From bb3ef24a8d97dd9b0299cf23e4815c57c5ad7fb7 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 24 Feb 2021 13:17:43 +0100 Subject: typofix --- tests/cert-install | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'tests/cert-install') diff --git a/tests/cert-install b/tests/cert-install index f2147d2..347570c 100644 --- a/tests/cert-install +++ b/tests/cert-install @@ -103,7 +103,7 @@ st="$(stat -c "%U:%G %#a" /etc/lacme/test3.pem)" st="$(stat -c "%U:%G %#a" /etc/lacme/test3.crt)" [ "$st" = "root:root 0644" ] -# chmod user +# chown user openssl genpkey -algorithm RSA -out /etc/lacme/test4.key cat >"/etc/lacme/lacme-certs.conf.d/test4.conf" <<- EOF [test4] @@ -120,7 +120,7 @@ st="$(stat -c "%U:%G %#a" /etc/lacme/test4.pem)" st="$(stat -c "%U:%G %#a" /etc/lacme/test4.crt)" [ "$st" = "nobody:root 0644" ] -# chmod user:group +# chown user:group openssl genpkey -algorithm RSA -out /etc/lacme/test5.key cat >"/etc/lacme/lacme-certs.conf.d/test5.conf" <<- EOF [test5] @@ -137,7 +137,7 @@ st="$(stat -c "%U:%G %#a" /etc/lacme/test5.pem)" st="$(stat -c "%U:%G %#a" /etc/lacme/test5.crt)" [ "$st" = "nobody:nogroup 0644" ] -# chown +# chmod openssl genpkey -algorithm RSA -out /etc/lacme/test6.key cat >"/etc/lacme/lacme-certs.conf.d/test6.conf" <<- EOF [test6] -- cgit v1.2.3 From c96f887e5d8a1625f7dfb76d7f646499aead8eed Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 24 Feb 2021 13:18:00 +0100 Subject: tab damage --- tests/cert-install | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'tests/cert-install') diff --git a/tests/cert-install b/tests/cert-install index 347570c..afc86c3 100644 --- a/tests/cert-install +++ b/tests/cert-install @@ -110,7 +110,7 @@ cat >"/etc/lacme/lacme-certs.conf.d/test4.conf" <<- EOF certificate-key = /etc/lacme/test4.key certificate = /etc/lacme/test4.pem certificate-chain = /etc/lacme/test4.crt - chown = nobody + chown = nobody subject = $subject EOF 
@@ -127,7 +127,7 @@ cat >"/etc/lacme/lacme-certs.conf.d/test5.conf" <<- EOF certificate-key = /etc/lacme/test5.key certificate = /etc/lacme/test5.pem certificate-chain = /etc/lacme/test5.crt - chown = nobody:nogroup + chown = nobody:nogroup subject = $subject EOF @@ -144,7 +144,7 @@ cat >"/etc/lacme/lacme-certs.conf.d/test6.conf" <<- EOF certificate-key = /etc/lacme/test6.key certificate = /etc/lacme/test6.pem certificate-chain = /etc/lacme/test6.crt - chmod = 0400 + chmod = 0400 subject = $subject EOF -- cgit v1.2.3 From 539e3a8b8a2baf6746716125e99231da14a153a9 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 24 Feb 2021 13:19:21 +0100 Subject: tests/cert-install: Include tests for failing chown(2). Due to unknown user/group name. --- tests/cert-install | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'tests/cert-install') diff --git a/tests/cert-install b/tests/cert-install index afc86c3..39110f4 100644 --- a/tests/cert-install +++ b/tests/cert-install @@ -120,6 +120,15 @@ st="$(stat -c "%U:%G %#a" /etc/lacme/test4.pem)" st="$(stat -c "%U:%G %#a" /etc/lacme/test4.crt)" [ "$st" = "nobody:root 0644" ] +rm -f /etc/lacme/test4.pem /etc/lacme/test4.crt +sed -ri "s/^chown\\s*=.*/chown = nonexistent-user/" /etc/lacme/lacme-certs.conf.d/test4.conf +! lacme newOrder test4 2>"$STDERR" || fail newOrder test4 +grepstderr -Fxq "getpwnam(nonexistent-user)" +st="$(stat -c "%U:%G %#a" /etc/lacme/test4.pem)" +[ "$st" = "root:root 0644" ] +st="$(stat -c "%U:%G %#a" /etc/lacme/test4.crt)" +[ "$st" = "root:root 0644" ] + # chown user:group openssl genpkey -algorithm RSA -out /etc/lacme/test5.key cat >"/etc/lacme/lacme-certs.conf.d/test5.conf" <<- EOF 
@@ -137,6 +146,15 @@ st="$(stat -c "%U:%G %#a" /etc/lacme/test5.pem)" st="$(stat -c "%U:%G %#a" /etc/lacme/test5.crt)" [ "$st" = "nobody:nogroup 0644" ] +rm -f /etc/lacme/test5.pem /etc/lacme/test5.crt +sed -ri "s/^chown\\s*=.*/chown = nobody:nonexistent-group/" /etc/lacme/lacme-certs.conf.d/test5.conf +! lacme newOrder test5 2>"$STDERR" || fail newOrder test5 +grepstderr -Fxq "getgrnam(nonexistent-group)" +st="$(stat -c "%U:%G %#a" /etc/lacme/test5.pem)" +[ "$st" = "root:root 0644" ] +st="$(stat -c "%U:%G %#a" /etc/lacme/test5.crt)" +[ "$st" = "root:root 0644" ] + # chmod openssl genpkey -algorithm RSA -out /etc/lacme/test6.key cat >"/etc/lacme/lacme-certs.conf.d/test6.conf" <<- EOF -- cgit v1.2.3 From cdd025133a306cd8d3e81aa832ac056119d65f3a Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 24 Feb 2021 20:03:44 +0100 Subject: lacme: Don't write certificate(-chain) file on chown/chmod failure. Otherwise we end up with files with mode 0644 owned by root:root, and subsequent lacme(8) invocations will likely not renew them for a while. This change also saves a chown(2) call. And the new logic (chown resp. chmod from root:root resp. 0600) is safe if we ever include private key material in there too. --- tests/cert-install | 34 ++++++++++++++-------------------- 1 file changed, 14 insertions(+), 20 deletions(-) (limited to 'tests/cert-install') diff --git a/tests/cert-install b/tests/cert-install index 39110f4..5d8a239 100644 --- a/tests/cert-install +++ b/tests/cert-install 
@@ -110,25 +110,22 @@ cat >"/etc/lacme/lacme-certs.conf.d/test4.conf" <<- EOF certificate-key = /etc/lacme/test4.key certificate = /etc/lacme/test4.pem certificate-chain = /etc/lacme/test4.crt - chown = nobody + chown = nonexistent-user subject = $subject EOF +! lacme newOrder test4 2>"$STDERR" || fail newOrder test4 +grepstderr -Fxq "getpwnam(nonexistent-user)" +! test -e /etc/lacme/test4.pem +! test -e /etc/lacme/test4.crt + +sed -ri "s/^chown\\s*=.*/chown = nobody/" /etc/lacme/lacme-certs.conf.d/test4.conf lacme newOrder test4 2>"$STDERR" || fail newOrder test4 st="$(stat -c "%U:%G %#a" /etc/lacme/test4.pem)" [ "$st" = "nobody:root 0644" ] st="$(stat -c "%U:%G %#a" /etc/lacme/test4.crt)" [ "$st" = "nobody:root 0644" ] -rm -f /etc/lacme/test4.pem /etc/lacme/test4.crt -sed -ri "s/^chown\\s*=.*/chown = nonexistent-user/" /etc/lacme/lacme-certs.conf.d/test4.conf -! lacme newOrder test4 2>"$STDERR" || fail newOrder test4 -grepstderr -Fxq "getpwnam(nonexistent-user)" -st="$(stat -c "%U:%G %#a" /etc/lacme/test4.pem)" -[ "$st" = "root:root 0644" ] -st="$(stat -c "%U:%G %#a" /etc/lacme/test4.crt)" -[ "$st" = "root:root 0644" ] - # chown user:group openssl genpkey -algorithm RSA -out /etc/lacme/test5.key cat >"/etc/lacme/lacme-certs.conf.d/test5.conf" <<- EOF 
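Review bot: The two new assertions `! test -e /etc/lacme/test4.pem` and `! test -e /etc/lacme/test4.crt` cannot fail the script if it relies on `set -e`, as the bare `[ "$st" = ... ]` checks around them appear to: bash exempts a pipeline whose status is inverted with `!` from errexit, so a certificate left behind after the getpwnam failure would go unnoticed. The `! lacme newOrder test4 ... || fail newOrder test4` line just above is fine because it handles the status explicitly. Write the file checks as `[ ! -e /etc/lacme/test4.pem ]` and `[ ! -e /etc/lacme/test4.crt ]`, or append `|| fail ...` to each, so a leftover file actually aborts the run. The top of the script, where `set -e` and `fail` would be defined, is outside this hunk.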
@@ -136,25 +133,22 @@ cat >"/etc/lacme/lacme-certs.conf.d/test5.conf" <<- EOF certificate-key = /etc/lacme/test5.key certificate = /etc/lacme/test5.pem certificate-chain = /etc/lacme/test5.crt - chown = nobody:nogroup + chown = nobody:nonexistent-group subject = $subject EOF +! lacme newOrder test5 2>"$STDERR" || fail newOrder test5 +grepstderr -Fxq "getgrnam(nonexistent-group)" +! test -e /etc/lacme/test5.pem +! test -e /etc/lacme/test5.crt + +sed -ri "s/^chown\\s*=.*/chown = nobody:nogroup/" /etc/lacme/lacme-certs.conf.d/test5.conf lacme newOrder test5 2>"$STDERR" || fail newOrder test5 st="$(stat -c "%U:%G %#a" /etc/lacme/test5.pem)" [ "$st" = "nobody:nogroup 0644" ] st="$(stat -c "%U:%G %#a" /etc/lacme/test5.crt)" [ "$st" = "nobody:nogroup 0644" ] -rm -f /etc/lacme/test5.pem /etc/lacme/test5.crt -sed -ri "s/^chown\\s*=.*/chown = nobody:nonexistent-group/" /etc/lacme/lacme-certs.conf.d/test5.conf -! lacme newOrder test5 2>"$STDERR" || fail newOrder test5 -grepstderr -Fxq "getgrnam(nonexistent-group)" -st="$(stat -c "%U:%G %#a" /etc/lacme/test5.pem)" -[ "$st" = "root:root 0644" ] -st="$(stat -c "%U:%G %#a" /etc/lacme/test5.crt)" -[ "$st" = "root:root 0644" ] - # chmod openssl genpkey -algorithm RSA -out /etc/lacme/test6.key cat >"/etc/lacme/lacme-certs.conf.d/test6.conf" <<- EOF -- cgit v1.2.3 From c612a7ff44995f4f9c39fa0fb68470d90c88decf Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 24 Feb 2021 21:01:12 +0100 Subject: lacme: Default mode for certificate(-chain) creation is 0644 minus umask restrictions. Also, always spawn the client with umask 0022 so a starting lacme(8) with a restrictive umask doesn't impede serving challenge response files. --- tests/cert-install | 45 +++++++++++++++++++++++++++++++-------------- 1 file changed, 31 insertions(+), 14 deletions(-) (limited to 'tests/cert-install') diff --git a/tests/cert-install b/tests/cert-install index 5d8a239..c49a294 100644 --- a/tests/cert-install +++ b/tests/cert-install 
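Review bot: `! test -e /etc/lacme/test5.pem` and `! test -e /etc/lacme/test5.crt` are no-ops as assertions under errexit, because a `!`-inverted pipeline is excluded from `set -e` handling; if the script depends on errexit (the surrounding bare `[ ... ]` checks suggest it does), a certificate written despite the getgrnam failure would not be detected. Use `test ! -e /etc/lacme/test5.pem` and `test ! -e /etc/lacme/test5.crt` (or `[ ! -e ... ]`) so the negation happens inside the test rather than on its exit status. The hunk ends at the start of the test6 heredoc, so the assertions that follow it are not visible here.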
@@ -149,40 +149,57 @@ st="$(stat -c "%U:%G %#a" /etc/lacme/test5.pem)" st="$(stat -c "%U:%G %#a" /etc/lacme/test5.crt)" [ "$st" = "nobody:nogroup 0644" ] -# chmod +# umask restrictions (also test empty values) openssl genpkey -algorithm RSA -out /etc/lacme/test6.key cat >"/etc/lacme/lacme-certs.conf.d/test6.conf" <<- EOF [test6] certificate-key = /etc/lacme/test6.key - certificate = /etc/lacme/test6.pem certificate-chain = /etc/lacme/test6.crt - chmod = 0400 + certificate = + chmod = + chown = subject = $subject EOF -lacme newOrder test6 2>"$STDERR" || fail newOrder test6 -st="$(stat -c "%U:%G %#a" /etc/lacme/test6.pem)" -[ "$st" = "root:root 0400" ] +( umask 0077 && lacme newOrder test6 2>"$STDERR" || fail newOrder test6 ) +! test -e /etc/lacme/test6.pem st="$(stat -c "%U:%G %#a" /etc/lacme/test6.crt)" -[ "$st" = "root:root 0400" ] +[ "$st" = "root:root 0600" ] -# post-issuance notification +# chmod openssl genpkey -algorithm RSA -out /etc/lacme/test7.key cat >"/etc/lacme/lacme-certs.conf.d/test7.conf" <<- EOF [test7] certificate-key = /etc/lacme/test7.key + certificate = /etc/lacme/test7.pem certificate-chain = /etc/lacme/test7.crt + chmod = 0400 subject = $subject - notify = touch /tmp/test7.notify EOF lacme newOrder test7 2>"$STDERR" || fail newOrder test7 -grepstderr -Fxq "Running notification command \`touch /tmp/test7.notify\`" -test -e /tmp/test7.notify +st="$(stat -c "%U:%G %#a" /etc/lacme/test7.pem)" +[ "$st" = "root:root 0400" ] +st="$(stat -c "%U:%G %#a" /etc/lacme/test7.crt)" +[ "$st" = "root:root 0400" ] -rm -f /tmp/test7.notify -lacme newOrder test7 2>"$STDERR" || fail newOrder test7 +# post-issuance notification +openssl genpkey -algorithm RSA -out /etc/lacme/test8.key +cat >"/etc/lacme/lacme-certs.conf.d/test8.conf" <<- EOF + [test8] + certificate-key = /etc/lacme/test8.key + certificate-chain = /etc/lacme/test8.crt + subject = $subject + notify = touch /tmp/test8.notify +EOF + +lacme newOrder test8 2>"$STDERR" || fail newOrder test8 +grepstderr 
-Fxq "Running notification command \`touch /tmp/test8.notify\`" +test -e /tmp/test8.notify + +rm -f /tmp/test8.notify +lacme newOrder test8 2>"$STDERR" || fail newOrder test8 ngrepstderr -Fq "Running notification command" -! test -e /tmp/test7.notify +! test -e /tmp/test8.notify # vim: set filetype=sh : -- cgit v1.2.3 From c6a4aaa6128d55ba5f7f3cd2bd75f789f69ae407 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 24 Feb 2021 21:24:13 +0100 Subject: lacme: Add 'owner' resp. 'mode' as (prefered) alias for 'chown' resp. 'chmod'. --- tests/cert-install | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) (limited to 'tests/cert-install') diff --git a/tests/cert-install b/tests/cert-install index c49a294..4b3e820 100644 --- a/tests/cert-install +++ b/tests/cert-install @@ -103,14 +103,14 @@ st="$(stat -c "%U:%G %#a" /etc/lacme/test3.pem)" st="$(stat -c "%U:%G %#a" /etc/lacme/test3.crt)" [ "$st" = "root:root 0644" ] -# chown user +# owner user openssl genpkey -algorithm RSA -out /etc/lacme/test4.key cat >"/etc/lacme/lacme-certs.conf.d/test4.conf" <<- EOF [test4] certificate-key = /etc/lacme/test4.key certificate = /etc/lacme/test4.pem certificate-chain = /etc/lacme/test4.crt - chown = nonexistent-user + owner = nonexistent-user subject = $subject EOF 
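Review bot: In `( umask 0077 && lacme newOrder test6 2>"$STDERR" || fail newOrder test6 )` the `fail` call runs inside the subshell, so however it aborts (presumably `exit`) it only terminates the subshell, and the `a && b || c` shape also routes a failed `umask` into `fail`; the outer script only stops if `set -e` turns the subshell's non-zero status into an abort. Clearer and independent of errexit: `( umask 0077 && lacme newOrder test6 2>"$STDERR" ) || fail newOrder test6`. The same errexit caveat applies to the new `! test -e /etc/lacme/test6.pem` and `! test -e /tmp/test8.notify` lines: an inverted pipeline never trips `set -e`, so prefer `[ ! -e ... ]`. The commit message also says the client is now always spawned with umask 0022 so challenge files stay readable, but nothing in this hunk checks the mode of a challenge-response file under the restrictive umask.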
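Review bot: Switching this test4 config from `chown = nonexistent-user` to `owner = nonexistent-user` (and, per the diffstat, every other `chown`/`chmod` in the file) leaves the legacy spellings the commit message says are still accepted with no coverage at all, so a regression in the alias path would pass the suite. Keep at least one section on the old keys — for example leave test4 on `chown = ...` and let test5 exercise `owner = ...`, or add a short case with `chown = nobody` and `chmod = 0400` and the same `stat` assertions. The comment could then say `# owner user (legacy spelling: chown)` so the coverage intent is explicit.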
@@ -119,21 +119,21 @@ grepstderr -Fxq "getpwnam(nonexistent-user)" ! test -e /etc/lacme/test4.pem ! test -e /etc/lacme/test4.crt -sed -ri "s/^chown\\s*=.*/chown = nobody/" /etc/lacme/lacme-certs.conf.d/test4.conf +sed -ri "s/^owner\\s*=.*/owner = nobody/" /etc/lacme/lacme-certs.conf.d/test4.conf lacme newOrder test4 2>"$STDERR" || fail newOrder test4 st="$(stat -c "%U:%G %#a" /etc/lacme/test4.pem)" [ "$st" = "nobody:root 0644" ] st="$(stat -c "%U:%G %#a" /etc/lacme/test4.crt)" [ "$st" = "nobody:root 0644" ] -# chown user:group +# owner user:group openssl genpkey -algorithm RSA -out /etc/lacme/test5.key cat >"/etc/lacme/lacme-certs.conf.d/test5.conf" <<- EOF [test5] certificate-key = /etc/lacme/test5.key certificate = /etc/lacme/test5.pem certificate-chain = /etc/lacme/test5.crt - chown = nobody:nonexistent-group + owner = nobody:nonexistent-group subject = $subject EOF @@ -142,7 +142,7 @@ grepstderr -Fxq "getgrnam(nonexistent-group)" ! test -e /etc/lacme/test5.pem ! test -e /etc/lacme/test5.crt -sed -ri "s/^chown\\s*=.*/chown = nobody:nogroup/" /etc/lacme/lacme-certs.conf.d/test5.conf +sed -ri "s/^owner\\s*=.*/owner = nobody:nogroup/" /etc/lacme/lacme-certs.conf.d/test5.conf lacme newOrder test5 2>"$STDERR" || fail newOrder test5 st="$(stat -c "%U:%G %#a" /etc/lacme/test5.pem)" [ "$st" = "nobody:nogroup 0644" ] @@ -156,8 +156,8 @@ cat >"/etc/lacme/lacme-certs.conf.d/test6.conf" <<- EOF certificate-key = /etc/lacme/test6.key certificate-chain = /etc/lacme/test6.crt certificate = - chmod = - chown = + mode = + owner = subject = $subject EOF @@ -166,14 +166,14 @@ EOF st="$(stat -c "%U:%G %#a" /etc/lacme/test6.crt)" [ "$st" = "root:root 0600" ] -# chmod +# mode openssl genpkey -algorithm RSA -out /etc/lacme/test7.key cat >"/etc/lacme/lacme-certs.conf.d/test7.conf" <<- EOF [test7] certificate-key = /etc/lacme/test7.key certificate = /etc/lacme/test7.pem certificate-chain = /etc/lacme/test7.crt - chmod = 0400 + mode = 0400 subject = $subject EOF -- cgit v1.2.3
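Review bot: With both spellings accepted, nothing in the `mode = 0400` hunk (or its `owner` counterparts) pins what happens when a section sets `mode` and `chmod`, or `owner` and `chown`, together — whether the last key wins, the preferred one wins, or the config is rejected; a silently ignored stricter `mode = 0400` would leave the files at 0644 without any test noticing. A test7-style config carrying both `chmod = 0400` and `mode = 0644` with an assertion on the resulting `stat -c "%U:%G %#a"` output, or a `! lacme newOrder ... || fail` plus `grepstderr` on the rejection message, would cover it. How lacme treats duplicate keys is not visible from this hunk, so the expected outcome has to come from the implementation.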