Diffstat (limited to 'tests')
-rw-r--r-- | tests/account-encrypted-gpg | 2 | ||||
-rw-r--r-- | tests/account-encrypted-openssl | 3 | ||||
-rw-r--r-- | tests/accountd | 7 | ||||
-rw-r--r-- | tests/accountd-kid | 14 | ||||
-rw-r--r-- | tests/accountd-remote | 2 | ||||
-rw-r--r-- | tests/accountd-validate | 36 | ||||
-rw-r--r-- | tests/cert-extensions | 10 | ||||
-rw-r--r-- | tests/cert-install | 149 | ||||
-rw-r--r-- | tests/cert-revoke | 4 | ||||
-rw-r--r-- | tests/cert-verify | 22 | ||||
-rw-r--r-- | tests/drop-privileges | 18 | ||||
-rw-r--r-- | tests/old-accountd | 3 | ||||
-rw-r--r-- | tests/old-lacme | 10 |
13 files changed, 187 insertions, 93 deletions
diff --git a/tests/account-encrypted-gpg b/tests/account-encrypted-gpg index fd1e4ac..7cb978d 100644 --- a/tests/account-encrypted-gpg +++ b/tests/account-encrypted-gpg @@ -9,7 +9,7 @@ keyid="$(gpg --list-secret-key --with-colons | grep -m1 ^fpr: | cut -sd: -f10)" gpg --encrypt -r "$keyid" /etc/lacme/account.key sed -ri '0,\|^#?privkey\s*=.*| {s||privkey = gpg:/etc/lacme/account.key.gpg|}' /etc/lacme/lacme-accountd.conf -export GPG_TTY="$(tty)" +export GPG_TTY="$(tty)" TERM="linux" lacme account # vim: set filetype=sh : diff --git a/tests/account-encrypted-openssl b/tests/account-encrypted-openssl index e79a528..1f97fd0 100644 --- a/tests/account-encrypted-openssl +++ b/tests/account-encrypted-openssl @@ -2,9 +2,10 @@ PASSPHRASE="test" -openssl rsa -aes128 -passout pass:"$PASSPHRASE" </etc/lacme/account.key >/etc/lacme/account.enc.key +openssl rsa -in /etc/lacme/account.key -out /etc/lacme/account.enc.key -aes128 -passout pass:"$PASSPHRASE" sed -ri '0,\|^#?privkey\s*=.*| {s||privkey = file:/etc/lacme/account.enc.key|}' /etc/lacme/lacme-accountd.conf +export TERM="linux" lacme account # vim: set filetype=sh : diff --git a/tests/accountd b/tests/accountd index a603c16..433f8ad 100644 --- a/tests/accountd +++ b/tests/accountd @@ -65,6 +65,7 @@ grep -F "Error: " ~lacme-account/.local/share/lacme/accountd.log # rotate the log and start accountd rm -f ~lacme-account/.local/share/lacme/accountd.log runuser -u lacme-account -- lacme-accountd --socket="$SOCKET" --quiet & PID=$! +sleep 1 # run lacme(8) multiple times using that single lacme-accountd(1) instance lacme --socket="$SOCKET" --debug account 2>"$STDERR" || fail 
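Review bot: The new `TERM="linux"` export has no comment saying why the test needs it, here and in the matching `export TERM="linux"` added to tests/account-encrypted-openssl. If it is there so the passphrase prompt has a usable terminal type (an inference, since nothing on this page says so), a one-line comment such as `# passphrase prompt needs a known terminal type` above the export would keep a later cleanup from dropping it.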
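Review bot: The fixed `sleep 1` added after backgrounding lacme-accountd in tests/accountd is a timing guess: on a slow host the first `lacme --socket="$SOCKET"` call can still run before the socket exists, and on a fast one every run pays a full second. A bounded wait on the socket is more reliable, e.g. `i=0; until [ -S "$SOCKET" ] || [ "$i" -ge 50 ]; do sleep 0.1; i=$((i+1)); done`, followed by a `[ -S "$SOCKET" ] || fail`. The same `sleep 1` is added in tests/accountd-kid (twice), tests/old-accountd and tests/old-lacme.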
@@ -79,9 +80,9 @@ wait # ensure signature requests are logged grep -Fq "Starting lacme Account Key Manager at /home/lacme-account/S.lacme" ~lacme-account/.local/share/lacme/accountd.log -grep -Fq "[0] >>> Accepted new connection" ~lacme-account/.local/share/lacme/accountd.log -grep -Fq "[1] >>> Accepted new connection" ~lacme-account/.local/share/lacme/accountd.log +grep -Fq "[0] Accepted new connection" ~lacme-account/.local/share/lacme/accountd.log +grep -Fq "[1] Accepted new connection" ~lacme-account/.local/share/lacme/accountd.log grep -Fq "Shutting down and closing lacme Account Key Manager" ~lacme-account/.local/share/lacme/accountd.log -grep -F ">>> OK signing request:" ~lacme-account/.local/share/lacme/accountd.log +grep -F "] SIGNED header=base64url({" ~lacme-account/.local/share/lacme/accountd.log # vim: set filetype=sh : diff --git a/tests/accountd-kid b/tests/accountd-kid index e1bd63d..8a4b53c 100644 --- a/tests/accountd-kid +++ b/tests/accountd-kid 
@@ -23,13 +23,14 @@ EOF SOCKET=~lacme-account/S.lacme runuser -u lacme-account -- lacme-accountd --socket="$SOCKET" --quiet & PID=$! +sleep 1 # newAccount resource fails as per RFC 8555 sec. 6.2 it requires a JWK ! lacme --socket="$SOCKET" account 2>"$STDERR" || fail -grepstderr -Fxq "WARNING: lacme-accountd supplied an empty JWK; try removing 'keyid' setting from lacme-accountd.conf if the ACME resource request fails." +grepstderr -Fxq "Warning: lacme-accountd supplied an empty JWK; try removing 'keyid' setting from lacme-accountd.conf if the ACME resource request fails." grepstderr -Fxq "400 Bad Request (Parse error reading JWS)" -! grep -F ">>> OK signing request: header=" ~lacme-account/.local/share/lacme/accountd.log | \ - grep -vF ">>> OK signing request: header=base64url({\"alg\":\"RS256\",\"jwk\":{}," || exit 1 +grep -F "] SIGNED header=base64url({" ~lacme-account/.local/share/lacme/accountd.log >/tmp/signed +! grep -vF "] SIGNED header=base64url({\"alg\":\"RS256\",\"jwk\":{}," </tmp/signed # rotate log and restart accountd kill $PID @@ -37,6 +38,7 @@ wait rm ~lacme-account/.local/share/lacme/accountd.log runuser -u lacme-account -- lacme-accountd --socket="$SOCKET" --quiet & PID=$! +sleep 1 # newOrder works fine without JWK lacme --socket="$SOCKET" newOrder 
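Review bot: The rewritten check `! grep -vF … </tmp/signed` has lost the `|| exit 1` that the removed pipeline carried. If the harness relies on errexit (not visible on this page), a SIGNED line whose header is not the expected empty-`jwk` form would no longer fail the test, because a `!`-negated command is exempt from `set -e`. The idiom used elsewhere in these tests fixes it: end the line with `|| fail`, as in `! lacme --socket="$SOCKET" account 2>"$STDERR" || fail`. The same applies to the `kid` check in the last hunk of this file and to the new `! test -e /etc/lacme/test4.pem` style assertions in tests/cert-install. Separately, the fixed path `/tmp/signed` could be replaced by a `mktemp` file, as tests/cert-extensions already does for its scratch output.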
@@ -46,14 +48,14 @@ test /etc/lacme/simpletest.rsa.crt -nt /etc/lacme/simpletest.rsa.key lacme --socket="$SOCKET" revokeCert /etc/lacme/simpletest.rsa.crt ! lacme --socket="$SOCKET" revokeCert /etc/lacme/simpletest.rsa.crt 2>"$STDERR" || fail grepstderr -Fxq "Revoking /etc/lacme/simpletest.rsa.crt" -grepstderr -Fxq "400 Bad Request (Certificate already revoked)" +grepstderr -Fq "400 Bad Request (unable to revoke" grepstderr -Fxq "Warning: Couldn't revoke /etc/lacme/simpletest.rsa.crt" kill $PID wait # make sure all signing requests have a KID -! grep -F ">>> OK signing request: header=" ~lacme-account/.local/share/lacme/accountd.log | \ - grep -vF ">>> OK signing request: header=base64url({\"alg\":\"RS256\",\"kid\":\"$keyid\"," || exit 1 +grep -F "] SIGNED header=base64url({" ~lacme-account/.local/share/lacme/accountd.log >/tmp/signed +! grep -vF "] SIGNED header=base64url({\"alg\":\"RS256\",\"kid\":\"$keyid\"," </tmp/signed # vim: set filetype=sh : diff --git a/tests/accountd-remote b/tests/accountd-remote index 9e7f812..ce2b54e 100644 --- a/tests/accountd-remote +++ b/tests/accountd-remote @@ -50,6 +50,6 @@ lacme newOrder test /etc/lacme/simpletest.rsa.crt -nt /etc/lacme/simpletest.rsa.key # ensure signature requests are logged -grep -F ">>> OK signing request:" ~lacme-account/.local/share/lacme/accountd.log +grep -F "] SIGNED header=base64url({" ~lacme-account/.local/share/lacme/accountd.log # vim: set filetype=sh : diff --git a/tests/accountd-validate b/tests/accountd-validate new file mode 100644 index 0000000..d4be5ee --- /dev/null +++ b/tests/accountd-validate 
@@ -0,0 +1,36 @@ +# JWS Signing Input (RFC 7515) validation + +# missing or empty protected header +printf "\\r\\n" | lacme-accountd --stdio 2>"$STDERR" +grepstderr -Fq "] NOSIGN [malformed JWS Protected Header]" +printf ".foo\\r\\n" | lacme-accountd --stdio 2>"$STDERR" +grepstderr -Fq "] NOSIGN [malformed JWS Protected Header]" + +# invalid base64url-encoded protected header +printf "foo/bar.baz\\r\\n" | lacme-accountd --stdio 2>"$STDERR" +grepstderr -Fq "] NOSIGN [malformed JWS Protected Header]" + +# missing payload +printf "foo\\r\\n" | lacme-accountd --stdio 2>"$STDERR" +grepstderr -Fq "] NOSIGN [malformed JWS Payload]" + +# invalid base64url-encoded payload +printf "foo.bar/baz\\r\\n" | lacme-accountd --stdio 2>"$STDERR" +grepstderr -Fq "] NOSIGN [malformed JWS Payload]" + +# invalid JWS Protected Header: not a JSON object; missing fields "alg", +# "nonce", "url", or either "jwk" or "kid" +for s in "null" "\"str\"" "{}" "{\"alg\":\"\",\"nonce\":\"\",\"url\":\"\"}" "{\"jwk\":{}}"; do + s="$(printf "%s" "$s" | base64 -w0 | sed "s/=*$//" | tr "+/" "-_")" + printf "%s.\\r\\n" "$s" | lacme-accountd --stdio 2>"$STDERR" + grepstderr -F "] NOSIGN [invalid JWS Protected Header]" +done + +# valid JWS Protected Header and Payload +h="{\"alg\":\"\",\"nonce\":\"\",\"url\":\"\",\"jwk\":{}}" +s="$(printf "%s" "$h" | base64 -w0 | sed "s/=*$//" | tr "+/" "-_")" +p="$(printf "%s" "JWS Payload" | base64 -w0 | sed "s/=*$//" | tr "+/" "-_")" +printf "%s.%s\\r\\n" "$s" "$p" | lacme-accountd --stdio 2>"$STDERR" +grepstderr -F "] SIGNED header=base64url($h) playload=base64url(JWS Payload)" + +# vim: set filetype=sh : diff --git a/tests/cert-extensions b/tests/cert-extensions index a397ee5..d7e7855 100644 --- a/tests/cert-extensions +++ b/tests/cert-extensions 
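Review bot: The malformed-input cases assert only the NOSIGN log line on stderr; none of them checks that lacme-accountd produced no signature, which is the property this validation protects. Adding `ngrepstderr -Fq "] SIGNED "` after each rejected input would pin that, assuming the helper used in tests/cert-install is available to every test; capturing stdout and asserting it is empty would also work. The expected string `playload=base64url(` in the final case presumably mirrors a typo in the daemon's log message and will need updating if that message is corrected.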
@@ -4,13 +4,13 @@ x509_check() { local cert="$1" ext out out="$(mktemp --tmpdir)" ext="basicConstraints,subjectAltName,keyUsage,extendedKeyUsage,tlsfeature" - openssl x509 -noout -subject -ext "$ext" -nameopt compat <"$cert" >"$out" + openssl x509 -in "$cert" -noout -subject -ext "$ext" -nameopt compat >"$out" diff --unified --color=auto -b --label="a/${cert#/}" --label="b/${cert#/}" -- - "$out" } # default settings (the ACME server adds a subjectAltName with the Common Name) openssl genpkey -algorithm RSA -out /etc/lacme/test1.key -commonName="$(head -c10 /dev/urandom | base32 -w0 | tr "[A-Z]" "[a-z]").$DOMAINNAME" +commonName="$(head -c10 /dev/urandom | base32 -w0 | tr "A-Z" "a-z").$DOMAINNAME" cat >"/etc/lacme/lacme-certs.conf.d/test1.conf" <<- EOF [test1] certificate-key = /etc/lacme/test1.key @@ -34,10 +34,10 @@ EOF # subjectAltName openssl genpkey -algorithm RSA -out /etc/lacme/test2.key -commonName="$(head -c10 /dev/urandom | base32 -w0 | tr "[A-Z]" "[a-z]").$DOMAINNAME" +commonName="$(head -c10 /dev/urandom | base32 -w0 | tr "A-Z" "a-z").$DOMAINNAME" subjectAltName="" for i in $(seq 1 8); do - subjectAltName="${subjectAltName:+"$subjectAltName "}$(head -c10 /dev/urandom | base32 -w0 | tr "[A-Z]" "[a-z]").$DOMAINNAME" + subjectAltName="${subjectAltName:+"$subjectAltName "}$(head -c10 /dev/urandom | base32 -w0 | tr "A-Z" "a-z").$DOMAINNAME" done cat >"/etc/lacme/lacme-certs.conf.d/test2.conf" <<- EOF [test2] @@ -63,7 +63,7 @@ EOF # tlsfeature openssl genpkey -algorithm RSA -out /etc/lacme/test3.key -commonName="$(head -c10 /dev/urandom | base32 -w0 | tr "[A-Z]" "[a-z]").$DOMAINNAME" +commonName="$(head -c10 /dev/urandom | base32 -w0 | tr "A-Z" "a-z").$DOMAINNAME" cat >"/etc/lacme/lacme-certs.conf.d/test3.conf" <<- EOF [test3] certificate-key = /etc/lacme/test3.key diff --git a/tests/cert-install b/tests/cert-install index f2147d2..279309f 100644 --- a/tests/cert-install +++ b/tests/cert-install 
@@ -28,9 +28,58 @@ EOF grepstderr -Fxq "[bad3] Warning: Couldn't generate CSR, skipping" +check_spki() { + local p1="$1" p2="$2" s1 s2 + s1="$(openssl x509 -in "$p1" -noout -pubkey \ + | openssl pkey -pubin -outform DER \ + | openssl dgst -sha256 \ + | sed 's/.*=\s*//')" + s2="$(openssl pkey -in "$p2" -pubout -outform DER \ + | openssl dgst -sha256 \ + | sed 's/.*=\s*//')" + if [ -n "$s1" ] && [ "$s1" = "$s2" ]; then + return 0 + else + printf "%s != %s\\n" "$s1" "$s2" >&2 + return 1 + fi +} +check_chain() { + local priv="$1" chain="$2" leaf="${3-}" pem0 + + csplit -f "${chain%.crt}.chain.pem" "$chain" \ + "/-----BEGIN CERTIFICATE-----/" "{*}" + + pem0="${chain%.crt}.chain.pem00" + if [ ! -s "$pem0" ]; then + # 00 is empty, leaf cert is at 01 + rm -f -- "$pem0" + pem0="${chain%.crt}.chain.pem01" + fi + test -s "$pem0" || return 1 + check_spki "$pem0" "$priv" + + if [ -n "$leaf" ]; then + diff --ignore-blank-lines --unified "$pem0" "$leaf" || return 1 + fi + + leaf="${chain%.crt}.leaf.pem" + mv -T -- "$pem0" "$leaf" + + intermediates="${chain%.crt}.intermediates.pem" + sed "/^$/d" "${chain%.crt}.chain.pem"[0-9]* >"$intermediates" + test -s "$intermediates" || return 1 # ensure there is at least one intermediate + + openssl verify -trusted /usr/share/lacme/ca-certificates.crt \ + -untrusted "$intermediates" \ + -purpose sslserver -x509_strict \ + -show_chain \ + -- "$leaf" || return 1 +} + # 'certificate' installs only the leaf certificate openssl genpkey -algorithm RSA -out /etc/lacme/test1.key -subject="/CN=$(head -c10 /dev/urandom | base32 -w0).$DOMAINNAME" +subject="/CN=$(head -c10 /dev/urandom | base32 -w0 | tr "A-Z" "a-z").$DOMAINNAME" cat >"/etc/lacme/lacme-certs.conf.d/test1.conf" <<- EOF [test1] certificate-key = /etc/lacme/test1.key 
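Review bot: In `check_chain` the call `check_spki "$pem0" "$priv"` has no `|| return 1`, unlike the `test`, `diff` and `openssl verify` steps around it. Whenever errexit is suppressed (for instance if the function is later called as `check_chain … || fail` or inside an `if`), a leaf certificate that does not match the private key would print the mismatch but not fail the function. Use `check_spki "$pem0" "$priv" || return 1`. `intermediates` is also missing from the `local` list and leaks into the caller's scope; `local priv="$1" chain="$2" leaf="${3-}" pem0 intermediates` fixes that.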
@@ -42,23 +91,9 @@ lacme newOrder test1 2>"$STDERR" || fail newOrder test1 test /etc/lacme/test1.crt -nt /etc/lacme/test1.key sed -n "0,/^-----END CERTIFICATE-----$/ p" /etc/lacme/test1.crt >/etc/lacme/test1.pem diff --unified /etc/lacme/test1.crt /etc/lacme/test1.pem +check_spki /etc/lacme/test1.crt /etc/lacme/test1.key -check_hash() { - local p1="$1" p2 s1 s2 - s1="$(openssl x509 -noout -hash <"$p1")" - for p2 in /usr/share/lacme/ca-certificates.pem.*; do - s2="$(openssl x509 -noout -hash <"$p2")" - if [ "$s1" = "$s2" ]; then - return 0 - fi - done - return 1 -} -csplit -f /usr/share/lacme/ca-certificates.pem. /usr/share/lacme/ca-certificates.crt \ - "/-----BEGIN CERTIFICATE-----/" "{*}" -rm -f /usr/share/lacme/ca-certificates.pem.00 - # 'certificate-chain' appends the chain of trust openssl genpkey -algorithm RSA -out /etc/lacme/test2.key cat >"/etc/lacme/lacme-certs.conf.d/test2.conf" <<- EOF @@ -70,16 +105,7 @@ EOF lacme newOrder test2 2>"$STDERR" || fail newOrder test2 test /etc/lacme/test2.crt -nt /etc/lacme/test2.key -csplit -f /etc/lacme/test2.chain.pem /etc/lacme/test2.crt \ - "/-----BEGIN CERTIFICATE-----/" "{*}" -test -s /etc/lacme/test2.chain.pem01 # leaf cert (00 is empty) -rm -f /etc/lacme/test2.chain.pem0[01] -test -s /etc/lacme/test2.chain.pem02 # depth 1 - -# all certificates at depth >=1 must be in our CA bundle -for p in /etc/lacme/test2.chain.pem*; do - check_hash "$p" -done +check_chain /etc/lacme/test2.key /etc/lacme/test2.crt # 'certificate' + 'certificate-chain' openssl genpkey -algorithm RSA -out /etc/lacme/test3.key 
@@ -94,83 +120,110 @@ EOF lacme newOrder test3 2>"$STDERR" || fail newOrder test3 test /etc/lacme/test3.pem -nt /etc/lacme/test3.key test /etc/lacme/test3.crt -nt /etc/lacme/test3.key -csplit -f /etc/lacme/test3.chain.pem /etc/lacme/test3.crt \ - "/-----BEGIN CERTIFICATE-----/" "{*}" -sed -i "/^$/d" /etc/lacme/test3.chain.pem* -diff -q /etc/lacme/test3.chain.pem01 /etc/lacme/test3.pem +check_chain /etc/lacme/test3.key /etc/lacme/test3.crt /etc/lacme/test3.pem + st="$(stat -c "%U:%G %#a" /etc/lacme/test3.pem)" [ "$st" = "root:root 0644" ] st="$(stat -c "%U:%G %#a" /etc/lacme/test3.crt)" [ "$st" = "root:root 0644" ] -# chmod user +# owner user openssl genpkey -algorithm RSA -out /etc/lacme/test4.key cat >"/etc/lacme/lacme-certs.conf.d/test4.conf" <<- EOF [test4] certificate-key = /etc/lacme/test4.key certificate = /etc/lacme/test4.pem certificate-chain = /etc/lacme/test4.crt - chown = nobody + owner = nonexistent-user subject = $subject EOF +! lacme newOrder test4 2>"$STDERR" || fail newOrder test4 +grepstderr -Fxq "getpwnam(nonexistent-user)" +! test -e /etc/lacme/test4.pem +! test -e /etc/lacme/test4.crt + +sed -ri "s/^owner\\s*=.*/owner = nobody/" /etc/lacme/lacme-certs.conf.d/test4.conf lacme newOrder test4 2>"$STDERR" || fail newOrder test4 st="$(stat -c "%U:%G %#a" /etc/lacme/test4.pem)" [ "$st" = "nobody:root 0644" ] st="$(stat -c "%U:%G %#a" /etc/lacme/test4.crt)" [ "$st" = "nobody:root 0644" ] -# chmod user:group +# owner user:group openssl genpkey -algorithm RSA -out /etc/lacme/test5.key cat >"/etc/lacme/lacme-certs.conf.d/test5.conf" <<- EOF [test5] certificate-key = /etc/lacme/test5.key certificate = /etc/lacme/test5.pem certificate-chain = /etc/lacme/test5.crt - chown = nobody:nogroup + owner = nobody:nonexistent-group subject = $subject EOF +! lacme newOrder test5 2>"$STDERR" || fail newOrder test5 +grepstderr -Fxq "getgrnam(nonexistent-group)" +! test -e /etc/lacme/test5.pem +! 
test -e /etc/lacme/test5.crt + +sed -ri "s/^owner\\s*=.*/owner = nobody:nogroup/" /etc/lacme/lacme-certs.conf.d/test5.conf lacme newOrder test5 2>"$STDERR" || fail newOrder test5 st="$(stat -c "%U:%G %#a" /etc/lacme/test5.pem)" [ "$st" = "nobody:nogroup 0644" ] st="$(stat -c "%U:%G %#a" /etc/lacme/test5.crt)" [ "$st" = "nobody:nogroup 0644" ] -# chown +# umask restrictions (also test empty values) openssl genpkey -algorithm RSA -out /etc/lacme/test6.key cat >"/etc/lacme/lacme-certs.conf.d/test6.conf" <<- EOF [test6] certificate-key = /etc/lacme/test6.key - certificate = /etc/lacme/test6.pem certificate-chain = /etc/lacme/test6.crt - chmod = 0400 + certificate = + mode = + owner = subject = $subject EOF -lacme newOrder test6 2>"$STDERR" || fail newOrder test6 -st="$(stat -c "%U:%G %#a" /etc/lacme/test6.pem)" -[ "$st" = "root:root 0400" ] +( umask 0077 && lacme newOrder test6 2>"$STDERR" || fail newOrder test6 ) +! test -e /etc/lacme/test6.pem st="$(stat -c "%U:%G %#a" /etc/lacme/test6.crt)" -[ "$st" = "root:root 0400" ] +[ "$st" = "root:root 0600" ] -# post-issuance notification +# mode openssl genpkey -algorithm RSA -out /etc/lacme/test7.key cat >"/etc/lacme/lacme-certs.conf.d/test7.conf" <<- EOF [test7] certificate-key = /etc/lacme/test7.key + certificate = /etc/lacme/test7.pem certificate-chain = /etc/lacme/test7.crt + mode = 0400 subject = $subject - notify = touch /tmp/test7.notify EOF lacme newOrder test7 2>"$STDERR" || fail newOrder test7 -grepstderr -Fxq "Running notification command \`touch /tmp/test7.notify\`" -test -e /tmp/test7.notify +st="$(stat -c "%U:%G %#a" /etc/lacme/test7.pem)" +[ "$st" = "root:root 0400" ] +st="$(stat -c "%U:%G %#a" /etc/lacme/test7.crt)" +[ "$st" = "root:root 0400" ] -rm -f /tmp/test7.notify -lacme newOrder test7 2>"$STDERR" || fail newOrder test7 +# post-issuance notification +openssl genpkey -algorithm RSA -out /etc/lacme/test8.key +cat >"/etc/lacme/lacme-certs.conf.d/test8.conf" <<- EOF + [test8] + certificate-key = 
/etc/lacme/test8.key + certificate-chain = /etc/lacme/test8.crt + subject = $subject + notify = touch /tmp/test8.notify +EOF + +lacme newOrder test8 2>"$STDERR" || fail newOrder test8 +grepstderr -Fxq "Running notification command \`touch /tmp/test8.notify\`" +test -e /tmp/test8.notify + +rm -f /tmp/test8.notify +lacme newOrder test8 2>"$STDERR" || fail newOrder test8 ngrepstderr -Fq "Running notification command" -! test -e /tmp/test7.notify +! test -e /tmp/test8.notify # vim: set filetype=sh : diff --git a/tests/cert-revoke b/tests/cert-revoke index f3d585e..179ccba 100644 --- a/tests/cert-revoke +++ b/tests/cert-revoke @@ -18,7 +18,7 @@ test /etc/lacme/simpletest.ecdsa.crt -nt /etc/lacme/simpletest.ecdsa.key lacme revokeCert /etc/lacme/simpletest.ecdsa.crt ! lacme revokeCert /etc/lacme/simpletest.ecdsa.crt 2>"$STDERR" || fail grepstderr -Fxq "Revoking /etc/lacme/simpletest.ecdsa.crt" -grepstderr -Fxq "400 Bad Request (Certificate already revoked)" +grepstderr -Fq "400 Bad Request (unable to revoke" grepstderr -Fxq "Warning: Couldn't revoke /etc/lacme/simpletest.ecdsa.crt" # and the RSA certificate using the service key @@ -26,7 +26,7 @@ mv -vfT /etc/lacme/simpletest.rsa.key /etc/lacme/account.key lacme revokeCert /etc/lacme/simpletest.rsa.crt ! lacme revokeCert /etc/lacme/simpletest.rsa.crt 2>"$STDERR" || fail grepstderr -Fxq "Revoking /etc/lacme/simpletest.rsa.crt" -grepstderr -Fxq "400 Bad Request (Certificate already revoked)" +grepstderr -Fq "400 Bad Request (unable to revoke" grepstderr -Fxq "Warning: Couldn't revoke /etc/lacme/simpletest.rsa.crt" # vim: set filetype=sh : diff --git a/tests/cert-verify b/tests/cert-verify index 49629f2..a6cd336 100644 --- a/tests/cert-verify +++ b/tests/cert-verify 
@@ -8,31 +8,19 @@ for ca in /usr/share/lacme/letsencrypt-stg-root-*.pem; do done update-ca-certificates -# test (modified) trust store for intermediate certificates -openssl verify -no-CAfile -CApath /etc/ssl/certs -show_chain /usr/share/lacme/letsencrypt-stg-int-*.pem -openssl verify -no-CApath -CAfile /etc/ssl/certs/ca-certificates.crt -show_chain /usr/share/lacme/letsencrypt-stg-int-*.pem +# test (modified) trust store +openssl verify -no-CAfile -CApath /etc/ssl/certs -show_chain /usr/share/lacme/letsencrypt-stg-root-x1.pem +openssl verify -no-CApath -CAfile /etc/ssl/certs/ca-certificates.crt -show_chain /usr/share/lacme/letsencrypt-stg-root-x1.pem mv /usr/share/lacme/ca-certificates.crt /usr/share/lacme/ca-certificates.crt.back ! lacme newOrder 2>"$STDERR" || fail -grepstderr -Fxq "Can't open /usr/share/lacme/ca-certificates.crt for reading, No such file or directory" +grepstderr -Fq "Could not open file or uri for loading trusted certificates from /usr/share/lacme/ca-certificates.crt:" grepstderr -Fxq "[simpletest-rsa] Error: Received invalid X.509 certificate from ACME server!" # verification error for unrelated CA bundle cat /etc/ssl/certs/ssl-cert-snakeoil.pem >/usr/share/lacme/ca-certificates.crt ! lacme newOrder 2>"$STDERR" || fail -grepstderr -Fxq "error 20 at 0 depth lookup: unable to get local issuer certificate" -grepstderr -Fxq "[simpletest-rsa] Error: Received invalid X.509 certificate from ACME server!" - -# verification error when the CA bundle contains only the root certificates -cat /usr/share/lacme/letsencrypt-stg-root-*.pem >/usr/share/lacme/ca-certificates.crt -! lacme newOrder 2>"$STDERR" || fail -grepstderr -Fxq "error 20 at 0 depth lookup: unable to get local issuer certificate" -grepstderr -Fxq "[simpletest-rsa] Error: Received invalid X.509 certificate from ACME server!" 
- -# verification error when the CA bundle contains only the intermediate certificates -cat /usr/share/lacme/letsencrypt-stg-int-*.pem >/usr/share/lacme/ca-certificates.crt -! lacme newOrder 2>"$STDERR" || fail -grepstderr -Fxq "error 2 at 1 depth lookup: unable to get issuer certificate" +grepstderr -Fxq "error 20 at 1 depth lookup: unable to get local issuer certificate" grepstderr -Fxq "[simpletest-rsa] Error: Received invalid X.509 certificate from ACME server!" # use saved bundle as custom CAfile diff --git a/tests/drop-privileges b/tests/drop-privileges index 0596e31..8deb8f1 100644 --- a/tests/drop-privileges +++ b/tests/drop-privileges @@ -1,6 +1,17 @@ # Check privilige drop: UID/GID changes, chdir, environment, and file # descriptors +# ensure failure to drop privileges doesn't retain root privileges +sed -ri 's/^#(user|group)\s*=\s*$/\1 = nonexistent-\1/' /etc/lacme/lacme.conf +! lacme account 2>"$STDERR" || fail +grepstderr -Fxq "getgrnam(nonexistent-group)" +grepstderr -Fxq "Error: Invalid client version" + +sed -ri 's/^group\s*=\s*nonexistent.*/#&/' /etc/lacme/lacme.conf +! lacme account 2>"$STDERR" || fail +grepstderr -Fxq "getpwnam(nonexistent-user)" +grepstderr -Fxq "Error: Invalid client version" + # create wrapper to inspect processes STATUSDIR="/dev/shm/lacme-wrap" install -oroot -groot -m0755 /dev/stdin /run/lacme-wrap <<-EOF @@ -24,8 +35,7 @@ adduser --system --group \ --home /nonexistent --no-create-home \ --gecos "lacme account user" \ --quiet lacme-account -sed -ri 's|^#user\s*=\s*$|user = lacme-account|' /etc/lacme/lacme.conf -sed -ri 's|^#group\s*=\s*$|group = lacme-account|' /etc/lacme/lacme.conf +sed -ri 's/^#?(user|group)\s*=\s*nonexistent.*/\1 = lacme-account/' /etc/lacme/lacme.conf chown lacme-account: /etc/lacme/account.key install -oroot -groot -dm0755 -- "$STATUSDIR" 
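Review bot: The new block at the top of tests/drop-privileges is titled as ensuring that a failed privilege drop does not retain root, but it only matches two stderr lines; nothing here shows why `Error: Invalid client version` implies that no child kept running as root. A short comment would help, for example `# the client never starts once getgrnam()/getpwnam() fails, hence "Invalid client version"`, if that is indeed the mechanism (it is not visible in this hunk). If the process-inspection wrapper created further down could be installed before this block, asserting that it recorded nothing for these two runs would test the property directly.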
@@ -113,8 +123,8 @@ check_client() { grep -Exq "[0-9]+ 0700 $UID:$GID socket:\[[0-9]+\]" "$prefix/fd" || return 1 sed -ri '0,\#^[0-9]+ .* socket:\[[0-9]+\]$# {//d}' "$prefix/fd" - grep -Exq "[0-9]+ 0500 $UID:$GID /etc/lacme/lacme\.conf" "$prefix/fd" || return 1 - sed -ri '0,\#^[0-9]+ .* /etc/lacme/lacme\.conf$# {//d}' "$prefix/fd" + grep -Eq "^[0-9]+ 0500 $UID:$GID /tmp/lacme-client.conf\.json-" "$prefix/fd" || return 1 + sed -ri '0,\#^[0-9]+ .* /tmp/lacme-client.conf\.json-# {//d}' "$prefix/fd" ! test -s "$prefix/fd" || return 1 } check_webserver() { diff --git a/tests/old-accountd b/tests/old-accountd index b44f7ec..3ad4b31 100644 --- a/tests/old-accountd +++ b/tests/old-accountd @@ -12,7 +12,7 @@ cat >~lacme-account/.config/lacme/lacme-accountd.conf <<-EOF privkey = file:/etc/lacme/account.key EOF -echo "deb http://deb.debian.org/debian stretch main" >>/etc/apt/sources.list +echo "deb http://archive.debian.org/debian stretch main" >>/etc/apt/sources.list DEBIAN_FRONTEND="noninteractive" apt update DEBIAN_FRONTEND="noninteractive" apt install -y --no-install-recommends \ --reinstall --allow-downgrades \ @@ -21,6 +21,7 @@ DEBIAN_FRONTEND="noninteractive" apt install -y --no-install-recommends \ SOCKET=~lacme-account/S.lacme runuser -u lacme-account -- lacme-accountd --socket="$SOCKET" & PID=$! +sleep 1 lacme --socket="$SOCKET" account lacme --socket="$SOCKET" newOrder diff --git a/tests/old-lacme b/tests/old-lacme index fa7d827..278a705 100644 --- a/tests/old-lacme +++ b/tests/old-lacme @@ -1,5 +1,6 @@ -# IPC test between recent lacme-accountd(1) and ancient lacme(8) 0.5 from Debian buster -# (we don't try earlier versions as we need v2 support of the ACME API) +# IPC test between recent lacme-accountd(1) and ancient lacme(8) 0.8 from Debian Bullseye +# (we don't try earlier versions as we need v2 support of the ACME API +# and non-pinned intermediates) adduser --disabled-password \ --home /home/lacme-account \ 
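Review bot: The new pattern for the client's configuration descriptor is looser than the one it replaces: `-x` is dropped and only `^` is added, so anything after `json-` is accepted, and the dot in `lacme-client.conf` is unescaped in both the `grep` and the `sed` line. Since this check enumerates which descriptors the unprivileged client may hold, anchor it again, e.g. `grep -Eq "^[0-9]+ 0500 $UID:$GID /tmp/lacme-client\.conf\.json-[^/ ]+$"`, adjusting the suffix class to the real temp-file naming, which this hunk does not show. `check_client` starts above the hunk.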
@@ -14,18 +15,19 @@ cat >~lacme-account/.config/lacme/lacme-accountd.conf <<-EOF privkey = file:/etc/lacme/account.key EOF -echo "deb http://deb.debian.org/debian buster main" >>/etc/apt/sources.list +echo "deb http://deb.debian.org/debian bullseye main" >>/etc/apt/sources.list DEBIAN_FRONTEND="noninteractive" apt update DEBIAN_FRONTEND="noninteractive" apt install -y --no-install-recommends \ --reinstall --allow-downgrades \ -oDPkg::Options::="--force-confdef" -oDPkg::Options::="--force-overwrite" \ - lacme/buster + lacme/bullseye # restore staging environment mv -f /usr/share/lacme/ca-certificates.crt.back /usr/share/lacme/ca-certificates.crt SOCKET=~lacme-account/S.lacme runuser -u lacme-account -- lacme-accountd --socket="$SOCKET" & PID=$! +sleep 1 sed -ri "s/^\[accountd]$/#&/" /etc/lacme/lacme.conf # https://bugs.debian.org/955767 lacme --socket="$SOCKET" account lacme --socket="$SOCKET" newOrder |