From: Guilhem Moulin Date: Wed, 26 Apr 2023 17:41:24 +0200 Subject: Adjust test suite against current Let's Encrypt staging environment Origin: https://git.guilhem.org/lacme/commit/?id=cb0b301e7a62a71d9e4454f9f7af5358c857c48c Origin: https://git.guilhem.org/lacme/commit/?id=f84716c064312dd9dc0d149f0ec7a12f5c88c3af Origin: https://git.guilhem.org/lacme/commit/?id=a41444b8b1fe5349a4a33c45f1e96036845609bb Origin: https://git.guilhem.org/lacme/commit/?id=98e4397f5330245cb7f8a21054ab078c4d0bba82 --- tests/account-encrypted-gpg | 2 +- tests/account-encrypted-openssl | 1 + tests/cert-install | 2 +- tests/cert-verify | 22 +++++----------------- tests/old-lacme | 9 +++++---- 5 files changed, 13 insertions(+), 23 deletions(-) diff --git a/tests/account-encrypted-gpg b/tests/account-encrypted-gpg index fd1e4ac..7cb978d 100644 --- a/tests/account-encrypted-gpg +++ b/tests/account-encrypted-gpg @@ -9,7 +9,7 @@ keyid="$(gpg --list-secret-key --with-colons | grep -m1 ^fpr: | cut -sd: -f10)" gpg --encrypt -r "$keyid" /etc/lacme/account.key sed -ri '0,\|^#?privkey\s*=.*| {s||privkey = gpg:/etc/lacme/account.key.gpg|}' /etc/lacme/lacme-accountd.conf -export GPG_TTY="$(tty)" +export GPG_TTY="$(tty)" TERM="linux" lacme account # vim: set filetype=sh : diff --git a/tests/account-encrypted-openssl b/tests/account-encrypted-openssl index e79a528..a3ad707 100644 --- a/tests/account-encrypted-openssl +++ b/tests/account-encrypted-openssl @@ -5,6 +5,7 @@ PASSPHRASE="test" openssl rsa -aes128 -passout pass:"$PASSPHRASE" /etc/lacme/account.enc.key sed -ri '0,\|^#?privkey\s*=.*| {s||privkey = file:/etc/lacme/account.enc.key|}' /etc/lacme/lacme-accountd.conf +export TERM="linux" lacme account # vim: set filetype=sh : diff --git a/tests/cert-install b/tests/cert-install index c38f3cf..279309f 100644 --- a/tests/cert-install +++ b/tests/cert-install @@ -79,7 +79,7 @@ check_chain() { # 'certificate' installs only the leaf certificate openssl genpkey -algorithm RSA -out /etc/lacme/test1.key -subject="/CN=$(head -c10 /dev/urandom | base32 -w0).$DOMAINNAME" +subject="/CN=$(head -c10 /dev/urandom | base32 -w0 | tr "A-Z" "a-z").$DOMAINNAME" cat >"/etc/lacme/lacme-certs.conf.d/test1.conf" <<- EOF [test1] certificate-key = /etc/lacme/test1.key diff --git a/tests/cert-verify b/tests/cert-verify index 4d254c6..6ee9211 100644 --- a/tests/cert-verify +++ b/tests/cert-verify @@ -8,31 +8,19 @@ for ca in /usr/share/lacme/letsencrypt-stg-root-*.pem; do done update-ca-certificates -# test (modified) trust store for intermediate certificates -openssl verify -no-CAfile -CApath /etc/ssl/certs -show_chain /usr/share/lacme/letsencrypt-stg-int-*.pem -openssl verify -no-CApath -CAfile /etc/ssl/certs/ca-certificates.crt -show_chain /usr/share/lacme/letsencrypt-stg-int-*.pem +# test (modified) trust store +openssl verify -no-CAfile -CApath /etc/ssl/certs -show_chain /usr/share/lacme/letsencrypt-stg-root-x1.pem +openssl verify -no-CApath -CAfile /etc/ssl/certs/ca-certificates.crt -show_chain /usr/share/lacme/letsencrypt-stg-root-x1.pem mv /usr/share/lacme/ca-certificates.crt /usr/share/lacme/ca-certificates.crt.back ! lacme newOrder 2>"$STDERR" || fail -grepstderr -Fxq "Could not open file or uri for loading certs of trusted certificates from /usr/share/lacme/ca-certificates.crt" +grepstderr -Fq " certs of trusted certificates from /usr/share/lacme/ca-certificates.crt" grepstderr -Fxq "[simpletest-rsa] Error: Received invalid X.509 certificate from ACME server!" # verification error for unrelated CA bundle cat /etc/ssl/certs/ssl-cert-snakeoil.pem >/usr/share/lacme/ca-certificates.crt ! lacme newOrder 2>"$STDERR" || fail -grepstderr -Fxq "error 20 at 0 depth lookup: unable to get local issuer certificate" -grepstderr -Fxq "[simpletest-rsa] Error: Received invalid X.509 certificate from ACME server!" - -# verification error when the CA bundle contains only the root certificates -cat /usr/share/lacme/letsencrypt-stg-root-*.pem >/usr/share/lacme/ca-certificates.crt -! lacme newOrder 2>"$STDERR" || fail -grepstderr -Fxq "error 20 at 0 depth lookup: unable to get local issuer certificate" -grepstderr -Fxq "[simpletest-rsa] Error: Received invalid X.509 certificate from ACME server!" - -# verification error when the CA bundle contains only the intermediate certificates -cat /usr/share/lacme/letsencrypt-stg-int-*.pem >/usr/share/lacme/ca-certificates.crt -! lacme newOrder 2>"$STDERR" || fail -grepstderr -Fxq "error 2 at 1 depth lookup: unable to get issuer certificate" +grepstderr -Fxq "error 20 at 1 depth lookup: unable to get local issuer certificate" grepstderr -Fxq "[simpletest-rsa] Error: Received invalid X.509 certificate from ACME server!" # use saved bundle as custom CAfile diff --git a/tests/old-lacme b/tests/old-lacme index b1c9f88..278a705 100644 --- a/tests/old-lacme +++ b/tests/old-lacme @@ -1,5 +1,6 @@ -# IPC test between recent lacme-accountd(1) and ancient lacme(8) 0.5 from Debian buster -# (we don't try earlier versions as we need v2 support of the ACME API) +# IPC test between recent lacme-accountd(1) and ancient lacme(8) 0.8 from Debian Bullseye +# (we don't try earlier versions as we need v2 support of the ACME API +# and non-pinned intermediates) adduser --disabled-password \ --home /home/lacme-account \ @@ -14,12 +15,12 @@ cat >~lacme-account/.config/lacme/lacme-accountd.conf <<-EOF privkey = file:/etc/lacme/account.key EOF -echo "deb http://deb.debian.org/debian buster main" >>/etc/apt/sources.list +echo "deb http://deb.debian.org/debian bullseye main" >>/etc/apt/sources.list DEBIAN_FRONTEND="noninteractive" apt update DEBIAN_FRONTEND="noninteractive" apt install -y --no-install-recommends \ --reinstall --allow-downgrades \ -oDPkg::Options::="--force-confdef" -oDPkg::Options::="--force-overwrite" \ - lacme/buster + lacme/bullseye # restore staging environment mv -f /usr/share/lacme/ca-certificates.crt.back /usr/share/lacme/ca-certificates.crt