path: root/debian/patches/Adjust-test-suite-against-current-Let-s-Encrypt-staging-e.patch
From: Guilhem Moulin <guilhem@fripost.org>
Date: Wed, 26 Apr 2023 17:41:24 +0200
Subject: Adjust test suite against current Let's Encrypt staging environment

Origin: https://git.guilhem.org/lacme/commit/?id=cb0b301e7a62a71d9e4454f9f7af5358c857c48c
Origin: https://git.guilhem.org/lacme/commit/?id=f84716c064312dd9dc0d149f0ec7a12f5c88c3af
Origin: https://git.guilhem.org/lacme/commit/?id=a41444b8b1fe5349a4a33c45f1e96036845609bb
Origin: https://git.guilhem.org/lacme/commit/?id=98e4397f5330245cb7f8a21054ab078c4d0bba82
---
 tests/account-encrypted-gpg     |  2 +-
 tests/account-encrypted-openssl |  1 +
 tests/cert-install              |  2 +-
 tests/cert-verify               | 22 +++++-----------------
 tests/old-lacme                 |  9 +++++----
 5 files changed, 13 insertions(+), 23 deletions(-)

diff --git a/tests/account-encrypted-gpg b/tests/account-encrypted-gpg
index fd1e4ac..7cb978d 100644
--- a/tests/account-encrypted-gpg
+++ b/tests/account-encrypted-gpg
@@ -9,7 +9,7 @@ keyid="$(gpg --list-secret-key --with-colons | grep -m1 ^fpr: | cut -sd: -f10)"
 gpg --encrypt -r "$keyid" /etc/lacme/account.key
 sed -ri '0,\|^#?privkey\s*=.*| {s||privkey = gpg:/etc/lacme/account.key.gpg|}' /etc/lacme/lacme-accountd.conf
 
-export GPG_TTY="$(tty)"
+export GPG_TTY="$(tty)" TERM="linux"
 lacme account
 
 # vim: set filetype=sh :
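Review bot: `TERM="linux"` is forced just before `lacme account` with no comment saying why, and the same applies to the `export TERM="linux"` line added in tests/account-encrypted-openssl. Presumably the passphrase prompt needs a terminal type that exists in the test environment, but a reader cannot tell that from the script. A one-line comment above each export would record it, for example `# passphrase prompt needs a terminal type known to the test environment` (wording to be confirmed by the author). Separately, because `GPG_TTY="$(tty)"` sits inside `export`, a failing `tty` goes unnoticed; assigning first and exporting afterwards would surface it.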
diff --git a/tests/account-encrypted-openssl b/tests/account-encrypted-openssl
index e79a528..a3ad707 100644
--- a/tests/account-encrypted-openssl
+++ b/tests/account-encrypted-openssl
@@ -5,6 +5,7 @@ PASSPHRASE="test"
 openssl rsa -aes128 -passout pass:"$PASSPHRASE" </etc/lacme/account.key >/etc/lacme/account.enc.key
 sed -ri '0,\|^#?privkey\s*=.*| {s||privkey = file:/etc/lacme/account.enc.key|}' /etc/lacme/lacme-accountd.conf
 
+export TERM="linux"
 lacme account
 
 # vim: set filetype=sh :
diff --git a/tests/cert-install b/tests/cert-install
index c38f3cf..279309f 100644
--- a/tests/cert-install
+++ b/tests/cert-install
@@ -79,7 +79,7 @@ check_chain() {
 
 # 'certificate' installs only the leaf certificate
 openssl genpkey -algorithm RSA -out /etc/lacme/test1.key
-subject="/CN=$(head -c10 /dev/urandom | base32 -w0).$DOMAINNAME"
+subject="/CN=$(head -c10 /dev/urandom | base32 -w0 | tr "A-Z" "a-z").$DOMAINNAME"
 cat >"/etc/lacme/lacme-certs.conf.d/test1.conf" <<- EOF
 	[test1]
 	certificate-key = /etc/lacme/test1.key
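Review bot: The new `tr "A-Z" "a-z"` stage on the `subject=` line has no comment explaining why the random label must be lower-case. `base32` emits upper-case letters, so the likely reason is that the name comes back lower-cased from the staging CA and a later comparison would otherwise fail, but that is an inference from this hunk alone. A short comment such as `# lower-case the label: base32 output is upper-case` plus the actual reason would help the next maintainer. Writing the classes as `tr '[:upper:]' '[:lower:]'` also avoids depending on how ranges are interpreted. The here-document that consumes `$subject` continues outside the hunk.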
diff --git a/tests/cert-verify b/tests/cert-verify
index 4d254c6..6ee9211 100644
--- a/tests/cert-verify
+++ b/tests/cert-verify
@@ -8,31 +8,19 @@ for ca in /usr/share/lacme/letsencrypt-stg-root-*.pem; do
 done
 update-ca-certificates
 
-# test (modified) trust store for intermediate certificates
-openssl verify -no-CAfile -CApath /etc/ssl/certs                     -show_chain /usr/share/lacme/letsencrypt-stg-int-*.pem
-openssl verify -no-CApath -CAfile /etc/ssl/certs/ca-certificates.crt -show_chain /usr/share/lacme/letsencrypt-stg-int-*.pem
+# test (modified) trust store
+openssl verify -no-CAfile -CApath /etc/ssl/certs                     -show_chain /usr/share/lacme/letsencrypt-stg-root-x1.pem
+openssl verify -no-CApath -CAfile /etc/ssl/certs/ca-certificates.crt -show_chain /usr/share/lacme/letsencrypt-stg-root-x1.pem
 
 mv /usr/share/lacme/ca-certificates.crt /usr/share/lacme/ca-certificates.crt.back
 ! lacme newOrder 2>"$STDERR" || fail
-grepstderr -Fxq "Could not open file or uri for loading certs of trusted certificates from /usr/share/lacme/ca-certificates.crt"
+grepstderr -Fq  " certs of trusted certificates from /usr/share/lacme/ca-certificates.crt"
 grepstderr -Fxq "[simpletest-rsa] Error: Received invalid X.509 certificate from ACME server!"
 
 # verification error for unrelated CA bundle
 cat /etc/ssl/certs/ssl-cert-snakeoil.pem >/usr/share/lacme/ca-certificates.crt
 ! lacme newOrder 2>"$STDERR" || fail
-grepstderr -Fxq "error 20 at 0 depth lookup: unable to get local issuer certificate"
-grepstderr -Fxq "[simpletest-rsa] Error: Received invalid X.509 certificate from ACME server!"
-
-# verification error when the CA bundle contains only the root certificates
-cat /usr/share/lacme/letsencrypt-stg-root-*.pem >/usr/share/lacme/ca-certificates.crt
-! lacme newOrder 2>"$STDERR" || fail
-grepstderr -Fxq "error 20 at 0 depth lookup: unable to get local issuer certificate"
-grepstderr -Fxq "[simpletest-rsa] Error: Received invalid X.509 certificate from ACME server!"
-
-# verification error when the CA bundle contains only the intermediate certificates
-cat /usr/share/lacme/letsencrypt-stg-int-*.pem >/usr/share/lacme/ca-certificates.crt
-! lacme newOrder 2>"$STDERR" || fail
-grepstderr -Fxq "error 2 at 1 depth lookup: unable to get issuer certificate"
+grepstderr -Fxq "error 20 at 1 depth lookup: unable to get local issuer certificate"
 grepstderr -Fxq "[simpletest-rsa] Error: Received invalid X.509 certificate from ACME server!"
 
 # use saved bundle as custom CAfile
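Review bot: The two `openssl verify` lines now name only `letsencrypt-stg-root-x1.pem`, while the loop shown in the hunk header iterates over `/usr/share/lacme/letsencrypt-stg-root-*.pem`. Any other staging root matching that glob is therefore presumably added to the trust store but never checked against it. If checking only x1 is deliberate, a comment such as `# only root-x1 is verified here because <reason>` would make that clear; otherwise passing the same glob keeps the check in step with what the loop handles. The loop body starts outside the hunk, so what it does with each file is inferred from the `update-ca-certificates` call. Note also that the first `grepstderr` was relaxed to a substring match (`-Fq`), while the `error 20 at 1 depth lookup` assertion still pins OpenSSL's exact wording and depth with `-Fxq`, so it remains sensitive to the same kind of upstream message change.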
diff --git a/tests/old-lacme b/tests/old-lacme
index b1c9f88..278a705 100644
--- a/tests/old-lacme
+++ b/tests/old-lacme
@@ -1,5 +1,6 @@
-# IPC test between recent lacme-accountd(1) and ancient lacme(8) 0.5 from Debian buster
-# (we don't try earlier versions as we need v2 support of the ACME API)
+# IPC test between recent lacme-accountd(1) and ancient lacme(8) 0.8 from Debian Bullseye
+# (we don't try earlier versions as we need v2 support of the ACME API
+# and non-pinned intermediates)
 
 adduser --disabled-password \
        --home /home/lacme-account \
@@ -14,12 +15,12 @@ cat >~lacme-account/.config/lacme/lacme-accountd.conf <<-EOF
 	privkey = file:/etc/lacme/account.key
 EOF
 
-echo "deb http://deb.debian.org/debian buster main" >>/etc/apt/sources.list
+echo "deb http://deb.debian.org/debian bullseye main" >>/etc/apt/sources.list
 DEBIAN_FRONTEND="noninteractive" apt update
 DEBIAN_FRONTEND="noninteractive" apt install -y --no-install-recommends \
     --reinstall --allow-downgrades \
     -oDPkg::Options::="--force-confdef" -oDPkg::Options::="--force-overwrite" \
-    lacme/buster
+    lacme/bullseye
 
 # restore staging environment
 mv -f /usr/share/lacme/ca-certificates.crt.back /usr/share/lacme/ca-certificates.crt