From 6a4541ade95e6649eb6b4d66e8213a90c9739b49 Mon Sep 17 00:00:00 2001 From: Nicolas Duchon Date: Mon, 7 Dec 2020 19:40:41 +0100 Subject: [PATCH 1/4] Fix expected empty test output They still require an (empty) expected-std-out.txt file --- test/tests/acme_accounts/expected-std-out.txt | 1 + test/tests/certs_san/expected-std-out.txt | 1 + test/tests/certs_single/expected-std-out.txt | 1 + test/tests/certs_single_domain/expected-std-out.txt | 1 + test/tests/certs_standalone/expected-std-out.txt | 1 + test/tests/default_cert/expected-std-out.txt | 1 + test/tests/force_renew/expected-std-out.txt | 1 + test/tests/permissions_custom/expected-std-out.txt | 1 + test/tests/permissions_default/expected-std-out.txt | 1 + test/tests/private_keys/expected-std-out.txt | 1 + test/tests/unit_tests/expected-std-out.txt | 1 + 11 files changed, 11 insertions(+) create mode 100644 test/tests/acme_accounts/expected-std-out.txt create mode 100644 test/tests/certs_san/expected-std-out.txt create mode 100644 test/tests/certs_single/expected-std-out.txt create mode 100644 test/tests/certs_single_domain/expected-std-out.txt create mode 100644 test/tests/certs_standalone/expected-std-out.txt create mode 100644 test/tests/default_cert/expected-std-out.txt create mode 100644 test/tests/force_renew/expected-std-out.txt create mode 100644 test/tests/permissions_custom/expected-std-out.txt create mode 100644 test/tests/permissions_default/expected-std-out.txt create mode 100644 test/tests/private_keys/expected-std-out.txt create mode 100644 test/tests/unit_tests/expected-std-out.txt diff --git a/test/tests/acme_accounts/expected-std-out.txt b/test/tests/acme_accounts/expected-std-out.txt new file mode 100644 index 00000000..8b137891 --- /dev/null +++ b/test/tests/acme_accounts/expected-std-out.txt @@ -0,0 +1 @@ + diff --git a/test/tests/certs_san/expected-std-out.txt b/test/tests/certs_san/expected-std-out.txt new file mode 100644 index 00000000..8b137891 --- /dev/null 
+++ b/test/tests/certs_san/expected-std-out.txt @@ -0,0 +1 @@ + diff --git a/test/tests/certs_single/expected-std-out.txt b/test/tests/certs_single/expected-std-out.txt new file mode 100644 index 00000000..8b137891 --- /dev/null +++ b/test/tests/certs_single/expected-std-out.txt @@ -0,0 +1 @@ + diff --git a/test/tests/certs_single_domain/expected-std-out.txt b/test/tests/certs_single_domain/expected-std-out.txt new file mode 100644 index 00000000..8b137891 --- /dev/null +++ b/test/tests/certs_single_domain/expected-std-out.txt @@ -0,0 +1 @@ + diff --git a/test/tests/certs_standalone/expected-std-out.txt b/test/tests/certs_standalone/expected-std-out.txt new file mode 100644 index 00000000..8b137891 --- /dev/null +++ b/test/tests/certs_standalone/expected-std-out.txt @@ -0,0 +1 @@ + diff --git a/test/tests/default_cert/expected-std-out.txt b/test/tests/default_cert/expected-std-out.txt new file mode 100644 index 00000000..8b137891 --- /dev/null +++ b/test/tests/default_cert/expected-std-out.txt @@ -0,0 +1 @@ + diff --git a/test/tests/force_renew/expected-std-out.txt b/test/tests/force_renew/expected-std-out.txt new file mode 100644 index 00000000..8b137891 --- /dev/null +++ b/test/tests/force_renew/expected-std-out.txt @@ -0,0 +1 @@ + diff --git a/test/tests/permissions_custom/expected-std-out.txt b/test/tests/permissions_custom/expected-std-out.txt new file mode 100644 index 00000000..8b137891 --- /dev/null +++ b/test/tests/permissions_custom/expected-std-out.txt @@ -0,0 +1 @@ + diff --git a/test/tests/permissions_default/expected-std-out.txt b/test/tests/permissions_default/expected-std-out.txt new file mode 100644 index 00000000..8b137891 --- /dev/null +++ b/test/tests/permissions_default/expected-std-out.txt @@ -0,0 +1 @@ + diff --git a/test/tests/private_keys/expected-std-out.txt b/test/tests/private_keys/expected-std-out.txt new file mode 100644 index 00000000..8b137891 --- /dev/null +++ b/test/tests/private_keys/expected-std-out.txt @@ -0,0 +1 @@ + 
diff --git a/test/tests/unit_tests/expected-std-out.txt b/test/tests/unit_tests/expected-std-out.txt new file mode 100644 index 00000000..8b137891 --- /dev/null +++ b/test/tests/unit_tests/expected-std-out.txt @@ -0,0 +1 @@ + From 39682fa3e6745a11a0c22653a6fede6dc32d09a9 Mon Sep 17 00:00:00 2001 From: Nicolas Duchon Date: Mon, 7 Dec 2020 21:04:29 +0100 Subject: [PATCH 2/4] Test any image passed as argument to test/run.sh --- test/config.sh | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/test/config.sh b/test/config.sh index 3f731dbf..6bfd204b 100755 --- a/test/config.sh +++ b/test/config.sh @@ -1,12 +1,7 @@ #!/bin/bash set -e -testAlias+=( - [jrcs/letsencrypt-nginx-proxy-companion]='le-companion' -) - -imageTests+=( - [le-companion]=' +globalTests+=( docker_api location_config default_cert @@ -21,5 +16,4 @@ imageTests+=( permissions_default permissions_custom symlinks - ' ) From 082ad32f49c08d078e3d910f1c556f20d5bcf7cd Mon Sep 17 00:00:00 2001 From: Nicolas Duchon Date: Mon, 7 Dec 2020 21:05:32 +0100 Subject: [PATCH 3/4] Fix the private_keys test --- app/cleanup_test_artifacts | 6 ++++++ test/tests/private_keys/run.sh | 16 ++++++++-------- 2 files changed, 14 insertions(+), 8 deletions(-) diff --git a/app/cleanup_test_artifacts b/app/cleanup_test_artifacts index 519ec684..801021e1 100755 --- a/app/cleanup_test_artifacts +++ b/app/cleanup_test_artifacts @@ -31,6 +31,10 @@ done for domain in le1.wtf le2.wtf le3.wtf le4.wtf lim.it; do folder="/etc/nginx/certs/$domain" [[ -d "$folder" ]] && rm -rf "$folder" + folder="/etc/acme.sh/default/$domain" + [[ -d "$folder" ]] && rm -rf "$folder" + folder="/etc/acme.sh/default/${domain}_ecc" + [[ -d "$folder" ]] && rm -rf "$folder" location_file="/etc/nginx/vhost.d/$domain" [[ -f "$location_file" ]] && rm -rf "$location_file" 2> /dev/null for extension in key crt chain.pem dhparam.pem; do 
@@ -38,3 +42,5 @@ for domain in le1.wtf le2.wtf le3.wtf le4.wtf lim.it; do [[ -L "$symlink" ]] && rm -rf "$symlink" done done + +exit 0 diff --git a/test/tests/private_keys/run.sh b/test/tests/private_keys/run.sh index 224bac72..d5886c3b 100755 --- a/test/tests/private_keys/run.sh +++ b/test/tests/private_keys/run.sh @@ -27,12 +27,11 @@ trap cleanup EXIT declare -A key_types key_types=( \ - ['1024']='RSA Public-Key: (1024 bit)' \ ['2048']='RSA Public-Key: (2048 bit)' \ + ['3072']='RSA Public-Key: (3072 bit)' \ ['4096']='RSA Public-Key: (4096 bit)' \ - ['ec256']='secp256r1' \ - ['ec384']='secp384r1' \ - ['ec512']='secp512r1' \ + ['ec-256']='prime256v1' \ + ['ec-384']='secp384r1' \ ) for key in "${!key_types[@]}"; do @@ -42,7 +41,7 @@ for key in "${!key_types[@]}"; do --name "${key}" \ -e "VIRTUAL_HOST=${domains[0]}" \ -e "LETSENCRYPT_HOST=${domains[0]}" \ - -e "LETSENCRYPT_PRIVATE_KEY=${key}" \ + -e "LETSENCRYPT_KEYSIZE=${key}" \ --network boulder_bluenet \ nginx:alpine > /dev/null; then @@ -54,14 +53,15 @@ for key in "${!key_types[@]}"; do # Grep the expected string from the public key in text form. if wait_for_symlink "${domains[0]}" "$le_container_name"; then public_key=$(docker exec "$le_container_name" openssl pkey -in "/etc/nginx/certs/${domains[0]}.key" -noout -text_pub) - if ! grep "${key_types[$key]}" <<< "$public_key"; then + if ! grep -q "${key_types[$key]}" <<< "$public_key"; then echo "Keys for test $key were not of the correct type, expected ${key_types[$key]} and got the following:" echo "$public_key" fi + else + echo "${key_types[$key]} key test timed out" fi docker stop "${key}" &> /dev/null - docker exec "$le_container_name" rm -rf /etc/nginx/certs/le?.wtf* - docker exec "$le_container_name" rm -rf /etc/acme.sh/default/le?.wtf* + docker exec "$le_container_name" /app/cleanup_test_artifacts done From 6bfdd8710991e2fa3e9a60a7dabc3857f6c4dd1f Mon Sep 17 00:00:00 2001 
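Review bot: The unconditional `exit 0` appended at the end of app/cleanup_test_artifacts makes the script's exit status meaningless to callers such as the `docker exec "$le_container_name" /app/cleanup_test_artifacts` line added in test/tests/private_keys/run.sh, so an `rm -rf` that fails (for example on a permission error) is never surfaced. It looks like the line exists only because the final `[[ -L "$symlink" ]] && rm -rf "$symlink"` in the loop returns 1 when no symlink is present; writing that last step as `if [[ -L "$symlink" ]]; then rm -rf "$symlink"; fi` yields status 0 when there is nothing to remove and rm's status otherwise, which removes the need for `exit 0`. Whether the file runs under `set -e` is not visible in this hunk.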
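Review bot: The RSA entries added to `key_types` start with `RSA Public-Key:`, which is a detail of the `openssl pkey -text_pub` text format that has differed between OpenSSL releases, so the assertion is pinned to whichever OpenSSL the container image happens to ship rather than to the key size it means to check. Matching on `Public-Key: (3072 bit)` (and likewise `Public-Key: (2048 bit)` and `Public-Key: (4096 bit)`) keeps the size check intact while tolerating that prefix. The `for key` loop this table feeds begins at the end of the hunk and continues outside it.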
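Review bot: `grep -q "${key_types[$key]}" <<< "$public_key"` interprets the expected string as a basic regular expression, so `RSA Public-Key: (2048 bit)` only matches because BRE treats `(` and `)` literally; make the intent explicit with a fixed-string match and an end-of-options marker: `if ! grep -qF -- "${key_types[$key]}" <<< "$public_key"; then`. The new `else` branch reports the timeout on stdout in the same way as a type mismatch, which presumably is what the expected-std-out.txt comparison catches, but the exit status of the new `/app/cleanup_test_artifacts` call is ignored, so leftover state from one key type can silently leak into the next iteration. The enclosing `for key` loop starts outside this hunk.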
From: Nicolas Duchon Date: Mon, 7 Dec 2020 21:10:14 +0100 Subject: [PATCH 4/4] Fix private keys types --- app/letsencrypt_service | 6 ++++-- docs/Let's-Encrypt-and-ACME.md | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/app/letsencrypt_service b/app/letsencrypt_service index 61d83c6d..ffc9fbd4 100755 --- a/app/letsencrypt_service +++ b/app/letsencrypt_service @@ -143,7 +143,7 @@ function update_cert { local -n cert_keysize="LETSENCRYPT_${cid}_KEYSIZE" if [[ -z "$cert_keysize" || "$cert_keysize" == "" ]] || \ - [[ ! "$cert_keysize" =~ ^(2048|3072|4096|8192|ec-256|ec-384|ec-512)$ ]]; then + [[ ! "$cert_keysize" =~ ^(2048|3072|4096|ec-256|ec-384)$ ]]; then cert_keysize=$DEFAULT_KEY_SIZE fi params_issue_arr+=(--keylength "$cert_keysize") @@ -277,7 +277,9 @@ function update_cert { # Using amce.sh --preferred-chain to select alternate chain. params_issue_arr+=(--preferred-chain "$acme_preferred_chain") fi - [[ "$RENEW_PRIVATE_KEYS" == false || "$REUSE_PRIVATE_KEYS" == true ]] && params_issue_arr+=(--always-force-new-domain-key) + if [[ "$RENEW_PRIVATE_KEYS" != 'false' && "$REUSE_PRIVATE_KEYS" != 'true' ]]; then + params_issue_arr+=(--always-force-new-domain-key) + fi [[ "${2:-}" == "--force-renew" ]] && params_issue_arr+=(--force) # Create directory for the first domain diff --git a/docs/Let's-Encrypt-and-ACME.md b/docs/Let's-Encrypt-and-ACME.md index 31ec7f93..e613f52c 100644 --- a/docs/Let's-Encrypt-and-ACME.md +++ b/docs/Let's-Encrypt-and-ACME.md 
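Review bot: The tightened pattern `^(2048|3072|4096|ec-256|ec-384)$` silently substitutes `$DEFAULT_KEY_SIZE` for any other value, so a container that still asks for the now-removed `8192` or `ec-512` gets a different key type with nothing on this path reporting it; emit a warning before the fallback, e.g. `echo "Warning: unsupported LETSENCRYPT_KEYSIZE '${cert_keysize}' for container ${cid}, using ${DEFAULT_KEY_SIZE}" >&2`. `$DEFAULT_KEY_SIZE` itself is not checked against the same set here; its definition is outside this hunk, and if it is user-settable the same validation should apply to it. `update_cert` starts and ends outside this hunk.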
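Review bot: The new `if [[ "$RENEW_PRIVATE_KEYS" != 'false' && "$REUSE_PRIVATE_KEYS" != 'true' ]]` compares both variables as exact lowercase strings, so values such as `False` or `TRUE` fall through to forcing a new domain key; that is the safer direction, but the reader cannot tell from the hunk whether it is intended, so add a why-comment above the `if`, e.g. `# acme.sh keeps the existing domain key unless told otherwise; force a fresh key on every (re)issue unless the user opted out.` If the rest of the file case-normalises boolean env vars, this condition should use the same form (`${RENEW_PRIVATE_KEYS,,}`), which cannot be confirmed from this hunk. `update_cert` starts and ends outside this hunk.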
@@ -50,7 +50,7 @@ The `LETSENCRYPT_EMAIL` environment variable must be a valid email and will be u #### Private key size -The `LETSENCRYPT_KEYSIZE` environment variable determines the type and size of the requested key. Supported values are `2048`, `3072`, `4096` and `8192` for RSA keys, and `ec-256`, `ec-384` or `ec-512` for elliptic curve keys. The default is RSA 4096. +The `LETSENCRYPT_KEYSIZE` environment variable determines the type and size of the requested key. Supported values are `2048`, `3072` and `4096` for RSA keys, and `ec-256` or `ec-384` for elliptic curve keys. The default is RSA 4096. #### Test certificates