15:34:53.137410000 +0000
 3 | @@ -1956,7 +1956,7 @@
 4 |    my $srcpkg = shift;
 5 |    die _('Can\'t install ').$srcpkg."\n" unless $srcpkg =~ /\.sdeb$/;
 6 |    $srcpkg = abs_path($srcpkg);
 7 | -  system(expandmacros("cd %{_topdir}; %{__pax} -r -f $srcpkg)")) == 0 and
 8 | +  system(expandmacros("cd %{_topdir}; %{__pax} -r -f $srcpkg")) == 0 and
 9 |    $finalmessages .= _('Extracted source package ').$srcpkg.
10 |      _(" to %{_topdir}.\n");
11 |  } # end install_sdeb()
12 | 


--------------------------------------------------------------------------------
/dns_scripts/Azure-README.txt:
--------------------------------------------------------------------------------
 1 | Using Azure for LetsEncrypt domain verification
 2 | 
 3 | Guide for using Azure for LetsEncrypt domain verification.
 4 | 
 5 | Prerequisites:
 6 | - Azure CLI tools installed - see https://docs.microsoft.com/en-us/cli/azure/install-azure-cli
 7 | - Logged in with azure-cli - i.e. azure login
 8 | 
 9 | Ensure dns_add_azure and dns_del_azure scripts are called when the DNS is validated by modifying the .getssl.cfg:
10 | 
11 | VALIDATE_VIA_DNS=true
12 | DNS_ADD_COMMAND=dns_scripts/dns_add_azure # n.b use valid path
13 | DNS_DEL_COMMAND=dns_scripts/dns_del_azure
14 | 
15 | The dns_add_azure and dns_del_azure scripts assume that the following environment variables are added to the configuration file:
16 | 
17 | - AZURE_RESOURCE_GROUP - the name of the resource group that contains the DNS zone 
18 | - AZURE_ZONE_ID - a comma-separated list of valid DNS zones. this allows the same certificate to be used across multiple top-level domains
19 | - AZURE_SUBSCRIPTION_ID - the name or ID of the subscription that AZURE_RESOURCE_GROUP is part of
20 | 
21 | Each of these variables can be included in the .getssl.cfg, e.g:
22 | 
23 | export AZURE_RESOURCE_GROUP=my-resource-group
24 | export AZURE_ZONE_ID=example.com,anotherdomain.com
25 | export AZURE_SUBSCRIPTION_ID=my-azure-subscriptin 
26 | 
27 | 


--------------------------------------------------------------------------------
/dns_scripts/Cloudflare-README.md:
--------------------------------------------------------------------------------
 1 | ## Using Cloudflare DNS for LetsEncrypt domain validation
 2 | 
 3 | ### Enabling the scripts
 4 | 
 5 | Set the following options in `getssl.cfg` (either global or domain-specific):
 6 | 
 7 | ```
 8 | VALIDATE_VIA_DNS="true"
 9 | DNS_ADD_COMMAND="/usr/share/getssl/dns_scripts/dns_add_cloudflare"
10 | DNS_DEL_COMMAND="/usr/share/getssl/dns_scripts/dns_del_cloudflare"
11 | ```
12 | 
13 | ### Authentication
14 | 
15 | There are 2 methods of authenticating with Cloudflare:
16 | 
17 | 1. API Keys - Account level, all-purpose tokens
18 | 2. API Tokens - Scoped and permissioned access to resources
19 | 
20 | Both are configured from your profile in the [Cloudflare dashboard][1]
21 | 
22 | [1]: https://dash.cloudflare.com/profile/api-tokens
23 | 
24 | #### API Keys
25 | 
26 | The **Zone ID** for the domain will be searched for programmatically.
27 | 
28 | Set the following options in `getssl.cfg`:
29 | 
30 | ```
31 | export CF_EMAIL="..." # Cloudflare account email address
32 | export CF_KEY="..."   # Global API Key
33 | ```
34 | 
35 | #### API Tokens
36 | 
37 | Cloudflare provides a template for creating an API Token with access to edit
38 | zone records.  Tokens must be created with at least '**DNS:Edit** permissions
39 | for the domain to add/delete records.
40 | 
41 | Set the following options in the domain-specific `getssl.cfg`
42 | 
43 | ```
44 | export CF_API_TOKEN="..."
45 | ```
46 | 
47 | By default, the associated **Zone ID** is searched automatically. However, it
48 | is also possible to configure the Zone ID manually. This might be necessary
49 | if there are a lot of zones. You can find the Zone ID at the Overview tab in
50 | the Cloudflare Dashboard.
51 | 
52 | ```
53 | export CF_ZONE_ID="..."
54 | ```
55 | 
56 | __Note__: API Keys will be used instead if also configured 
57 | 


--------------------------------------------------------------------------------
/dns_scripts/DNS_IONOS.md:
--------------------------------------------------------------------------------
 1 | # Do DNS-01 verification using IONOS DNS API
 2 | 
 3 | The getting started guide explains how to obtain API Keys https://developer.hosting.ionos.de/docs/getstarted
 4 | 
 5 | All API Documentation can be found here https://developer.hosting.ionos.de/docs/dns
 6 | 
 7 | JSON processing in bash is ... hard. So I choose `jq` to do the heavylifting. Other authors choose python so if
 8 | you think I did a bad decision feel free to implement this whith python/perl/ruby...
 9 | 
10 | 


--------------------------------------------------------------------------------
/dns_scripts/DNS_ROUTE53.md:
--------------------------------------------------------------------------------
 1 | # Do DNS-01 verification using Route53
 2 | 
 3 | I was not about to implement this in BASH, sorry guys. I'd like you to have it, however.
 4 | 
 5 | It's pretty simple to use.
 6 | 
 7 | 1. pip install boto3 dnspython
 8 | 2. ln -s dns_route53.py dns_add_route53
 9 | 3. ln -s dns_route53.py dns_del_route53
10 | 4. Use it just like the other scripts
11 | 


--------------------------------------------------------------------------------
/dns_scripts/INWX-README.md:
--------------------------------------------------------------------------------
 1 | ## Using INWX DNS for LetsEncrypt domain validation
 2 | 
 3 | ### Install Requirements
 4 | 
 5 | The INWX API Python3 script requires two Python packages:
 6 | 
 7 | ```bash
 8 | pip3 install INWX.Domrobot tldextract
 9 | ```
10 | 
11 | You could install it for the user running getssl, or you could create a python3 venv.
12 | 
13 | ```bash
14 | # install python3 venv apt packages
15 | sudo apt install python3 python3-venv
16 | 
17 | # Create venv
18 | python3 -m venv venv
19 | 
20 | # activate venv
21 | source venv/bin/activate
22 | 
23 | # install requirements
24 | pip3 install INWX.Domrobot tldextract
25 | ```
26 | 
27 | If you are installing the Python packages in venv, you should make sure that you either
28 | you either enable the venv before running getssl, or you
29 | add the venv to the ``DNS_ADD_COMMAND'' and ``DNS_DEL_COMMAND'' commands.
30 | See example below.
31 | 
32 | ### Enabling the scripts
33 | 
34 | Set the following options in `getssl.cfg` (either global or domain-specific):
35 | 
36 | ```
37 | VALIDATE_VIA_DNS="true"
38 | DNS_ADD_COMMAND="/usr/share/getssl/dns_scripts/dns_add_inwx.py"
39 | DNS_DEL_COMMAND="/usr/share/getssl/dns_scripts/dns_del_inwx.py"
40 | ```
41 | 
42 | If you are using a python3 venv as described above, this is an example of how to include it:
43 | 
44 | ```
45 | VALIDATE_VIA_DNS="true"
46 | DNS_ADD_COMMAND="/path/to/venv/bin/python3 /usr/share/getssl/dns_scripts/dns_add_inwx.py"
47 | DNS_DEL_COMMAND="/path/to/venv/bin/python3 /usr/share/getssl/dns_scripts/dns_del_inwx.py"
48 | ```
49 | 
50 | *Obviously the "/path/to/venv" needs to be replaced with the actual path to your venv, e.g. "/home/getssl/venv".*
51 | 
52 | ### Authentication
53 | 
54 | Your INWX credentials will be used to authenticate to INWX.
55 | If you are using a second factor, please have a look at the [INWX Domrobot Pthon3 Client](https://github.com/inwx/python-client) as it is currently not implemented in the inwx api script.
56 | 
57 | Set the following options in the domain-specific `getssl.cfg` or make sure these enviroment variables are present.
58 | 
59 | ```
60 | export INWX_USERNAME="your_inwx_username"
61 | export INWX_PASSWORD="..."
62 | ```
63 | 


--------------------------------------------------------------------------------
/dns_scripts/Route53-README.md:
--------------------------------------------------------------------------------
 1 | # Using Route53 BASH scripts for LetsEncrypt domain validation.
 2 | 
 3 | ## Quick guide to setting up getssl for domain validation of Route53 DNS domains.
 4 | 
 5 | There a few prerequisites to using getssl with Route53 DNS:
 6 | 
 7 | 1. You will need to set up an IAM user with the necessary permissions to modify resource records in the hosted zone.
 8 | 
 9 |    - route53:ListHostedZones
10 |    - route53:ChangeResourceRecordSets
11 | 
12 | 1. You will need the AWS CLI Client installed on your machine.
13 | 
14 | 1. You will need to configure the client for the IAM user that has permission to modify the resource records.
15 | 
16 | With those in hand, the installation procedure is:
17 | 
18 | 1. Open your config file (the global file in ~/.getssl/getssl.cfg
19 |    or the per-account file in ~/.getssl/example.net/getssl.cfg)
20 | 
21 | 1. Set the following options:
22 | 
23 |    - VALIDATE_VIA_DNS="true"
24 |    - DNS_ADD_COMMAND="/usr/share/getssl/dns_scripts/dns_add_route53"
25 |    - DNS_DEL_COMMAND="/usr/share/getssl/dns_scripts/dns_del_route53"
26 | 
27 |    The AWS CLI profile to use (will use _default_ if not specified)
28 | 
29 |    - export AWS*CLI_PROFILE="\_profile name*"
30 | 
31 | 1. Set any other options that you wish (per the standard
32 |    directions.) Use the test CA to make sure that
33 |    everything is setup correctly.
34 | 
35 | That's it. getssl example.net will now validate with DNS.
36 | 
37 | There are additional options, which are documented in `dns_route53 -h`
38 | 


--------------------------------------------------------------------------------
/dns_scripts/dns_add_acmedns:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | . "$(dirname "${BASH_SOURCE}")/../common.shrc" || {
 4 |   echo "Unable to load shared Bash code"
 5 |   exit 1
 6 | } >&2
 7 | 
 8 | # ACMEDNS env variables can be set in a config file at domain level
 9 | acme_config="$DOMAIN_DIR/acme-dns.cfg"
10 | [ -s "$acme_config" ] && . "$acme_config"
11 | 
12 | # Need to add your API user and key below or set as env variable
13 | apiuser=${ACMEDNS_API_USER:-''}
14 | apikey=${ACMEDNS_API_KEY:-''}
15 | apisubdomain=${ACMEDNS_SUBDOMAIN:-''}
16 | 
17 | # This script adds a token to an ACME DNS (default to acme-dns.io) for the ACME challenge
18 | # usage: dns_add_acme-dns "domain name" "token"
19 | # return codes are:
20 | # 0 - success
21 | # 1 - error returned from server
22 | 
23 | fulldomain="${1}"
24 | token="${2}"
25 | 
26 | # You can set the env var ACMEDNS_URL to use a specific ACME-DNS server
27 | # Otherwise we use acme-dns.io
28 | API=${ACMEDNS_URL:-'https://auth.acme-dns.io'}/update
29 | 
30 | # Check initial parameters
31 | if [[ -z "$fulldomain" ]]; then
32 |   echo "DNS script requires full domain name as first parameter"
33 |   exit 1
34 | fi
35 | if [[ -z "$token" ]]; then
36 |   echo "DNS script requires challenge token as second parameter"
37 |   exit 1
38 | fi
39 | 
40 | curl_params=(
41 |   -H "accept: application/json"
42 |   -H "X-Api-Key: $apikey"
43 |   -H "X-Api-User: $apiuser"
44 |   -H 'Content-Type: application/json'
45 | )
46 | 
47 | generate_post_data()
48 | {
49 |   cat <<EOF
50 | {
51 |   "subdomain": "$apisubdomain",
52 |   "txt": "$token"
53 | }
54 | EOF
55 | }
56 | 
57 | curl.do \
58 |   "${curl_params[@]}" \
59 |   -X POST "${API}" \
60 |   --data "$(generate_post_data)" \
61 |   >/dev/null || {
62 |   echo 'Error: DNS challenge not added: unknown error'
63 |   exit 1
64 | } >&2
65 | exit 0
66 | 


--------------------------------------------------------------------------------
/dns_scripts/dns_add_azure:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | # Set the TXT DNS record with azure-cli
 3 | fulldomain="${1}"
 4 | token="${2}"
 5 | 
 6 | if [[ -z "$AZURE_RESOURCE_GROUP" ]]; then
 7 |   echo "AZURE_RESOURCE_GROUP is not set. Unable to set TXT records."
 8 |   exit 2
 9 | fi
10 | if [[ -z "$AZURE_ZONE_ID" ]]; then
11 |   echo "AZURE_ZONE_ID is not set. Unable to set TXT records."
12 |   exit 2
13 | fi
14 | if [[ -z "$AZURE_SUBSCRIPTION_ID" ]]; then 
15 |   echo "AZURE_SUBSCRIPTION_ID is not set. Unable to set TXT records."
16 |   exit 2
17 | fi
18 | 
19 | # Determine which zone ID to use from AZURE_ZONE_IDs
20 | # Convert the comma-separated list of AZURE_ZONE_IDs into an array and loop
21 | IFS=',' read -ra zone_ids <<< "$AZURE_ZONE_ID"
22 | for item in "${zone_ids[@]}"; do 
23 |   # If the full domain ends with the current zone ID
24 |   [[ "$fulldomain" =~ .*"${item}"$ ]] && zone_id="$item"
25 | done
26 | 
27 | if [ -z "$zone_id" ]; then 
28 |   echo "${fulldomain} does not match any of the zone IDs specified by ${AZURE_ZONE_ID[@]}"
29 |   exit 2
30 | fi
31 | 
32 | az account set --subscription "$AZURE_SUBSCRIPTION_ID"
33 | # Determine the recordset by removing the zone_id from the full domain and prefixing
34 | # with _acme-challenge.
35 | recordset="_acme-challenge.${fulldomain/.$zone_id/}"
36 | # The fulldomain should not be included in the recordset. It is used for subdomains.
37 | # E.g. domain = *.sub.example.com the recordset is _acme-challenge.sub
38 | #      domain = example.com the record set is _acme-challenge
39 | [[ "$recordset" == "_acme-challenge.$fulldomain" ]] && recordset="_acme-challenge"
40 | az network dns record-set txt add-record -g "$AZURE_RESOURCE_GROUP" -z "$zone_id" -n "$recordset" --value="$token"
41 | 


--------------------------------------------------------------------------------
/dns_scripts/dns_add_challtestsrv:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | # Simple script to update the challtestserv mock DNS server when testing DNS responses
3 | 
4 | fulldomain="${1}"
5 | token="${2}"
6 | 
7 | curl --silent -X POST -d "{\"host\":\"_acme-challenge.${fulldomain}.\", \"value\": \"${token}\"}" http://10.30.50.3:8055/set-txt
8 | 


--------------------------------------------------------------------------------
/dns_scripts/dns_add_dnsmasq:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | 
3 | # Make sure you enable in the /etc/dnsmasq.conf this line conf-dir=/etc/dnsmasq.d/,*.conf
4 | 
5 | echo "txt-record=_acme-challenge.\${1},\$2" > /etc/dnsmasq.d/acme-challenge.conf
6 | 
7 | systemctl restart dnsmasq
8 | 


--------------------------------------------------------------------------------
/dns_scripts/dns_add_dnspod:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | # need to add your email address and key to dnspod below
 4 | key=${DNSPOD_API_KEY:-}
 5 | 
 6 | fulldomain="$1"
 7 | token="$2"
 8 | 
 9 | NumParts=$(echo "$fulldomain" | awk -F"." '{print NF}')
10 | if [[ $NumParts -gt 2 ]]; then
11 |   domain=$(echo "$fulldomain" | awk -F\. '{print $(NF-1) FS $NF}')
12 |   txtname="_acme-challenge$(echo "$fulldomain" | awk -F\. '{for (i=1; i<NF-1; i++) printf "." $i}')"
13 | else
14 |   domain=$fulldomain
15 |   txtname="_acme-challenge"
16 | fi
17 | 
18 | response=$(curl --silent -X POST "https://dnsapi.cn/Domain.List" \
19 |   -H "Accept: application/json" -H "User-Agent: getssl/0.1" -H "application/x-www-form-urlencoded" \
20 |   -d "login_token=${key}&format=json" )
21 | 
22 | domain_id=$(echo "$response" | egrep -o  "[^{]*\"name\":\"${domain}\"[^}]*"|grep -oP '\"id\":\K[^,]+')
23 | 
24 | response=$(curl --silent -X POST "https://dnsapi.cn/Record.Create" \
25 |   -H "Accept: application/json" -H "User-Agent: getssl/0.1" -H "application/x-www-form-urlencoded" \
26 |   -d "login_token=${key}&format=json&domain_id=${domain_id}&record_type=TXT&sub_domain=${txtname}&value=$token&ttl=600&record_line=默认")
27 | 
28 | 


--------------------------------------------------------------------------------
/dns_scripts/dns_add_duckdns:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | # need to add your Token for duckdns below
 4 | token=${DUCKDNS_TOKEN:-}
 5 | 
 6 | if [ -z "$token" ]; then
 7 |     echo "DUCKDNS_TOKEN not set"
 8 |     exit 1
 9 | fi
10 | 
11 | domain="$1"
12 | txtvalue="$2"
13 | i=1
14 | 
15 | response=$(curl --retry 5 --silent "https://www.duckdns.org/update?domains=${domain}&token=${token}&txt=${txtvalue}")
16 | 
17 | while [[ "${response}" == *"502 Bad Gateway"* ]] && [ $i -le 5 ]; do
18 |     echo "Retrying Bad Gateway response (attempt $i of 5)"
19 |     sleep 5
20 |     i=$((i+1))
21 |     response=$(curl --retry 5 --silent "https://www.duckdns.org/update?domains=${domain}&token=${token}&txt=${txtvalue}")
22 | done
23 | 
24 | if [ "$response" != "OK" ]; then
25 |     echo "Failed to update TXT record for ${domain} at duckdns.org (is the TOKEN valid?)"
26 |     echo "Response: $response"
27 |     exit 1
28 | fi
29 | 


--------------------------------------------------------------------------------
/dns_scripts/dns_add_godaddy:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | # Copyright (C) 2017, 2018 Timothe Litt  litt at acm _dot org
 4 | 
 5 | # Add token to GoDaddy dns using dns_godaddy
 6 | 
 7 | # You do not have to customize this script.
 8 | #
 9 | # Obtain the Key and Secret from https://developer.godaddy.com/getstarted
10 | # You must obtain a "Production" key - NOT the "Test" key you're required
11 | # to get first.
12 | #
13 | # Obtain JSON.sh from https://github.com/dominictarr/JSON.sh
14 | # Place it in (or softlink it to) the same directory as $GODADDY_SCRIPT,
15 | # or specify its location with GODADDY_JSON  The default is
16 | # /usr/share/getssl/dns_scripts/
17 | #
18 | # Define GODADDY_KEY and GO_DADDY_SECRET in your account or domain getssl.cfg
19 | #
20 | # See GoDaddy-README.txt for complete instructions.
21 | 
22 | fulldomain="$1"
23 | token="$2"
24 | 
25 | [ -z "$GODADDY_SCRIPT" ] && GODADDY_SCRIPT="/usr/share/getssl/dns_scripts/dns_godaddy"
26 | [[ "$GODADDY_SCRIPT" =~ ^~ ]] && \
27 |     eval 'GODADDY_SCRIPT=`readlink -nf ' $GODADDY_SCRIPT '`'
28 | 
29 | if [ ! -x "$GODADDY_SCRIPT" ]; then
30 |     echo "$GODADDY_SCRIPT: not found.  Please install, softlink or set GODADDY_SCRIPT to its full path"
31 |     echo "See GoDaddy-README.txt for complete instructions."
32 |     exit 3
33 | fi
34 | 
35 | # JSON.sh is not (currently) used by add
36 | 
37 | export GODADDY_KEY
38 | export GODADDY_SECRET
39 | export GODADDY_BASE
40 | 
41 | $GODADDY_SCRIPT -q add "_acme-challenge.${fulldomain}." "${token}"
42 | 


--------------------------------------------------------------------------------
/dns_scripts/dns_add_hetzner:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | fulldomain="${1}"
 4 | token="${2}"
 5 | api_url="https://dns.hetzner.com/api/v1"
 6 | api_key=${HETZNER_KEY:-''}
 7 | zone_id=${HETZNER_ZONE_ID:-''}
 8 | zone_name=${HETZNER_ZONE_NAME:-''}
 9 | 
10 | # Verify that required parameters are set
11 | if [[ -z "$fulldomain" ]]; then
12 |   echo "DNS script requires full domain name as first parameter"
13 |   exit 1
14 | fi
15 | if [[ -z "$token" ]]; then
16 |   echo "DNS script requires challenge token as second parameter"
17 |   exit 1
18 | fi
19 | if [[ -z "$HETZNER_KEY" ]]; then
20 |   echo "HETZNER_KEY variable not set"
21 |   exit 1
22 | fi
23 | if [[ -z "$HETZNER_ZONE_ID" && -z "$HETZNER_ZONE_NAME" ]] ; then
24 |   echo "HETZNER_ZONE_ID and HETZNER_ZONE_NAME variables not set"
25 |   exit 1
26 | fi
27 | 
28 | # Get Zone ID if not set
29 | if [[ -z "$HETZNER_ZONE_ID" ]] ; then
30 |   zone_id=$(curl --silent -X GET "$api_url/zones?name=$zone_name" -H 'Auth-API-Token: '"$api_key"'' | jq -r '.zones[0].id')
31 |   if [[ "$zone_id" == "null" ]] ; then
32 |     echo "Zone ID not found"
33 |     exit 1
34 |   fi
35 | fi
36 | 
37 | txtname="_acme-challenge.$fulldomain."
38 | 
39 | # Create TXT record
40 | response=$(curl --silent -X POST "$api_url/records" \
41 |      -H 'Content-Type: application/json' \
42 |      -H "Auth-API-Token: $api_key" \
43 |      -d '{"value": "'"$token"'","ttl": 60,"type": "TXT","name": "'"$txtname"'","zone_id": "'"$zone_id"'"}' \
44 |      -o /dev/null -w '%{http_code}')
45 | 
46 | if [[ "$response" != "200" ]] ; then
47 |   echo "Record not created"
48 |   echo "Response code: $response"
49 |   exit 1
50 | fi
51 | 


--------------------------------------------------------------------------------
/dns_scripts/dns_add_ionos:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | #
 3 | # Called as
 4 | #
 5 | #  eval "${DNS_ADD_COMMAND}" "${lower_d}" "${auth_key}"
 6 | #
 7 | 
 8 | # See https://developer.hosting.ionos.de/docs/getstarted how to generate
 9 | # an API Key consisting of prefix and key
10 | #
11 | # see DNS API Doc here https://developer.hosting.ionos.de/docs/dns
12 | #
13 | 
14 | API_KEY="X-API-Key: <prefix>.<key>"
15 | API_URL="https://api.hosting.ionos.com/dns/v1"
16 | 
17 | # TODO: check $1,$2 not empty
18 | 
19 | DNS_RR=$1
20 | DNS_SECRET=$2
21 | 
22 | 
23 | # get zone id:
24 | curl -s -X GET "$API_URL/zones" -H "accept: application/json" -H "Content-Type: application/json" -H "$API_KEY" \
25 |        	| jq -r 'map([.name, .id] | join (";")) | .[]' >/tmp/$$.zones
26 | 
27 | ZONE=$DNS_RR
28 | 
29 | do=true
30 | while $do; do
31 |   ZONE_ID=$(awk -F\; '/^'"$ZONE"';/{print $2}' </tmp/$$.zones)
32 |   if [  -z "$ZONE_ID" ]; then
33 |     ZONE=$(echo "$ZONE" | cut -d'.' -f2-)
34 |     # check that it has at minimum one '.'. This check is incomplete
35 |     # when dealing with .co.nz etc Zones
36 |     DOTS=$(echo "$ZONE" | awk -F. '{ print NF -1 }')
37 |     if [ $DOTS -le 0 ]; then
38 |       echo "No ZoneID found for $1"
39 |       echo "Zones found with API"
40 |       cat /tmp/$$.zones
41 |       rm -f /tmp/$$.zones
42 |       exit 1
43 |     fi
44 |   else
45 |     break
46 |     do=false  # Never reached
47 |   fi
48 | done
49 | 
50 | 
51 | # create record
52 | curl -X POST "$API_URL/zones/$ZONE_ID/records" -H "accept: application/json" -H "Content-Type: application/json" -H "$API_KEY" -d '[ { "name": "_acme-challenge.'$DNS_RR'", "type": "TXT", "content": "'$DNS_SECRET'", "ttl": 60, "prio": 100, "disabled": false } ]'
53 | 
54 | rm -f /tmp/$$.zones
55 | 


--------------------------------------------------------------------------------
/dns_scripts/dns_add_ispconfig:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | # Need to add your API key below or set as env variable
 3 | CURR_PATH="`dirname \"$0\"`"
 4 | 
 5 | ispconfig_user="$ISPCONFIG_REMOTE_USER_NAME"
 6 | ispconfig_pass="$ISPCONFIG_REMOTE_USER_PASSWORD"
 7 | 
 8 | soap_location="$ISPCONFIG_SOAP_LOCATION"
 9 | soap_uri="$ISPCONFIG_SOAP_URL"
10 | 
11 | # This script adds a token to ispconfig database DNS for the ACME challenge
12 | # usage dns_add_ispconfig "domain name" "token"
13 | # return codes are;
14 | # 0 - success
15 | # 1 - error in input
16 | # 2 - error within internal processing
17 | # 3 - error in result ( domain not found in dynu.com etc)
18 | 
19 | fulldomain="${1}"
20 | token="${2}"
21 | 
22 | # Check initial parameters
23 | if [[ -z "$fulldomain" ]]; then
24 |   echo "DNS script requires full domain name as first parameter"
25 |   exit 1
26 | fi
27 | 
28 | if [[ -z "$token" ]]; then
29 |   echo "DNS script requires challenge token as second parameter"
30 |   exit 1
31 | fi
32 | 
33 | response=$(php $CURR_PATH/ispconfig_soap.php \
34 |   --action="add" \
35 |   --domain="$fulldomain" \
36 |   --token="$token" \
37 |   --ispconfig_user="$ispconfig_user" \
38 |   --ispconfig_pass="$ispconfig_pass" \
39 |   --soap_location="$soap_location" \
40 |   --soap_uri="$soap_uri")
41 | 
42 | echo $response
43 | 
44 | exit 0


--------------------------------------------------------------------------------
/dns_scripts/dns_add_joker:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | FULLDOMAIN=$1
 4 | TOKEN=$2
 5 | TMPFILE=$(mktemp /tmp/dns_add_joker.XXXXXXX)
 6 | 
 7 | USERNAME="youruser"
 8 | PASSWORD="yourpassword"
 9 | 
10 | # Verify that required parameters are set
11 | if [[ -z "${FULLDOMAIN}" ]]; then
12 |   echo "DNS script requires full domain name as first parameter"
13 |   exit 1
14 | fi
15 | 
16 | if [[ -z "${TOKEN}" ]]; then
17 |   echo "DNS script requires challenge token as second parameter"
18 |   exit 1
19 | fi
20 | 
21 | DOMAIN_ROOT=$(echo "${FULLDOMAIN}" | awk -F\. '{print $(NF-1) FS $NF}')
22 | 
23 | SID=$(curl --silent -X POST https://dmapi.joker.com/request/login \
24 | 	-H "Accept: application/json" -H "User-Agent: getssl/0.1" \
25 | 	-H "application/x-www-form-urlencoded" -d "username=${USERNAME}&password=${PASSWORD}" \
26 | 	-i -k 2>/dev/null | grep Auth-Sid | awk '{ print $2 }')
27 | 
28 | ## put zone data in tempfile
29 | curl --silent -X POST https://dmapi.joker.com/request/dns-zone-get \
30 | 	-H "Accept: application/json" -H "User-Agent: getssl/0.1" \
31 | 	-H "application/x-www-form-urlencoded" -d "domain=${DOMAIN_ROOT}&auth-sid=${SID}" | \
32 | 	tail -n +7 >"${TMPFILE}"
33 | 
34 | ## add txt record
35 | printf "_acme-challenge.%s. TXT 0  \"%s \" 300\n\n" "${FULLDOMAIN}" "${TOKEN}" >>"${TMPFILE}"
36 | 
37 | ## generate encoded url data
38 | URLDATA=$(cat "${TMPFILE}" | sed 's/ /%20/g' | sed 's/"/%22/g' | sed ':a;N;$!ba;s/\n/%0A/g')
39 | 
40 | ## write new zonefile to joker
41 | curl --silent --output /dev/null "https://dmapi.joker.com/request/dns-zone-put?domain=${DOMAIN_ROOT}&zone=${URLDATA}&auth-sid=${SID}" 2>&1
42 | 
43 | ## remove tempfile
44 | rm -f "${TMPFILE}"
45 | 


--------------------------------------------------------------------------------
/dns_scripts/dns_add_lexicon:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | # a simple wrapper for Lexicon - https://github.com/AnalogJ/lexicon - a python script which can
 4 | # Manipulate DNS records on various DNS providers in a standardized way.
 5 | # You need to define the following environmental variables
 6 | # LEXICON_PROVIDER
 7 | # Every DNS service and auth flag maps to an Environmental Variable as follows: LEXICON_{DNS Provider Name}_{Auth Type}
 8 | # eg LEXICON_CLOUDFLARE_USERNAME and LEXICON_CLOUDFLARE_TOKEN or LEXICON_DIGITALOCEAN_TOKEN
 9 | 
10 | fulldomain="${1}"
11 | token="${2}"
12 | 
13 |   lexicon "$LEXICON_PROVIDER" \
14 |           create "$fulldomain" TXT \
15 |           --name="_acme-challenge.${fulldomain}." \
16 |           --content="$token"
17 | 
18 | exit
19 | 


--------------------------------------------------------------------------------
/dns_scripts/dns_add_linode:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | fulldomain="${1}"
 4 | token="${2}"
 5 | api_url="https://api.linode.com/v4"
 6 | api_key=${LINODE_KEY:-''}
 7 | 
 8 | # Verify that required parameters are set
 9 | if [[ -z "$fulldomain" ]]; then
10 |   echo "DNS script requires full domain name as first parameter"
11 |   exit 1
12 | fi
13 | if [[ -z "$token" ]]; then
14 |   echo "DNS script requires challenge token as second parameter"
15 |   exit 1
16 | fi
17 | if [[ -z "$LINODE_KEY" ]]; then
18 |   echo "LINODE_KEY variable not set"
19 |   exit 1
20 | fi
21 | 
22 | # Get Domain List
23 | response=$(curl --silent ${api_url}/domains \
24 |   -H "User-Agent: getssl/0.1" -H "Authorization: Bearer ${api_key}")
25 | 
26 | # Get Domain ID for longest match
27 | domain_root="$fulldomain"
28 | domain=""
29 | 
30 | while [[ "$domain_root" == *.* ]] ; do
31 | 	domain_id=$(echo "$response" | jq ".data[]? | select (.domain==\"$domain_root\") | .id")
32 | 	if [[ "$domain_id" != "" ]] ; then
33 | 		break
34 | 	fi
35 | 	domain_root=${domain_root#*.}
36 | 	domain=${fulldomain%.$domain_root}
37 | done
38 | 
39 | if [[ "$domain_id" == "" ]]; then
40 |   echo "Failed to fetch DomainID"
41 |   exit 1
42 | fi
43 | 
44 | txtname="_acme-challenge${domain:+.$domain}"
45 | 
46 | # Create TXT record
47 | 
48 | response=$(curl --silent -X POST ${api_url}/domains/${domain_id}/records \
49 |   -H "Content-Type: application/json" -H "User-Agent: getssl/0.1" -H "Authorization: Bearer ${api_key}" \
50 |   -d '{"type": "TXT", "name": "'${txtname}'", "target": "'$token'", "ttl_sec": 30}')
51 | errors=$(echo "$response" | jq ".errors[]?.reason")
52 | if [[ "$errors" != "" ]]; then
53 |     echo "Something went wrong: $errors"
54 |     exit 1
55 | fi
56 | 


--------------------------------------------------------------------------------
/dns_scripts/dns_add_manual:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | 
3 | echo "In the DNS, a new TXT record needs to be created for;"
4 | echo "_acme-challenge.${1}"
5 | echo "containing the following value"
6 | echo "$2"
7 | 
8 | read -r -p "Press any key to obtain the certificate once the records have been updated..."
9 | 


--------------------------------------------------------------------------------
/dns_scripts/dns_add_ns1:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bash
 2 | # NS1 Add DNS Record
 3 | 
 4 | if [[ -z "$NS1_API_KEY" ]]; then
 5 |   echo "NS1_API_KEY variable not set"
 6 |   exit 1
 7 | fi
 8 | 
 9 | api_url="https://api.nsone.net/v1/"
10 | api_key=${NS1_API_KEY:-''}
11 | 
12 | domain="$1"
13 | challenge="$2"
14 | 
15 | root=$(echo "$domain" | awk -F\. '{print $(NF-1) FS $NF}')
16 | subdomain="_acme-challenge.${domain%}"
17 | 
18 | function create {
19 | 
20 | curl "${api_url}/zones/${root}/${subdomain}/TXT" -X DELETE \
21 |   --header "X-NSONE-Key: $api_key"
22 | 
23 | curl "${api_url}/zones/${root}/${subdomain}/TXT" -X PUT \
24 |   --header "X-NSONE-Key: $api_key" \
25 |   --header "Content-Type: application/json" \
26 |   --data "{ \"zone\": \"${root}\", \"domain\": \"${subdomain}\", \"type\": \"TXT\", \"answers\": [ { \"answer\": [ \"${challenge}\" ] } ] }"
27 | 
28 | }
29 | 
30 | create $root $subdomain
31 | 


--------------------------------------------------------------------------------
/dns_scripts/dns_add_nsupdate:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | # example of script to add token to local dns using nsupdate
 4 | 
 5 | fulldomain="$1"
 6 | token="$2"
 7 | 
 8 | # VARIABLES:
 9 | #
10 | # DNS_NSUPDATE_KEYFILE - path to a TSIG key file, if required
11 | # DNS_NSUPDATE_GETKEY  - command to execute if access to the key file requires
12 | #                        some special action: mounting a disk, decrypting a file..
13 | #                        Called with the operation 'add' and action 'open" / 'close'
14 | 
15 | 
16 | if [ -n "${DNS_NSUPDATE_KEYFILE}" ]; then
17 |   if [ -n "${DNS_NSUPDATE_KEY_HOOK}" ] && ! ${DNS_NSUPDATE_KEY_HOOK} 'add' 'open' "${fulldomain}" ; then
18 |     exit $(( $? + 128 ))
19 |   fi
20 | 
21 |   options="-k ${DNS_NSUPDATE_KEYFILE}"
22 | fi
23 | 
24 | cmd=
25 | if [ -n "${DNS_SERVER}" ]; then
26 |   cmd+="server ${DNS_SERVER}\n"
27 | fi
28 | 
29 | cmd+="update add  ${DNS_ZONE:-"_acme-challenge.${fulldomain}."} 300 in TXT \"${token}\"\n"
30 | cmd+="\n" # blank line is a "send" command to nsupdate
31 | 
32 | printf "$cmd" | nsupdate ${options} -v
33 | 
34 | sts=$?
35 | 
36 | if [ -n "${DNS_NSUPDATE_KEYFILE}" ]; then
37 |   if [ -n "${DNS_NSUPDATE_KEY_HOOK}" ] && ! ${DNS_NSUPDATE_KEY_HOOK} 'add' 'close'  "${fulldomain}"; then
38 |     exit $(( sts + ( $? * 10 ) ))
39 |   fi
40 | fi
41 | 
42 | exit ${sts}
43 | 


--------------------------------------------------------------------------------
/dns_scripts/dns_add_ovh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | domains=($(echo "$1"|sed -e 's/^\(\([a-zA-Z0-9.-]*\?\)\.\)*\([a-zA-Z0-9-]\+\.[a-zA-Z-]\+\)$/"\1" _acme-challenge.\2 \3/g'))
 4 | challenge="$2"
 5 | 
 6 | # Please, do not forget to ask for your credentials at https://eu.api.ovh.com/createToken/
 7 | # permissions needed are /domain/zone/* in GET,POST,DELETE
 8 | applicationKey=${OVH_APPLICATION_KEY:-''}
 9 | applicationSecret=${OVH_APPLICATION_SECRET:-''}
10 | consumerKey=${OVH_CONSUMER_KEY:-''}
11 | 
12 | topDomain=${domains[2]}
13 | subDomain=${domains[1]%%.}
14 | 
15 | function send
16 | {
17 |         method=$1
18 |         url=$2
19 |         body=$3
20 |         ts=$(date +%s)
21 | 
22 |         sign=\$1\$$(echo -n "${applicationSecret}+${consumerKey}+${method}+https://eu.api.ovh.com/1.0${url}+${body}+${ts}"|sha1sum|cut -d" " -f1)
23 |         curl -X "${method}" -H "Content-Type: application/json" -H "X-Ovh-Application: ${applicationKey}" -H "X-Ovh-Timestamp: ${ts}" -H "X-Ovh-Signature: ${sign}" -H "X-Ovh-Consumer: ${consumerKey}" -d "${body}" "https://eu.api.ovh.com/1.0${url}"
24 | }
25 | 
26 | # Creation request
27 | send POST "/domain/zone/${topDomain}/record" "{\"fieldType\":\"TXT\",\"subDomain\":\"$subDomain\",\"ttl\":60,\"target\":\"$challenge\"}"
28 | 
29 | # Refresh request
30 | send POST "/domain/zone/${topDomain}/refresh" ""
31 | 
32 | # Pause for 10 seconds, for DNS propagation
33 | sleep 10
34 | 


--------------------------------------------------------------------------------
/dns_scripts/dns_add_pdns-mysql:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | # You must either have a suitable ~/.my.cnf containing a user / pass
 4 | # for your mysql / mariadb database, OR you must uncomment the next line
 5 | # (which is a security risk; don't do it!) and adjust accordingly.
 6 | 
 7 | #CREDENTIALS="-uUSERNAME -pPASSWORD"
 8 | 
 9 | FQDN=$1
10 | TOKEN=$2
11 | 
12 | # If your database name is not powerdns, change it here.
13 | DB="powerdns"
14 | 
15 | DOMAIN=${FQDN}
16 | 
17 | # Iterate over the database, checking for a match. Keep stripping
18 | # subdomains off 1 by 1 until we find one, or exit with an error.
19 | while [[ -z "${DOMAIN_ID}" ]]; do
20 | 	DOMAIN_ID=$(mysql -ss "${CREDENTIALS}" -e "SELECT id FROM ${DB}.domains WHERE name='${DOMAIN}'")
21 | 	if [[ -z "${DOMAIN_ID}" ]]; then
22 | 		DOMAIN="$(echo "${DOMAIN}"|cut -d. -f1 --complement)"
23 | 	fi
24 | 	if [[ ${DOMAIN} != *"."* ]]; then
25 | 		echo "Cannot find matching domain record! ABORT!"
26 | 		exit 1
27 | 	fi
28 | done
29 | 
30 | echo "Domain ID: ${DOMAIN_ID} | FQDN: ${FQDN} | Domain: ${DOMAIN}"
31 | 
32 | mysql -ss "${CREDENTIALS}" -e "INSERT INTO ${DB}.records \
33 |  (domain_id, name, content, type,ttl,prio) VALUES \
34 |  (${DOMAIN_ID},'_acme-challenge.${FQDN}','${TOKEN}','TXT',120,NULL);"
35 | 


--------------------------------------------------------------------------------
/dns_scripts/dns_add_route53:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # Add token to Route53 dns using dns_route53 bash version
 4 | 
 5 | fulldomain="$1"
 6 | token="$2"
 7 | 
 8 | [ -z "$ROUTE53_SCRIPT" ] && ROUTE53_SCRIPT="/usr/share/getssl/dns_scripts/dns_route53"
 9 | [[ "$ROUTE53_SCRIPT" =~ ^~ ]] && \
10 |     eval 'ROUTE53_SCRIPT=`readlink -nf ' $ROUTE53_SCRIPT '`'
11 | 
12 | if [ ! -x "$ROUTE53_SCRIPT" ]; then
13 |     echo "$ROUTE53_SCRIPT: not found.  Please install, softlink or set ROUTE53_SCRIPT to its full path"
14 |     echo "See ROUTE53-README.txt for complete instructions."
15 |     exit 3
16 | fi
17 | 
18 | $ROUTE53_SCRIPT -q add "${fulldomain}." "${token}"
19 | 


--------------------------------------------------------------------------------
/dns_scripts/dns_add_vultr:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bash
 2 | # Vultr Add DNS Record 
 3 | 
 4 | api_url="https://api.vultr.com/v2"
 5 | api_key=${VULTR_API_KEY:-''}
 6 | 
 7 | 
 8 | domain="$1"
 9 | challenge="$2"
10 | 
11 | root=$(echo "$domain" | awk -F\. '{print $(NF-1) FS $NF}')
12 | subdomain="_acme-challenge.${domain%.$root}"
13 | 
14 | if [[ -z "$VULTR_API_KEY" ]]; then
15 |   echo "VULTR_API_KEY variable not set"
16 |   exit 1
17 | fi
18 | 
19 | function create {
20 | curl "${api_url}/domains/$1/records" -s -o /dev/null -X POST -H "Authorization: Bearer ${VULTR_API_KEY}" -H "Content-Type: application/json" \
21 |   --data "{
22 |     \"name\" : \"$2\",
23 |     \"type\" : \"TXT\",
24 |     \"data\" : \"${challenge}\",
25 |     \"ttl\" : 300,
26 |     \"priority\" : 0
27 |   }"
28 | }
29 | 
30 | create $root $subdomain
31 | 


--------------------------------------------------------------------------------
/dns_scripts/dns_add_windows_dns_server:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | # Windows DNS server using powershell - dnscmd is going to be deprecated 
 4 | # Using Windows Sublinux for executing windows commands
 5 | # dnscmd command will be depricated use powershell instead
 6 | 
 7 | regexp='[A-z0-9]+(\.(co|com))?\.\w+$'
 8 | 
 9 | fulldomain=${1}
10 | # Get root domain api.[domain|.co|.uk]
11 | rootdomain=$(echo "${fulldomain}" | grep -Eo "${regexp}")
12 | # Exlude root domain [api].domain.com
13 | subdomain=$(result=$(echo "${fulldomain}" | grep -Po '(.*)(?=\.[A-z0-9]+(\.(co|com))?\.\w+$)') && if [[ ${#result} -gt 0 ]]; then echo ".${result}"; else echo ""; fi)
14 | token=${2}
15 | 
16 | nloop=1
17 | retries=15 # Sometimes it fails
18 | while [[ ${nloop} -le ${retries} ]]; do
19 | 
20 |     # Add TXT record
21 |     echo "Tries ${nloop} out of ${retries}" 
22 |     
23 |     echo "Adding acme challenge record for ${fulldomain} with token ${token}"
24 |     cmd=(powershell.exe Add-DnsServerResourceRecord -DescriptiveText \'"${token}"\' -Name \'"_acme-challenge${subdomain}"\' -Txt -ZoneName \'"${rootdomain}"\' -TimeToLive 0:0:0:1)
25 |     echo "${cmd[@]}"
26 | 
27 |     result_stderr=$({ "${cmd[@]}" ;} 2>&1)
28 | 
29 |     if [[ ${#result_stderr} -eq 0 ]]; then
30 |         break
31 |     else
32 |         echo "${result_stderr}"
33 |     fi
34 | 
35 |     nloop=$((nloop+1))
36 | 
37 |     echo "Sleeping 5 seconds"
38 |     sleep 5
39 | done
40 | 


--------------------------------------------------------------------------------
/dns_scripts/dns_del_acmedns:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | # This script aims to delete a token to acme-dns DNS for the ACME challenge
 4 | # However, for now, acme-dns does not provide a delete API service.
 5 | # Its strategy is to update an existing record.
 6 | # So this call isn't relevant and must be neutral.
 7 | 
 8 | # usage dns_del_acmedns "domain name" "token"
 9 | # return codes are;
10 | # 0 - success
11 | # 1 - error returned from server
12 | 
13 | fulldomain="${1}"
14 | token="${2}"
15 | 
16 | # Check initial parameters
17 | if [[ -z "$fulldomain" ]]; then
18 |   echo "DNS script requires full domain name as first parameter"
19 |   exit 1
20 | fi
21 | if [[ -z "$token" ]]; then
22 |   echo "DNS script requires challenge token as second parameter"
23 |   exit 1
24 | fi
25 | 
26 | # nothing to do
27 | 
28 | exit 0
29 | 


--------------------------------------------------------------------------------
/dns_scripts/dns_del_azure:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | # Remove the TXT DNS record with azure-cli
 3 | fulldomain="${1}"
 4 | if [[ -z "$AZURE_RESOURCE_GROUP" ]]; then
 5 |   echo "AZURE_RESOURCE_GROUP is not set. Unable to set TXT records."
 6 |   exit 2
 7 | fi
 8 | if [[ -z "$AZURE_ZONE_ID" ]]; then
 9 |   echo "AZURE_ZONE_ID is not set. Unable to set TXT records."
10 |   exit 2
11 | fi
12 | if [[ -z "$AZURE_SUBSCRIPTION_ID" ]]; then 
13 |   echo "AZURE_SUBSCRIPTION_ID is not set. Unable to set TXT records."
14 |   exit 2
15 | fi
16 | 
17 | # Determine which zone ID to use from AZURE_ZONE_IDs
18 | # Convert the comma-separated list of AZURE_ZONE_IDs into an array and loop
19 | IFS=',' read -ra zone_ids <<< "$AZURE_ZONE_ID"
20 | for item in "${zone_ids[@]}"; do 
21 |   # If the full domain ends with the current zone ID
22 |   [[ "$fulldomain" =~ .*"${item}"$ ]] && zone_id="$item"
23 | done
24 | 
25 | if [ -z "$zone_id" ]; then 
26 |   echo "${fulldomain} does not match any of the zone IDs specified by ${AZURE_ZONE_ID[@]}"
27 |   exit 2
28 | fi
29 | 
30 | az account set --subscription "$AZURE_SUBSCRIPTION_ID"
31 | # Determine the recordset by removing the zone_id from the full domain and prefixing
32 | # with _acme-challenge.
33 | recordset="_acme-challenge.${fulldomain/.$zone_id/}"
34 | # The fulldomain should not be included in the recordset. It is used for subdomains.
35 | # E.g. domain = *.sub.example.com the recordset is _acme-challenge.sub
36 | #      domain = example.com the record set is _acme-challenge
37 | [[ "$recordset" == "_acme-challenge.$fulldomain" ]] && recordset="_acme-challenge"
38 | az network dns record-set txt delete --yes -g "$AZURE_RESOURCE_GROUP" -z "$zone_id" -n "$recordset"
39 | 


--------------------------------------------------------------------------------
/dns_scripts/dns_del_challtestsrv:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | # Simple script to update the challtestserv mock DNS server when testing DNS responses
3 | 
4 | fulldomain="${1}"
5 | 
6 | curl -X POST -d "{\"host\":\"_acme-challenge.${fulldomain}.\"}" http://10.30.50.3:8055/clear-txt
7 | 


--------------------------------------------------------------------------------
/dns_scripts/dns_del_cpanel:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | # Need to add your email address and API key to cpanel below or set as env variables
 4 | user=${CPANEL_USERNAME:-''}
 5 | password=${CPANEL_PASSWORD:-''}
 6 | url=${CPANEL_URL:-''} # e.g. https://www.cpanel-host.test:2083
 7 | apitoken=${CPANEL_APITOKEN:-''}
 8 | 
 9 | fulldomain="${1}"
10 | 
11 | # Check initial parameters
12 | if [[ -z "$fulldomain" ]]; then
13 |     echo "DNS script requires full domain name as first parameter"
14 |     exit 1
15 | fi
16 | if [[ -z "$user" ]]; then
17 |     echo "CPANEL_USERNAME (username) parameter not set"
18 |     exit 1
19 | fi
20 | if [[ -z "$apitoken" ]] && [[ -z "$password" ]]; then
21 |     echo "Must set either CPANEL_APITOKEN or CPANEL_PASSWORD in dns script, environment variable or getssl.cfg"
22 |     exit 1
23 | fi
24 | if [[ -z "$url" ]]; then
25 |     echo "CPANEL_URL (url) parameter not set"
26 |     exit 1
27 | fi
28 | 
29 | # Setup
30 | request_func="${url}/json-api/cpanel?cpanel_jsonapi_apiversion=2&cpanel_jsonapi_module=ZoneEdit"
31 | if [[ -n $apitoken ]]; then
32 |   curl_params=( -H "Authorization: cpanel $user:$apitoken" )
33 | else
34 |   auth_string=$(echo -ne "$user:$password" | base64 --wrap 0)
35 |   curl_params=( -H "Authorization: Basic $auth_string" )
36 | fi
37 | 
38 | # Check if domain is a CNAME
39 | res=$(dig CNAME "$fulldomain")
40 | domain=$(echo "$res"| awk '$4 ~ "CNAME" {print $5}' |sed 's/\.$//g')
41 | if [[ -n "$domain" ]]; then
42 |   name=".${fulldomain%.$domain}"
43 | else
44 |   domain=$fulldomain
45 |   name=""
46 | fi
47 | 
48 | # Find line number of existing record
49 | request_params="&cpanel_jsonapi_func=fetchzone_records&domain=${domain}&type=TXT&name=_acme-challenge.${fulldomain}."
50 | resp=$(curl --silent "${curl_params[@]}" "$request_func$request_params")
51 | if [[ "$resp" = *\"error\":* ]]; then
52 |   echo -n "cpanel fetchzone records failed: "
53 |   echo "$resp" | awk -F"error" '{ print $2 }' | awk -F\" '{ print $3 }'
54 |   exit 1
55 | fi
56 | 
57 | # shellcheck disable=SC2001
58 | line=$(echo "$resp" | sed -e 's/.*line":\([0-9]*\),.*/\1/')
59 | if [[ "$line" != "" ]]; then
60 |   # Delete the challenge token
61 |   request_params="&cpanel_jsonapi_func=remove_zone_record&domain=$domain&type=TXT&name=_acme-challenge$name&line=$line"
62 |   resp=$(curl --silent "${curl_params[@]}" "$request_func$request_params")
63 | fi
64 | 
65 | if [[ "$resp" = *\"status\":0* ]]; then
66 |   echo -n "cpanel remove zone record failed: "
67 |   echo "$resp" | awk -F"statusmsg" '{ print $2 }' | awk -F\" '{ print $3 }'
68 |   exit 1
69 | fi
70 | 


--------------------------------------------------------------------------------
/dns_scripts/dns_del_dnsmasq:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | 
3 | # Make sure you enable in the /etc/dnsmasq.conf this line conf-dir=/etc/dnsmasq.d/,*.conf
4 | 
5 | echo "" > /etc/dnsmasq.d/acme-challenge.conf
6 | 
7 | systemctl restart dnsmasq
8 | 


--------------------------------------------------------------------------------
/dns_scripts/dns_del_dnspod:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | # need to add your email address and key to dnspod below
 4 | key=${DNSPOD_API_KEY:-}
 5 | 
 6 | fulldomain="$1"
 7 | 
 8 | NumParts=$(echo "$fulldomain" | awk -F"." '{print NF}')
 9 | if [[ $NumParts -gt 2 ]]; then
10 |   domain=$(echo "$fulldomain" | awk -F\. '{print $(NF-1) FS $NF}')
11 | #  txtname="_acme-challenge$(echo "$fulldomain" | awk -F\. '{for (i=1; i<NF-1; i++) printf "." $i}')"
12 | else
13 |   domain=$fulldomain
14 | #  txtname="_acme-challenge"
15 | fi
16 | 
17 | response=$(curl --silent -X POST "https://dnsapi.cn/Domain.List" \
18 |   -H "Accept: application/json" -H "User-Agent: getssl/0.1" -H "application/x-www-form-urlencoded" \
19 |   -d "login_token=${key}&format=json" )
20 | 
21 | domain_id=$(echo "$response" | egrep -o  "[^{]*\"name\":\"${domain}\"[^}]*"|grep -oP '\"id\":\K[^,]+')
22 | 
23 | response=$(curl --silent -X POST "https://dnsapi.cn/Record.List" \
24 |   -H "Accept: application/json" -H "User-Agent: getssl/0.1" -H "application/x-www-form-urlencoded" \
25 |   -d "login_token=${key}&format=json&domain_id=${domain_id}" )
26 | 
27 | zone_ids=$(echo "$response" | egrep -o  "[^{]*\"type\":\"TXT\"[^}]*" | grep -oP '\"id\":"\K[^"]+')
28 | 
29 | ids=( $zone_ids )
30 | 
31 | # loop though all IDs ( if more than one )
32 | for id in "${ids[@]}"; do
33 |   response=$(curl --silent -X POST "https://dnsapi.cn/Record.Remove" \
34 |     -H "Accept: application/json" -H "User-Agent: getssl/0.1" -H "application/x-www-form-urlencoded" \
35 |     -d "login_token=${key}&format=json&domain_id=${domain_id}&record_id=${id}")
36 | done
37 | 
38 | 


--------------------------------------------------------------------------------
/dns_scripts/dns_del_duckdns:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | # need to add your Token for duckdns below
 4 | token=${DUCKDNS_TOKEN:-}
 5 | domain="$1"
 6 | i=1
 7 | 
 8 | response=$(curl --retry 5 --silent "https://www.duckdns.org/update?domains=${domain}&token=${token}&txt=&clear=true")
 9 | 
10 | while [[ "${response}" == *"502 Bad Gateway"* ]] && [ $i -le 5 ]; do
11 |     echo "Retrying Bad Gateway response (attempt $i of 5)"
12 |     sleep 5
13 |     i=$((i+1))
14 |     response=$(curl --retry 5 --silent "https://www.duckdns.org/update?domains=${domain}&token=${token}&txt=&clear=true")
15 | done
16 | 
17 | if [ "$response" != "OK" ]; then
18 |     echo "Failed to update TXT record for ${domain} at duckdns.org (is the TOKEN valid?)"
19 |     echo "$response"
20 |     exit 1
21 | fi
22 | 


--------------------------------------------------------------------------------
/dns_scripts/dns_del_dynu:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | # Need to add your API key below or set as env variable
 3 | apikey=${DYNU_API_KEY:-''}
 4 | 
 5 | # This script deletes the _acme-challenge TXT record from the dynu.com DNS entry for the domain
 6 | # usage dns_del_dynu "domain name"
 7 | # return codes are;
 8 | # 0 - success
 9 | # 1 - error in input
10 | # 2 - error within internal processing
11 | # 3 - error in result ( domain not found in dynu.com etc)
12 | 
13 | # After deleting the TXT record from Dynu.com it takes over 30 minutes to add a new TXT record!
14 | # This doesn't happen when updating the TXT record, just for delete then add
15 | # As this is used for testing, changed the delete to a no-op.
16 | 
17 | exit 0
18 | 
19 | fulldomain="${1}"
20 | 
21 | API='https://api.dynu.com/v2/dns'
22 | 
23 | # Check initial parameters
24 | if [[ -z "$fulldomain" ]]; then
25 |   echo "DNS script requires full domain name as first parameter"
26 |   exit 1
27 | fi
28 | if [[ -z "$apikey" ]]; then
29 |   echo "DNS script requires apikey environment variable to be set"
30 |   exit 1
31 | fi
32 | 
33 | curl_params=( -H "accept: application/json" -H "API-Key: $apikey" -H 'Content-Type: application/json' )
34 | 
35 | # Get domain id
36 | # curl -X GET https://api.dynu.com/v2/dns/getroot/ubuntu-getssl.freeddns.org
37 | resp=$(curl --silent "${curl_params[@]}" -X GET "$API/getroot/${fulldomain}")
38 | 
39 | # Match domain id
40 | re="\"id\":([^,]*),\"domainName\":\"${fulldomain}\""
41 | if [[ "$resp" =~ $re ]]; then
42 |   domain_id="${BASH_REMATCH[1]}"
43 | fi
44 | 
45 | if [[ -z "$domain_id" ]]; then
46 |   echo 'Domain name not found on your Dynu account'
47 |   exit 3
48 | fi
49 | 
50 | # Check for existing _acme-challenge TXT record
51 | # curl -X GET "https://api.dynu.com/v2/dns/record/_acme-challenge.ubuntu-getssl.freeddns.org?recordType=TXT"
52 | resp=$(curl --silent "${curl_params[@]}" -X GET "${API}/record/_acme-challenge.${fulldomain}?recordType=TXT")
53 | re="\"id\":([^,]*)"
54 | if [[ "$resp" =~ $re ]]; then
55 |   record_id="${BASH_REMATCH[1]}"
56 | fi
57 | 
58 | if [[ -z "$record_id" ]]; then
59 |   echo "No _acme-challenge.${fulldomain} TXT record found"
60 |   exit 0
61 | fi
62 | 
63 | resp=$(curl --silent \
64 |   "${curl_params[@]}" \
65 |   -X DELETE "${API}/${domain_id}/record/${record_id}")
66 | 
67 | # If adding record failed (exception:) then print error message
68 | if [[ "$resp" != *"\"statusCode\":200"* ]]; then
69 |   echo "Error: DNS challenge not added: unknown error - ${resp}"
70 |   exit 3
71 | fi
72 | 


--------------------------------------------------------------------------------
/dns_scripts/dns_del_godaddy:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | # Copyright (C) 2017,2018 Timothe Litt  litt at acm _dot org
 4 | 
 5 | # Remove token from GoDaddy dns using dns_godaddy
 6 | 
 7 | # You do not have to customize this script.
 8 | #
 9 | # Obtain the Key and Secret from https://developer.godaddy.com/getstarted
10 | # You must obtain a "Production" key - NOT the "Test" key you're required
11 | # to get first.
12 | #
13 | # Obtain JSON.sh from https://github.com/dominictarr/JSON.sh
14 | # Place it in (or softlink it to) the same directory as $GODADDY_SCRIPT,
15 | # or specify its location with GODADDY_JSON  The default is
16 | # /usr/share/getssl/dns_scripts/
17 | #
18 | # Define GODADDY_KEY and GO_DADDY_SECRET in your account or domain getssl.cfg
19 | #
20 | # See GoDaddy-README.txt for complete instructions.
21 | 
22 | fulldomain="$1"
23 | token="$2"
24 | 
25 | [ -z "$GODADDY_SCRIPT" ] && GODADDY_SCRIPT="/usr/share/getssl/dns_scripts/dns_godaddy"
26 | [[ "$GODADDY_SCRIPT" =~ ^~ ]] && \
27 |     eval 'GODADDY_SCRIPT=`readlink -nf ' $GODADDY_SCRIPT '`'
28 | 
29 | if ! [ -x "$GODADDY_SCRIPT" ]; then
30 |     echo "$GODADDY_SCRIPT: not found.  Please install, softlink or set GODADDY_SCRIPT to its full path"
31 |     echo "See GoDaddy-README.txt for complete instructions."
32 |     exit 3
33 | fi
34 | 
35 | export GODADDY_KEY
36 | export GODADDY_SECRET
37 | export GODADDY_BASE
38 | 
39 | $GODADDY_SCRIPT -q del "_acme-challenge.${fulldomain}." "${token}"
40 | 


--------------------------------------------------------------------------------
/dns_scripts/dns_del_hetzner:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | fulldomain="${1}"
 4 | token="${2}"
 5 | api_url="https://dns.hetzner.com/api/v1"
 6 | api_key=${HETZNER_KEY:-''}
 7 | zone_id=${HETZNER_ZONE_ID:-''}
 8 | zone_name=${HETZNER_ZONE_NAME:-''}
 9 | 
10 | # Verify that required parameters are set
11 | if [[ -z "$fulldomain" ]]; then
12 |   echo "DNS script requires full domain name as first parameter"
13 |   exit 1
14 | fi
15 | if [[ -z "$token" ]]; then
16 |   echo "DNS script requires challenge token as second parameter"
17 |   exit 1
18 | fi
19 | if [[ -z "$HETZNER_KEY" ]]; then
20 |   echo "HETZNER_KEY variable not set"
21 |   exit 1
22 | fi
23 | if [[ -z "$HETZNER_ZONE_ID" && -z "$HETZNER_ZONE_NAME" ]] ; then
24 |   echo "HETZNER_ZONE_ID and HETZNER_ZONE_NAME variables not set"
25 |   exit 1
26 | fi
27 | 
28 | # Get Zone ID if not set
29 | if [[ -z "$HETZNER_ZONE_ID" ]] ; then
30 |   zone_id=$(curl --silent -X GET "$api_url/zones?name=$zone_name" -H 'Auth-API-Token: '"$api_key"'' | jq -r '.zones[0].id')
31 |   if [[  "$zone_id" == "null" ]] ; then
32 |     echo "Zone by name not found"
33 |     exit 1
34 |   fi
35 | fi
36 | 
37 | # domain_root=$(echo "$fulldomain" | awk -F\. '{print $(NF-1) FS $NF FS}')
38 | # domain=${fulldomain%.$domain_root}
39 | txtname="_acme-challenge.$fulldomain."
40 | 
41 | 
42 | record_id=$(curl --silent -X GET "$api_url/records?zone_id=$zone_id" -H "Auth-API-Token: $api_key" | jq -r '.records[] | select(.name=="'"$txtname"'") | .id')
43 | 
44 | if [[ "$record_id" == "null" ]] ; then
45 |   echo "Record not found"
46 |   exit 1
47 | fi
48 | 
49 | # Create TXT record
50 | response=$(curl --silent -X DELETE "$api_url/records/$record_id" -H "Auth-API-Token: $api_key" -o /dev/null -w '%{http_code}')
51 | 
52 | if [[ "$response" != "200" ]] ; then
53 |   echo "Record not deleted"
54 |   echo "Response code: $response"
55 |   exit 1
56 | fi
57 | 
58 | 


--------------------------------------------------------------------------------
/dns_scripts/dns_del_hostway:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | # Need to add your API key below or set as env variable
 3 | apikey="$HOSTWAY_API_KEY"
 4 | 
 5 | # This script adds a token to dynu.com DNS for the ACME challenge
 6 | # usage dns_add_dynu "domain name" "token"
 7 | # return codes are;
 8 | # 0 - success
 9 | # 1 - error in input
10 | # 2 - error within internal processing
11 | # 3 - error in result ( domain not found in dynu.com etc)
12 | 
13 | fulldomain="${1}"
14 | token="${2}"
15 | 
16 | API='https://api.hostway.com/dns'
17 | 
18 | # Check initial parameters
19 | if [[ -z "$fulldomain" ]]; then
20 |   echo "DNS script requires full domain name as first parameter"
21 |   exit 1
22 | fi
23 | if [[ -z "$token" ]]; then
24 |   echo "DNS script requires challenge token as second parameter"
25 |   exit 1
26 | fi
27 | 
28 | curl_params=( -H "accept: application/json" -H "Authorization: Basic $apikey" -H 'Content-Type: application/json charset=utf-8')
29 | 
30 | # Get domain id
31 | # curl -X GET "https://api.hostway.com/dns/domain/"
32 | resp=$(curl --silent "${curl_params[@]}" -X GET "$API/${fulldomain}")
33 | 
34 | # Match domain id
35 | re="\"serial\":\s?([^}]*)"
36 | if [[ "$resp" =~ $re ]]; then
37 |   domain_id="${BASH_REMATCH[1]}"
38 | fi
39 | 
40 | if [[ -z "$domain_id" ]]; then
41 |   echo 'Domain name not found on your Hostway account'
42 |   exit 3
43 | fi
44 | 
45 | # Check for existing _acme-challenge TXT record
46 | # curl -X GET "https://api.hostway.com/dns/domain/records?filterType=TXT&page=1&pageSize=100"
47 | resp=$(curl --silent "${curl_params[@]}" -X GET "$API/${fulldomain}/records?filterType=TXT")
48 | #re="\"id\":\s?([^}]*)"
49 | re="(?<=_acme(.*)\"id\":\s?)[0-9]+(?=\})"
50 | if [[ "$resp" =~ $re ]]; then
51 |     record_id="${BASH_REMATCH[1]}"
52 | fi
53 | 
54 | if [[ -z "$record_id" ]]; then
55 |     echo "Not able to find a record to delete"
56 | else
57 |   # Delete existing record
58 |   # curl -X DELETE https://api.hostway.com/dns/{domain}/records/{record_id}
59 |   resp=$(curl --silent \
60 |     "${curl_params[@]}" \
61 |     -X DELETE "${API}/${fulldomain}/records/${record_id}")
62 | 
63 |     if [[ "$resp" == "" ]]; then
64 |         echo "Record deleted successfully for ${fulldomain}"
65 |     fi
66 | fi


--------------------------------------------------------------------------------
/dns_scripts/dns_del_ionos:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | #
 3 | # Called as
 4 | #
 5 | # eval "${DNS_DEL_COMMAND}" "${lower_d}" "${auth_key}"
 6 | #
 7 | # See https://developer.hosting.ionos.de/docs/getstarted how to generate
 8 | # an API Key consisting of prefix and key
 9 | #
10 | # see DNS API Doc here https://developer.hosting.ionos.de/docs/dns
11 | #
12 | 
13 | API_KEY="X-API-Key: <prefix>.<key>"
14 | API_URL="https://api.hosting.ionos.com/dns/v1"
15 | 
16 | # get zone id:
17 | ZONE_ID=$(curl -s -X GET "$API_URL/zones" -H "accept: application/json" -H "Content-Type: application/json" -H "$API_KEY" | jq -r '.[].id')
18 | 
19 | RECORD_ID=$(curl -s -X GET "$API_URL/zones/$ZONE_ID?recordName=_acme-challenge.$1&recordType=TXT" -H "$API_KEY" -H "Accept: application/json" | jq -r '.["records"][]["id"]')
20 | 
21 | # delete record
22 | curl -X DELETE "$API_URL/zones/$ZONE_ID/records/$RECORD_ID" -H "accept: application/json" -H "Content-Type: application/json" -H "$API_KEY"
23 | 
24 | 


--------------------------------------------------------------------------------
/dns_scripts/dns_del_ispconfig:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | # Need to add your API key below or set as env variable
 3 | CURR_PATH="`dirname \"$0\"`"
 4 | 
 5 | ispconfig_user="$ISPCONFIG_REMOTE_USER_NAME"
 6 | ispconfig_pass="$ISPCONFIG_REMOTE_USER_PASSWORD"
 7 | 
 8 | soap_location="$ISPCONFIG_SOAP_LOCATION"
 9 | soap_uri="$ISPCONFIG_SOAP_URL"
10 | 
11 | # This script adds a token to ispconfig database DNS for the ACME challenge
12 | # usage dns_add_ispconfig "domain name" "token"
13 | # return codes are;
14 | # 0 - success
15 | # 1 - error in input
16 | # 2 - error within internal processing
17 | # 3 - error in result ( domain not found in dynu.com etc)
18 | 
19 | fulldomain="${1}"
20 | token="${2}"
21 | 
22 | # Check initial parameters
23 | if [[ -z "$fulldomain" ]]; then
24 |   echo "DNS script requires full domain name as first parameter"
25 |   exit 1
26 | fi
27 | 
28 | if [[ -z "$token" ]]; then
29 |   echo "DNS script requires challenge token as second parameter"
30 |   exit 1
31 | fi
32 | 
33 | response=$(php $CURR_PATH/ispconfig_soap.php \
34 |   --action="del" \
35 |   --domain="$fulldomain" \
36 |   --token="$token" \
37 |   --ispconfig_user="$ispconfig_user" \
38 |   --ispconfig_pass="$ispconfig_pass" \
39 |   --soap_location="$soap_location" \
40 |   --soap_uri="$soap_uri")
41 | 
42 | echo $response
43 | 
44 | exit 0


--------------------------------------------------------------------------------
/dns_scripts/dns_del_joker:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | FULLDOMAIN=$1
 4 | TOKEN=$2
 5 | TMPFILE=$(mktemp /tmp/dns_add_joker.XXXXXXX)
 6 | 
 7 | USERNAME="youruser"
 8 | PASSWORD="yourpassword"
 9 | 
10 | # Verify that required parameters are set
11 | if [[ -z "${FULLDOMAIN}" ]]; then
12 |   echo "DNS script requires full domain name as first parameter"
13 |   exit 1
14 | fi
15 | 
16 | if [[ -z "${TOKEN}" ]]; then
17 |   echo "DNS script requires challenge token as second parameter"
18 |   exit 1
19 | fi
20 | 
21 | DOMAIN_ROOT=$(echo "${FULLDOMAIN}" | awk -F\. '{print $(NF-1) FS $NF}')
22 | 
23 | SID=$(curl --silent -X POST https://dmapi.joker.com/request/login \
24 | 	-H "Accept: application/json" -H "User-Agent: getssl/0.1" \
25 | 	-H "application/x-www-form-urlencoded" -d "username=${USERNAME}&password=${PASSWORD}" \
26 | 	-i -k 2>/dev/null | grep Auth-Sid | awk '{ print $2 }')
27 | 
28 | ## put zone data in tempfile
29 | curl --silent -X POST https://dmapi.joker.com/request/dns-zone-get \
30 | 	-H "Accept: application/json" -H "User-Agent: getssl/0.1" \
31 | 	-H "application/x-www-form-urlencoded" -d "domain=${DOMAIN_ROOT}&auth-sid=${SID}" | \
32 | 	tail -n +7 >"${TMPFILE}"
33 | 
34 | ## remove txt record
35 | sed -i "/_acme-challenge.${FULLDOMAIN}.*${TOKEN}.*/d" "${TMPFILE}"
36 | 
37 | ## generate encoded url data
38 | URLDATA=$(cat "${TMPFILE}" | sed 's/ /%20/g' | sed 's/"/%22/g' | sed ':a;N;$!ba;s/\n/%0A/g')
39 | 
40 | ## write new zonefile to joker
41 | curl --silent --output /dev/null "https://dmapi.joker.com/request/dns-zone-put?domain=${DOMAIN_ROOT}&zone=${URLDATA}&auth-sid=${SID}" 2>&1
42 | 
43 | ## remove tempfile
44 | rm -f "${TMPFILE}"
45 | 


--------------------------------------------------------------------------------
/dns_scripts/dns_del_lexicon:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | # a simple wrapper for Lexicon - https://github.com/AnalogJ/lexicon - a python script which can
 4 | # Manipulate DNS records on various DNS providers in a standardized way.
 5 | # You need to define the following environmental variables
 6 | # LEXICON_PROVIDER
 7 | # Every DNS service and auth flag maps to an Environmental Variable as follows: LEXICON_{DNS Provider Name}_{Auth Type}
 8 | # eg LEXICON_CLOUDFLARE_USERNAME and LEXICON_CLOUDFLARE_TOKEN or LEXICON_DIGITALOCEAN_TOKEN
 9 | 
10 | fulldomain="${1}"
11 | token="${2}"
12 | 
13 |   lexicon "$LEXICON_PROVIDER" \
14 |           delete "$fulldomain" TXT \
15 |           --name="_acme-challenge.${fulldomain}." \
16 |           --content="$token"
17 | 
18 | exit
19 | 


--------------------------------------------------------------------------------
/dns_scripts/dns_del_linode:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | fulldomain="${1}"
 4 | api_url="https://api.linode.com/v4"
 5 | api_key=${LINODE_KEY:-''}
 6 | 
 7 | # Verify that required parameters are set
 8 | if [[ -z "$fulldomain" ]]; then
 9 |   echo "DNS script requires full domain name as first parameter"
10 |   exit 1
11 | fi
12 | if [[ -z "$LINODE_KEY" ]]; then
13 |   echo "LINODE_KEY variable not set"
14 |   exit 1
15 | fi
16 | 
17 | # Get Domain List
18 | response=$(curl --silent ${api_url}/domains \
19 |   -H "User-Agent: getssl/0.1" -H "Authorization: Bearer ${api_key}")
20 | 
21 | # Get Domain ID for longest match
22 | domain_root="$fulldomain"
23 | domain=""
24 | 
25 | while [[ "$domain_root" == *.* ]] ; do
26 | 	domain_id=$(echo "$response" | jq ".data[]? | select (.domain==\"$domain_root\") | .id")
27 | 	if [[ "$domain_id" != "" ]] ; then
28 | 		break
29 | 	fi
30 | 	domain_root=${domain_root#*.}
31 | 	domain=${fulldomain%.$domain_root}
32 | done
33 | 
34 | if [[ "$domain_id" == "" ]]; then
35 |   echo "Failed to fetch DomainID"
36 |   exit 1
37 | fi
38 | 
39 | txtname="_acme-challenge${domain:+.$domain}"
40 | 
41 | # Get Resource ID
42 | response=$(curl --silent ${api_url}/domains/${domain_id}/records \
43 |   -H "User-Agent: getssl/0.1" -H "Authorization: Bearer ${api_key}")
44 | resource_id=$(echo "$response" |  jq ".data[] | select (.name==\"$txtname\") | .id")
45 | if [[ "$resource_id" == "" ]]; then
46 |   echo "Failed to fetch ResourceID"
47 |   exit 1
48 | fi
49 | 
50 | # Delete TXT record
51 | response=$(curl --silent -X DELETE ${api_url}/domains/${domain_id}/records/${resource_id} \
52 |   -H "User-Agent: getssl/0.1" -H "Authorization: Bearer ${api_key}")
53 | errors=$(echo "$response" | jq ".errors[]?.reason")
54 | if [[ "$errors" != "" ]]; then
55 |     echo "Something went wrong: $errors"
56 |     exit 1
57 | fi
58 | 


--------------------------------------------------------------------------------
/dns_scripts/dns_del_manual:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | 
3 | echo "In the DNS, the following DNS record should be deleted ;"
4 | echo "_acme-challenge.${1}"
5 | 
6 | read -r -p "Press any key to obtain the certificate once the records have been updated..."
7 | 


--------------------------------------------------------------------------------
/dns_scripts/dns_del_ns1:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bash
 2 | # NS1 Add DNS Record
 3 | 
 4 | if [[ -z "$NS1_API_KEY" ]]; then
 5 |   echo "NS1_API_KEY variable not set"
 6 |   exit 1
 7 | fi
 8 | 
 9 | api_url="https://api.nsone.net/v1/"
10 | api_key=${NS1_API_KEY:-''}
11 | 
12 | domain="$1"
13 | challenge="$2"
14 | 
15 | root=$(echo "$domain" | awk -F\. '{print $(NF-1) FS $NF}')
16 | subdomain="_acme-challenge.${domain%}"
17 | 
18 | function delete {
19 | 
20 | curl "${api_url}/zones/${root}/${subdomain}/TXT" -X DELETE \
21 |   --header "X-NSONE-Key: $api_key"
22 | 
23 | }
24 | 
25 | delete $root $subdomain
26 | 
27 | 


--------------------------------------------------------------------------------
/dns_scripts/dns_del_nsupdate:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | # example of script to remove token from local dns using nsupdate
 4 | 
 5 | fulldomain="$1"
 6 | token="$2"
 7 | 
 8 | # VARIABLES:
 9 | #
10 | # DNS_NSUPDATE_KEYFILE - path to a TSIG key file, if required
11 | # DNS_NSUPDATE_GETKEY  - command to execute if access to the key file requires
12 | #                        some special action: dismounting a disk, encrypting a
13 | #                         file... Called with the operation 'del' and action
14 | #                          'open" / 'close'
15 | 
16 | if [ -n "${DNS_NSUPDATE_KEYFILE}" ]; then
17 |   if [ -n "${DNS_NSUPDATE_KEY_HOOK}" ] && ! "${DNS_NSUPDATE_KEY_HOOK}" 'del' 'open' "${fulldomain}" ; then
18 |     exit $(( $? + 128 ))
19 |   fi
20 | 
21 |   options="-k ${DNS_NSUPDATE_KEYFILE}"
22 | fi
23 | 
24 | cmd=
25 | if [ -n "${DNS_SERVER}" ]; then
26 |   cmd+="server ${DNS_SERVER}\n"
27 | fi
28 | 
29 | cmd+="update delete  ${DNS_ZONE:-"_acme-challenge.${fulldomain}."} 300 in TXT \"${token}\"\n"
30 | cmd+="\n" # blank line is a "send" command to nsupdate
31 | 
32 | printf "$cmd" | nsupdate ${options} -v
33 | 
34 | sts=$?
35 | 
36 | if [ -n "${DNS_NSUPDATE_KEYFILE}" ]; then
37 |   if [ -n "${DNS_NSUPDATE_KEY_HOOK}" ] && ! "${DNS_NSUPDATE_KEY_HOOK}" 'del' 'close'  "${fulldomain}" ; then
38 |       exit $(( sts + ( $? * 10 ) ))
39 |   fi
40 | fi
41 | 
42 | exit ${sts}
43 | 


--------------------------------------------------------------------------------
/dns_scripts/dns_del_ovh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | domains=($(echo "$1"|sed -e 's/^\(\([a-zA-Z0-9.-]*\?\)\.\)*\([a-zA-Z0-9-]\+\.[a-zA-Z-]\+\)$/"\1" _acme-challenge.\2 \3/g'))
 4 | #challenge="$2"
 5 | 
 6 | # Please, do not forget to ask for your credentials at https://eu.api.ovh.com/createToken/
 7 | # permissions needed are /domain/zone/* in GET,POST,DELETE
 8 | applicationKey=${OVH_APPLICATION_KEY:-''}
 9 | applicationSecret=${OVH_APPLICATION_SECRET:-''}
10 | consumerKey=${OVH_CONSUMER_KEY:-''}
11 | 
12 | topDomain=${domains[2]}
13 | subDomain=${domains[1]%%.}
14 | 
15 | function send
16 | {
17 |         method=$1
18 |         url=$2
19 |         body=$3
20 |         ts=$(date +%s)
21 | 
22 |         sign=\$1\$$(echo -n "${applicationSecret}+${consumerKey}+${method}+https://eu.api.ovh.com/1.0${url}+${body}+${ts}"|sha1sum|cut -d" " -f1)
23 |         curl -X "${method}" -H "Content-Type: application/json" -H "X-Ovh-Application: ${applicationKey}" -H "X-Ovh-Timestamp: ${ts}" -H "X-Ovh-Signature: ${sign}" -H "X-Ovh-Consumer: ${consumerKey}" -d "${body}" "https://eu.api.ovh.com/1.0${url}"
24 | }
25 | 
26 | # Creation request
27 | oldResult=$(send GET "/domain/zone/${topDomain}/record?fieldType=TXT&subDomain=${subDomain}" ""|sed -e 's/\[//' -e 's/\]//')
28 | 
29 | for num in ${oldResult//,/ }
30 | do
31 |         send DELETE "/domain/zone/${topDomain}/record/${num}" ""
32 | done
33 | 
34 | # Refresh request
35 | send POST "/domain/zone/${topDomain}/refresh" ""
36 | 


--------------------------------------------------------------------------------
/dns_scripts/dns_del_pdns-mysql:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | # You must either have a suitable ~/.my.cnf containing a user / pass
 4 | # for your mysql / mariadb database, OR you must uncomment the next line
 5 | # (which is a security risk; don't do it!) and adjust accordingly.
 6 | 
 7 | #CREDENTIALS="-uUSERNAME -pPASSWORD"
 8 | 
 9 | FQDN=$1
10 | 
11 | # If your database name is not powerdns, change it here.
12 | DB="powerdns"
13 | 
14 | mysql -ss "${CREDENTIALS}" -e "DELETE FROM ${DB}.records WHERE \
15 |  name = '_acme-challenge.${FQDN}';"
16 | 
17 | echo "DELETE FROM ${DB}.records WHERE name = '_acme-challenge.${FQDN}';"
18 | 


--------------------------------------------------------------------------------
/dns_scripts/dns_del_route53:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # Delete token from Route53 dns using dns_route53 bash version
 4 | 
 5 | fulldomain="$1"
 6 | token="$2"
 7 | 
 8 | [ -z "$ROUTE53_SCRIPT" ] && ROUTE53_SCRIPT="/usr/share/getssl/dns_scripts/dns_route53"
 9 | [[ "$ROUTE53_SCRIPT" =~ ^~ ]] && \
10 |     eval 'ROUTE53_SCRIPT=`readlink -nf ' $ROUTE53_SCRIPT '`'
11 | 
12 | if [ ! -x "$ROUTE53_SCRIPT" ]; then
13 |     echo "$ROUTE53_SCRIPT: not found.  Please install, softlink or set ROUTE53_SCRIPT to its full path"
14 |     echo "See ROUTE53-README.txt for complete instructions."
15 |     exit 3
16 | fi
17 | 
18 | $ROUTE53_SCRIPT -q del "${fulldomain}." "${token}"
19 | 


--------------------------------------------------------------------------------
/dns_scripts/dns_del_vultr:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bash
 2 | # Vultr Delete DNS Record 
 3 | # This script requires jq to be installed on the machine running it
 4 | 
 5 | api_url="https://api.vultr.com/v2"
 6 | api_key=${VULTR_API_KEY:-''}
 7 | 
 8 | 
 9 | domain="$1"
10 | 
11 | root=$(echo "$domain" | awk -F\. '{print $(NF-1) FS $NF}')
12 | subdomain="_acme-challenge.${domain%.$root}"
13 | 
14 | if [[ -z "$VULTR_API_KEY" ]]; then
15 |   echo "VULTR_API_KEY variable not set"
16 |   exit 1
17 | fi
18 | 
19 | function delete {
20 |   recordID=$(curl "${api_url}/domains/$1/records" --silent -X GET -H "Authorization: Bearer ${VULTR_API_KEY}" | jq -r ".records[] | select(.name==\"$2\").id")
21 | 
22 |   curl "${api_url}/domains/$1/records/$recordID" -X DELETE -H "Authorization: Bearer ${VULTR_API_KEY}" 
23 | }
24 | 
25 | 
26 | delete $root $subdomain
27 | 


--------------------------------------------------------------------------------
/dns_scripts/dns_del_windows_dns_server:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | # Windows DNS server using powershell - dnscmd is going to be deprecated 
 4 | # Using Windows Sublinux for executing windows commands
 5 | # dnscmd command will be depricated use powershell instead
 6 | 
 7 | regexp='[A-z0-9]+(\.(co|com))?\.\w+$'
 8 | 
 9 | fulldomain=${1}
10 | # Get root domain api.[domain|.co|.uk]
11 | rootdomain=$(echo "${fulldomain}" | grep -Eo "${regexp}")
12 | # Exlude root domain [api].domain.com
13 | subdomain=$(result=$(echo "${fulldomain}" | grep -Po '(.*)(?=\.[A-z0-9]+(\.(co|com))?\.\w+$)') && if [[ ${#result} -gt 0 ]]; then echo ".${result}"; else echo ""; fi)
14 | token=${2}
15 | 
16 | nloop=1
17 | retries=15 # Sometimes it fails
18 | while [[ ${nloop} -le ${retries} ]]; do
19 | 
20 |     # Delete TXT record
21 |     echo "Tries ${nloop} out of ${retries}" 
22 |     
23 |     echo "Deleting acme challenge record for ${fulldomain} with token ${token}"
24 |     cmd=(powershell.exe Remove-DnsServerResourceRecord -RRType TXT -Name \'"_acme-challenge${subdomain}"\' -ZoneName \'"${rootdomain}"\' -RecordData \'"${token}"\' -Force)
25 |     echo "${cmd[@]}"
26 | 
27 |     result_stderr=$({ "${cmd[@]}" ;} 2>&1)
28 | 
29 |     if [[ ${#result_stderr} -eq 0 ]]; then
30 |         break
31 |     else
32 |         echo "${result_stderr}"
33 |     fi
34 | 
35 |     nloop=$((nloop+1))
36 | 
37 |     echo "Sleeping 5 seconds"
38 |     sleep 5
39 | done


--------------------------------------------------------------------------------
/docker-compose.yml:
--------------------------------------------------------------------------------
 1 | services:
 2 |   pebble:
 3 |     image: ghcr.io/letsencrypt/pebble:latest
 4 |     # TODO enable -strict
 5 |     command: -dnsserver 10.30.50.3:53
 6 |     environment:
 7 |       # with Go 1.13.x which defaults TLS 1.3 to on
 8 |       GODEBUG: "tls13=1"
 9 |       PEBBLE_ALTERNATE_ROOTS: 2
10 |     ports:
11 |       - 14000:14000  # HTTPS ACME API
12 |       - 15000:15000  # HTTPS Management API
13 |     networks:
14 |       acmenet:
15 |         ipv4_address: 10.30.50.2
16 |   challtestsrv:
17 |     image: ghcr.io/letsencrypt/pebble-challtestsrv:latest
18 |     command: -defaultIPv6 "" -defaultIPv4 10.30.50.3 -dns01 ":53"
19 |     ports:
20 |       - 8055:8055  # HTTP Management API
21 |     networks:
22 |       acmenet:
23 |         ipv4_address: 10.30.50.3
24 | 
25 | 
26 | networks:
27 |   acmenet:
28 |     driver: bridge
29 |     ipam:
30 |       driver: default
31 |       config:
32 |         - subnet: 10.30.50.0/24
33 | 


--------------------------------------------------------------------------------
/getssl.crontab:
--------------------------------------------------------------------------------
1 | # 0 18 1 */1 * means run at 18:00 on day-of-month 1 in every month
2 | # uncomment the line below to activate cron getssl service
3 | # 0 18 1 */1 * root /usr/bin/getssl -u -a &>> /var/log/getssl.log
4 | 


--------------------------------------------------------------------------------
/getssl.logrotate:
--------------------------------------------------------------------------------
 1 | /var/log/getssl.log {
 2 |     monthly
 3 |     rotate 10
 4 |     copytruncate
 5 |     delaycompress
 6 |     compress
 7 |     notifempty
 8 |     missingok
 9 | }
10 | 


--------------------------------------------------------------------------------
/getssl.spec:
--------------------------------------------------------------------------------
 1 | %define _build_id_links none
 2 | %define debug_package %{nil}
 3 | 
 4 | # set this to true or the rpmbuild will fail with errors due to shebang defines
 5 | # in some of the dns scripts for python
 6 | %global __brp_mangle_shebangs /usr/bin/true
 7 | 
 8 | Summary:          getssl ACME Scripts for managing Let's Encrypt certificates
 9 | License:          GPL
10 | Packager:         getssl developers <https://github.com/srvrco/getssl>
11 | Name:             getssl
12 | Version:          2.49
13 | Release:          1
14 | 
15 | URL:              http://github.com/srvrco/getssl/
16 | Source0:          %{name}-%{version}.tar.gz
17 | Source1:          getssl.crontab
18 | Source2:          getssl.logrotate
19 | BuildArch:        noarch
20 | 
21 | Requires:         bash
22 | BuildRequires:    bash
23 | 
24 | %description
25 | The %{name} package contains the getssl scripts, crontab files, and logrotate files for implementing automated creation and installation of SSL certificates from the Let's Encrypt ACME website.
26 | 
27 | %prep
28 | %setup -q -n %{name}-%{version}
29 | 
30 | %build
31 | 
32 | %install
33 | [ -n "%{buildroot}" -a "%{buildroot}" != "/" ] && %{__rm} -rf %{buildroot}
34 | %{__mkdir_p} %{buildroot}%{_bindir}
35 | %{__mkdir_p} %{buildroot}%{_datadir}/getssl/dns_scripts
36 | %{__mkdir_p} %{buildroot}%{_datadir}/getssl/other_scripts
37 | %{__make} \
38 | 	DESTDIR=%{buildroot} \
39 | 	install
40 | install -Dpm 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/cron.d/getssl
41 | install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/logrotate.d/getssl
42 | 
43 | %pre
44 | 
45 | %post
46 | 
47 | %preun
48 | 
49 | %postun
50 | 
51 | %files
52 | %defattr(-,root,root)
53 | %{_bindir}/getssl
54 | %{_datadir}/getssl/dns_scripts/*
55 | %{_datadir}/getssl/other_scripts/*
56 | %{_sysconfdir}/cron.d/getssl
57 | %{_sysconfdir}/logrotate.d/getssl
58 | 
59 | %changelog
60 | 


--------------------------------------------------------------------------------
/other_scripts/cpanel_cert_upload:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | #
 3 | # a simple script for use on shared cpanel server to automatically add the
 4 | # the certificates to cpanel if the uapi function is available
 5 | # use with RELOAD_CMD="${HOME}/cpanel_cert_upload domain.com"
 6 | 
 7 | domain="$1"
 8 | 
 9 | rawurlencode() {
10 |   local string
11 |   string=$(cat "${1}")
12 |   local strlen=${#string}
13 |   local encoded=""
14 |   local pos c o
15 | 
16 |   for (( pos=0 ; pos<strlen ; pos++ )); do
17 |     c=${string:$pos:1}
18 |     case "$c" in
19 |       [-_.~a-zA-Z0-9] ) o="${c}" ;;
20 |       * )               printf -v o '%%%02x' "'$c"
21 |     esac
22 |     encoded+="${o}"
23 |   done
24 |   echo "${encoded}"
25 | }
26 | 
27 | ecert=$( rawurlencode "${HOME}/.getssl/${domain}/${domain}.crt" )
28 | ekey=$( rawurlencode "${HOME}/.getssl/${domain}/${domain}.key" )
29 | echain=$( rawurlencode "${HOME}/.getssl/${domain}/chain.crt" )
30 | 
31 | uapi SSL install_ssl domain="${domain}" cert="${ecert}" key="${ekey}" cabundle="${echain}"
32 | 


--------------------------------------------------------------------------------
/test/0-test-curl-error.bats:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bats
 2 | 
 3 | load '/bats-support/load.bash'
 4 | load '/bats-assert/load.bash'
 5 | load '/getssl/test/test_helper.bash'
 6 | 
 7 | 
 8 | # This is run for every test
 9 | teardown() {
10 |     [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
11 | }
12 | 
13 | setup() {
14 |     [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
15 |     #export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
16 | }
17 | 
18 | 
19 | @test "Run getssl without pebble certificates to check the error message" {
20 |     if [ -n "$STAGING" ]; then
21 |         skip "Using staging server, skipping internal test"
22 |     fi
23 |     CONFIG_FILE="getssl-http01.cfg"
24 |     setup_environment
25 |     init_getssl
26 |     create_certificate
27 |     refute_line "getssl: unknown API version"
28 |     assert_failure
29 | }
30 | 


--------------------------------------------------------------------------------
/test/0-test-usage.bats:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bats
 2 | 
 3 | load '/bats-support/load.bash'
 4 | load '/bats-assert/load.bash'
 5 | load '/getssl/test/test_helper.bash'
 6 | 
 7 | 
 8 | # This is run for every test
 9 | teardown() {
10 |     [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
11 | }
12 | 
13 | setup() {
14 |     [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
15 |     #export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
16 | }
17 | 
18 | 
19 | @test "Run getssl without any arguments to verify the usage message is shown" {
20 |     if [ -n "$STAGING" ]; then
21 |         skip "Using staging server, skipping internal test"
22 |     fi
23 |     run ${CODE_DIR}/getssl
24 |     assert_line --partial "Usage: getssl"
25 |     assert_success
26 | }
27 | 
28 | 
29 | @test "Run getssl with --nocheck and verify the usage message is shown" {
30 |     if [ -n "$STAGING" ]; then
31 |         skip "Using staging server, skipping internal test"
32 |     fi
33 |     run ${CODE_DIR}/getssl --nocheck
34 |     assert_line --partial "Usage: getssl"
35 |     assert_success
36 | }
37 | 
38 | 
39 | @test "Run getssl with --upgrade and verify the usage message is NOT shown" {
40 |     if [ -n "$STAGING" ]; then
41 |         skip "Using staging server, skipping internal test"
42 |     fi
43 | 
44 |     # Feb-23 Getting semi-repeatable "can't check for upgrades: ''" errors which are because the limit is being exceeded (re-use of github action ip?)
45 |     check_github_quota 7
46 |     run ${CODE_DIR}/getssl --upgrade
47 |     refute_output
48 |     assert_success
49 | }
50 | 


--------------------------------------------------------------------------------
/test/1-simple-http01-dig.bats:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bats
 2 | 
 3 | load '/bats-support/load.bash'
 4 | load '/bats-assert/load.bash'
 5 | load '/getssl/test/test_helper.bash'
 6 | 
 7 | 
 8 | # This is run for every test
 9 | setup() {
10 |     [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
11 |     export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
12 |     if [ -f /usr/bin/host ]; then
13 |         mv /usr/bin/host /usr/bin/host.getssl.bak
14 |     fi
15 |     if [ -f /usr/bin/nslookup ]; then
16 |         mv /usr/bin/nslookup /usr/bin/nslookup.getssl.bak
17 |     fi
18 | }
19 | 
20 | 
21 | teardown() {
22 |     [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
23 |     if [ -f /usr/bin/host.getssl.bak ]; then
24 |         mv /usr/bin/host.getssl.bak /usr/bin/host
25 |     fi
26 |     if [ -f /usr/bin/nslookup.getssl.bak ]; then
27 |         mv /usr/bin/nslookup.getssl.bak /usr/bin/nslookup
28 |     fi
29 | }
30 | 
31 | 
32 | @test "Create new certificate using HTTP-01 verification (dig)" {
33 |     if [ -n "$STAGING" ]; then
34 |         skip "Using staging server, skipping internal test"
35 |     fi
36 |     CONFIG_FILE="getssl-http01.cfg"
37 |     setup_environment
38 |     init_getssl
39 |     create_certificate
40 |     assert_success
41 |     check_output_for_errors
42 | }
43 | 


--------------------------------------------------------------------------------
/test/1-simple-http01-nslookup.bats:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bats
 2 | 
 3 | load '/bats-support/load.bash'
 4 | load '/bats-assert/load.bash'
 5 | load '/getssl/test/test_helper.bash'
 6 | 
 7 | 
 8 | # This is run for every test
 9 | setup() {
10 |     [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
11 |     export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
12 |     if [ -f /usr/bin/dig ]; then
13 |         mv /usr/bin/dig /usr/bin/dig.getssl.bak
14 |     fi
15 |     if [ -f /usr/bin/host ]; then
16 |         mv /usr/bin/host /usr/bin/host.getssl.bak
17 |     fi
18 | }
19 | 
20 | 
21 | teardown() {
22 |     [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
23 |     if [ -f /usr/bin/dig.getssl.bak ]; then
24 |         mv /usr/bin/dig.getssl.bak /usr/bin/dig
25 |     fi
26 |     if [ -f /usr/bin/host.getssl.bak ]; then
27 |         mv /usr/bin/host.getssl.bak /usr/bin/host
28 |     fi
29 | }
30 | 
31 | 
32 | @test "Create new certificate using HTTP-01 verification (nslookup)" {
33 |     if [ -n "$STAGING" ]; then
34 |         skip "Using staging server, skipping internal test"
35 |     fi
36 |     CONFIG_FILE="getssl-http01.cfg"
37 |     setup_environment
38 |     init_getssl
39 |     create_certificate
40 |     assert_success
41 |     check_output_for_errors
42 | }
43 | 


--------------------------------------------------------------------------------
/test/1-simple-http01-two-acl.bats:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bats
 2 | 
 3 | load '/bats-support/load.bash'
 4 | load '/bats-assert/load.bash'
 5 | load '/getssl/test/test_helper.bash'
 6 | 
 7 | 
 8 | # This is run for every test
 9 | teardown() {
10 |     [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
11 | }
12 | 
13 | setup() {
14 |     [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
15 |     export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
16 | }
17 | 
18 | 
19 | @test "Check that can install challenge token to multiple locations when using HTTP-01 verification" {
20 |     if [ -n "$STAGING" ]; then
21 |         skip "Using staging server, skipping internal test"
22 |     fi
23 |     CONFIG_FILE="getssl-http01-two-acl.cfg"
24 |     setup_environment
25 |     init_getssl
26 |     create_certificate
27 |     assert_success
28 |     assert_output --partial "to /var/www/html/.well-known/acme-challenge"
29 |     assert_output --partial "to /var/webroot/html/.well-known/acme-challenge"
30 |     check_output_for_errors
31 | }
32 | 


--------------------------------------------------------------------------------
/test/1-simple-http01.bats:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bats
 2 | 
 3 | load '/bats-support/load.bash'
 4 | load '/bats-assert/load.bash'
 5 | load '/getssl/test/test_helper.bash'
 6 | 
 7 | 
 8 | # This is run for every test
 9 | teardown() {
10 |     [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
11 | }
12 | 
13 | setup() {
14 |     [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
15 |     export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
16 | }
17 | 
18 | 
19 | @test "Create new certificate using HTTP-01 verification (any dns tool)" {
20 |     if [ -n "$STAGING" ]; then
21 |         skip "Using staging server, skipping internal test"
22 |     fi
23 |     CONFIG_FILE="getssl-http01.cfg"
24 |     setup_environment
25 |     init_getssl
26 |     create_certificate
27 |     assert_success
28 |     check_output_for_errors
29 | }
30 | 
31 | 
32 | @test "Force renewal of certificate using HTTP-01 (any dns tool)" {
33 |     if [ -n "$STAGING" ]; then
34 |         skip "Using staging server, skipping internal test"
35 |     fi
36 |     run ${CODE_DIR}/getssl -U -d -f $GETSSL_HOST
37 |     assert_success
38 |     check_output_for_errors
39 |     cleanup_environment
40 | }
41 | 


--------------------------------------------------------------------------------
/test/10-mixed-case.bats:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bats
 2 | 
 3 | load '/bats-support/load.bash'
 4 | load '/bats-assert/load.bash'
 5 | load '/getssl/test/test_helper.bash'
 6 | 
 7 | 
 8 | # This is run for every test
 9 | teardown() {
10 |     [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
11 | }
12 | 
13 | setup() {
14 |     [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
15 |     if [ -z "$STAGING" ]; then
16 |         export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
17 |     fi
18 | }
19 | 
20 | @test "Check that HTTP-01 verification works if the domain is not lowercase" {
21 |     if [ -n "$STAGING" ]; then
22 |         skip "Using staging server, skipping internal test"
23 |     fi
24 | 
25 |     CONFIG_FILE="getssl-http01.cfg"
26 |     GETSSL_CMD_HOST=$(echo $GETSSL_HOST | tr a-z A-Z)
27 | 
28 |     setup_environment
29 |     init_getssl
30 |     create_certificate
31 | 
32 |     assert_success
33 |     check_output_for_errors
34 | }
35 | 
36 | @test "Check that DNS-01 verification works if the domain is not lowercase" {
37 |     CONFIG_FILE="getssl-dns01.cfg"
38 | 
39 |     GETSSL_CMD_HOST=$(echo $GETSSL_HOST | tr a-z A-Z)
40 |     setup_environment
41 | 
42 |     init_getssl
43 |     create_certificate
44 |     assert_success
45 |     check_output_for_errors
46 | }
47 | 


--------------------------------------------------------------------------------
/test/11-test--install.bats:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bats
 2 | 
 3 | load '/bats-support/load.bash'
 4 | load '/bats-assert/load.bash'
 5 | load '/getssl/test/test_helper.bash'
 6 | 
 7 | 
 8 | # This is run for every test
 9 | teardown() {
10 |     [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
11 | }
12 | 
13 | setup() {
14 |     [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
15 |     export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
16 | }
17 | 
18 | setup_file() {
19 |     # Fail if not running in docker and /etc/getssl already exists
20 |     TEST_FAILED=0
21 |     if [ -d /etc/getssl  ]; then
22 |         echo "Test failed: /etc/getssl already exists" >&3
23 |         TEST_FAILED=1
24 |         touch $BATS_RUN_TMPDIR/failed.skip
25 |         return 1
26 |     fi
27 | }
28 | 
29 | teardown_file() {
30 |     # Cleanup after tests
31 |     if [ ${TEST_FAILED} == 0 ] && [ -d /etc/getssl  ]; then
32 |         rm -rf /etc/getssl
33 |     fi
34 | }
35 | 
36 | @test "Check that config files in /etc/getssl works" {
37 |     if [ -n "$STAGING" ]; then
38 |         skip "Using staging server, skipping internal test"
39 |     fi
40 | 
41 |     CONFIG_FILE="getssl-http01.cfg"
42 |     setup_environment
43 | 
44 |     # Create /etc/getssl/$DOMAIN
45 |     mkdir -p /etc/getssl/${GETSSL_CMD_HOST}
46 | 
47 |     # Copy the config file to /etc/getssl
48 |     cp "${CODE_DIR}/test/test-config/${CONFIG_FILE}" "/etc/getssl/${GETSSL_CMD_HOST}/getssl.cfg"
49 |     cp "${CODE_DIR}/test/test-config/getssl-etc-template.cfg" "/etc/getssl/getssl.cfg"
50 | 
51 |     # Run getssl
52 |     run ${CODE_DIR}/getssl -U -d "$GETSSL_CMD_HOST"
53 | 
54 |     assert_success
55 |     check_output_for_errors
56 |     assert_line --partial 'Verification completed, obtaining certificate.'
57 |     assert_line --partial 'Requesting certificate'
58 |     refute [ -d '$HOME/.getssl' ]
59 | }
60 | 
61 | 
62 | @test "Check that --install doesn't call the ACME server" {
63 |     # NOTE that this test depends on the previous test!
64 |     if [ -n "$STAGING" ]; then
65 |         skip "Using staging server, skipping internal test"
66 |     fi
67 | 
68 |     CONFIG_FILE="getssl-http01.cfg"
69 | 
70 |     # Run getssl
71 |     run ${CODE_DIR}/getssl -U -d --install "$GETSSL_CMD_HOST"
72 | 
73 |     assert_success
74 |     check_output_for_errors
75 |     refute_line --partial 'Verification completed, obtaining certificate.'
76 |     refute_line --partial 'Requesting certificate'
77 |     assert_line --partial 'copying domain certificate to'
78 |     assert_line --partial 'copying private key to'
79 |     assert_line --partial 'copying CA certificate to'
80 | }
81 | 


--------------------------------------------------------------------------------
/test/11-test-no-domain-storage.bats:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bats
 2 | 
 3 | load '/bats-support/load.bash'
 4 | load '/bats-assert/load.bash'
 5 | load '/getssl/test/test_helper.bash'
 6 | 
 7 | 
 8 | setup() {
 9 |     [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
10 | }
11 | teardown() {
12 |     [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
13 | }
14 | 
15 | @test "Check that if domain storage isn't set getssl doesn't try to delete /tmp" {
16 |     if [ -n "$STAGING" ]; then
17 |         skip "Using staging server, skipping internal test"
18 |     fi
19 |     CONFIG_FILE="getssl-http01-no-domain-storage.cfg"
20 |     setup_environment
21 |     mkdir ${INSTALL_DIR}/.getssl
22 |     cp "${CODE_DIR}/test/test-config/${CONFIG_FILE}" "${INSTALL_DIR}/.getssl/getssl.cfg"
23 |     run ${CODE_DIR}/getssl -U -d -a
24 |     assert_success
25 |     check_output_for_errors
26 |     assert_line --partial 'Not going to delete TEMP_DIR ///tmp as it appears to be /tmp'
27 | }
28 | 


--------------------------------------------------------------------------------
/test/13-notify-valid.bats:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bats
 2 | 
 3 | load '/bats-support/load.bash'
 4 | load '/bats-assert/load.bash'
 5 | load '/getssl/test/test_helper.bash'
 6 | 
 7 | 
 8 | # This is run for every test
 9 | teardown() {
10 |     [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
11 | }
12 | 
13 | setup() {
14 |     [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
15 |     export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
16 | }
17 | 
18 | 
19 | @test "Create certificate to check valid exit code" {
20 |     if [ -n "$STAGING" ]; then
21 |         skip "Using staging server, skipping internal test"
22 |     fi
23 |     CONFIG_FILE="getssl-http01.cfg"
24 |     setup_environment
25 |     init_getssl
26 |     create_certificate
27 |     assert_success
28 |     check_output_for_errors
29 | }
30 | 
31 | 
32 | @test "Check no-renewal needed exits with normal exit code" {
33 |     if [ -n "$STAGING" ]; then
34 |         skip "Using staging server, skipping internal test"
35 |     fi
36 |     run ${CODE_DIR}/getssl -U -d $GETSSL_HOST
37 |     assert_success
38 |     check_output_for_errors
39 | }
40 | 
41 | 
42 | @test "Check no-renewal needed returns 2 if requested" {
43 |     if [ -n "$STAGING" ]; then
44 |         skip "Using staging server, skipping internal test"
45 |     fi
46 |     run ${CODE_DIR}/getssl -U -d --notify-valid $GETSSL_HOST
47 |     assert [ $status == 2 ]
48 |     check_output_for_errors
49 |     cleanup_environment
50 | }
51 | 


--------------------------------------------------------------------------------
/test/14-test-revoke.bats:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bats
 2 | 
 3 | load '/bats-support/load.bash'
 4 | load '/bats-assert/load.bash'
 5 | load '/getssl/test/test_helper.bash'
 6 | 
 7 | 
 8 | # This is run for every test
 9 | teardown() {
10 |     [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
11 | }
12 | 
13 | setup() {
14 |     [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
15 |     if [ -z "$STAGING" ]; then
16 |         export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
17 |     fi
18 | }
19 | 
20 | 
21 | @test "Create certificate to check revoke" {
22 |     if [ -n "$STAGING" ]; then
23 |         CONFIG_FILE="getssl-dns01.cfg"
24 |     else
25 |         CONFIG_FILE="getssl-http01.cfg"
26 |     fi
27 |     . "${CODE_DIR}/test/test-config/${CONFIG_FILE}"
28 |     setup_environment
29 |     init_getssl
30 |     create_certificate
31 |     assert_success
32 |     check_output_for_errors
33 | }
34 | 
35 | 
36 | @test "Check we can revoke a certificate" {
37 |     if [ -n "$STAGING" ]; then
38 |         CONFIG_FILE="getssl-dns01.cfg"
39 |     else
40 |         CONFIG_FILE="getssl-http01.cfg"
41 |     fi
42 |     . "${CODE_DIR}/test/test-config/${CONFIG_FILE}"
43 |     CERT=${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt
44 |     KEY=${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.key
45 | 
46 |     run ${CODE_DIR}/getssl -U -d --revoke $CERT $KEY $CA
47 |     assert_success
48 |     check_output_for_errors
49 | }
50 | 


--------------------------------------------------------------------------------
/test/15-test-revoke-no-suffix.bats:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bats
 2 | 
 3 | load '/bats-support/load.bash'
 4 | load '/bats-assert/load.bash'
 5 | load '/getssl/test/test_helper.bash'
 6 | 
 7 | 
 8 | # This is run for every test
 9 | teardown() {
10 |     [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
11 | }
12 | 
13 | setup() {
14 |     [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
15 |     if [ -z "$STAGING" ]; then
16 |         export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
17 |     fi
18 | }
19 | 
20 | 
21 | @test "Create certificate to check revoke (no suffix)" {
22 |     if [ -n "$STAGING" ]; then
23 |         CONFIG_FILE="getssl-dns01.cfg"
24 |     else
25 |         CONFIG_FILE="getssl-http01-no-suffix.cfg"
26 |     fi
27 | 
28 |     . "${CODE_DIR}/test/test-config/${CONFIG_FILE}"
29 |     setup_environment
30 |     init_getssl
31 | 
32 |     echo 'CA="https://acme-staging-v02.api.letsencrypt.org"' > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
33 | 
34 |     create_certificate
35 |     assert_success
36 |     check_output_for_errors
37 | }
38 | 
39 | 
40 | @test "Check we can revoke a certificate (no suffix)" {
41 |     if [ -n "$STAGING" ]; then
42 |         CONFIG_FILE="getssl-dns01.cfg"
43 |     else
44 |         CONFIG_FILE="getssl-http01.cfg"
45 |     fi
46 |     echo 'CA="https://acme-staging-v02.api.letsencrypt.org"' > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
47 | 
48 |     . "${CODE_DIR}/test/test-config/${CONFIG_FILE}"
49 |     CERT=${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt
50 |     KEY=${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.key
51 | 
52 |     run ${CODE_DIR}/getssl -U -d --revoke $CERT $KEY $CA
53 |     assert_success
54 |     check_output_for_errors
55 | }
56 | 


--------------------------------------------------------------------------------
/test/16-test-bad-acl.bats:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bats
 2 | 
 3 | load '/bats-support/load.bash'
 4 | load '/bats-assert/load.bash'
 5 | load '/getssl/test/test_helper.bash'
 6 | 
 7 | 
 8 | # This is run for every test
 9 | teardown() {
10 |     [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
11 | }
12 | 
13 | setup() {
14 |     [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
15 |     export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
16 | }
17 | 
18 | 
19 | @test "Test behaviour if ACL= line has a space" {
20 |     if [ -n "$STAGING" ]; then
21 |         skip "Using staging server, skipping internal test"
22 |     fi
23 |     CONFIG_FILE="getssl-http01-bad-acl.cfg"
24 |     setup_environment
25 |     init_getssl
26 |     create_certificate
27 |     assert_failure
28 | }
29 | 


--------------------------------------------------------------------------------
/test/18-retry-dns-add.bats:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bats
 2 | 
 3 | load '/bats-support/load.bash'
 4 | load '/bats-assert/load.bash'
 5 | load '/getssl/test/test_helper.bash'
 6 | 
 7 | # This is run for every test
 8 | teardown() {
 9 |     [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
10 | }
11 | 
12 | setup() {
13 |     [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
14 |     export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
15 | }
16 | 
17 | 
18 | @test "Check retry add dns command if dns isn't updated" {
19 |     if [ -n "$STAGING" ]; then
20 |         skip "Running internal tests, skipping external test"
21 |     fi
22 | 
23 |     CONFIG_FILE="getssl-dns01.cfg"
24 | 
25 |     setup_environment
26 |     init_getssl
27 | 
28 |     cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
29 | DNS_ADD_COMMAND="/getssl/test/dns_add_fail"
30 | 
31 | # Speed up the test by reducing the number or retries and the wait between retries.
32 | DNS_WAIT=2
33 | DNS_WAIT_COUNT=11
34 | DNS_EXTRA_WAIT=0
35 | CHECK_ALL_AUTH_DNS="false"
36 | CHECK_PUBLIC_DNS_SERVER="false"
37 | DNS_WAIT_RETRY_ADD="true"
38 | EOF
39 |     create_certificate
40 |     assert_failure
41 |     assert_line --partial "Retrying adding DNS via command"
42 | }
43 | 


--------------------------------------------------------------------------------
/test/2-simple-dns01-dig.bats:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bats
 2 | 
 3 | load '/bats-support/load.bash'
 4 | load '/bats-assert/load.bash'
 5 | load '/getssl/test/test_helper.bash'
 6 | 
 7 | 
 8 | setup_file() {
 9 |     if [ -z "$STAGING" ]; then
10 |         export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
11 |     fi
12 |     if [ -f /usr/bin/host ]; then
13 |         mv /usr/bin/host /usr/bin/host.getssl.bak
14 |     fi
15 |     if [ -f /usr/bin/nslookup ]; then
16 |         mv /usr/bin/nslookup /usr/bin/nslookup.getssl.bak
17 |     fi
18 | }
19 | 
20 | 
21 | teardown_file() {
22 |     if [ -f /usr/bin/host.getssl.bak ]; then
23 |         mv /usr/bin/host.getssl.bak /usr/bin/host
24 |     fi
25 |     if [ -f /usr/bin/nslookup.getssl.bak ]; then
26 |         mv /usr/bin/nslookup.getssl.bak /usr/bin/nslookup
27 |     fi
28 | }
29 | 
30 | 
31 | setup() {
32 |     [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
33 | }
34 | 
35 | 
36 | teardown() {
37 |     [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
38 | }
39 | 
40 | 
41 | @test "Create new certificate using DNS-01 verification (dig)" {
42 |     CONFIG_FILE="getssl-dns01.cfg"
43 | 
44 |     setup_environment
45 |     init_getssl
46 |     create_certificate
47 |     assert_success
48 |     assert_output --partial "dig"
49 |     check_output_for_errors
50 | }
51 | 
52 | 
53 | @test "Force renewal of certificate using DNS-01 (dig)" {
54 |     run ${CODE_DIR}/getssl -U -d -f $GETSSL_HOST
55 |     assert_success
56 |     assert_output --partial "dig"
57 |     check_output_for_errors
58 |     cleanup_environment
59 | }
60 | 


--------------------------------------------------------------------------------
/test/2-simple-dns01-nslookup.bats:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bats
 2 | 
 3 | load '/bats-support/load.bash'
 4 | load '/bats-assert/load.bash'
 5 | load '/getssl/test/test_helper.bash'
 6 | 
 7 | 
 8 | # This is run for every test
 9 | setup() {
10 |     [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
11 |     if [ -z "$STAGING" ]; then
12 |         export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
13 |     fi
14 |     if [ -f /usr/bin/dig ]; then
15 |         mv /usr/bin/dig /usr/bin/dig.getssl.bak
16 |     fi
17 |     if [ -f /usr/bin/drill ]; then
18 |         mv /usr/bin/drill /usr/bin/drill.getssl.bak
19 |     fi
20 |     if [ -f /usr/bin/host ]; then
21 |         mv /usr/bin/host /usr/bin/host.getssl.bak
22 |     fi
23 | }
24 | 
25 | 
26 | teardown() {
27 |     [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
28 |     if [ -f /usr/bin/dig.getssl.bak ]; then
29 |         mv /usr/bin/dig.getssl.bak /usr/bin/dig
30 |     fi
31 |     if [ -f /usr/bin/drill.getssl.bak ]; then
32 |         mv /usr/bin/drill.getssl.bak /usr/bin/drill
33 |     fi
34 |     if [ -f /usr/bin/host.getssl.bak ]; then
35 |         mv /usr/bin/host.getssl.bak /usr/bin/host
36 |     fi
37 | }
38 | 
39 | 
40 | @test "Create new certificate using DNS-01 verification (nslookup)" {
41 |     CONFIG_FILE="getssl-dns01.cfg"
42 | 
43 |     setup_environment
44 |     init_getssl
45 |     create_certificate
46 |     assert_success
47 |     assert_output --partial "nslookup"
48 |     check_output_for_errors "debug"
49 | }
50 | 


--------------------------------------------------------------------------------
/test/20-wildcard-simple.bats:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bats
 2 | 
 3 | load '/bats-support/load.bash'
 4 | load '/bats-assert/load.bash'
 5 | load '/getssl/test/test_helper.bash'
 6 | 
 7 | 
 8 | # This is run for every test
 9 | teardown() {
10 |     [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
11 | }
12 | 
13 | setup() {
14 |     [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
15 |     if [ -z "$STAGING" ]; then
16 |         export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
17 |     fi
18 | }
19 | 
20 | 
21 | @test "Create wildcard certificate" {
22 |     CONFIG_FILE="getssl-dns01.cfg"
23 | 
24 |     GETSSL_CMD_HOST="*.${GETSSL_HOST}"
25 |     setup_environment
26 |     init_getssl
27 |     create_certificate
28 |     assert_success
29 |     check_output_for_errors
30 | }
31 | 
32 | 
33 | @test "Check CHECK_REMOTE works for wildcard certificates" {
34 |     if [ -n "$STAGING" ]; then
35 |         skip "Using staging server, skipping internal test"
36 |     fi
37 | 
38 |     run ${CODE_DIR}/getssl -U -d "*.$GETSSL_HOST"
39 |     assert_success
40 |     assert_line --partial "certificate is valid for more than"
41 |     check_output_for_errors
42 | }
43 | 
44 | 
45 | @test "Force renewal of wildcard certificate" {
46 |     if [ -n "$STAGING" ]; then
47 |         skip "Using staging server, skipping internal test"
48 |     fi
49 | 
50 |     run ${CODE_DIR}/getssl -U -d -f "*.$GETSSL_HOST"
51 |     assert_success
52 |     refute_line --partial "certificate is valid for more than"
53 |     check_output_for_errors
54 | }
55 | 
56 | 
57 | @test "Check renewal of near-expiration wildcard certificate" {
58 |     if [ -n "$STAGING" ]; then
59 |         skip "Using staging server, skipping internal test"
60 |     fi
61 | 
62 |     echo "RENEW_ALLOW=2000" >> "${INSTALL_DIR}/.getssl/*.${GETSSL_HOST}/getssl.cfg"
63 | 
64 |     run ${CODE_DIR}/getssl -U -d "*.$GETSSL_HOST"
65 |     assert_success
66 |     refute_line --partial "certificate is valid for more than"
67 |     check_output_for_errors
68 |     cleanup_environment
69 | }
70 | 


--------------------------------------------------------------------------------
/test/22-wildcard-dual-rsa-ecdsa-copy-2-locations.bats:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bats
 2 | 
 3 | load '/bats-support/load.bash'
 4 | load '/bats-assert/load.bash'
 5 | load '/getssl/test/test_helper.bash'
 6 | 
 7 | 
 8 | # These are run for every test, not once per file
 9 | teardown() {
10 |     [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
11 | }
12 | 
13 | setup() {
14 |     [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
15 |     if [ -z "$STAGING" ]; then
16 |         export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
17 |     fi
18 | }
19 | 
20 | 
21 | @test "Create dual certificates (one wildcard) and copy RSA and ECDSA chain and key to two locations" {
22 |     CONFIG_FILE="getssl-dns01.cfg"
23 | 
24 |     GETSSL_CMD_HOST="*.${GETSSL_HOST}"
25 | 
26 |     setup_environment
27 |     init_getssl
28 | 
29 |     cat <<- 'EOF' > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
30 | DUAL_RSA_ECDSA="true"
31 | ACCOUNT_KEY_TYPE="prime256v1"
32 | PRIVATE_KEY_ALG="prime256v1"
33 | DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key;/root/a.${GETSSL_HOST}/server.key"
34 | DOMAIN_CHAIN_LOCATION="/etc/nginx/pki/domain-chain.crt;/root/a.${GETSSL_HOST}/domain-chain.crt" # this is the domain cert and CA cert
35 | EOF
36 | 
37 |     check_nginx
38 |     if [ "$OLD_NGINX" = "false" ]; then
39 |         echo 'RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-dual-certs ${NGINX_CONFIG} && /getssl/test/restart-nginx"' >> ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
40 |     else
41 |         echo 'CHECK_REMOTE="false"' >> ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
42 |     fi
43 | 
44 |     create_certificate
45 |     assert_success
46 |     check_output_for_errors
47 | 
48 |     if [ "$OLD_NGINX" = "false" ]; then
49 |         assert_line --partial "rsa certificate installed OK on server"
50 |         assert_line --partial "prime256v1 certificate installed OK on server"
51 |     fi
52 | 
53 |     # Check that the RSA chain and key have been copied to both locations
54 |     assert [ -e "/etc/nginx/pki/domain-chain.crt" ]
55 |     assert [ -e "/root/a.${GETSSL_HOST}/domain-chain.crt" ]
56 |     assert [ -e "/etc/nginx/pki/private/server.key" ]
57 |     assert [ -e "/root/a.${GETSSL_HOST}/server.key" ]
58 | 
59 |     # Check that the ECDSA chain and key have been copied to both locations
60 |     assert [ -e "/etc/nginx/pki/domain-chain.ec.crt" ]
61 |     assert [ -e "/root/a.${GETSSL_HOST}/domain-chain.ec.crt" ]
62 |     assert [ -e "/etc/nginx/pki/private/server.ec.key" ]
63 |     assert [ -e "/root/a.${GETSSL_HOST}/server.ec.key" ]
64 | 
65 |     cleanup_environment
66 | }
67 | 


--------------------------------------------------------------------------------
/test/23-wildcard-check-globbing.bats:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bats
 2 | 
 3 | load '/bats-support/load.bash'
 4 | load '/bats-assert/load.bash'
 5 | load '/getssl/test/test_helper.bash'
 6 | 
 7 | 
 8 | # This is run for every test
 9 | teardown() {
10 |     [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
11 | }
12 | 
13 | setup() {
14 |     [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
15 |     if [ -z "$STAGING" ]; then
16 |         export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
17 |     fi
18 | }
19 | 
20 | 
21 | @test "Check for globbing for wildcard domains" {
22 |     if [ -n "$STAGING" ]; then
23 |         skip "Using staging server, skipping internal test"
24 |     else
25 |         CONFIG_FILE="getssl-dns01.cfg"
26 |     fi
27 | 
28 |     GETSSL_CMD_HOST="*.${GETSSL_HOST}"
29 |     setup_environment
30 | 
31 |     init_getssl
32 | 
33 |     # Create a directory in /root which looks like a domain so that if glob expansion is performed a certificate for the wrong domain will be created
34 |     mkdir -p "${INSTALL_DIR}/a.${GETSSL_HOST}"
35 | 
36 |     create_certificate
37 |     assert_success
38 |     check_output_for_errors
39 | }
40 | 
41 | 
42 | @test "Force renewal of wildcard certificate" {
43 |     if [ -n "$STAGING" ]; then
44 |         skip "Not trying on staging server yet"
45 |     fi
46 | 
47 |     run ${CODE_DIR}/getssl -U -d -f "*.$GETSSL_HOST"
48 |     assert_success
49 |     refute_line --partial "certificate is valid for more than"
50 |     check_output_for_errors
51 | }
52 | 


--------------------------------------------------------------------------------
/test/25-wildcard-all.bats:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bats
 2 | 
 3 | load '/bats-support/load.bash'
 4 | load '/bats-assert/load.bash'
 5 | load '/getssl/test/test_helper.bash'
 6 | 
 7 | 
 8 | # This is run for every test
 9 | teardown() {
10 |     [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
11 | }
12 | 
13 | setup() {
14 |     [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
15 |     if [ -z "$STAGING" ]; then
16 |         export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
17 |     fi
18 | }
19 | 
20 | 
21 | @test "Check can create certificate for wildcard domain using --all" {
22 |     if [ -n "$STAGING" ]; then
23 |         skip "Using staging server, skipping internal test"
24 |     else
25 |         CONFIG_FILE="getssl-dns01.cfg"
26 |     fi
27 | 
28 |     GETSSL_CMD_HOST="*.${GETSSL_HOST}"
29 |     setup_environment
30 |     # Create .getssl directory and .getssl/*.{host} directory
31 |     init_getssl
32 |     cp "${CODE_DIR}/test/test-config/${CONFIG_FILE}" "${INSTALL_DIR}/.getssl/*.${GETSSL_HOST}/getssl.cfg"
33 | 
34 |     # create another domain in the .getssl directory
35 |     run ${CODE_DIR}/getssl -U -d -c "a.${GETSSL_HOST}"
36 |     cp "${CODE_DIR}/test/test-config/${CONFIG_FILE}" "${INSTALL_DIR}/.getssl/a.${GETSSL_HOST}/getssl.cfg"
37 | 
38 |     # Create a directory in /root which looks like a domain so that if glob expansion is performed the wildcard certificate won't be created
39 |     mkdir -p "${INSTALL_DIR}/a.${GETSSL_HOST}"
40 | 
41 |     run ${CODE_DIR}/getssl -U -d --all
42 | 
43 |     assert_success
44 |     assert_line --partial "Certificate saved in /root/.getssl/*.${GETSSL_HOST}/*.${GETSSL_HOST}"
45 |     assert_line --partial "Certificate saved in /root/.getssl/a.${GETSSL_HOST}/a.${GETSSL_HOST}"
46 |     check_output_for_errors
47 | }
48 | 


--------------------------------------------------------------------------------
/test/26-wildcard-revoke.bats:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bats
 2 | 
 3 | load '/bats-support/load.bash'
 4 | load '/bats-assert/load.bash'
 5 | load '/getssl/test/test_helper.bash'
 6 | 
 7 | 
 8 | # This is run for every test
 9 | teardown() {
10 |     [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
11 | }
12 | 
13 | setup() {
14 |     [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
15 |     if [ -z "$STAGING" ]; then
16 |         export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
17 |     fi
18 | }
19 | 
20 | 
21 | @test "Create certificate to check wildcard revoke" {
22 |     CONFIG_FILE="getssl-dns01.cfg"
23 | 
24 |     GETSSL_CMD_HOST="*.${GETSSL_HOST}"
25 |     setup_environment
26 |     init_getssl
27 |     create_certificate
28 |     assert_success
29 |     check_output_for_errors
30 | }
31 | 
32 | 
33 | @test "Check we can revoke a wildcard certificate" {
34 |     CONFIG_FILE="getssl-dns01.cfg"
35 |     . "${CODE_DIR}/test/test-config/${CONFIG_FILE}"
36 | 
37 |     GETSSL_CMD_HOST="*.${GETSSL_HOST}"
38 | 
39 |     CERT=${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt
40 |     KEY=${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.key
41 | 
42 |     run ${CODE_DIR}/getssl -U -d --revoke $CERT $KEY $CA
43 |     assert_line --partial "certificate revoked"
44 |     assert_success
45 |     check_output_for_errors
46 | }
47 | 


--------------------------------------------------------------------------------
/test/27-wildcard-existing-cert.bats:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bats
 2 | 
 3 | load '/bats-support/load.bash'
 4 | load '/bats-assert/load.bash'
 5 | load '/getssl/test/test_helper.bash'
 6 | 
 7 | 
 8 | # This is run for every test
 9 | teardown() {
10 |     [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
11 | }
12 | 
13 | setup() {
14 |     [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
15 |     if [ -z "$STAGING" ]; then
16 |         export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
17 |     fi
18 | }
19 | 
20 | 
21 | @test "Check that new creating a new configuration files uses details from existing certificate" {
22 |     if [ -n "$STAGING" ]; then
23 |         skip "Using staging server, skipping internal test"
24 |     else
25 |         CONFIG_FILE="getssl-dns01.cfg"
26 |     fi
27 | 
28 |     # Create and install certificate for wildcard + another domain
29 |     GETSSL_CMD_HOST="*.${GETSSL_HOST}"
30 |     setup_environment
31 |     init_getssl
32 | 
33 |     echo 'SANS="a.${GETSSL_HOST}"' > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
34 | 
35 |     create_certificate
36 |     assert_success
37 |     check_output_for_errors
38 | 
39 |     # Delete configuration
40 |     rm -r ${INSTALL_DIR}/.getssl
41 | 
42 |     # Create configuration
43 |     run ${CODE_DIR}/getssl -U -d -c "${GETSSL_CMD_HOST}"
44 | 
45 |     # Assert that the newly created configuration contains the additional domain in SANS
46 |     # if this fails then error in tests will be "grep failed" - this means SANS did not hold the expected value
47 |     # eg   SANS="a.centos7.getssl.test"
48 |     grep -q "SANS=\"a.${GETSSL_HOST}\"" ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl.cfg
49 |     assert_success
50 | }
51 | 


--------------------------------------------------------------------------------
/test/28-wildcard-error-http01-validation.bats:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bats
 2 | 
 3 | load '/bats-support/load.bash'
 4 | load '/bats-assert/load.bash'
 5 | load '/getssl/test/test_helper.bash'
 6 | 
 7 | 
 8 | # This is run for every test
 9 | teardown() {
10 |     [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
11 | }
12 | 
13 | setup() {
14 |     [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
15 |     if [ -z "$STAGING" ]; then
16 |         export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
17 |     fi
18 | }
19 | 
20 | 
21 | @test "Check that trying to create a wildcard certificate using http-01 validation shows an error message" {
22 |     if [ -n "$STAGING" ]; then
23 |         skip "Internal test, no need to test on staging server"
24 |     else
25 |         CONFIG_FILE="getssl-http01.cfg"
26 |     fi
27 | 
28 |     # Try and create a wildcard certificate using http-01 validation
29 |     GETSSL_CMD_HOST="*.${GETSSL_HOST}"
30 |     setup_environment
31 |     init_getssl
32 | 
33 |     create_certificate
34 |     assert_failure
35 |     assert_line --partial "cannot use http-01 validation for wildcard domains"
36 | }
37 | 


--------------------------------------------------------------------------------
/test/29-check-mktemp-failure.bats:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bats
 2 | 
 3 | load '/bats-support/load.bash'
 4 | load '/bats-assert/load.bash'
 5 | load '/getssl/test/test_helper.bash'
 6 | 
 7 | 
 8 | # This is run for every test
 9 | teardown() {
10 |     [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
11 | }
12 | 
13 | setup() {
14 |     [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
15 |     if [ -z "$STAGING" ]; then
16 |         export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
17 |     fi
18 | }
19 | 
20 | 
21 | @test "Check that getssl -c fails with an error message if mktemp fails" {
22 |     if [ -n "$STAGING" ]; then
23 |         skip "Internal test, no need to test on staging server"
24 |     else
25 |         CONFIG_FILE="getssl-http01.cfg"
26 |     fi
27 | 
28 |     # set TMPDIR to an invalid directory and check for failure
29 |     export TMPDIR=/getssl.invalid.directory
30 |     setup_environment
31 |     run ${CODE_DIR}/getssl -U -d -c "$GETSSL_CMD_HOST"
32 |     assert_failure
33 |     assert_line --partial "mktemp failed"
34 | }
35 | 
36 | 
37 | @test "Check that getssl fails with an error message if mktemp fails" {
38 |     if [ -n "$STAGING" ]; then
39 |         skip "Internal test, no need to test on staging server"
40 |     else
41 |         CONFIG_FILE="getssl-http01.cfg"
42 |     fi
43 | 
44 |     setup_environment
45 |     init_getssl
46 | 
47 |     # set TMPDIR to an invalid directory and check for failure
48 |     export TMPDIR=/getssl.invalid.directory
49 |     create_certificate
50 |     assert_failure
51 |     assert_line --partial "mktemp failed"
52 | }
53 | 


--------------------------------------------------------------------------------
/test/30-handle-dig-failure.bats:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bats
 2 | 
 3 | load '/bats-support/load.bash'
 4 | load '/bats-assert/load.bash'
 5 | load '/getssl/test/test_helper.bash'
 6 | 
 7 | 
 8 | # This is run for every test
 9 | setup() {
10 |     [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
11 |     export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
12 |     if [ -f /usr/bin/drill ]; then
13 |         mv /usr/bin/drill /usr/bin/drill.getssl.bak
14 |     fi
15 |     if [ -f /usr/bin/dig ]; then
16 |         chmod -x /usr/bin/dig
17 |     fi
18 | }
19 | 
20 | 
21 | teardown() {
22 |     [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
23 |     if [ -f /usr/bin/drill.getssl.bak ]; then
24 |         mv /usr/bin/drill.getssl.bak /usr/bin/drill
25 |     fi
26 |     if [ -f /usr/bin/dig ]; then
27 |         chmod +x /usr/bin/dig
28 |     fi
29 | }
30 | 
31 | 
32 | @test "Test that if dig exists but errors HAS_DIG is not set" {
33 |     if [ -n "$STAGING" ]; then
34 |         skip "Using staging server, skipping internal test"
35 |     fi
36 |     if [ ! -f /usr/bin/dig ]; then
37 |         skip "dig not installed, skipping dig test"
38 |     fi
39 |     CONFIG_FILE="getssl-http01.cfg"
40 |     setup_environment
41 |     init_getssl
42 |     create_certificate
43 |     assert_success
44 |     refute_line --partial "HAS DIG_OR_DRILL=dig"
45 |     check_output_for_errors
46 | }
47 | 


--------------------------------------------------------------------------------
/test/31-test-posix-error.bats:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bats
 2 | 
 3 | load '/bats-support/load.bash'
 4 | load '/bats-assert/load.bash'
 5 | load '/getssl/test/test_helper.bash'
 6 | 
 7 | 
 8 | # This is run for every test
 9 | teardown() {
10 |     [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
11 | }
12 | 
13 | setup() {
14 |     [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
15 |     export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
16 | }
17 | 
18 | 
19 | @test "Test that running in POSIX mode shows an error" {
20 |     # v2.31 uses read to create an array in the get_auth_dns function which causes a parse error in posix mode
21 |     # Could be re-written to not use this functionality if it causes for required.
22 |     if [ -n "$STAGING" ]; then
23 |         skip "Using staging server, skipping internal test"
24 |     fi
25 | 
26 |     run bash --posix "${CODE_DIR}/getssl" -U -d
27 |     assert_failure
28 |     assert_line --partial "getssl: Running with POSIX mode enabled is not supported"
29 |     check_output_for_errors
30 | }
31 | 


--------------------------------------------------------------------------------
/test/33-ftp.bats:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bats
 2 | 
 3 | load '/bats-support/load.bash'
 4 | load '/bats-assert/load.bash'
 5 | load '/getssl/test/test_helper.bash'
 6 | 
 7 | 
 8 | # This is run for every test
 9 | setup() {
10 |     [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
11 |     export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
12 |     if [ -n "${VSFTPD_CONF}" ]; then
13 |         cp $VSFTPD_CONF ${VSFTPD_CONF}.getssl
14 | 
15 |         # enable passive and disable active mode
16 |         # https://www.pixelstech.net/article/1364817664-FTP-active-mode-and-passive-mode
17 |         cat <<- _FTP >> $VSFTPD_CONF
18 | pasv_enable=NO
19 | _FTP
20 | 
21 |         ${CODE_DIR}/test/restart-ftpd start
22 |     fi
23 | }
24 | 
25 | 
26 | teardown() {
27 |     [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
28 |     if [ -n "${VSFTPD_CONF}" ]; then
29 |         cp ${VSFTPD_CONF}.getssl $VSFTPD_CONF
30 |         ${CODE_DIR}/test/restart-ftpd stop
31 |     fi
32 | }
33 | 
34 | 
35 | @test "Use FTP to create challenge file" {
36 |     if [ -n "$STAGING" ]; then
37 |         skip "Using staging server, skipping internal test"
38 |     fi
39 | 
40 |     if [[ ! -d /var/www/html/.well-known/acme-challenge ]]; then
41 |         mkdir -p /var/www/html/.well-known/acme-challenge
42 |     fi
43 | 
44 |     # Always change ownership and permissions in case previous tests created the directories as root
45 |     chgrp -R www-data /var/www/html/.well-known
46 |     chmod -R g+w /var/www/html/.well-known
47 | 
48 |     CONFIG_FILE="getssl-http01.cfg"
49 |     setup_environment
50 |     init_getssl
51 | 
52 |     cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
53 | ACL="ftp:ftpuser:ftpuser:${GETSSL_CMD_HOST}:/var/www/html/.well-known/acme-challenge"
54 | EOF
55 | 
56 |     if [[ "$GETSSL_OS" = "alpine" ]]; then
57 |         cat <<- EOF2 >> ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
58 | FTP_OPTIONS="set ftp:passive-mode off"
59 | EOF2
60 |     elif [[ "$FTP_PASSIVE_DEFAULT" == "true" ]]; then
61 |         cat <<- EOF3 >> ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
62 | FTP_OPTIONS="passive"
63 | EOF3
64 |     fi
65 | 
66 |     create_certificate
67 |     assert_success
68 |     assert_line --partial "ftp:ftpuser:ftpuser:"
69 |     if [[ "$GETSSL_OS" != "alpine" ]] && [[ "$FTP_PASSIVE_DEFAULT" == "true" ]]; then
70 |         assert_line --partial "Passive mode off"
71 |     fi
72 |     check_output_for_errors
73 | }
74 | 


--------------------------------------------------------------------------------
/test/37-idn.bats:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bats
 2 | 
 3 | load '/bats-support/load.bash'
 4 | load '/bats-assert/load.bash'
 5 | load '/getssl/test/test_helper.bash'
 6 | 
 7 | # This is run for every test
 8 | setup() {
 9 |     [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
10 |     GETSSL_CMD_HOST=${GETSSL_IDN_HOST}
11 | 
12 |     # use the test description to move tools we don't want to test out of the way
13 |     DNS_TOOL=${BATS_TEST_DESCRIPTION##*:}
14 |     for tool in dig drill host nslookup
15 |     do
16 |         if [[ "$tool" != "$DNS_TOOL" && -f /usr/bin/$tool ]]; then
17 |             mv /usr/bin/$tool /usr/bin/${tool}.getssl
18 |         fi
19 |     done
20 | }
21 | 
22 | teardown() {
23 |     [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
24 |     # use the test description to move tools we didn't want to test back
25 |     DNS_TOOL=${BATS_TEST_DESCRIPTION##*-}
26 |     for tool in dig drill host nslookup
27 |     do
28 |         if [[ "$tool" != "$DNS_TOOL" && -f /usr/bin/${tool}.getssl ]]; then
29 |             mv /usr/bin/${tool}.getssl /usr/bin/${tool}
30 |         fi
31 |     done
32 | }
33 | 
34 | setup_file() {
35 |     if [ -z "$STAGING" ]; then
36 |         export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
37 |         curl --silent -X POST -d '{"host":"'$GETSSL_IDN_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
38 |     fi
39 | }
40 | 
41 | teardown_file() {
42 |     if [ -z "$STAGING" ]; then
43 |         curl --silent -X POST -d '{"host":"'$GETSSL_IDN_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/clear-a
44 |     fi
45 | }
46 | 
47 | @test "Check that DNS-01 verification works if the domain is idn:dig" {
48 |     if [ -n "$STAGING" ]; then
49 |         skip "Using staging server, skipping internal test"
50 |     fi
51 | 
52 |     CONFIG_FILE="getssl-dns01.cfg"
53 | 
54 |     setup_environment
55 |     init_getssl
56 |     create_certificate
57 | 
58 |     assert_success
59 |     assert_output --partial "dig"
60 |     check_output_for_errors
61 | }
62 | 
63 | @test "Check that DNS-01 verification works if the domain is idn:drill" {
64 |     if [ -n "$STAGING" ]; then
65 |         skip "Using staging server, skipping internal test"
66 |     fi
67 |     if [ ! -f /usr/bin/drill ]; then
68 |         # Can't find drill package for centos8 / rockylinux8
69 |         skip "Drill not installed on this system"
70 |     fi
71 | 
72 |     CONFIG_FILE="getssl-dns01.cfg"
73 | 
74 |     setup_environment
75 |     init_getssl
76 |     create_certificate
77 | 
78 |     assert_success
79 |     assert_output --partial "drill"
80 |     check_output_for_errors
81 | }
82 | 


--------------------------------------------------------------------------------
/test/38-idn-http01-check-noidnout.bats:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bats
 2 | 
 3 | load '/bats-support/load.bash'
 4 | load '/bats-assert/load.bash'
 5 | load '/getssl/test/test_helper.bash'
 6 | 
 7 | setup() {
 8 |     [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
 9 |     GETSSL_CMD_HOST=$GETSSL_IDN_HOST
10 | }
11 | 
12 | teardown() {
13 |     [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
14 | }
15 | 
16 | setup_file() {
17 |     if [ -z "$STAGING" ]; then
18 |         export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
19 |         curl --silent -X POST -d '{"host":"'$GETSSL_IDN_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
20 |     fi
21 | }
22 | 
23 | teardown_file() {
24 |     if [ -z "$STAGING" ]; then
25 |         curl --silent -X POST -d '{"host":"'$GETSSL_IDN_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/clear-a
26 | 
27 |     fi
28 | }
29 | 
30 | @test "Ensure noidnout in check_config isn't passed to host and nslookup (HTTP-01)" {
31 |     if [ -n "$STAGING" ]; then
32 |         skip "Using staging server, skipping internal test"
33 |     fi
34 |     CONFIG_FILE="getssl-http01.cfg"
35 |     setup_environment
36 |     init_getssl
37 |     cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
38 | SANS="${GETSSL_HOST}"
39 | USE_SINGLE_ACL="true"
40 | EOF
41 | 
42 |     create_certificate --check-config
43 | 
44 |     assert_success
45 |     refute_output --partial "DNS lookup using host  +noidnout"
46 |     refute_output --partial "DNS lookup using nslookup  +noidnout"
47 |     refute_output --partial "+noidnout $GETSSL_HOST"
48 |     check_output_for_errors
49 | }
50 | 


--------------------------------------------------------------------------------
/test/4-more-than-10-hosts.bats:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bats
 2 | 
 3 | load '/bats-support/load.bash'
 4 | load '/bats-assert/load.bash'
 5 | load '/getssl/test/test_helper.bash'
 6 | 
 7 | 
 8 | # This is run for every test
 9 | teardown() {
10 |     [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
11 | }
12 | 
13 | 
14 | setup() {
15 |     [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
16 | }
17 | 
18 | 
19 | setup_file() {
20 |     if [ -z "$STAGING" ]; then
21 |         export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
22 |         # Add 11 hosts to DNS (also need to be added as aliases in docker-compose.yml)
23 |         for prefix in a b c d e f g h i j k; do
24 |             curl --silent -X POST -d '{"host":"'$prefix.$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
25 |         done
26 |     fi
27 | }
28 | 
29 | 
30 | teardown_file() {
31 |     # Remove all the dns aliases
32 |     if [ -n "$STAGING" ]; then
33 |         for prefix in a b c d e f g h i j k; do
34 |             curl --silent -X POST -d '{"host":"'$prefix.$GETSSL_HOST'"}' http://10.30.50.3:8055/clear-a
35 |         done
36 |     fi
37 | }
38 | 
39 | 
40 | @test "Create certificates for more than 10 hosts using HTTP-01 verification" {
41 |     if [ -n "$STAGING" ]; then
42 |         skip "Using staging server, skipping internal test"
43 |     fi
44 |     CONFIG_FILE="getssl-http01-10-hosts.cfg"
45 |     setup_environment
46 | 
47 |     init_getssl
48 |     create_certificate
49 |     assert_success
50 |     check_output_for_errors
51 | }
52 | 
53 | 
54 | @test "Force renewal of more than 10 certificates using HTTP-01" {
55 |     if [ -n "$STAGING" ]; then
56 |         skip "Using staging server, skipping internal test"
57 |     fi
58 |     run ${CODE_DIR}/getssl -U -d -f $GETSSL_HOST
59 |     assert_success
60 |     check_output_for_errors
61 |     cleanup_environment
62 | }
63 | 


--------------------------------------------------------------------------------
/test/40-cname-dns01-dig.bats:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bats
 2 | 
 3 | load '/bats-support/load.bash'
 4 | load '/bats-assert/load.bash'
 5 | load '/getssl/test/test_helper.bash'
 6 | 
 7 | 
 8 | setup_file() {
 9 |     if [ -z "$STAGING" ]; then
10 |         export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
11 |     fi
12 |     if [ -f /usr/bin/host ]; then
13 |         mv /usr/bin/host /usr/bin/host.getssl.bak
14 |     fi
15 |     if [ -f /usr/bin/nslookup ]; then
16 |         mv /usr/bin/nslookup /usr/bin/nslookup.getssl.bak
17 |     fi
18 | }
19 | 
20 | 
21 | teardown_file() {
22 |     if [ -f /usr/bin/host.getssl.bak ]; then
23 |         mv /usr/bin/host.getssl.bak /usr/bin/host
24 |     fi
25 |     if [ -f /usr/bin/nslookup.getssl.bak ]; then
26 |         mv /usr/bin/nslookup.getssl.bak /usr/bin/nslookup
27 |     fi
28 | }
29 | 
30 | 
31 | setup() {
32 |     [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
33 | }
34 | 
35 | 
36 | teardown() {
37 |     [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
38 | }
39 | 
40 | 
41 | @test "Check CNAME _acme-challenge works if AUTH_DNS specified (dig)" {
42 |     if [ -z "$STAGING" ]; then
43 |         skip "Running local tests this is a staging server test"
44 |     fi
45 |     CONFIG_FILE="getssl-dns01.cfg"
46 | 
47 |     setup_environment
48 |     init_getssl
49 | 
50 |     cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
51 | PUBLIC_DNS_SERVER=
52 | AUTH_DNS_SERVER="8.8.8.8"
53 | CHECK_ALL_AUTH_DNS="false"
54 | CHECK_PUBLIC_DNS_SERVER="false"
55 | EOF
56 |     create_certificate
57 |     assert_success
58 |     assert_output --partial "dig"
59 |     check_output_for_errors
60 | }
61 | 


--------------------------------------------------------------------------------
/test/41-show-account-id.bats:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bats
 2 | 
 3 | load '/bats-support/load.bash'
 4 | load '/bats-assert/load.bash'
 5 | load '/getssl/test/test_helper.bash'
 6 | 
 7 | 
 8 | # This is run for every test
 9 | teardown() {
10 |     [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
11 | }
12 | 
13 | setup() {
14 |     [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
15 |     export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
16 | }
17 | 
18 | 
19 | @test "Create new certificate using HTTP-01 verification (any dns tool)" {
20 |     if [ -n "$STAGING" ]; then
21 |         skip "Using staging server, skipping internal test"
22 |     fi
23 |     CONFIG_FILE="getssl-http01.cfg"
24 |     setup_environment
25 |     init_getssl
26 |     create_certificate
27 |     assert_success
28 | 
29 |     run ${CODE_DIR}/getssl --account-id ${GETSSL_HOST}
30 |     assert_line --partial "Account Id is:"
31 |     assert_success
32 | }
33 | 


--------------------------------------------------------------------------------
/test/5-secp384-http01.bats:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bats
 2 | 
 3 | load '/bats-support/load.bash'
 4 | load '/bats-assert/load.bash'
 5 | load '/getssl/test/test_helper.bash'
 6 | 
 7 | 
 8 | # This is run for every test
 9 | teardown() {
10 |     [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
11 | }
12 | 
13 | setup() {
14 |     [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
15 |     export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
16 | }
17 | 
18 | 
19 | @test "Create new secp384r1 certificate using HTTP-01 verification" {
20 |     if [ -n "$STAGING" ]; then
21 |         skip "Using staging server, skipping internal test"
22 |     fi
23 |     CONFIG_FILE="getssl-http01-secp384.cfg"
24 |     setup_environment
25 |     init_getssl
26 |     create_certificate
27 |     assert_success
28 |     check_output_for_errors
29 | }
30 | 
31 | 
32 | @test "Force renewal of secp384r1 certificate using HTTP-01" {
33 |     if [ -n "$STAGING" ]; then
34 |         skip "Using staging server, skipping internal test"
35 |     fi
36 |     run ${CODE_DIR}/getssl -U -d -f $GETSSL_HOST
37 |     assert_success
38 |     check_output_for_errors
39 | }
40 | 
41 | 
42 | @test "Create new secp521r1 certificate using HTTP-01 verification" {
43 |     if [ -n "$STAGING" ]; then
44 |         skip "Using staging server, skipping internal test"
45 |     fi
46 |     CONFIG_FILE="getssl-http01-secp521.cfg"
47 |     setup_environment
48 |     init_getssl
49 |     create_certificate
50 |     assert_success
51 |     check_output_for_errors
52 | }
53 | 
54 | 
55 | @test "Force renewal of secp521r1 certificate using HTTP-01" {
56 |     if [ -n "$STAGING" ]; then
57 |         skip "Using staging server, skipping internal test"
58 |     fi
59 |     run ${CODE_DIR}/getssl -U -d -f $GETSSL_HOST
60 |     assert_success
61 |     check_output_for_errors
62 | }
63 | 


--------------------------------------------------------------------------------
/test/8-staging-ecdsa.bats:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bats
 2 | 
 3 | load '/bats-support/load.bash'
 4 | load '/bats-assert/load.bash'
 5 | load '/getssl/test/test_helper.bash'
 6 | 
 7 | 
 8 | setup() {
 9 |     [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
10 | }
11 | 
12 | 
13 | teardown() {
14 |     [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
15 | }
16 | 
17 | 
18 | @test "Create new certificate using staging server and prime256v1" {
19 |     if [ -z "$STAGING" ]; then
20 |         skip "Running local tests this is a staging server test"
21 |     fi
22 |     CONFIG_FILE="getssl-dns01.cfg"
23 | 
24 |     setup_environment
25 |     init_getssl
26 |     sed -e 's/rsa/prime256v1/g' < "${CODE_DIR}/test/test-config/${CONFIG_FILE}" > "${INSTALL_DIR}/.getssl/${GETSSL_HOST}/getssl.cfg"
27 |     run ${CODE_DIR}/getssl -U -d "$GETSSL_HOST"
28 |     assert_success
29 |     check_output_for_errors
30 | }
31 | 
32 | 
33 | @test "Force renewal of certificate using staging server and prime256v1" {
34 |     if [ -z "$STAGING" ]; then
35 |         skip "Running local tests this is a staging server test"
36 |     fi
37 |     run ${CODE_DIR}/getssl -U -d -f $GETSSL_HOST
38 |     assert_success
39 |     check_output_for_errors
40 |     cleanup_environment
41 | }
42 | 
43 | 
44 | @test "Create new certificate using staging server and secp384r1" {
45 |     if [ -z "$STAGING" ]; then
46 |         skip "Running local tests this is a staging server test"
47 |     fi
48 |     CONFIG_FILE="getssl-dns01.cfg"
49 | 
50 |     setup_environment
51 |     init_getssl
52 |     sed -e 's/rsa/secp384r1/g' < "${CODE_DIR}/test/test-config/${CONFIG_FILE}" > "${INSTALL_DIR}/.getssl/${GETSSL_HOST}/getssl.cfg"
53 |     run ${CODE_DIR}/getssl -U -d "$GETSSL_HOST"
54 |     assert_success
55 |     check_output_for_errors
56 | }
57 | 
58 | 
59 | @test "Force renewal of certificate using staging server and secp384r1" {
60 |     if [ -z "$STAGING" ]; then
61 |         skip "Running local tests this is a staging server test"
62 |     fi
63 |     run ${CODE_DIR}/getssl -U -d -f $GETSSL_HOST
64 |     assert_success
65 |     check_output_for_errors
66 |     cleanup_environment
67 | }
68 | 
69 | 
70 | # Note letsencrypt doesn't support ECDSA curve P-521 as it's being deprecated
71 | 


--------------------------------------------------------------------------------
/test/9-multiple-domains-dns01.bats:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bats
 2 | 
 3 | load '/bats-support/load.bash'
 4 | load '/bats-assert/load.bash'
 5 | load '/getssl/test/test_helper.bash'
 6 | 
 7 | 
 8 | # This is run for every test
 9 | setup() {
10 |     [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
11 | }
12 | 
13 | teardown() {
14 |     [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
15 | }
16 | 
17 | 
18 | setup_file() {
19 |     # Add top level domain from SANS to DNS
20 |     if [ -z "$STAGING" ]; then
21 |         export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
22 |         curl --silent -X POST -d '{"host":"getssl.test", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
23 |     fi
24 | }
25 | 
26 | 
27 | teardown_file() {
28 |     if [ -z "$STAGING" ]; then
29 |         curl --silent -X POST -d '{"host":"getssl.tst"}' http://10.30.50.3:8055/clear-a
30 |     fi
31 | }
32 | 
33 | 
34 | @test "Create certificates for multi-level domains using DNS-01 verification" {
35 |     # This tests we can create a certificate for <os>.getssl.test and getssl.test (in SANS)
36 |     if [ -n "$STAGING" ]; then
37 |         skip "Using staging server, skipping internal test"
38 |     fi
39 |     CONFIG_FILE="getssl-dns01-multiple-domains.cfg"
40 |     setup_environment
41 | 
42 |     init_getssl
43 |     create_certificate
44 |     assert_success
45 |     check_output_for_errors
46 | }
47 | 
48 | 
49 | @test "Force renewal of multi-level domains using DNS-01" {
50 |     # This tests we can renew a certificate for <os>.getssl.test and getssl.test (in SANS)
51 |     if [ -n "$STAGING" ]; then
52 |         skip "Using staging server, skipping internal test"
53 |     fi
54 |     run ${CODE_DIR}/getssl -U -d -f $GETSSL_HOST
55 |     assert_success
56 |     check_output_for_errors
57 |     cleanup_environment
58 | }
59 | 
60 | 
61 | @test "Test IGNORE_DIRECTORY_DOMAIN using DNS-01 verification" {
62 |     # This tests we can create a certificate for getssl.test and <os>.getssl.test (*both* in SANS)
63 |     if [ -n "$STAGING" ]; then
64 |         skip "Using staging server, skipping internal test"
65 |     fi
66 |     CONFIG_FILE="getssl-dns01-ignore-directory-domain.cfg"
67 |     setup_environment
68 | 
69 |     init_getssl
70 |     create_certificate
71 |     assert_success
72 |     check_output_for_errors
73 | }
74 | 


--------------------------------------------------------------------------------
/test/9-test--all.bats:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bats
 2 | 
 3 | load '/bats-support/load.bash'
 4 | load '/bats-assert/load.bash'
 5 | load '/getssl/test/test_helper.bash'
 6 | 
 7 | 
 8 | # This is run for every test
 9 | teardown() {
10 |     [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
11 | }
12 | 
13 | setup() {
14 |     [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
15 |     export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
16 |     export PATH=$PATH:/getssl
17 | }
18 | 
19 | 
20 | @test "Create new certificate using --all" {
21 |     if [ -n "$STAGING" ]; then
22 |         skip "Using staging server, skipping internal test"
23 |     fi
24 | 
25 |     # Setup
26 |     CONFIG_FILE="getssl-http01.cfg"
27 |     setup_environment
28 |     init_getssl
29 |     cp "${CODE_DIR}/test/test-config/${CONFIG_FILE}" "${INSTALL_DIR}/.getssl/${GETSSL_HOST}/getssl.cfg"
30 | 
31 |     # Run test
32 |     run ${CODE_DIR}/getssl -U -d --all
33 | 
34 |     # Check success conditions
35 |     assert_success
36 |     check_output_for_errors
37 | }
38 | 


--------------------------------------------------------------------------------
/test/Dockerfile-alpine:
--------------------------------------------------------------------------------
 1 | FROM alpine:latest
 2 | 
 3 | # Note this image uses busybox awk instead of gawk
 4 | 
 5 | RUN apk --no-cache add supervisor openssl git curl bind-tools drill wget nginx bash lftp vsftpd openssh-server jq
 6 | 
 7 | WORKDIR /root
 8 | 
 9 | # Create nginx directories in standard places
10 | RUN mkdir -p /run/nginx
11 | RUN mkdir -p /etc/nginx/pki/private
12 | 
13 | # Setup ftp
14 | ENV VSFTPD_CONF=/etc/vsftpd.conf
15 | ENV FTP_PASSIVE_DEFAULT=true
16 | COPY ./test/test-config/vsftpd.conf /etc/vsftpd.conf
17 | RUN echo "seccomp_sandbox=NO" >> /etc/vsftpd.conf
18 | RUN adduser -D ftpuser
19 | RUN echo 'ftpuser:ftpuser' | chpasswd
20 | RUN adduser ftpuser www-data
21 | RUN adduser root www-data
22 | RUN chown -R ftpuser.www-data /var/www
23 | RUN chmod g+w -R /var/www
24 | 
25 | # BATS (Bash Automated Testings)
26 | RUN git clone --depth 1 https://github.com/bats-core/bats-core.git /bats-core
27 | RUN git clone --depth 1 https://github.com/bats-core/bats-support /bats-support
28 | RUN git clone --depth 1 https://github.com/bats-core/bats-assert /bats-assert
29 | RUN /bats-core/install.sh /usr/local
30 | 
31 | # Use supervisord to run nginx in the background
32 | COPY ./test/test-config/alpine-supervisord.conf /etc/supervisord.conf
33 | CMD [ "tail", "-f", "/dev/null" ]
34 | 


--------------------------------------------------------------------------------
/test/Dockerfile-bash4-0:
--------------------------------------------------------------------------------
 1 | FROM bash:4.0
 2 | 
 3 | # https://hub.docker.com/_/bash
 4 | 
 5 | RUN apk --no-cache add supervisor openssl git curl bind-tools drill wget nginx lftp vsftpd openssh-server jq
 6 | 
 7 | WORKDIR /root
 8 | 
 9 | # Create nginx directories in standard places
10 | RUN mkdir -p /run/nginx
11 | RUN mkdir -p /etc/nginx/pki
12 | RUN mkdir -p /etc/nginx/pki/private
13 | 
14 | # Setup ftp
15 | ENV VSFTPD_CONF=/etc/vsftpd.conf
16 | ENV FTP_PASSIVE_DEFAULT=true
17 | COPY ./test/test-config/vsftpd.conf /etc/vsftpd.conf
18 | RUN echo "seccomp_sandbox=NO" >> /etc/vsftpd.conf
19 | RUN adduser -D ftpuser
20 | RUN echo 'ftpuser:ftpuser' | chpasswd
21 | RUN adduser ftpuser www-data
22 | RUN adduser root www-data
23 | RUN chown -R ftpuser.www-data /var/www
24 | RUN chmod g+w -R /var/www
25 | 
26 | # BATS (Bash Automated Testings)
27 | RUN git clone https://github.com/bats-core/bats-core.git /bats-core
28 | RUN git clone https://github.com/bats-core/bats-support /bats-support
29 | RUN git clone https://github.com/bats-core/bats-assert /bats-assert
30 | RUN /bats-core/install.sh /usr/local
31 | 
32 | # Use supervisord to run nginx in the background
33 | COPY ./test/test-config/alpine-supervisord.conf /etc/supervisord.conf
34 | CMD tail -f /dev/null
35 | 


--------------------------------------------------------------------------------
/test/Dockerfile-bash4-2:
--------------------------------------------------------------------------------
 1 | FROM bash:4.2
 2 | 
 3 | # https://hub.docker.com/_/bash
 4 | 
 5 | RUN apk --no-cache add supervisor openssl git curl bind-tools drill wget nginx lftp vsftpd openssh-server jq
 6 | 
 7 | WORKDIR /root
 8 | 
 9 | # Create nginx directories in standard places
10 | RUN mkdir -p /run/nginx
11 | RUN mkdir -p /etc/nginx/pki
12 | RUN mkdir -p /etc/nginx/pki/private
13 | 
14 | # Setup ftp
15 | ENV VSFTPD_CONF=/etc/vsftpd.conf
16 | ENV FTP_PASSIVE_DEFAULT=true
17 | COPY ./test/test-config/vsftpd.conf /etc/vsftpd.conf
18 | RUN echo "seccomp_sandbox=NO" >> /etc/vsftpd.conf
19 | RUN adduser -D ftpuser
20 | RUN echo 'ftpuser:ftpuser' | chpasswd
21 | RUN adduser ftpuser www-data
22 | RUN adduser root www-data
23 | RUN chown -R ftpuser.www-data /var/www
24 | RUN chmod g+w -R /var/www
25 | 
26 | # BATS (Bash Automated Testings)
27 | RUN git clone https://github.com/bats-core/bats-core.git /bats-core
28 | RUN git clone https://github.com/bats-core/bats-support /bats-support
29 | RUN git clone https://github.com/bats-core/bats-assert /bats-assert
30 | RUN /bats-core/install.sh /usr/local
31 | 
32 | # Use supervisord to run nginx in the background
33 | COPY ./test/test-config/alpine-supervisord.conf /etc/supervisord.conf
34 | CMD tail -f /dev/null
35 | 


--------------------------------------------------------------------------------
/test/Dockerfile-bash5-0:
--------------------------------------------------------------------------------
 1 | FROM bash:5.0
 2 | 
 3 | # https://hub.docker.com/_/bash
 4 | 
 5 | RUN apk --no-cache add supervisor openssl git curl bind-tools drill wget nginx lftp vsftpd openssh-server jq
 6 | 
 7 | WORKDIR /root
 8 | 
 9 | # Create nginx directories in standard places
10 | RUN mkdir -p /run/nginx
11 | RUN mkdir -p /etc/nginx/pki
12 | RUN mkdir -p /etc/nginx/pki/private
13 | 
14 | # Setup ftp
15 | ENV VSFTPD_CONF=/etc/vsftpd.conf
16 | ENV FTP_PASSIVE_DEFAULT=true
17 | COPY ./test/test-config/vsftpd.conf /etc/vsftpd.conf
18 | RUN echo "seccomp_sandbox=NO" >> /etc/vsftpd.conf
19 | RUN adduser -D ftpuser
20 | RUN echo 'ftpuser:ftpuser' | chpasswd
21 | RUN adduser ftpuser www-data
22 | RUN adduser root www-data
23 | RUN chown -R ftpuser.www-data /var/www
24 | RUN chmod g+w -R /var/www
25 | 
26 | # BATS (Bash Automated Testings)
27 | RUN git clone https://github.com/bats-core/bats-core.git /bats-core
28 | RUN git clone https://github.com/bats-core/bats-support /bats-support
29 | RUN git clone https://github.com/bats-core/bats-assert /bats-assert
30 | RUN /bats-core/install.sh /usr/local
31 | 
32 | # Use supervisord to run nginx in the background
33 | COPY ./test/test-config/alpine-supervisord.conf /etc/supervisord.conf
34 | CMD tail -f /dev/null
35 | 


--------------------------------------------------------------------------------
/test/Dockerfile-centos6:
--------------------------------------------------------------------------------
 1 | FROM centos:centos6
 2 | 
 3 | # Note this image uses gawk
 4 | # Note if you are running this using WSL2 you need to put the following lines in %userprofile%\.wslconfig
 5 | # [wsl2]
 6 | # kernelCommandLine = vsyscall=emulate
 7 | 
 8 | # Centos 6 is EOL and is no longer available from the usual mirrors, so switch to https://vault.centos.org
 9 | RUN sed -i 's/enabled=1/enabled=0/g' /etc/yum/pluginconf.d/fastestmirror.conf && \
10 |     sed -i 's/^mirrorlist/#mirrorlist/g' /etc/yum.repos.d/*.repo && \
11 |     sed -i 's;^#baseurl=http://mirror;baseurl=https://vault;g' /etc/yum.repos.d/*.repo
12 | 
13 | # Update and install required software
14 | RUN yum -y install epel-release
15 | RUN yum -y install git curl dnsutils ldns wget nginx jq
16 | RUN yum -y install ftp vsftpd
17 | RUN yum -y install openssh-server
18 | 
19 | # Setup ftp
20 | ENV VSFTPD_CONF=/etc/vsftpd/vsftpd.conf
21 | ENV FTP_PASSIVE_DEFAULT=true
22 | COPY test/test-config/vsftpd.conf /etc/vsftpd/vsftpd.conf
23 | RUN adduser ftpuser
24 | RUN echo 'ftpuser:ftpuser' | chpasswd
25 | RUN adduser www-data
26 | RUN usermod -G www-data ftpuser
27 | RUN usermod -G www-data root
28 | RUN mkdir -p /var/www/.well-known/acme-challenge
29 | RUN chown -R www-data.www-data /var/www
30 | RUN chmod g+w -R /var/www
31 | 
32 | WORKDIR /root
33 | RUN mkdir -p /etc/nginx/pki/private
34 | COPY ./test/test-config/nginx-ubuntu-no-ssl /etc/nginx/conf.d/default.conf
35 | 
36 | # BATS (Bash Automated Testings)
37 | RUN git clone https://github.com/bats-core/bats-core.git /bats-core # --branch v1.2.1
38 | RUN git clone https://github.com/bats-core/bats-support /bats-support
39 | RUN git clone https://github.com/bats-core/bats-assert /bats-assert
40 | RUN /bats-core/install.sh /usr/local
41 | # Hack to disable BATS pretty formatter which stopped working on centos6
42 | ENV CI=yes
43 | 
44 | EXPOSE 80 443
45 | 
46 | # Run eternal loop - for testing
47 | CMD [ "tail", "-f", "/dev/null" ]
48 | 


--------------------------------------------------------------------------------
/test/Dockerfile-centos7:
--------------------------------------------------------------------------------
 1 | FROM centos:centos7
 2 | 
 3 | # Centos 7 is EOL and is no longer available from the usual mirrors, so switch to https://vault.centos.org
 4 | RUN sed -i 's/enabled=1/enabled=0/g' /etc/yum/pluginconf.d/fastestmirror.conf && \
 5 |     sed -i 's/^mirrorlist/#mirrorlist/g' /etc/yum.repos.d/*.repo && \
 6 |     sed -i 's;^#baseurl=http://mirror;baseurl=https://vault;g' /etc/yum.repos.d/*.repo
 7 | 
 8 | # Update and install required software
 9 | RUN yum -y update
10 | RUN yum -y install epel-release
11 | RUN yum -y install git curl ldns bind-utils wget which nginx jq
12 | RUN yum -y install ftp vsftpd
13 | RUN yum -y install openssh-server
14 | 
15 | # Set locale
16 | ENV LANG=en_US.UTF-8
17 | ENV LANGUAGE=en_US:en
18 | ENV LC_ALL=en_US.UTF-8
19 | 
20 | WORKDIR /root
21 | RUN mkdir -p /etc/nginx/pki/private
22 | COPY ./test/test-config/nginx-ubuntu-no-ssl /etc/nginx/conf.d/default.conf
23 | COPY ./test/test-config/nginx-centos7.conf /etc/nginx/nginx.conf
24 | 
25 | # Setup ftp
26 | ENV VSFTPD_CONF=/etc/vsftpd/vsftpd.conf
27 | ENV FTP_PASSIVE_DEFAULT=true
28 | COPY test/test-config/vsftpd.conf /etc/vsftpd/vsftpd.conf
29 | RUN adduser ftpuser
30 | RUN echo 'ftpuser:ftpuser' | chpasswd
31 | RUN adduser www-data
32 | RUN usermod -G www-data ftpuser
33 | RUN usermod -G www-data root
34 | RUN mkdir -p /var/www/.well-known/acme-challenge
35 | RUN chown -R www-data.www-data /var/www
36 | RUN chmod g+w -R /var/www
37 | 
38 | # BATS (Bash Automated Testings)
39 | RUN git clone --depth 1 https://github.com/bats-core/bats-core.git /bats-core
40 | RUN git clone --depth 1 https://github.com/bats-core/bats-support /bats-support
41 | RUN git clone --depth 1 https://github.com/bats-core/bats-assert /bats-assert
42 | RUN /bats-core/install.sh /usr/local
43 | 


--------------------------------------------------------------------------------
/test/Dockerfile-centos7-duckdns:
--------------------------------------------------------------------------------
 1 | FROM centos:centos7
 2 | 
 3 | # Note this image uses gawk
 4 | 
 5 | # Update and install required software
 6 | RUN yum -y update
 7 | RUN yum -y install epel-release
 8 | RUN yum -y install git curl bind-utils ldns wget which nginx jq
 9 | 
10 | # Set locale
11 | ENV LANG=en_US.UTF-8
12 | ENV LANGUAGE=en_US:en
13 | ENV LC_ALL=en_US.UTF-8
14 | 
15 | ENV staging="true"
16 | ENV dynamic_dns="dynu"
17 | 
18 | WORKDIR /root
19 | RUN mkdir -p /etc/nginx/pki/private
20 | COPY ./test/test-config/nginx-ubuntu-no-ssl /etc/nginx/conf.d/default.conf
21 | COPY ./test/test-config/nginx-centos7.conf /etc/nginx/nginx.conf
22 | 
23 | # BATS (Bash Automated Testings)
24 | RUN git clone --depth 1 https://github.com/bats-core/bats-core.git /bats-core
25 | RUN git clone --depth 1 https://github.com/bats-core/bats-support /bats-support
26 | RUN git clone --depth 1 https://github.com/bats-core/bats-assert /bats-assert
27 | RUN /bats-core/install.sh /usr/local
28 | 
29 | EXPOSE 80 443
30 | 
31 | # Run eternal loop - for testing
32 | CMD [ "tail", "-f", "/dev/null" ]
33 | 


--------------------------------------------------------------------------------
/test/Dockerfile-centos7-dynu:
--------------------------------------------------------------------------------
 1 | FROM centos:centos7
 2 | 
 3 | # Note this image uses gawk
 4 | 
 5 | # Update and install required software
 6 | RUN yum -y update
 7 | RUN yum -y install epel-release
 8 | RUN yum -y install git curl bind-utils ldns wget which nginx jq
 9 | 
10 | # Set locale
11 | ENV LANG=en_US.UTF-8
12 | ENV LANGUAGE=en_US:en
13 | ENV LC_ALL=en_US.UTF-8
14 | 
15 | ENV staging="true"
16 | ENV dynamic_dns="duckdns"
17 | 
18 | WORKDIR /root
19 | RUN mkdir -p /etc/nginx/pki
20 | RUN mkdir -p /etc/nginx/pki/private
21 | COPY ./test/test-config/nginx-ubuntu-no-ssl /etc/nginx/conf.d/default.conf
22 | COPY ./test/test-config/nginx-centos7.conf /etc/nginx/nginx.conf
23 | 
24 | # BATS (Bash Automated Testings)
25 | RUN git clone https://github.com/bats-core/bats-core.git /bats-core
26 | RUN git clone https://github.com/bats-core/bats-support /bats-support
27 | RUN git clone https://github.com/bats-core/bats-assert /bats-assert
28 | RUN /bats-core/install.sh /usr/local
29 | 
30 | EXPOSE 80 443
31 | 
32 | # Run eternal loop - for testing
33 | CMD tail -f /dev/null
34 | 


--------------------------------------------------------------------------------
/test/Dockerfile-centos8:
--------------------------------------------------------------------------------
 1 | FROM centos:centos8
 2 | 
 3 | # Note this image does not have drill
 4 | 
 5 | # Centos 8 is EOL and is no longer available from the usual mirrors, so switch to https://vault.centos.org
 6 | RUN sed -i 's/^mirrorlist/#mirrorlist/g' /etc/yum.repos.d/*.repo && \
 7 |     sed -i 's;^#baseurl=http://mirror;baseurl=https://vault;g' /etc/yum.repos.d/*.repo
 8 | 
 9 | # Update and install required software
10 | RUN yum -y update
11 | RUN yum -y install glibc-all-langpacks
12 | RUN yum -y install epel-release
13 | RUN yum -y install git curl bind-utils wget which nginx jq
14 | RUN yum -y install ftp vsftpd
15 | RUN yum -y install openssh-server
16 | 
17 | # Set locale
18 | ENV LANG=en_US.UTF-8
19 | ENV LANGUAGE=en_US:en
20 | ENV LC_ALL=en_US.UTF-8
21 | 
22 | WORKDIR /root
23 | RUN mkdir -p /etc/nginx/pki/private
24 | COPY ./test/test-config/nginx-ubuntu-no-ssl /etc/nginx/conf.d/default.conf
25 | COPY ./test/test-config/nginx-centos7.conf /etc/nginx/nginx.conf
26 | 
27 | # Setup ftp
28 | ENV VSFTPD_CONF=/etc/vsftpd/vsftpd.conf
29 | ENV FTP_PASSIVE_DEFAULT=true
30 | COPY test/test-config/vsftpd.conf /etc/vsftpd/vsftpd.conf
31 | RUN adduser ftpuser
32 | RUN echo 'ftpuser:ftpuser' | chpasswd
33 | RUN adduser www-data
34 | RUN usermod -G www-data ftpuser
35 | RUN usermod -G www-data root
36 | RUN mkdir -p /var/www/.well-known/acme-challenge
37 | RUN chown -R www-data.www-data /var/www
38 | RUN chmod g+w -R /var/www
39 | 
40 | # BATS (Bash Automated Testings)
41 | RUN git clone --depth 1 https://github.com/bats-core/bats-core.git /bats-core
42 | RUN git clone --depth 1 https://github.com/bats-core/bats-support /bats-support
43 | RUN git clone --depth 1 https://github.com/bats-core/bats-assert /bats-assert
44 | RUN /bats-core/install.sh /usr/local
45 | 


--------------------------------------------------------------------------------
/test/Dockerfile-debian:
--------------------------------------------------------------------------------
 1 | FROM debian:latest
 2 | 
 3 | # Note this image uses mawk 1.3
 4 | 
 5 | # Update and install required software
 6 | RUN apt-get update --fix-missing
 7 | RUN apt-get install -y git curl dnsutils ldnsutils wget nginx-light jq
 8 | RUN apt-get install -y ftp vsftpd
 9 | RUN apt-get install -y openssh-server
10 | RUN apt-get install -y locales # for idn testing
11 | 
12 | # Set locale
13 | RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && locale-gen
14 | ENV LANG=en_US.UTF-8
15 | ENV LANGUAGE=en_US:en
16 | ENV LC_ALL=en_US.UTF-8
17 | 
18 | WORKDIR /root
19 | RUN mkdir -p /etc/nginx/pki/private
20 | 
21 | # Setup ftp
22 | ENV VSFTPD_CONF=/etc/vsftpd.conf
23 | ENV FTP_PASSIVE_DEFAULT=false
24 | COPY test/test-config/vsftpd.conf /etc/vsftpd.conf
25 | RUN adduser ftpuser
26 | RUN echo 'ftpuser:ftpuser' | chpasswd
27 | RUN adduser ftpuser www-data
28 | RUN adduser root www-data
29 | RUN chown -R www-data.www-data /var/www
30 | RUN chmod g+w -R /var/www
31 | 
32 | # BATS (Bash Automated Testings)
33 | RUN git clone --depth 1 https://github.com/bats-core/bats-core.git /bats-core
34 | RUN git clone --depth 1 https://github.com/bats-core/bats-support /bats-support
35 | RUN git clone --depth 1 https://github.com/bats-core/bats-assert /bats-assert
36 | RUN /bats-core/install.sh /usr/local
37 | 
38 | # Run eternal loop - for testing
39 | CMD [ "tail", "-f", "/dev/null" ]
40 | 


--------------------------------------------------------------------------------
/test/Dockerfile-rockylinux8:
--------------------------------------------------------------------------------
 1 | FROM rockylinux/rockylinux:8
 2 | 
 3 | # Update and install required software
 4 | RUN yum -y update && \
 5 |     yum -y install \
 6 |         epel-release \
 7 |         git curl bind-utils wget which nginx jq procps findutils \
 8 |         ftp vsftpd \
 9 |         openssh-server \
10 |         glibc-locale-source glibc-langpack-en # for en_US.UTF-8 support
11 | 
12 | # Set locale
13 | ENV LANG=en_US.UTF-8
14 | ENV LANGUAGE=en_US:en
15 | ENV LC_ALL=en_US.UTF-8
16 | 
17 | WORKDIR /root
18 | RUN mkdir -p /etc/nginx/pki/private
19 | COPY ./test/test-config/nginx-ubuntu-no-ssl /etc/nginx/conf.d/default.conf
20 | COPY ./test/test-config/nginx-centos7.conf /etc/nginx/nginx.conf
21 | 
22 | # Setup ftp
23 | ENV VSFTPD_CONF=/etc/vsftpd/vsftpd.conf
24 | ENV FTP_PASSIVE_DEFAULT=true
25 | COPY test/test-config/vsftpd.conf /etc/vsftpd/vsftpd.conf
26 | RUN adduser ftpuser
27 | RUN echo 'ftpuser:ftpuser' | chpasswd
28 | RUN adduser www-data
29 | RUN usermod -G www-data ftpuser
30 | RUN usermod -G www-data root
31 | RUN mkdir -p /var/www/.well-known/acme-challenge
32 | RUN chown -R www-data.www-data /var/www
33 | RUN chmod g+w -R /var/www
34 | 
35 | # BATS (Bash Automated Testings)
36 | RUN git clone --depth 1 https://github.com/bats-core/bats-core.git /bats-core
37 | RUN git clone --depth 1 https://github.com/bats-core/bats-support /bats-support
38 | RUN git clone --depth 1 https://github.com/bats-core/bats-assert /bats-assert
39 | RUN /bats-core/install.sh /usr/local
40 | 


--------------------------------------------------------------------------------
/test/Dockerfile-ubuntu:
--------------------------------------------------------------------------------
 1 | FROM ubuntu:latest
 2 | 
 3 | # Note this image uses mawk1.3
 4 | 
 5 | # Set noninteractive otherwise tzdata hangs
 6 | ENV DEBIAN_FRONTEND=noninteractive
 7 | 
 8 | # Update and install required software
 9 | RUN apt-get update --fix-missing
10 | RUN apt-get install -y git curl dnsutils ldnsutils wget nginx-light jq
11 | RUN apt-get install -y vim dos2unix # for debugging
12 | RUN apt-get install -y ftp vsftpd
13 | RUN apt-get install -y openssh-server
14 | RUN apt-get install -y locales # for idn testing
15 | 
16 | # Set locale
17 | RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && locale-gen
18 | ENV LANG=en_US.UTF-8
19 | ENV LANGUAGE=en_US:en
20 | ENV LC_ALL=en_US.UTF-8
21 | 
22 | # Setup ftp
23 | ENV VSFTPD_CONF=/etc/vsftpd.conf
24 | ENV FTP_PASSIVE_DEFAULT=false
25 | COPY test/test-config/vsftpd.conf /etc/vsftpd.conf
26 | RUN adduser ftpuser
27 | RUN echo 'ftpuser:ftpuser' | chpasswd
28 | RUN adduser ftpuser www-data
29 | RUN adduser root www-data
30 | RUN chown -R www-data.www-data /var/www
31 | RUN chmod g+w -R /var/www
32 | 
33 | WORKDIR /root
34 | 
35 | # Prevent "Can't load /root/.rnd into RNG" error from openssl
36 | RUN touch /root/.rnd
37 | 
38 | # BATS (Bash Automated Testings)
39 | RUN git clone --depth 1 https://github.com/bats-core/bats-core.git /bats-core
40 | RUN git clone --depth 1 https://github.com/bats-core/bats-support /bats-support
41 | RUN git clone --depth 1 https://github.com/bats-core/bats-assert /bats-assert
42 | RUN /bats-core/install.sh /usr/local
43 | 
44 | # Run eternal loop - for testing
45 | CMD [ "tail", "-f", "/dev/null" ]
46 | 


--------------------------------------------------------------------------------
/test/Dockerfile-ubuntu-acmedns:
--------------------------------------------------------------------------------
 1 | FROM ubuntu:latest
 2 | 
 3 | # Note this image uses mawk1.3
 4 | 
 5 | # Set noninteractive otherwise tzdata hangs
 6 | ENV DEBIAN_FRONTEND=noninteractive
 7 | 
 8 | # Ensure tests in this image use the staging server
 9 | ENV staging="true"
10 | # 2016ENV dynamic_dns "acme-dns"
11 | ENV ACMEDNS_API_USER=49ac5f6d-74cd-4aca-acfe-f9457af7894c
12 | ENV ACMEDNS_API_KEY=2NPGF8cH7PeTrHZWXImi1prhTsQGz2pdCC7Za5zE
13 | ENV ACMEDNS_SUBDOMAIN=7268181b-7075-4dce-be51-9c20c205cf6e
14 | 
15 | # Update and install required software
16 | RUN apt-get update --fix-missing
17 | RUN apt-get install -y git curl dnsutils ldnsutils wget nginx-light
18 | RUN apt-get install -y vim dos2unix # for debugging
19 | RUN apt-get install -y locales # for idn testing
20 | 
21 | # Set locale
22 | RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && locale-gen
23 | ENV LANG=en_US.UTF-8
24 | ENV LANGUAGE=en_US:en
25 | ENV LC_ALL=en_US.UTF-8
26 | 
27 | WORKDIR /root
28 | 
29 | # Prevent "Can't load /root/.rnd into RNG" error from openssl
30 | RUN touch /root/.rnd
31 | 
32 | # BATS (Bash Automated Testings)
33 | RUN git clone https://github.com/bats-core/bats-core.git /bats-core
34 | RUN git clone https://github.com/bats-core/bats-support /bats-support
35 | RUN git clone https://github.com/bats-core/bats-assert /bats-assert
36 | RUN /bats-core/install.sh /usr/local
37 | 
38 | # Run eternal loop - for testing
39 | CMD tail -f /dev/null
40 | 


--------------------------------------------------------------------------------
/test/Dockerfile-ubuntu-duckdns:
--------------------------------------------------------------------------------
 1 | FROM ubuntu:latest
 2 | 
 3 | # Note this image uses mawk1.3
 4 | 
 5 | # Set noninteractive otherwise tzdata hangs
 6 | ENV DEBIAN_FRONTEND=noninteractive
 7 | 
 8 | # Ensure tests in this image use the staging server
 9 | ENV staging="true"
10 | ENV dynamic_dns="duckdns"
11 | 
12 | # Update and install required software
13 | RUN apt-get update --fix-missing
14 | RUN apt-get install -y git curl dnsutils ldnsutils wget nginx-light jq
15 | RUN apt-get install -y vim dos2unix # for debugging
16 | RUN apt-get install -y locales # for idn testing
17 | 
18 | # Set locale
19 | RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && locale-gen
20 | ENV LANG=en_US.UTF-8
21 | ENV LANGUAGE=en_US:en
22 | ENV LC_ALL=en_US.UTF-8
23 | 
24 | WORKDIR /root
25 | 
26 | # Prevent "Can't load /root/.rnd into RNG" error from openssl
27 | RUN touch /root/.rnd
28 | 
29 | # BATS (Bash Automated Testings)
30 | RUN git clone --depth 1 https://github.com/bats-core/bats-core.git /bats-core
31 | RUN git clone --depth 1 https://github.com/bats-core/bats-support /bats-support
32 | RUN git clone --depth 1 https://github.com/bats-core/bats-assert /bats-assert
33 | RUN /bats-core/install.sh /usr/local
34 | 
35 | # Run eternal loop - for testing
36 | CMD [ "tail", "-f", "/dev/null" ]
37 | 


--------------------------------------------------------------------------------
/test/Dockerfile-ubuntu-dynu:
--------------------------------------------------------------------------------
 1 | FROM ubuntu:latest
 2 | 
 3 | # Note this image uses mawk1.3
 4 | 
 5 | # Set noninteractive otherwise tzdata hangs
 6 | ENV DEBIAN_FRONTEND=noninteractive
 7 | 
 8 | # Ensure tests in this image use the staging server
 9 | ENV staging="true"
10 | ENV dynamic_dns="dynu"
11 | 
12 | # Update and install required software
13 | RUN apt-get update --fix-missing
14 | RUN apt-get install -y git curl dnsutils ldnsutils wget nginx-light jq
15 | RUN apt-get install -y vim dos2unix # for debugging
16 | RUN apt-get install -y locales # for idn testing
17 | 
18 | # Set locale
19 | RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && locale-gen
20 | ENV LANG=en_US.UTF-8
21 | ENV LANGUAGE=en_US:en
22 | ENV LC_ALL=en_US.UTF-8
23 | 
24 | WORKDIR /root
25 | 
26 | # Prevent "Can't load /root/.rnd into RNG" error from openssl
27 | RUN touch /root/.rnd
28 | 
29 | # BATS (Bash Automated Testings)
30 | RUN git clone https://github.com/bats-core/bats-core.git /bats-core
31 | RUN git clone https://github.com/bats-core/bats-support /bats-support
32 | RUN git clone https://github.com/bats-core/bats-assert /bats-assert
33 | RUN /bats-core/install.sh /usr/local
34 | 
35 | # Run eternal loop - for testing
36 | CMD tail -f /dev/null
37 | 


--------------------------------------------------------------------------------
/test/Dockerfile-ubuntu14:
--------------------------------------------------------------------------------
 1 | FROM ubuntu:trusty
 2 | # trusty = 14
 3 | 
 4 | # Note this image uses mawk
 5 | 
 6 | # Update and install required software
 7 | RUN apt-get update --fix-missing && \
 8 |     apt-get install -y \
 9 |         git curl dnsutils ldnsutils wget nginx-light jq \
10 |         ftp vsftpd \
11 |         openssh-server \
12 |         locales # for idn testing
13 | 
14 | # Set locale
15 | RUN locale-gen en_US.UTF-8
16 | ENV LANG=en_US.UTF-8
17 | ENV LANGUAGE=en_US:en
18 | ENV LC_ALL=en_US.UTF-8
19 | 
20 | WORKDIR /root
21 | RUN mkdir -p /etc/nginx/pki/private
22 | COPY ./test/test-config/nginx-ubuntu-no-ssl /etc/nginx/sites-enabled/default
23 | 
24 | # Setup ftp
25 | ENV VSFTPD_CONF=/etc/vsftpd.conf
26 | ENV FTP_PASSIVE_DEFAULT=false
27 | COPY test/test-config/vsftpd.conf /etc/vsftpd.conf
28 | # The default init.d script seems to have an incorrect check that vsftpd has started
29 | COPY test/test-config/vsftpd.initd /etc/init.d/vsftpd
30 | RUN adduser ftpuser
31 | RUN echo 'ftpuser:ftpuser' | chpasswd
32 | RUN adduser ftpuser www-data
33 | RUN adduser root www-data
34 | RUN mkdir -p /var/www
35 | RUN chown -R www-data.www-data /var/www
36 | RUN chmod g+w -R /var/www
37 | 
38 | # BATS (Bash Automated Testings)
39 | RUN git clone --depth 1 https://github.com/bats-core/bats-core.git /bats-core
40 | RUN git clone --depth 1 https://github.com/bats-core/bats-support /bats-support
41 | RUN git clone --depth 1 https://github.com/bats-core/bats-assert /bats-assert
42 | RUN /bats-core/install.sh /usr/local
43 | 
44 | # Run eternal loop - for testing
45 | CMD [ "tail", "-f", "/dev/null" ]
46 | 


--------------------------------------------------------------------------------
/test/Dockerfile-ubuntu16:
--------------------------------------------------------------------------------
 1 | FROM ubuntu:xenial
 2 | # xenial = 16
 3 | 
 4 | # Note this image uses mawk
 5 | 
 6 | # Update and install required software
 7 | RUN apt-get update --fix-missing
 8 | RUN apt-get install -y git curl dnsutils ldnsutils wget nginx-light jq
 9 | RUN apt-get install -y ftp vsftpd
10 | RUN apt-get install -y openssh-server
11 | RUN apt-get install -y locales # for idn testing
12 | 
13 | # Set locale
14 | RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && locale-gen
15 | ENV LANG=en_US.UTF-8
16 | ENV LANGUAGE=en_US:en
17 | ENV LC_ALL=en_US.UTF-8
18 | 
19 | WORKDIR /root
20 | RUN mkdir -p /etc/nginx/pki/private
21 | COPY ./test/test-config/nginx-ubuntu-no-ssl /etc/nginx/sites-enabled/default
22 | 
23 | # Setup ftp
24 | ENV VSFTPD_CONF=/etc/vsftpd.conf
25 | ENV FTP_PASSIVE_DEFAULT=false
26 | COPY test/test-config/vsftpd.conf /etc/vsftpd.conf
27 | # The default init.d script seems to have an incorrect check that vsftpd has started
28 | COPY test/test-config/vsftpd.initd /etc/init.d/vsftpd
29 | RUN adduser ftpuser
30 | RUN echo 'ftpuser:ftpuser' | chpasswd
31 | RUN adduser ftpuser www-data
32 | RUN adduser root www-data
33 | RUN chown -R www-data.www-data /var/www
34 | RUN chmod g+w -R /var/www
35 | 
36 | # BATS (Bash Automated Testings)
37 | RUN git clone --depth 1 https://github.com/bats-core/bats-core.git /bats-core
38 | RUN git clone --depth 1 https://github.com/bats-core/bats-support /bats-support
39 | RUN git clone --depth 1 https://github.com/bats-core/bats-assert /bats-assert
40 | RUN /bats-core/install.sh /usr/local
41 | 
42 | # Run eternal loop - for testing
43 | CMD [ "tail", "-f", "/dev/null" ]
44 | 


--------------------------------------------------------------------------------
/test/Dockerfile-ubuntu18:
--------------------------------------------------------------------------------
 1 | FROM ubuntu:bionic
 2 | # bionic = 18 LTS (long term support)
 3 | 
 4 | # Note this image uses gawk
 5 | 
 6 | # Update and install required software
 7 | RUN apt-get update --fix-missing
 8 | RUN apt-get install -y git curl dnsutils ldnsutils wget gawk nginx-light jq
 9 | RUN apt-get install -y ftp vsftpd
10 | RUN apt-get install -y openssh-server
11 | RUN apt-get install -y locales # for idn testing
12 | 
13 | # Set locale
14 | RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && locale-gen
15 | ENV LANG=en_US.UTF-8
16 | ENV LANGUAGE=en_US:en
17 | ENV LC_ALL=en_US.UTF-8
18 | 
19 | WORKDIR /root
20 | RUN mkdir -p /etc/nginx/pki/private
21 | COPY ./test/test-config/nginx-ubuntu-no-ssl /etc/nginx/sites-enabled/default
22 | 
23 | # Setup ftp
24 | ENV VSFTPD_CONF=/etc/vsftpd.conf
25 | ENV FTP_PASSIVE_DEFAULT=false
26 | COPY test/test-config/vsftpd.conf /etc/vsftpd.conf
27 | # The default init.d script seems to have an incorrect check that vsftpd has started
28 | COPY test/test-config/vsftpd.initd /etc/init.d/vsftpd
29 | RUN adduser ftpuser
30 | RUN echo 'ftpuser:ftpuser' | chpasswd
31 | RUN adduser ftpuser www-data
32 | RUN adduser root www-data
33 | RUN chown -R www-data.www-data /var/www
34 | RUN chmod g+w -R /var/www
35 | 
36 | # Prevent "Can't load /root/.rnd into RNG" error from openssl
37 | RUN touch /root/.rnd
38 | 
39 | # BATS (Bash Automated Testings)
40 | RUN git clone --depth 1 https://github.com/bats-core/bats-core.git /bats-core
41 | RUN git clone --depth 1 https://github.com/bats-core/bats-support /bats-support
42 | RUN git clone --depth 1 https://github.com/bats-core/bats-assert /bats-assert
43 | RUN /bats-core/install.sh /usr/local
44 | 
45 | EXPOSE 80 443
46 | 
47 | # Run eternal loop - for testing
48 | CMD [ "tail", "-f", "/dev/null" ]
49 | 


--------------------------------------------------------------------------------
/test/debug-test.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | # This runs getssl outside of the BATS framework for debugging, etc, against pebble
 4 | # Usage: /getssl/test/debug-test.sh getssl-http01.cfg
 5 | 
 6 | DEBUG=""
 7 | if [ $# -eq 2 ]; then
 8 |     DEBUG=$1
 9 |     shift
10 | fi
11 | 
12 | #shellcheck disable=SC1091
13 | source /getssl/test/test_helper.bash 3>&1
14 | 
15 | CONFIG_FILE=$1
16 | if [ ! -e "$CONFIG_FILE" ]; then
17 |     CONFIG_FILE=${CODE_DIR}/test/test-config/${CONFIG_FILE}
18 | fi
19 | 
20 | setup_environment 3>&1
21 | 
22 | # Only add the pebble CA to the cert bundle if using pebble
23 | if grep -q pebble "${CONFIG_FILE}"; then
24 |     export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
25 | fi
26 | 
27 | "${CODE_DIR}/getssl" -U -c "$GETSSL_HOST" 3>&1
28 | cp "${CONFIG_FILE}" "${INSTALL_DIR}/.getssl/${GETSSL_HOST}/getssl.cfg"
29 | # shellcheck disable=SC2086
30 | "${CODE_DIR}/getssl" -U ${DEBUG} -f "$GETSSL_HOST" 3>&1
31 | #bash
32 | 


--------------------------------------------------------------------------------
/test/dns_add_fail:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | 
3 | # Special test script which will always fail to update dns
4 | 
5 | echo "dns_add_fail: This is a test script to check retry works if DNS isn't updated"
6 | exit 0
7 | 


--------------------------------------------------------------------------------
/test/idn-domain.md:
--------------------------------------------------------------------------------
 1 | # Convert getssl.test into IDN version using confusable letters
 2 | 
 3 | <https://util.unicode.org/UnicodeJsps/confusables.jsp?a=getssl&r=IDNA2008>
 4 | 
 5 | ## Unicode characters
 6 | 
 7 | * ɡ   0261    LATIN SMALL LETTER SCRIPT G
 8 | * е   0435    CYRILLIC SMALL LETTER IE
 9 | * t
10 | * ѕ   0455    CYRILLIC SMALL LETTER DZE
11 | * ꜱ    A731   LATIN LETTER SMALL CAPITAL S
12 | * ᛁ   16C1    RUNIC LETTER ISAZ IS ISS I
13 | 
14 | ## IDN version of getssl.test
15 | 
16 | ɡеtѕꜱᛁ.test
17 | 
18 | ## ACE version of IDN ɡеtѕꜱᛁ.test
19 | 
20 | <https://www.verisign.com/en_US/channel-resources/domain-registry-products/idn/idn-conversion-tool/index.xhtml>
21 | 
22 | xn--t-r1a81lydm69gz81r.test
23 | 


--------------------------------------------------------------------------------
/test/restart-ftpd:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | if [ -z "$1" ]; then
 4 |   arg="restart"
 5 | else
 6 |   arg=$1
 7 | fi
 8 | 
 9 | if [ "$GETSSL_OS" = "alpine" ]; then
10 |     # Switch to supervisorctl as killall -HUP won't change the listen port
11 |     supervisorctl restart vsftpd:
12 | elif [[ "$GETSSL_OS" == "centos"[78] || "$GETSSL_OS" == "rockylinux"* ]]; then
13 |     # Hard restart the service as using -HUP won't change the listening port
14 |     if pgrep vsftpd; then
15 |       pgrep vsftpd | head -1 | xargs kill
16 |       vsftpd 3>&- 4>&-
17 |     fi
18 | elif [[ "$GETSSL_OS" == "centos6" ]]; then
19 |     service vsftpd "$arg" 3>&- 4>&-
20 | else
21 |     service vsftpd restart >/dev/null 3>&- 4>&-
22 | fi
23 | 


--------------------------------------------------------------------------------
/test/restart-nginx:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | if [ "$GETSSL_OS" = "alpine" ]; then
 4 |     killall -HUP nginx
 5 |     sleep 5
 6 | elif [[ "$GETSSL_OS" == "centos"[78] || "$GETSSL_OS" == "rockylinux"* ]]; then
 7 |     pgrep nginx | head -1 | xargs kill -HUP
 8 |     sleep 5
 9 | elif [[ "$GETSSL_OS" == "centos6" ]]; then
10 |     service nginx restart 3>&- 4>&-
11 |     # service nginx restart
12 | else
13 |     service nginx restart >/dev/null 3>&- 4>&-
14 | fi
15 | 


--------------------------------------------------------------------------------
/test/test-config/alpine-supervisord.conf:
--------------------------------------------------------------------------------
 1 | [unix_http_server]
 2 | file=/etc/supervisor.sock
 3 | 
 4 | [supervisorctl]
 5 | serverurl=unix:///etc/supervisor.sock
 6 | 
 7 | [rpcinterface:supervisor]
 8 | supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
 9 | 
10 | [supervisord]
11 | nodaemon=false
12 | logfile=/tmp/supervisord.log
13 | childlogdir=/tmp
14 | pidfile = /tmp/supervisord.pid
15 | 
16 | [program:nginx]
17 | command=nginx
18 | stdout_logfile=/dev/stdout
19 | stdout_logfile_maxbytes=0
20 | stderr_logfile=/dev/stderr
21 | stderr_logfile_maxbytes=0
22 | autorestart=false
23 | startretries=0
24 | 
25 | [program:vsftpd]
26 | command=vsftpd
27 | stdout_logfile=/dev/stdout
28 | stdout_logfile_maxbytes=0
29 | stderr_logfile=/dev/stderr
30 | stderr_logfile_maxbytes=0
31 | autorestart=false
32 | startretries=0
33 | 


--------------------------------------------------------------------------------
/test/test-config/getssl-dns01-dual-rsa-ecdsa-2-locations.cfg:
--------------------------------------------------------------------------------
 1 | # Test that more than one location can be specified for CERT and KEY locations and that the
 2 | # files are copied to both locations when both RSA and ECDSA certificates are created
 3 | #
 4 | CA="https://pebble:14000/dir"
 5 | 
 6 | VALIDATE_VIA_DNS=true
 7 | DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv"
 8 | DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv"
 9 | AUTH_DNS_SERVER=10.30.50.3
10 | 
11 | # Speed up the test by reducing the number or retries and the wait between retries.
12 | DNS_WAIT=2
13 | DNS_WAIT_COUNT=11
14 | DNS_EXTRA_WAIT=0
15 | 
16 | DUAL_RSA_ECDSA="true"
17 | ACCOUNT_KEY_TYPE="prime256v1"
18 | PRIVATE_KEY_ALG="prime256v1"
19 | 
20 | # Additional domains - this could be multiple domains / subdomains in a comma separated list
21 | SANS=""
22 | # SANS="a.${GETSSL_HOST}"
23 | 
24 | # Location for all your certs, these can either be on the server (full path name)
25 | # or using ssh /sftp as for the ACL
26 | DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
27 | DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key;/root/a.${GETSSL_HOST}/server.key"
28 | CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
29 | DOMAIN_CHAIN_LOCATION="/etc/nginx/pki/domain-chain.crt;/root/a.${GETSSL_HOST}/domain-chain.crt" # this is the domain cert and CA cert
30 | DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
31 | 
32 | # The command needed to reload apache / nginx or whatever you use
33 | RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-dual-certs ${NGINX_CONFIG} && /getssl/test/restart-nginx"
34 | 
35 | # Define the server type and confirm correct certificate is installed
36 | SERVER_TYPE="https"
37 | CHECK_REMOTE="true"
38 | 


--------------------------------------------------------------------------------
/test/test-config/getssl-dns01-dual-rsa-ecdsa-old-nginx.cfg:
--------------------------------------------------------------------------------
 1 | # Uncomment and modify any variables you need
 2 | # see https://github.com/srvrco/getssl/wiki/Config-variables for details
 3 | # see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
 4 | #
 5 | CA="https://pebble:14000/dir"
 6 | 
 7 | VALIDATE_VIA_DNS=true
 8 | DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv"
 9 | DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv"
10 | AUTH_DNS_SERVER=10.30.50.3
11 | DNS_EXTRA_WAIT=0
12 | 
13 | DUAL_RSA_ECDSA="true"
14 | ACCOUNT_KEY_TYPE="prime256v1"
15 | PRIVATE_KEY_ALG="prime256v1"
16 | 
17 | # Additional domains - this could be multiple domains / subdomains in a comma separated list
18 | SANS=""
19 | 
20 | # Location for all your certs, these can either be on the server (full path name)
21 | # or using ssh /sftp as for the ACL
22 | DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.ec.crt"
23 | DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.ec.key"
24 | CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
25 | DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
26 | DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
27 | 
28 | # The command needed to reload apache / nginx or whatever you use
29 | RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
30 | 
31 | # Define the server type and confirm correct certificate is installed
32 | SERVER_TYPE="https"
33 | CHECK_REMOTE="false"
34 | 


--------------------------------------------------------------------------------
/test/test-config/getssl-dns01-dual-rsa-ecdsa.cfg:
--------------------------------------------------------------------------------
 1 | # Uncomment and modify any variables you need
 2 | # see https://github.com/srvrco/getssl/wiki/Config-variables for details
 3 | # see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
 4 | #
 5 | CA="https://pebble:14000/dir"
 6 | 
 7 | VALIDATE_VIA_DNS=true
 8 | DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv"
 9 | DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv"
10 | AUTH_DNS_SERVER=10.30.50.3
11 | DNS_EXTRA_WAIT=0
12 | 
13 | DUAL_RSA_ECDSA="true"
14 | ACCOUNT_KEY_TYPE="prime256v1"
15 | PRIVATE_KEY_ALG="prime256v1"
16 | 
17 | # Additional domains - this could be multiple domains / subdomains in a comma separated list
18 | SANS=""
19 | 
20 | # Location for all your certs, these can either be on the server (full path name)
21 | # or using ssh /sftp as for the ACL
22 | DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
23 | DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
24 | CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
25 | DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
26 | DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
27 | 
28 | # The command needed to reload apache / nginx or whatever you use
29 | RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-dual-certs ${NGINX_CONFIG} && /getssl/test/restart-nginx"
30 | 
31 | # Define the server type and confirm correct certificate is installed
32 | SERVER_TYPE="https"
33 | CHECK_REMOTE="true"
34 | 


--------------------------------------------------------------------------------
/test/test-config/getssl-dns01-ignore-directory-domain.cfg:
--------------------------------------------------------------------------------
 1 | # Uncomment and modify any variables you need
 2 | # see https://github.com/srvrco/getssl/wiki/Config-variables for details
 3 | # see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
 4 | #
 5 | CA="https://pebble:14000/dir"
 6 | 
 7 | VALIDATE_VIA_DNS=true
 8 | DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv"
 9 | DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv"
10 | AUTH_DNS_SERVER=10.30.50.3
11 | DNS_EXTRA_WAIT=0
12 | 
13 | # Ignore directory domain (i.e. the domain passed on the command line), and just use the domains in the SANS list
14 | IGNORE_DIRECTORY_DOMAIN="true"
15 | SANS="getssl.test,$GETSSL_HOST"
16 | 
17 | # Location for all your certs, these can either be on the server (full path name)
18 | # or using ssh /sftp as for the ACL
19 | DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
20 | DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
21 | CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
22 | DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
23 | DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
24 | 
25 | # The command needed to reload apache / nginx or whatever you use
26 | RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
27 | 
28 | # Define the server type and confirm correct certificate is installed
29 | SERVER_TYPE="https"
30 | CHECK_REMOTE="true"
31 | 


--------------------------------------------------------------------------------
/test/test-config/getssl-dns01-multiple-domains.cfg:
--------------------------------------------------------------------------------
 1 | # Uncomment and modify any variables you need
 2 | # see https://github.com/srvrco/getssl/wiki/Config-variables for details
 3 | # see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
 4 | #
 5 | CA="https://pebble:14000/dir"
 6 | 
 7 | VALIDATE_VIA_DNS=true
 8 | DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv"
 9 | DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv"
10 | AUTH_DNS_SERVER=10.30.50.3
11 | DNS_EXTRA_WAIT=0
12 | 
13 | # Additional domains - this could be multiple domains / subdomains in a comma separated list
14 | SANS="getssl.test"
15 | 
16 | # Location for all your certs, these can either be on the server (full path name)
17 | # or using ssh /sftp as for the ACL
18 | DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
19 | DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
20 | CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
21 | DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
22 | DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
23 | 
24 | # The command needed to reload apache / nginx or whatever you use
25 | RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
26 | 
27 | # Define the server type and confirm correct certificate is installed
28 | SERVER_TYPE="https"
29 | CHECK_REMOTE="true"
30 | 


--------------------------------------------------------------------------------
/test/test-config/getssl-dns01-secp384.cfg:
--------------------------------------------------------------------------------
 1 | # Uncomment and modify any variables you need
 2 | # see https://github.com/srvrco/getssl/wiki/Config-variables for details
 3 | # see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
 4 | #
 5 | CA="https://pebble:14000/dir"
 6 | 
 7 | VALIDATE_VIA_DNS=true
 8 | DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv"
 9 | DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv"
10 | AUTH_DNS_SERVER=10.30.50.3
11 | 
12 | # Speed up the test by reducing the number or retries and the wait between retries.
13 | DNS_WAIT=2
14 | DNS_WAIT_COUNT=11
15 | DNS_EXTRA_WAIT=0
16 | 
17 | ACCOUNT_KEY_TYPE="secp384r1"
18 | PRIVATE_KEY_ALG="secp384r1"
19 | 
20 | # Additional domains - this could be multiple domains / subdomains in a comma separated list
21 | SANS=""
22 | 
23 | # Location for all your certs, these can either be on the server (full path name)
24 | # or using ssh /sftp as for the ACL
25 | DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
26 | DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
27 | CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
28 | DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
29 | DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
30 | 
31 | # The command needed to reload apache / nginx or whatever you use
32 | RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
33 | 
34 | # Define the server type and confirm correct certificate is installed
35 | SERVER_TYPE="https"
36 | CHECK_REMOTE="true"
37 | 


--------------------------------------------------------------------------------
/test/test-config/getssl-dns01-spaces-and-commas-sans.cfg:
--------------------------------------------------------------------------------
 1 | # Uncomment and modify any variables you need
 2 | # see https://github.com/srvrco/getssl/wiki/Config-variables for details
 3 | # see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
 4 | 
 5 | CA="https://pebble:14000/dir"
 6 | 
 7 | VALIDATE_VIA_DNS=true
 8 | DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv"
 9 | DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv"
10 | AUTH_DNS_SERVER=10.30.50.3
11 | DNS_EXTRA_WAIT=0
12 | 
13 | # Additional domains - this could be multiple domains / subdomains in a comma separated list
14 | SANS="a.${GETSSL_HOST}, b.${GETSSL_HOST}, c.${GETSSL_HOST}"
15 | 
16 | # Location for all your certs, these can either be on the server (full path name)
17 | DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
18 | DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
19 | CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
20 | DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
21 | DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
22 | 
23 | # The command needed to reload apache / nginx or whatever you use
24 | RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
25 | 
26 | # Define the server type and confirm correct certificate is installed
27 | SERVER_TYPE="https"
28 | CHECK_REMOTE="true"
29 | 


--------------------------------------------------------------------------------
/test/test-config/getssl-dns01-spaces-sans-and-ignore-dir-domain.cfg:
--------------------------------------------------------------------------------
 1 | # Uncomment and modify any variables you need
 2 | # see https://github.com/srvrco/getssl/wiki/Config-variables for details
 3 | # see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
 4 | 
 5 | CA="https://pebble:14000/dir"
 6 | 
 7 | VALIDATE_VIA_DNS=true
 8 | DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv"
 9 | DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv"
10 | AUTH_DNS_SERVER=10.30.50.3
11 | DNS_EXTRA_WAIT=0
12 | 
13 | # Ignore directory domain (i.e. the domain passed on the command line), and just use the domains in the SANS list
14 | IGNORE_DIRECTORY_DOMAIN="true"
15 | SANS="a.${GETSSL_HOST} b.${GETSSL_HOST} c.${GETSSL_HOST}"
16 | 
17 | # Location for all your certs, these can either be on the server (full path name)
18 | DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
19 | DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
20 | CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
21 | DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
22 | DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
23 | 
24 | # The command needed to reload apache / nginx or whatever you use
25 | RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
26 | 
27 | # Define the server type and confirm correct certificate is installed
28 | SERVER_TYPE="https"
29 | CHECK_REMOTE="true"
30 | 


--------------------------------------------------------------------------------
/test/test-config/getssl-dns01-spaces-sans.cfg:
--------------------------------------------------------------------------------
 1 | # Uncomment and modify any variables you need
 2 | # see https://github.com/srvrco/getssl/wiki/Config-variables for details
 3 | # see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
 4 | 
 5 | CA="https://pebble:14000/dir"
 6 | 
 7 | VALIDATE_VIA_DNS=true
 8 | DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv"
 9 | DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv"
10 | AUTH_DNS_SERVER=10.30.50.3
11 | DNS_EXTRA_WAIT=0
12 | 
13 | # Additional domains - this could be multiple domains / subdomains in a comma separated list
14 | SANS="a.${GETSSL_HOST} b.${GETSSL_HOST} c.${GETSSL_HOST}"
15 | 
16 | # Location for all your certs, these can either be on the server (full path name)
17 | DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
18 | DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
19 | CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
20 | DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
21 | DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
22 | 
23 | # The command needed to reload apache / nginx or whatever you use
24 | RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
25 | 
26 | # Define the server type and confirm correct certificate is installed
27 | SERVER_TYPE="https"
28 | CHECK_REMOTE="true"
29 | 


--------------------------------------------------------------------------------
/test/test-config/getssl-dns01.cfg:
--------------------------------------------------------------------------------
 1 | # Test that the script works with dns
 2 | 
 3 | VALIDATE_VIA_DNS=true
 4 | # Speed up the test by reducing the number or retries and the wait between retries.
 5 | DNS_WAIT=2
 6 | DNS_WAIT_COUNT=11
 7 | DNS_EXTRA_WAIT=0
 8 | 
 9 | if [ -z "$STAGING" ]; then
10 |     # Settings for challtestserv dns provider running in local docker
11 |     CA="https://pebble:14000/dir"
12 | 
13 |     DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv"
14 |     DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv"
15 |     AUTH_DNS_SERVER=10.30.50.3
16 | else
17 |     # Settings for external dns provider and staging server
18 |     CA="https://acme-staging-v02.api.letsencrypt.org/directory"
19 | 
20 |     # Re-use the account key when calling the staging server (otherwise hit limits)
21 |     ACCOUNT_KEY="${HOME}/account.key"
22 |     DEACTIVATE_AUTH="true"
23 | 
24 |     DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_${dynamic_dns}"
25 |     DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_${dynamic_dns}"
26 |     PUBLIC_DNS_SERVER="8.8.8.8" # resolver1.infoserve.de"
27 |     if [[ "${dynamic_dns}" == "dynu" ]]; then
28 |         AUTH_DNS_SERVER=ns1.dynu.com
29 |     elif [[ "${dynamic_dns}" != "acmedns" ]]; then
30 |         AUTH_DNS_SERVER=ns1.duckdns.org
31 |     fi
32 |     CHECK_ALL_AUTH_DNS="true"
33 |     CHECK_PUBLIC_DNS_SERVER="true"
34 |     if [[ "${dynamic_dns}" != "acmedns" ]]; then
35 |         DNS_WAIT=30
36 |         DNS_WAIT_COUNT=20
37 |         DNS_EXTRA_WAIT=120
38 |     fi
39 | fi
40 | # Additional domains - this could be multiple domains / subdomains in a comma separated list
41 | SANS=""
42 | 
43 | # Location for all your certs, these can either be on the server (full path name)
44 | # or using ssh /sftp as for the ACL
45 | DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
46 | DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
47 | CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
48 | DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
49 | DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
50 | 
51 | # The command needed to reload apache / nginx or whatever you use
52 | RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
53 | 
54 | # Define the server type and confirm correct certificate is installed
55 | SERVER_TYPE="https"
56 | CHECK_REMOTE="true"
57 | 
58 | if [[ -s "$DOMAIN_DIR/getssl_test_specific.cfg" ]]; then
59 |     . $DOMAIN_DIR/getssl_test_specific.cfg
60 | fi
61 | 


--------------------------------------------------------------------------------
/test/test-config/getssl-etc-template.cfg:
--------------------------------------------------------------------------------
 1 | # vim: filetype=sh
 2 | #
 3 | # This file is read first and is common to all domains
 4 | #
 5 | # Uncomment and modify any variables you need
 6 | # see https://github.com/srvrco/getssl/wiki/Config-variables for details
 7 | #
 8 | # The staging server is best for testing (hence set as default)
 9 | CA="https://acme-staging-v02.api.letsencrypt.org"
10 | # This server issues full certificates, however has rate limits
11 | #CA="https://acme-v02.api.letsencrypt.org"
12 | 
13 | # The agreement that must be signed with the CA, if not defined the default agreement will be used
14 | #AGREEMENT=""
15 | 
16 | # Set an email address associated with your account - generally set at account level rather than domain.
17 | #ACCOUNT_EMAIL="me@example.com"
18 | ACCOUNT_KEY_LENGTH=4096
19 | ACCOUNT_KEY="/etc/getssl/account.key"
20 | 
21 | # Account key and private key types - can be rsa, prime256v1, secp384r1 or secp521r1
22 | #ACCOUNT_KEY_TYPE="rsa"
23 | PRIVATE_KEY_ALG="rsa"
24 | #REUSE_PRIVATE_KEY="true"
25 | 
26 | # The command needed to reload apache / nginx or whatever you use
27 | #RELOAD_CMD=""
28 | 
29 | # The time period within which you want to allow renewal of a certificate
30 | #  this prevents hitting some of the rate limits.
31 | # Creating a file called FORCE_RENEWAL in the domain directory allows one-off overrides
32 | # of this setting
33 | RENEW_ALLOW="30"
34 | 
35 | # Define the server type. This can be https, ftp, ftpi, imap, imaps, pop3, pop3s, smtp,
36 | # smtps_deprecated, smtps, smtp_submission, xmpp, xmpps, ldaps or a port number which
37 | # will be checked for certificate expiry and also will be checked after
38 | # an update to confirm correct certificate is running (if CHECK_REMOTE) is set to true
39 | SERVER_TYPE="https"
40 | CHECK_REMOTE="true"
41 | 
42 | # Use the following 3 variables if you want to validate via DNS
43 | #VALIDATE_VIA_DNS="true"
44 | #DNS_ADD_COMMAND=
45 | #DNS_DEL_COMMAND=
46 | 


--------------------------------------------------------------------------------
/test/test-config/getssl-http01-10-hosts.cfg:
--------------------------------------------------------------------------------
 1 | # Uncomment and modify any variables you need
 2 | # see https://github.com/srvrco/getssl/wiki/Config-variables for details
 3 | # see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
 4 | 
 5 | CA="https://pebble:14000/dir"
 6 | 
 7 | # Additional domains - this could be multiple domains / subdomains in a comma separated list
 8 | SANS="a.${GETSSL_HOST},b.${GETSSL_HOST},c.${GETSSL_HOST},d.${GETSSL_HOST},e.${GETSSL_HOST},f.${GETSSL_HOST},g.${GETSSL_HOST},h.${GETSSL_HOST},i.${GETSSL_HOST},j.${GETSSL_HOST},k.${GETSSL_HOST}"
 9 | 
10 | # Acme Challenge Location.
11 | ACL=('/var/www/html/.well-known/acme-challenge')
12 | 
13 | # Use a single ACL for all checks
14 | USE_SINGLE_ACL="true"
15 | 
16 | # Location for all your certs, these can either be on the server (full path name)
17 | DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
18 | DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
19 | CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
20 | DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
21 | DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
22 | 
23 | # The command needed to reload apache / nginx or whatever you use
24 | RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
25 | 
26 | # Define the server type and confirm correct certificate is installed
27 | SERVER_TYPE="https"
28 | CHECK_REMOTE="true"
29 | 


--------------------------------------------------------------------------------
/test/test-config/getssl-http01-bad-acl.cfg:
--------------------------------------------------------------------------------
 1 | # Uncomment and modify any variables you need
 2 | # see https://github.com/srvrco/getssl/wiki/Config-variables for details
 3 | # see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
 4 | #
 5 | CA="https://pebble:14000/dir"
 6 | 
 7 | # Additional domains - this could be multiple domains / subdomains in a comma separated list
 8 | SANS=""
 9 | 
10 | # Acme Challenge Location.
11 | ACL= ('/var/www/html/.well-known/acme-challenge')
12 | 
13 | #Set USE_SINGLE_ACL="true" to use a single ACL for all checks
14 | USE_SINGLE_ACL="false"
15 | 
16 | # Location for all your certs, these can either be on the server (full path name)
17 | # or using ssh /sftp as for the ACL
18 | DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
19 | DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
20 | CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
21 | DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
22 | DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
23 | 
24 | # The command needed to reload apache / nginx or whatever you use
25 | RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
26 | 
27 | # Define the server type and confirm correct certificate is installed
28 | SERVER_TYPE="https"
29 | CHECK_REMOTE="true"
30 | 


--------------------------------------------------------------------------------
/test/test-config/getssl-http01-dual-rsa-ecdsa-2-locations-old-nginx.cfg:
--------------------------------------------------------------------------------
 1 | # Test that more than one location can be specified for CERT and KEY locations and that the
 2 | # files are copied to both locations when both RSA and ECDSA certificates are created
 3 | #
 4 | CA="https://pebble:14000/dir"
 5 | 
 6 | DUAL_RSA_ECDSA="true"
 7 | ACCOUNT_KEY_TYPE="prime256v1"
 8 | PRIVATE_KEY_ALG="prime256v1"
 9 | 
10 | # Additional domains - this could be multiple domains / subdomains in a comma separated list
11 | SANS="a.${GETSSL_HOST}"
12 | 
13 | # Acme Challenge Location.
14 | ACL=('/var/www/html/.well-known/acme-challenge')
15 | 
16 | #Set USE_SINGLE_ACL="true" to use a single ACL for all checks
17 | USE_SINGLE_ACL="true"
18 | 
19 | # Location for all your certs, these can either be on the server (full path name)
20 | # or using ssh /sftp as for the ACL
21 | DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
22 | DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key;/root/a.${GETSSL_HOST}/server.key"
23 | CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
24 | DOMAIN_CHAIN_LOCATION="/etc/nginx/pki/domain-chain.crt;/root/a.${GETSSL_HOST}/domain-chain.crt" # this is the domain cert and CA cert
25 | DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
26 | 
27 | # The command needed to reload apache / nginx or whatever you use
28 | RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
29 | 
30 | # Define the server type and confirm correct certificate is installed
31 | SERVER_TYPE="https"
32 | CHECK_REMOTE="false"
33 | 


--------------------------------------------------------------------------------
/test/test-config/getssl-http01-dual-rsa-ecdsa-2-locations-wrong-nginx.cfg:
--------------------------------------------------------------------------------
 1 | # Test that more than one location can be specified for CERT and KEY locations and that the
 2 | # files are copied to both locations when both RSA and ECDSA certificates are created
 3 | #
 4 | CA="https://pebble:14000/dir"
 5 | 
 6 | DUAL_RSA_ECDSA="true"
 7 | ACCOUNT_KEY_TYPE="prime256v1"
 8 | PRIVATE_KEY_ALG="prime256v1"
 9 | 
10 | # Additional domains - this could be multiple domains / subdomains in a comma separated list
11 | SANS="a.${GETSSL_HOST}"
12 | 
13 | # Acme Challenge Location.
14 | ACL=('/var/www/html/.well-known/acme-challenge')
15 | 
16 | #Set USE_SINGLE_ACL="true" to use a single ACL for all checks
17 | USE_SINGLE_ACL="true"
18 | 
19 | # Location for all your certs, these can either be on the server (full path name)
20 | # or using ssh /sftp as for the ACL
21 | DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
22 | DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key;/root/a.${GETSSL_HOST}/server.key"
23 | CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
24 | DOMAIN_CHAIN_LOCATION="/etc/nginx/pki/domain-chain.crt;/root/a.${GETSSL_HOST}/domain-chain.crt" # this is the domain cert and CA cert
25 | DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
26 | 
27 | # The command needed to reload apache / nginx or whatever you use
28 | RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
29 | 
30 | # Define the server type and confirm correct certificate is installed
31 | SERVER_TYPE="https"
32 | CHECK_REMOTE="true"
33 | 


--------------------------------------------------------------------------------
/test/test-config/getssl-http01-dual-rsa-ecdsa-2-locations.cfg:
--------------------------------------------------------------------------------
 1 | # Test that more than one location can be specified for CERT and KEY locations and that the
 2 | # files are copied to both locations when both RSA and ECDSA certificates are created
 3 | #
 4 | CA="https://pebble:14000/dir"
 5 | 
 6 | DUAL_RSA_ECDSA="true"
 7 | ACCOUNT_KEY_TYPE="prime256v1"
 8 | PRIVATE_KEY_ALG="prime256v1"
 9 | 
10 | # Additional domains - this could be multiple domains / subdomains in a comma separated list
11 | SANS="a.${GETSSL_HOST}"
12 | 
13 | # Acme Challenge Location.
14 | ACL=('/var/www/html/.well-known/acme-challenge')
15 | 
16 | #Set USE_SINGLE_ACL="true" to use a single ACL for all checks
17 | USE_SINGLE_ACL="true"
18 | 
19 | # Location for all your certs, these can either be on the server (full path name)
20 | # or using ssh /sftp as for the ACL
21 | DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
22 | DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key;/root/a.${GETSSL_HOST}/server.key"
23 | CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
24 | DOMAIN_CHAIN_LOCATION="/etc/nginx/pki/domain-chain.crt;/root/a.${GETSSL_HOST}/domain-chain.crt" # this is the domain cert and CA cert
25 | DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
26 | 
27 | # The command needed to reload apache / nginx or whatever you use
28 | RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-dual-certs ${NGINX_CONFIG} && /getssl/test/restart-nginx"
29 | 
30 | # Define the server type and confirm correct certificate is installed
31 | SERVER_TYPE="https"
32 | CHECK_REMOTE="true"
33 | 


--------------------------------------------------------------------------------
/test/test-config/getssl-http01-dual-rsa-ecdsa-old-nginx.cfg:
--------------------------------------------------------------------------------
 1 | # Uncomment and modify any variables you need
 2 | # see https://github.com/srvrco/getssl/wiki/Config-variables for details
 3 | # see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
 4 | #
 5 | CA="https://pebble:14000/dir"
 6 | 
 7 | DUAL_RSA_ECDSA="true"
 8 | ACCOUNT_KEY_TYPE="prime256v1"
 9 | PRIVATE_KEY_ALG="prime256v1"
10 | 
11 | # Additional domains - this could be multiple domains / subdomains in a comma separated list
12 | SANS=""
13 | 
14 | # Acme Challenge Location.
15 | ACL=('/var/www/html/.well-known/acme-challenge')
16 | 
17 | #Set USE_SINGLE_ACL="true" to use a single ACL for all checks
18 | USE_SINGLE_ACL="false"
19 | 
20 | # Location for all your certs, these can either be on the server (full path name)
21 | # or using ssh /sftp as for the ACL
22 | DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
23 | DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
24 | CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
25 | DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
26 | DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
27 | 
28 | # The command needed to reload apache / nginx or whatever you use
29 | RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
30 | 
31 | # Define the server type and confirm correct certificate is installed
32 | SERVER_TYPE="https"
33 | CHECK_REMOTE="false"
34 | 


--------------------------------------------------------------------------------
/test/test-config/getssl-http01-dual-rsa-ecdsa.cfg:
--------------------------------------------------------------------------------
 1 | # Uncomment and modify any variables you need
 2 | # see https://github.com/srvrco/getssl/wiki/Config-variables for details
 3 | # see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
 4 | #
 5 | CA="https://pebble:14000/dir"
 6 | 
 7 | DUAL_RSA_ECDSA="true"
 8 | ACCOUNT_KEY_TYPE="prime256v1"
 9 | PRIVATE_KEY_ALG="prime256v1"
10 | 
11 | # Additional domains - this could be multiple domains / subdomains in a comma separated list
12 | SANS=""
13 | 
14 | # Acme Challenge Location.
15 | ACL=('/var/www/html/.well-known/acme-challenge')
16 | 
17 | #Set USE_SINGLE_ACL="true" to use a single ACL for all checks
18 | USE_SINGLE_ACL="false"
19 | 
20 | # Location for all your certs, these can either be on the server (full path name)
21 | # or using ssh /sftp as for the ACL
22 | DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
23 | DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
24 | CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
25 | DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
26 | DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
27 | 
28 | # The command needed to reload apache / nginx or whatever you use
29 | RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-dual-certs ${NGINX_CONFIG} && /getssl/test/restart-nginx"
30 | 
31 | # Define the server type and confirm correct certificate is installed
32 | SERVER_TYPE="https"
33 | CHECK_REMOTE="true"
34 | 


--------------------------------------------------------------------------------
/test/test-config/getssl-http01-no-domain-storage.cfg:
--------------------------------------------------------------------------------
 1 | # Uncomment and modify any variables you need
 2 | # see https://github.com/srvrco/getssl/wiki/Config-variables for details
 3 | # see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
 4 | #
 5 | CA="https://pebble:14000/dir"
 6 | 
 7 | # Additional domains - this could be multiple domains / subdomains in a comma separated list
 8 | SANS=""
 9 | 
10 | # Acme Challenge Location.
11 | ACL=('/var/www/html/.well-known/acme-challenge')
12 | 
13 | #Set USE_SINGLE_ACL="true" to use a single ACL for all checks
14 | USE_SINGLE_ACL="false"
15 | 
16 | # Location for all your certs, these can either be on the server (full path name)
17 | # or using ssh /sftp as for the ACL
18 | DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
19 | DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
20 | CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
21 | DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
22 | DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
23 | 
24 | # The command needed to reload apache / nginx or whatever you use
25 | RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
26 | 
27 | # Define the server type and confirm correct certificate is installed
28 | SERVER_TYPE="https"
29 | CHECK_REMOTE="true"
30 | 
31 | DOMAIN_STORAGE="/"
32 | 


--------------------------------------------------------------------------------
/test/test-config/getssl-http01-no-suffix.cfg:
--------------------------------------------------------------------------------
 1 | # Uncomment and modify any variables you need
 2 | # see https://github.com/srvrco/getssl/wiki/Config-variables for details
 3 | # see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
 4 | #
 5 | CA="https://pebble:14000/dir"
 6 | CA="https://pebble:14000"
 7 | 
 8 | # Additional domains - this could be multiple domains / subdomains in a comma separated list
 9 | SANS=""
10 | 
11 | # Acme Challenge Location.
12 | ACL=('/var/www/html/.well-known/acme-challenge')
13 | 
14 | #Set USE_SINGLE_ACL="true" to use a single ACL for all checks
15 | USE_SINGLE_ACL="false"
16 | 
17 | # Location for all your certs, these can either be on the server (full path name)
18 | # or using ssh /sftp as for the ACL
19 | DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
20 | DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
21 | CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
22 | DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
23 | DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
24 | 
25 | # The command needed to reload apache / nginx or whatever you use
26 | RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
27 | 
28 | # Define the server type and confirm correct certificate is installed
29 | SERVER_TYPE="https"
30 | CHECK_REMOTE="true"
31 | 


--------------------------------------------------------------------------------
/test/test-config/getssl-http01-secp384.cfg:
--------------------------------------------------------------------------------
 1 | # Uncomment and modify any variables you need
 2 | # see https://github.com/srvrco/getssl/wiki/Config-variables for details
 3 | # see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
 4 | #
 5 | CA="https://pebble:14000/dir"
 6 | 
 7 | ACCOUNT_KEY_TYPE="secp384r1"
 8 | PRIVATE_KEY_ALG="secp384r1"
 9 | 
10 | # Additional domains - this could be multiple domains / subdomains in a comma separated list
11 | SANS=""
12 | 
13 | # Acme Challenge Location.
14 | ACL=('/var/www/html/.well-known/acme-challenge')
15 | 
16 | #Set USE_SINGLE_ACL="true" to use a single ACL for all checks
17 | USE_SINGLE_ACL="false"
18 | 
19 | # Location for all your certs, these can either be on the server (full path name)
20 | # or using ssh /sftp as for the ACL
21 | DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
22 | DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
23 | CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
24 | DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
25 | DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
26 | 
27 | # The command needed to reload apache / nginx or whatever you use
28 | RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
29 | 
30 | # Define the server type and confirm correct certificate is installed
31 | SERVER_TYPE="https"
32 | CHECK_REMOTE="true"
33 | 


--------------------------------------------------------------------------------
/test/test-config/getssl-http01-secp521.cfg:
--------------------------------------------------------------------------------
 1 | # Uncomment and modify any variables you need
 2 | # see https://github.com/srvrco/getssl/wiki/Config-variables for details
 3 | # see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
 4 | #
 5 | CA="https://pebble:14000/dir"
 6 | 
 7 | ACCOUNT_KEY_TYPE="secp521r1"
 8 | PRIVATE_KEY_ALG="secp521r1"
 9 | 
10 | # Additional domains - this could be multiple domains / subdomains in a comma separated list
11 | SANS=""
12 | 
13 | # Acme Challenge Location.
14 | ACL=('/var/www/html/.well-known/acme-challenge')
15 | 
16 | #Set USE_SINGLE_ACL="true" to use a single ACL for all checks
17 | USE_SINGLE_ACL="false"
18 | 
19 | # Location for all your certs, these can either be on the server (full path name)
20 | # or using ssh /sftp as for the ACL
21 | DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
22 | DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
23 | CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
24 | DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
25 | DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
26 | 
27 | # The command needed to reload apache / nginx or whatever you use
28 | RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
29 | 
30 | # Define the server type and confirm correct certificate is installed
31 | SERVER_TYPE="https"
32 | CHECK_REMOTE="true"
33 | 


--------------------------------------------------------------------------------
/test/test-config/getssl-http01-spaces-and-commas-sans.cfg:
--------------------------------------------------------------------------------
 1 | # Uncomment and modify any variables you need
 2 | # see https://github.com/srvrco/getssl/wiki/Config-variables for details
 3 | # see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
 4 | 
 5 | CA="https://pebble:14000/dir"
 6 | 
 7 | # Additional domains - this could be multiple domains / subdomains in a comma separated list
 8 | SANS="a.${GETSSL_HOST}, b.${GETSSL_HOST}, c.${GETSSL_HOST}"
 9 | 
10 | # Acme Challenge Location.
11 | ACL=('/var/www/html/.well-known/acme-challenge')
12 | 
13 | # Use a single ACL for all checks
14 | USE_SINGLE_ACL="true"
15 | 
16 | # Location for all your certs, these can either be on the server (full path name)
17 | DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
18 | DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
19 | CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
20 | DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
21 | DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
22 | 
23 | # The command needed to reload apache / nginx or whatever you use
24 | RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
25 | 
26 | # Define the server type and confirm correct certificate is installed
27 | SERVER_TYPE="https"
28 | CHECK_REMOTE="true"
29 | 


--------------------------------------------------------------------------------
/test/test-config/getssl-http01-spaces-sans-and-ignore-dir-domain.cfg:
--------------------------------------------------------------------------------
 1 | # Uncomment and modify any variables you need
 2 | # see https://github.com/srvrco/getssl/wiki/Config-variables for details
 3 | # see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
 4 | 
 5 | CA="https://pebble:14000/dir"
 6 | 
 7 | # Ignore directory domain (i.e. the domain passed on the command line), and just use the domains in the SANS list
 8 | IGNORE_DIRECTORY_DOMAIN="true"
 9 | SANS="a.${GETSSL_HOST} b.${GETSSL_HOST} c.${GETSSL_HOST}"
10 | 
11 | # Acme Challenge Location.
12 | ACL=('/var/www/html/.well-known/acme-challenge')
13 | 
14 | # Use a single ACL for all checks
15 | USE_SINGLE_ACL="true"
16 | 
17 | # Location for all your certs, these can either be on the server (full path name)
18 | DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
19 | DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
20 | CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
21 | DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
22 | DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
23 | 
24 | # The command needed to reload apache / nginx or whatever you use
25 | RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
26 | 
27 | # Define the server type and confirm correct certificate is installed
28 | SERVER_TYPE="https"
29 | CHECK_REMOTE="true"
30 | 


--------------------------------------------------------------------------------
/test/test-config/getssl-http01-spaces-sans.cfg:
--------------------------------------------------------------------------------
 1 | # Uncomment and modify any variables you need
 2 | # see https://github.com/srvrco/getssl/wiki/Config-variables for details
 3 | # see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
 4 | 
 5 | CA="https://pebble:14000/dir"
 6 | 
 7 | # Additional domains - this could be multiple domains / subdomains in a comma separated list
 8 | SANS="a.${GETSSL_HOST} b.${GETSSL_HOST} c.${GETSSL_HOST}"
 9 | 
10 | # Acme Challenge Location.
11 | ACL=('/var/www/html/.well-known/acme-challenge')
12 | 
13 | # Use a single ACL for all checks
14 | USE_SINGLE_ACL="true"
15 | 
16 | # Location for all your certs, these can either be on the server (full path name)
17 | DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
18 | DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
19 | CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
20 | DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
21 | DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
22 | 
23 | # The command needed to reload apache / nginx or whatever you use
24 | RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
25 | 
26 | # Define the server type and confirm correct certificate is installed
27 | SERVER_TYPE="https"
28 | CHECK_REMOTE="true"
29 | 


--------------------------------------------------------------------------------
/test/test-config/getssl-http01-two-acl.cfg:
--------------------------------------------------------------------------------
 1 | # Uncomment and modify any variables you need
 2 | # see https://github.com/srvrco/getssl/wiki/Config-variables for details
 3 | # see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
 4 | #
 5 | CA="https://pebble:14000/dir"
 6 | 
 7 | # Additional domains - this could be multiple domains / subdomains in a comma separated list
 8 | SANS=""
 9 | 
10 | # Acme Challenge Location.
11 | ACL=('/var/www/html/.well-known/acme-challenge;/var/webroot/html/.well-known/acme-challenge')
12 | 
13 | #Set USE_SINGLE_ACL="true" to use a single ACL for all checks
14 | USE_SINGLE_ACL="false"
15 | 
16 | # Location for all your certs, these can either be on the server (full path name)
17 | # or using ssh /sftp as for the ACL
18 | DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
19 | DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
20 | CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
21 | DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
22 | DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
23 | 
24 | # The command needed to reload apache / nginx or whatever you use
25 | RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
26 | 
27 | # Define the server type and confirm correct certificate is installed
28 | SERVER_TYPE="https"
29 | CHECK_REMOTE="true"
30 | 


--------------------------------------------------------------------------------
/test/test-config/getssl-http01.cfg:
--------------------------------------------------------------------------------
 1 | # Uncomment and modify any variables you need
 2 | # see https://github.com/srvrco/getssl/wiki/Config-variables for details
 3 | # see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
 4 | #
 5 | CA="https://pebble:14000/dir"
 6 | 
 7 | # Additional domains - this could be multiple domains / subdomains in a comma separated list
 8 | SANS=""
 9 | 
10 | # Acme Challenge Location.
11 | ACL=('/var/www/html/.well-known/acme-challenge')
12 | 
13 | #Set USE_SINGLE_ACL="true" to use a single ACL for all checks
14 | USE_SINGLE_ACL="false"
15 | 
16 | # Location for all your certs, these can either be on the server (full path name)
17 | # or using ssh /sftp as for the ACL
18 | DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
19 | DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
20 | CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
21 | DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
22 | DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
23 | 
24 | # The command needed to reload apache / nginx or whatever you use
25 | RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
26 | 
27 | # Define the server type and confirm correct certificate is installed
28 | SERVER_TYPE="https"
29 | CHECK_REMOTE="true"
30 | 
31 | if [[ -s "$DOMAIN_DIR/getssl_test_specific.cfg" ]]; then
32 |     . $DOMAIN_DIR/getssl_test_specific.cfg
33 | fi
34 | 


--------------------------------------------------------------------------------
/test/test-config/getssl-upgrade-test-pebble.cfg:
--------------------------------------------------------------------------------
1 | #
2 | # Test that auto-upgrade to v2 doesn't change pebble url
3 | #
4 | CA="https://pebble:14000/dir"
5 | 
6 | 
7 | # Acme Challenge Location.
8 | ACL=('/var/www/html/.well-known/acme-challenge')
9 | 


--------------------------------------------------------------------------------
/test/test-config/getssl-upgrade-test-v1-prod.cfg:
--------------------------------------------------------------------------------
1 | #
2 | # Test that auto-upgrade to v2 changes v1 prod to v2 prod
3 | #
4 | CA="https://acme-v01.api.letsencrypt.org/directory"
5 | 
6 | # Acme Challenge Location.
7 | ACL=('/var/www/html/.well-known/acme-challenge')
8 | 


--------------------------------------------------------------------------------
/test/test-config/getssl-upgrade-test-v1-staging.cfg:
--------------------------------------------------------------------------------
1 | #
2 | # Test that auto-upgrade to v2 changes v1 staging to v2 staging
3 | #
4 | CA="https://acme-staging.api.letsencrypt.org/directory"
5 | 
6 | # Acme Challenge Location.
7 | ACL=('/var/www/html/.well-known/acme-challenge')
8 | 


--------------------------------------------------------------------------------
/test/test-config/getssl-upgrade-test-v2-prod.cfg:
--------------------------------------------------------------------------------
1 | #
2 | # Test that auto-upgrade to v2 doesn't change v2 prod url
3 | #
4 | CA="https://acme-v02.api.letsencrypt.org/directory"
5 | 
6 | # Acme Challenge Location.
7 | ACL=('/var/www/html/.well-known/acme-challenge')
8 | 


--------------------------------------------------------------------------------
/test/test-config/getssl-upgrade-test-v2-staging.cfg:
--------------------------------------------------------------------------------
1 | #
2 | # Test that auto-upgrade to v2 doesn't change v2 staging url
3 | #
4 | CA="https://acme-staging-v02.api.letsencrypt.org/directory"
5 | 
6 | # Acme Challenge Location.
7 | ACL=('/var/www/html/.well-known/acme-challenge')
8 | 


--------------------------------------------------------------------------------
/test/test-config/nginx-centos7.conf:
--------------------------------------------------------------------------------
 1 | user nginx;
 2 | worker_processes auto;
 3 | error_log /var/log/nginx/error.log;
 4 | pid /run/nginx.pid;
 5 | 
 6 | include /usr/share/nginx/modules/*.conf;
 7 | 
 8 | events {
 9 |     worker_connections 1024;
10 | }
11 | 
12 | http {
13 |     log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
14 |                       '$status $body_bytes_sent "$http_referer" '
15 |                       '"$http_user_agent" "$http_x_forwarded_for"';
16 | 
17 |     access_log  /var/log/nginx/access.log  main;
18 | 
19 |     sendfile            on;
20 |     tcp_nopush          on;
21 |     tcp_nodelay         on;
22 |     keepalive_timeout   65;
23 |     types_hash_max_size 2048;
24 | 
25 |     include             /etc/nginx/mime.types;
26 |     default_type        application/octet-stream;
27 | 
28 |     include /etc/nginx/conf.d/*.conf;
29 | }
30 | 


--------------------------------------------------------------------------------
/test/test-config/nginx-ubuntu-dual-certs:
--------------------------------------------------------------------------------
 1 | server {
 2 |     listen 80 default_server;
 3 |     listen 5002 default_server;
 4 |     listen [::]:5002 default_server;
 5 | 
 6 |     listen 443 ssl default_server;
 7 |     listen [::]:443 ssl default_server;
 8 | 
 9 |     listen 5001 ssl default_server;
10 |     listen [::]:5001 ssl default_server;
11 | 
12 |     root /var/www/html;
13 | 
14 |     index index.html index.htm index.nginx-debian.html;
15 | 
16 |     ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
17 | 
18 |     server_name _;
19 |     ssl_certificate /etc/nginx/pki/server.crt;
20 |     ssl_certificate_key /etc/nginx/pki/private/server.key;
21 | 
22 |     ssl_certificate /etc/nginx/pki/server.ec.crt;
23 |     ssl_certificate_key /etc/nginx/pki/private/server.ec.key;
24 | 
25 |     location / {
26 |         try_files $uri $uri/ =404;
27 |     }
28 | }
29 | 


--------------------------------------------------------------------------------
/test/test-config/nginx-ubuntu-no-ssl:
--------------------------------------------------------------------------------
 1 | server {
 2 |     listen 80 default_server;
 3 |     listen 5002 default_server;
 4 |     listen [::]:5002 default_server;
 5 | 
 6 |     listen 443 default_server;
 7 |     listen [::]:443 default_server;
 8 | 
 9 |     listen 5001 default_server;
10 |     listen [::]:5001 default_server;
11 | 
12 |     root /var/www/html;
13 | 
14 |     index index.html index.htm index.nginx-debian.html;
15 | 
16 |     server_name _;
17 | 
18 |     location / {
19 |         try_files $uri $uri/ =404;
20 |     }
21 | }
22 | 


--------------------------------------------------------------------------------
/test/test-config/nginx-ubuntu-ssl:
--------------------------------------------------------------------------------
 1 | server {
 2 |     listen 80 default_server;
 3 |     listen 5002 default_server;
 4 |     listen [::]:5002 default_server;
 5 | 
 6 |     listen 443 ssl default_server;
 7 |     listen [::]:443 ssl default_server;
 8 | 
 9 |     listen 5001 ssl default_server;
10 |     listen [::]:5001 ssl default_server;
11 | 
12 |     root /var/www/html;
13 | 
14 |     index index.html index.htm index.nginx-debian.html;
15 | 
16 |     server_name _;
17 |     ssl_certificate /etc/nginx/pki/server.crt;
18 |     ssl_certificate_key /etc/nginx/pki/private/server.key;
19 | 
20 |     location / {
21 |         try_files $uri $uri/ =404;
22 |     }
23 | }
24 | 


--------------------------------------------------------------------------------
/test/test-config/vsftpd.initd:
--------------------------------------------------------------------------------
  1 | #!/bin/sh
  2 | 
  3 | ### BEGIN INIT INFO
  4 | # Provides:		vsftpd
  5 | # Required-Start:	$network $remote_fs $syslog
  6 | # Required-Stop:	$network $remote_fs $syslog
  7 | # Default-Start:	2 3 4 5
  8 | # Default-Stop:		0 1 6
  9 | # Short-Description:	Very secure FTP server
 10 | # Description:		Provides a lightweight, efficient FTP server written
 11 | #			for security.
 12 | ### END INIT INFO
 13 | 
 14 | set -e
 15 | 
 16 | DAEMON="/usr/sbin/vsftpd"
 17 | NAME="vsftpd"
 18 | PATH="/sbin:/bin:/usr/sbin:/usr/bin"
 19 | LOGFILE="/var/log/vsftpd.log"
 20 | CHROOT="/var/run/vsftpd/empty"
 21 | 
 22 | test -x "${DAEMON}" || exit 0
 23 | 
 24 | . /lib/lsb/init-functions
 25 | 
 26 | if [ ! -e "${LOGFILE}" ]
 27 | then
 28 | 	touch "${LOGFILE}"
 29 | 	chmod 640 "${LOGFILE}"
 30 | 	chown root:adm "${LOGFILE}"
 31 | fi
 32 | 
 33 | if [ ! -d "${CHROOT}" ]
 34 | then
 35 | 	mkdir -p "${CHROOT}"
 36 | fi
 37 | 
 38 | case "${1}" in
 39 | 	start)
 40 | 		log_daemon_msg "Starting FTP server" "${NAME}"
 41 | 
 42 | 		if [ -e /etc/vsftpd.conf ] && ! grep -Eiq "^ *listen(_ipv6)? *= *yes" /etc/vsftpd.conf
 43 | 		then
 44 | 			log_warning_msg "vsftpd disabled - listen disabled in config."
 45 | 			exit 0
 46 | 		fi
 47 | 
 48 | 		start-stop-daemon --start --background -m --oknodo --pidfile /var/run/vsftpd/vsftpd.pid --exec ${DAEMON}
 49 | 
 50 | 		n=0
 51 | 		while [ ${n} -le 5 ]
 52 | 		do
 53 | 			_PID="$(if [ -e /var/run/vsftpd/vsftpd.pid ]; then cat /var/run/vsftpd/vsftpd.pid; fi)"
 54 | 			if pgrep vsftpd --pidfile /var/run/vsftpd/vsftpd.pid >/dev/null
 55 | 			then
 56 | 				break
 57 | 			fi
 58 | 			sleep 1
 59 | 			n=$(( $n + 1 ))
 60 | 		done
 61 | 
 62 |   	if ! pgrep vsftpd --pidfile /var/run/vsftpd/vsftpd.pid >/dev/null
 63 | 		then
 64 | 			log_warning_msg "vsftpd failed - probably invalid config."
 65 | 			exit 1
 66 | 		fi
 67 | 
 68 | 		log_end_msg 0
 69 | 		;;
 70 | 
 71 | 	stop)
 72 | 		log_daemon_msg "Stopping FTP server" "${NAME}"
 73 | 
 74 | 		start-stop-daemon --stop --pidfile /var/run/vsftpd/vsftpd.pid --oknodo --exec ${DAEMON}
 75 | 		rm -f /var/run/vsftpd/vsftpd.pid
 76 | 
 77 | 		log_end_msg 0
 78 | 		;;
 79 | 
 80 | 	restart)
 81 | 		${0} stop
 82 | 		${0} start
 83 | 		;;
 84 | 
 85 | 	reload|force-reload)
 86 | 		log_daemon_msg "Reloading FTP server configuration"
 87 | 
 88 | 		start-stop-daemon --stop --pidfile /var/run/vsftpd/vsftpd.pid --signal 1 --exec $DAEMON
 89 | 
 90 | 		log_end_msg "${?}"
 91 | 		;;
 92 | 
 93 | 	status)
 94 | 		status_of_proc "${DAEMON}" "FTP server"
 95 | 		;;
 96 | 
 97 | 	*)
 98 | 		echo "Usage: ${0} {start|stop|restart|reload|status}"
 99 | 		exit 1
100 | 		;;
101 | esac
102 | 
103 | exit 0
104 | 


--------------------------------------------------------------------------------
/test/u3-mktemp-template.bats:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bats
 2 | 
 3 | load '/bats-support/load.bash'
 4 | load '/bats-assert/load.bash'
 5 | load '/getssl/test/test_helper.bash'
 6 | 
 7 | 
 8 | setup() {
 9 |     [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
10 | }
11 | teardown() {
12 |     [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
13 | }
14 | 
15 | @test "Check mktemp -t getssl.XXXXXX works on all platforms" {
16 |     run mktemp -t getssl.XXXXXX
17 |     assert_success
18 | }
19 | 


--------------------------------------------------------------------------------
/test/u4-create-csr-and-ifs.bats:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bats
 2 | 
 3 | load '/bats-support/load.bash'
 4 | load '/bats-assert/load.bash'
 5 | load '/getssl/test/test_helper.bash'
 6 | 
 7 | 
 8 | # This is run for every test
 9 | teardown() {
10 |     [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
11 | }
12 | 
13 | setup() {
14 |     [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
15 |     . /getssl/getssl --source
16 |     find_dns_utils
17 |     _USE_DEBUG=1
18 | }
19 | 
20 | 
21 | @test "Check create_csr works for multiple domains" {
22 |     # Create a key
23 |     csr_key=$(mktemp -t getssl.key.XXXXXX) || error_exit "mktemp failed"
24 |     csr_file=$(mktemp -t getssl.csr.XXXXXX) || error_exit "mktemp failed"
25 |     SANS="a.getssl.test,b.getssl.test"
26 |     SANLIST="subjectAltName=DNS:${SANS//[, ]/,DNS:}"
27 |     create_key "$ACCOUNT_KEY_TYPE" "$csr_key" "$ACCOUNT_KEY_LENGTH"
28 | 
29 |     # Create an initial csr
30 |     run create_csr $csr_file $csr_key
31 |     assert_success
32 | 
33 |     # Check that calling create_csr with the same SANSLIST doesn't re-create the csr
34 |     run create_csr $csr_file $csr_key
35 |     assert_success
36 |     refute_line --partial "does not have the same domains"
37 | 
38 |     # Check that calling create_csr with a different SANSLIST does re-create the csr
39 |     SANS="a.getssl.test,b.getssl.test,c.getssl.test"
40 |     SANLIST="subjectAltName=DNS:${SANS//[, ]/,DNS:}"
41 |     run create_csr $csr_file $csr_key
42 |     assert_success
43 |     assert_line --partial "does not contain"
44 | 
45 |     # Check that calling create_csr with the same SANSLIST, but in a different order does not re-create the csr
46 |     SANS="c.getssl.test,a.getssl.test,b.getssl.test"
47 |     SANLIST="subjectAltName=DNS:${SANS//[, ]/,DNS:}"
48 |     run create_csr $csr_file $csr_key
49 |     assert_success
50 |     refute_line --partial "does not contain"
51 | 
52 |     # Check that removing a domain from the SANSLIST causes the csr to be re-created
53 |     SANS="c.getssl.test,a.getssl.test"
54 |     SANLIST="subjectAltName=DNS:${SANS//[, ]/,DNS:}"
55 |     run create_csr $csr_file $csr_key
56 |     assert_success
57 |     assert_line --partial "does not have the same domains as the config"
58 | }
59 | 


--------------------------------------------------------------------------------
/test/u6-test-combined-directory.bats:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bats
 2 | 
 3 | load '/bats-support/load.bash'
 4 | load '/bats-assert/load.bash'
 5 | load '/getssl/test/test_helper.bash'
 6 | 
 7 | # CA with a unified directory (both ACME V1 and V2 at the same URI)
 8 | CA="https://api.test4.buypass.no/acme"
 9 | 
10 | # This is run for every test
11 | setup() {
12 |     [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
13 | 
14 |     . /getssl/getssl --source
15 | 
16 |     requires curl
17 |     _NOMETER="--silent"
18 | 
19 |     _USE_DEBUG=1
20 | }
21 | 
22 | 
23 | teardown() {
24 |     [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
25 | }
26 | 
27 | 
28 | @test "Check that API V2 is selected in a unified ACME directory." {
29 |     obtain_ca_resource_locations
30 | 
31 |     [ "$API" -eq 2 ]
32 | }
33 | 


--------------------------------------------------------------------------------
/test/u8-test-get_auth_dns-cname-nslookup.bats:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bats
 2 | 
 3 | load '/bats-support/load.bash'
 4 | load '/bats-assert/load.bash'
 5 | load '/getssl/test/test_helper.bash'
 6 | 
 7 | 
 8 | # This is run for every test
 9 | setup() {
10 |     [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
11 |     for app in dig drill host
12 |     do
13 |         if [ -f /usr/bin/${app} ]; then
14 |             mv /usr/bin/${app} /usr/bin/${app}.getssl.bak
15 |         fi
16 |     done
17 | 
18 |     . /getssl/getssl --source
19 |     find_dns_utils
20 |     _USE_DEBUG=1
21 | 
22 |     NSLOOKUP_VERSION=$(echo "" | nslookup -version 2>/dev/null | awk -F"[ -]" '{ print $2 }')
23 |     # Version 9.11.3 on Ubuntu -debug doesn't work inside docker in my test env, version 9.16.1 does
24 |     if [[ "${NSLOOKUP_VERSION}" != "Invalid" ]] && check_version "${NSLOOKUP_VERSION}" "9.11.4" ; then
25 |         DNS_CHECK_OPTIONS="$DNS_CHECK_OPTIONS -debug"
26 |     else
27 |         skip "This version of nslookup either doesn't support -debug or it doesn't work in local docker"
28 |     fi
29 | }
30 | 
31 | 
32 | teardown() {
33 |     [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
34 |     for app in dig drill host
35 |     do
36 |         if [ -f /usr/bin/${app}.getssl.bak ]; then
37 |             mv /usr/bin/${app}.getssl.bak /usr/bin/${app}
38 |         fi
39 |     done
40 | }
41 | 
42 | 
43 | @test "Check get_auth_dns for a CNAME using system DNS and nslookup" {
44 |     PUBLIC_DNS_SERVER=
45 |     AUTH_DNS_SERVER=
46 |     CHECK_ALL_AUTH_DNS="false"
47 |     CHECK_PUBLIC_DNS_SERVER="false"
48 | 
49 |     # This is a CNAME, but the later `nslookup -type=txt <domain>` call will fail if set to the remote ns
50 |     run get_auth_dns _acme-challenge.ubuntu-acmedns-getssl.freeddns.org
51 |     assert_output --regexp 'set primary_ns=ns[0-9].dynu.com'
52 | }
53 | 
54 | @test "Check get_auth_dns for a CNAME using public DNS and nslookup" {
55 |     PUBLIC_DNS_SERVER=1.0.0.1
56 |     AUTH_DNS_SERVER=
57 |     CHECK_ALL_AUTH_DNS="false"
58 |     CHECK_PUBLIC_DNS_SERVER="false"
59 | 
60 |     run get_auth_dns _acme-challenge.ubuntu-acmedns-getssl.freeddns.org
61 |     assert_output --regexp 'set primary_ns=ns[0-9].dynu.com'
62 | }
63 | 


--------------------------------------------------------------------------------
/test/u9-test-ca-newlines.bats:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bats
 2 | 
 3 | load '/bats-support/load.bash'
 4 | load '/bats-assert/load.bash'
 5 | load '/getssl/test/test_helper.bash'
 6 | 
 7 | 
 8 | # This is run for every test
 9 | setup() {
10 |     [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
11 | 
12 |     . /getssl/getssl --source
13 | #    find_dns_utils
14 |     _USE_DEBUG=1
15 | }
16 | 
17 | 
18 | teardown() {
19 |     [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
20 | }
21 | 
22 | 
23 | @test "Check obtain_ca_resource_locations for LetsEncrypt (uses newlines)" {
24 |     # LetsEncrypt CA splits the directory with comma then newline
25 |     CA="https://acme-staging-v02.api.letsencrypt.org/directory"
26 |     obtain_ca_resource_locations
27 | 
28 |     assert_equal $API 2
29 |     assert_not_equal $URL_newAccount $URL_newNonce
30 |     assert_not_equal $URL_newNonce $URL_newOrder
31 |     assert_not_equal $URL_newOrder $URL_revole
32 | }
33 | 
34 | 
35 | @test "Check obtain_ca_resource_locations for Sectigo (no newlines)" {
36 |     # Sectigo CA splits the directory with commas
37 |     CA="https://acme.enterprise.sectigo.com"
38 |     obtain_ca_resource_locations
39 | 
40 |     assert_equal $API 2
41 |     assert_not_equal $URL_newAccount $URL_newNonce
42 |     assert_not_equal $URL_newNonce $URL_newOrder
43 |     assert_not_equal $URL_newOrder $URL_revole
44 | }
45 | 
46 | 
47 | @test "Check obtain_ca_resource_locations for BuyPass (no newlines)" {
48 |     # BuyPass CA splits the directory with commas
49 |     CA="https://api.test4.buypass.no/acme"
50 |     obtain_ca_resource_locations
51 | 
52 |     assert_equal $API 2
53 |     assert_not_equal $URL_newAccount $URL_newNonce
54 |     assert_not_equal $URL_newNonce $URL_newOrder
55 |     assert_not_equal $URL_newOrder $URL_revole
56 | }
57 | 


--------------------------------------------------------------------------------