From: Lukas Schauer Date: Wed, 16 Dec 2015 12:58:49 +0000 (+0100) Subject: rearranged and extended travis tests a bit X-Git-Tag: v0.1.0~116 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a4e7c43a78658fc25145a4b1be4e7eab6347f3f3;p=thirdparty%2Fdehydrated.git rearranged and extended travis tests a bit
---
diff --git a/.travis.yml b/.travis.yml
index 8fd26d0..db87996 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -5,45 +5,6 @@ cache: directories: - ngrok -before_script: - # install ngrok - - if [[ ! -e "ngrok/ngrok" ]]; then mkdir -p ngrok; (cd ngrok; wget https://dl.ngrok.com/ngrok_2.0.19_linux_amd64.zip -O ngrok.zip; unzip ngrok.zip ngrok; chmod +x ngrok); fi - - # run ngrok and grab url from logfile - - ngrok/ngrok http 8080 --log stdout --log-format logfmt --log-level debug > tmp.log & - - sleep 5 - - cat tmp.log - - export TMP_URL="$(grep -Eo "Hostname:[a-z0-9]+.ngrok.io" tmp.log | head -1 | cut -d':' -f2)" - - if [[ -z "${TMP_URL}" ]]; then exit 1; fi - - # start python http server in challenges directory - - (mkdir -p .acme-challenges/.well-known/acme-challenge; cd .acme-challenges; python -m SimpleHTTPServer 8080) & - - # generate config - - echo 'CA="https://acme-staging.api.letsencrypt.org/directory"' > config.sh - - echo 'WELLKNOWN=".acme-challenges/.well-known/acme-challenge"' >> config.sh - - echo "${TMP_URL}" > domains.txt - script: - # check if help command is working - - ./letsencrypt.sh --help - - # move config out of the way and try signing certificate by using temporary config location - - mv config.sh tmp_config.sh - - ./letsencrypt.sh --domain "${TMP_URL}" -f tmp_config.sh - - mv tmp_config.sh config.sh - - # run in cron mode (should find a non-expiring certificate) - - ./letsencrypt.sh --cron - - # check if certificate is valid in various ways - - openssl x509 -in "certs/${TMP_URL}/cert.pem" -noout -text - - openssl x509 -in "certs/${TMP_URL}/fullchain.pem" -noout -text > /dev/null - - "errout=\"$(openssl verify -verbose -CAfile \"certs/${TMP_URL}/fullchain.pem\" -purpose sslserver \"certs/${TMP_URL}/fullchain.pem\" | grep -v ': OK$' || true)\"" - - if [[ ! -z "${errout}" ]]; then printf -- "${errout}"; exit 1; fi - - # delete account key - - rm private_key.pem - - # revoke certificate using certificate key - - ./letsencrypt.sh --revoke "certs/${TMP_URL}/cert.pem" --privkey "certs/${TMP_URL}/privkey.pem" + - export CI="true" + - ./test.sh 
diff --git a/letsencrypt.sh b/letsencrypt.sh
index 64ac436..c4d6df8 100755
--- a/letsencrypt.sh
+++ b/letsencrypt.sh
@@ -372,7 +372,7 @@ sign_domain() { crt_path="${BASEDIR}/certs/${domain}/cert-${timestamp}.pem" printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' "${crt64}" > "${crt_path}" # try to load the certificate to detect corruption - echo " + Checking certificate..." >&2 + echo " + Checking certificate..." _openssl x509 -text < "${crt_path}" # Create fullchain.pem
diff --git a/test.sh b/test.sh
new file mode 100755
index 0000000..3b4d739
--- /dev/null
+++ b/test.sh
@@ -0,0 +1,131 @@
+#!/bin/bash
+
+# Fail early
+set -eu -o pipefail
+
+# Check if running in CI environment
+if [[ ! "${CI:-false}" == "true" ]]; then
+ echo "ERROR: Not running in CI environment!"
+ exit 1
+fi
+
+_TEST() {
+ echo -n "${1} "
+}
+_PASS() {
+ if [[ -z "$(cat errorlog)" ]]; then
+ echo -e "[\u001B[32mPASS\u001B[0m]"
+ else
+ _FAIL "Non-empty errorlog"
+ fi
+}
+_FAIL() {
+ echo -e "[\u001B[31mFAIL\u001B[0m]"
+ echo
+ echo "Problem: ${@}"
+ echo
+ echo "STDOUT:"
+ cat tmplog
+ echo
+ echo "STDERR:"
+ cat errorlog
+ exit 1
+}
+_CHECK_FILE() {
+ [[ -e "${1}" ]] || _FAIL "Missing file: ${1}"
+}
+_CHECK_LOG() {
+ grep "${1}" tmplog > /dev/null || _FAIL "Missing in log: ${1}"
+}
+
+# If not found (should be cached in travis) download ngrok
+if [[ ! -e "ngrok/ngrok" ]]; then
+ (
+ mkdir -p ngrok
+ cd ngrog
+ wget https://dl.ngrok.com/ngrok_2.0.19_linux_amd64.zip -O ngrok.zip
+ unzip ngrok.zip ngrok
+ chmod +x ngrok
+ )
+fi
+
+# Run ngrok and grab temporary url from logfile
+ngrok/ngrok http 8080 --log stdout --log-format logfmt --log-level debug > tmp.log &
+sleep 2
+TMP_URL="$(grep -Eo "Hostname:[a-z0-9]+.ngrok.io" tmp.log | head -1 | cut -d':' -f2)"
+if [[ -z "${TMP_URL}" ]]; then
+ echo "Couldn't get an url from ngrok, not a letsencrypt.sh bug, tests can't continue."
+ exit 1
+fi
+
+# Run python webserver in .acme-challenges directory to serve challenge responses
+mkdir -p .acme-challenges/.well-known/acme-challenge
+(
+ cd .acme-challenges
+ python -m SimpleHTTPServer 8080 > /dev/null 2> /dev/null
+) &
+
+# Generate config and create empty domains.txt
+echo 'CA="https://acme-staging.api.letsencrypt.org/directory"' > config.sh
+echo 'WELLKNOWN=".acme-challenges/.well-known/acme-challenge"' >> config.sh
+touch domains.txt
+
+# Check if help command is working
+_TEST "Checking if help command is working..."
+./letsencrypt.sh --help > tmplog 2> errorlog
+_CHECK_LOG "Default command: help"
+_CHECK_LOG "\--help (-h)"
+_CHECK_LOG "\--domain (-d) domain.tld"
+_PASS
+
+# Run in cron mode with empty domains.txt (should only generate private key and exit)
+_TEST "First run in cron mode, checking if private key is generated and registered"
+./letsencrypt.sh --cron > tmplog 2> errorlog
+_CHECK_LOG "Registering account key"
+_CHECK_FILE "private_key.pem"
+_PASS
+
+# Temporarily move config out of the way and try signing certificate by using temporary config location
+_TEST "Try signing using temporary config location and with domain as command line parameter"
+mv config.sh tmp_config.sh
+./letsencrypt.sh --domain "${TMP_URL}" -f tmp_config.sh > tmplog 2> errorlog
+_CHECK_LOG "Generating private key"
+_CHECK_LOG "Requesting challenge for ${TMP_URL}"
+_CHECK_LOG "Challenge is valid!"
+_CHECK_LOG "Creating fullchain.pem"
+_CHECK_LOG "Done!"
+_PASS
+mv tmp_config.sh config.sh
+
+# Move private key and add new location to config
+mv private_key.pem account_key.pem
+echo 'PRIVATE_KEY="./account_key.pem"' >> config.sh
+
+# Add domain to domains.txt and run in cron mode again (should find a non-expiring certificate and do nothing)
+_TEST "Run in cron mode again, this time with domain in domains.txt, should find non-expiring certificate"
+echo "${TMP_URL}" >> domains.txt
+./letsencrypt.sh --cron > tmplog 2> errorlog
+_CHECK_LOG "Skipping!"
+_PASS
+
+# Delete account key (not needed anymore)
+rm account_key.pem
+
+# Check if certificate is valid in various ways
+_TEST "Verifying certificate..."
+openssl x509 -in "certs/${TMP_URL}/cert.pem" -noout -text > tmplog 2> errorlog
+_CHECK_LOG "CN=${TMP_URL}"
+openssl x509 -in "certs/${TMP_URL}/fullchain.pem" -noout -text > /dev/null 2>> errorlog
+(openssl verify -verbose -CAfile "certs/${TMP_URL}/fullchain.pem" -purpose sslserver "certs/${TMP_URL}/fullchain.pem" 2>&1 || true) | (grep -v ': OK$' || true) >> errorlog 2>> errorlog
+_PASS
+
+# Revoke certificate using certificate key
+_TEST "Revoking certificate..."
+./letsencrypt.sh --revoke "certs/${TMP_URL}/cert.pem" --privkey "certs/${TMP_URL}/privkey.pem" > tmplog 2> errorlog
+_CHECK_LOG "Revoking certs/${TMP_URL}/cert.pem"
+_CHECK_LOG "SUCCESS"
+_CHECK_FILE "certs/${TMP_URL}/cert.pem-revoked"
+_PASS
+
+# All done
+exit 0
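Review bot: The ngrok download branch runs `cd ngrog`, but the directory created on the line before is `ngrok`, so under `set -eu -o pipefail` the subshell fails and the test run aborts whenever the Travis cache does not already hold `ngrok/ngrok`; it should read `cd ngrok`. The same branch unpacks and later executes a binary fetched by `wget` with no integrity check, and the result is kept in the CI cache, so a pinned digest should be verified before `unzip`, for example `echo "<EXPECTED_SHA256>  ngrok.zip" | sha256sum -c -` (placeholder; take the digest from a trusted source). The ngrok tunnel and the `python -m SimpleHTTPServer 8080` process are started in the background and are not stopped on the `exit 0` path or on the `_FAIL` path, so an `EXIT` trap that kills both would close the public tunnel when the script ends. `_CHECK_LOG` hands its argument to `grep` as a regular expression, which is why the help checks need the `\--` prefix and why the dots in `${TMP_URL}` match any character; `grep -F -- "${1}" tmplog` would match the text literally.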