From b1e1c44119caa087173d274389fde976fd2d5122 Mon Sep 17 00:00:00 2001
From: Tim Kimber
Date: Thu, 22 Jul 2021 22:28:50 +0100
Subject: [PATCH 1/4] Check if drill supports +noidnout

Only pass +noidnout param to dig/drill
---
 getssl | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/getssl b/getssl
index f64d01ce..bf1fb15f 100755
--- a/getssl
+++ b/getssl
@@ -693,28 +693,27 @@ check_config() { # check the config files for all obvious errors # check domain exists using all DNS utilities. DNS_CHECK_OPTIONS may bind IP address or provide TSIG - # add +noidnout if idn-domain so search for domain in results works - if [[ "${d}" == xn--* || "${d}" == *".xn--"* ]]; then - if [[ "$HAS_DIG_OR_DRILL" != "dig" || "$DIG_SUPPORTS_NOIDNOUT" == "true" ]]; then - DNS_CHECK_OPTIONS="$DNS_CHECK_OPTIONS +noidnout" - fi - fi - found_ip=false if [[ -n "$HAS_DIG_OR_DRILL" ]]; then - debug "DNS lookup using $HAS_DIG_OR_DRILL $DNS_CHECK_OPTIONS ${d}" + # add +noidnout if idn-domain so search for domain in results works + DIG_CHECK_OPTIONS="$DNS_CHECK_OPTIONS" + if [[ ("${d}" == xn--* || "${d}" == *".xn--"* ) && "$DIG_SUPPORTS_NOIDNOUT" == "true" ]]; then + DIG_CHECK_OPTIONS="$DNS_CHECK_OPTIONS +noidnout" + fi + + debug "DNS lookup using $HAS_DIG_OR_DRILL $DIG_CHECK_OPTIONS ${d}" # shellcheck disable=SC2086 - if [[ "$($HAS_DIG_OR_DRILL $DNS_CHECK_OPTIONS -t SOA "${d}" |grep -c -i "^${d}")" -ge 1 ]]; then + if [[ "$($HAS_DIG_OR_DRILL $DIG_CHECK_OPTIONS -t SOA "${d}" |grep -c -i "^${d}")" -ge 1 ]]; then found_ip=true - elif [[ "$($HAS_DIG_OR_DRILL $DNS_CHECK_OPTIONS -t A "${d}"|grep -c -i "^${d}")" -ge 1 ]]; then + elif [[ "$($HAS_DIG_OR_DRILL $DIG_CHECK_OPTIONS -t A "${d}"|grep -c -i "^${d}")" -ge 1 ]]; then found_ip=true - elif [[ "$($HAS_DIG_OR_DRILL $DNS_CHECK_OPTIONS -t AAAA "${d}"|grep -c -i "^${d}")" -ge 1 ]]; then + elif [[ "$($HAS_DIG_OR_DRILL $DIG_CHECK_OPTIONS -t AAAA "${d}"|grep -c -i "^${d}")" -ge 1 ]]; then found_ip=true fi fi if [[ "$HAS_HOST" == "true" ]]; then - debug "DNS lookup using host ${d}" + debug "DNS lookup using host $DNS_CHECK_OPTIONS ${d}" # shellcheck disable=SC2086 if [[ "$(host $DNS_CHECK_OPTIONS "${d}" |grep -c -i "^${d}")" -ge 1 ]]; then found_ip=true 
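Review bot: The new `debug` lines print `$DNS_CHECK_OPTIONS` (and the `DIG_CHECK_OPTIONS` derived from it) verbatim, and the comment at the top of the hunk says that variable may carry a TSIG key; if a user supplies it as dig's `-y` key material, `--check-config -d` writes the secret into the debug output, and the same applies to the nslookup message added in the next hunk. Consider logging only whether options are set, or redacting anything after `-y`, e.g. `debug "DNS lookup using host ${DNS_CHECK_OPTIONS:+<options set>} ${d}"`. Separately, `DIG_CHECK_OPTIONS` is a new script-wide variable rather than a `local`; that matches the file's style, but a short comment such as `# per-domain copy of DNS_CHECK_OPTIONS; only dig/drill understand +noidnout` would make the split from `DNS_CHECK_OPTIONS` clear to the next reader. check_config starts and ends outside this hunk.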
@@ -722,7 +721,7 @@ check_config() { # check the config files for all obvious errors fi if [[ "$HAS_NSLOOKUP" == "true" ]]; then - debug "DNS lookup using nslookup -query AAAA ${d}" + debug "DNS lookup using nslookup $DNS_CHECK_OPTIONS -query AAAA ${d}" # shellcheck disable=SC2086 if [[ "$(nslookup $DNS_CHECK_OPTIONS -query=AAAA "${d}"|grep -c -i "^${d}.*has AAAA address")" -ge 1 ]]; then debug "found IPv6 record for ${d}" @@ -1161,7 +1160,6 @@ find_dns_utils() { fi if [[ -n "$(command -v drill 2>/dev/null)" ]]; then - debug "HAS DIG_OR_DRILL=drill" HAS_DIG_OR_DRILL="drill" elif [[ -n "$(command -v dig 2>/dev/null)" ]] && dig >/dev/null 2>&1; then if dig -r >/dev/null 2>&1; then @@ -1170,8 +1168,10 @@ find_dns_utils() { else HAS_DIG_OR_DRILL="dig" fi + fi - if dig +noidnout >/dev/null 2>&1; then + if [[ -n "$HAS_DIG_OR_DRILL" ]]; then + if $HAS_DIG_OR_DRILL +noidnout >/dev/null 2>&1; then DIG_SUPPORTS_NOIDNOUT=true fi From 0855b908eaf4388a3eeb644e57b4f5f6a81439f3 Mon Sep 17 00:00:00 2001 From: Tim Kimber Date: Thu, 22 Jul 2021 22:30:26 +0100 Subject: [PATCH 2/4] Add GETSSL_IDN_HOST instead of hardcoding idn test domain --- test/37-idn.bats | 7 +++---- test/run-test.cmd | 5 +++-- test/run-test.sh | 5 +++-- 3 files changed, 9 insertions(+), 8 deletions(-) diff --git a/test/37-idn.bats b/test/37-idn.bats index 7b918276..be624de0 100644 --- a/test/37-idn.bats +++ b/test/37-idn.bats 
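Review bot: In the last hunk of this patch the probe `if $HAS_DIG_OR_DRILL +noidnout >/dev/null 2>&1` decides support purely by exit status, but dig with no name argument performs a real query (an NS lookup for the root), so on a host without DNS reachability the probe fails for network reasons and `+noidnout` is silently never used; an unsupported option and a timeout are indistinguishable here. drill does not use dig's `+option` syntax, so a zero exit on drill may mean it treated `+noidnout` as a query name rather than accepted the flag; this is worth confirming on a drill system and recording in a comment such as `# probe: a non-zero status may also be a network failure, not a missing option`. A more specific check would capture stderr and look for the unknown-option message rather than relying on the status alone. The `fi` that closes the new outer `if` is not visible in the hunk as rendered here, so its pairing could not be checked.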
@@ -7,14 +7,13 @@ load '/getssl/test/test_helper.bash' setup_file() { if [ -z "$STAGING" ]; then export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt - GETSSL_CMD_HOST=${GETSSL_HOST/getssl/xn--t-r1a81lydm69gz81r} - curl --silent -X POST -d '{"host":"'$GETSSL_CMD_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a + curl --silent -X POST -d '{"host":"'$GETSSL_IDN_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a fi } # This is run for every test setup() { - GETSSL_CMD_HOST=${GETSSL_HOST/getssl/xn--t-r1a81lydm69gz81r} + GETSSL_CMD_HOST=${GETSSL_IDN_HOST} # use the test description to move tools we don't want to test out of the way DNS_TOOL=${BATS_TEST_DESCRIPTION##*:} @@ -39,7 +38,7 @@ teardown() { teardown_file() { if [ -z "$STAGING" ]; then - curl --silent -X POST -d '{"host":"'$GETSSL_CMD_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/clear-a + curl --silent -X POST -d '{"host":"'$GETSSL_IDN_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/clear-a fi } diff --git a/test/run-test.cmd b/test/run-test.cmd index 88e692db..44c46beb 100644 --- a/test/run-test.cmd +++ b/test/run-test.cmd @@ -8,11 +8,11 @@ SET COMMAND=%2 %3 :CheckAlias REM check if OS *contains* staging +SET GETSSL_IDN_HOST=%OS%.xn--t-r1a81lydm69gz81r.test IF NOT x%OS:duck=%==x%OS% GOTO duckdns IF NOT x%OS:dynu=%==x%OS% GOTO dynu IF NOT x%OS:bash=%==x%OS% GOTO bash SET ALIAS=%OS%.getssl.test -SET IDN=%OS%.xn--t-r1a81lydm69gz81r.test SET STAGING= SET GETSSL_OS=%OS% GOTO Run @@ -51,12 +51,13 @@ IF %ErrorLevel% EQU 1 GOTO End @echo on docker run -it ^ --env GETSSL_HOST=%ALIAS% %STAGING% ^ + --env GETSSL_IDN_HOST=%GETSSL_IDN_HOST% ^ --env GETSSL_OS=%GETSSL_OS% ^ -v %cd%:/getssl ^ --rm ^ --network %CurrDirName%_acmenet ^ --network-alias %ALIAS% ^ - --network-alias %IDN% ^ + --network-alias %GETSSL_IDN_HOST% ^ --network-alias a.%OS%.getssl.test ^ --network-alias b.%OS%.getssl.test ^ --network-alias c.%OS%.getssl.test ^ 
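Review bot: `setup()` now assigns `GETSSL_CMD_HOST=${GETSSL_IDN_HOST}` with no check that the new variable is set, so running this file outside run-test.sh (or with a harness that only exports GETSSL_HOST) yields an empty command host and `setup_file` posts `{"host":""}` to the challenge test server, failing later with a confusing error rather than a clear one. A guard at the start of `setup_file` and `setup`, e.g. `: "${GETSSL_IDN_HOST:?GETSSL_IDN_HOST must be exported by run-test.sh}"`, makes the dependency explicit. The same applies to the new 38-idn-http01-check-noidnout.bats added in a later patch of this series.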
diff --git a/test/run-test.sh b/test/run-test.sh index 8f405e11..c3852ef2 100755 --- a/test/run-test.sh +++ b/test/run-test.sh @@ -15,7 +15,7 @@ else fi ALIAS="$OS.getssl.test" -IDN="$OS.xn--t-r1a81lydm69gz81r.test" +GETSSL_IDN_HOST="$OS.xn--t-r1a81lydm69gz81r.test" STAGING="" GETSSL_OS=$OS @@ -35,12 +35,13 @@ docker build --rm -f "test/Dockerfile-$OS" -t "getssl-$OS" . # shellcheck disable=SC2086 docker run \ --env GETSSL_HOST=$ALIAS $STAGING \ + --env GETSSL_IDN_HOST=$GETSSL_IDN_HOST \ --env GETSSL_OS=$GETSSL_OS \ -v "$(pwd)":/getssl \ --rm \ --network ${PWD##*/}_acmenet \ --network-alias $ALIAS \ - --network-alias $IDN \ + --network-alias $GETSSL_IDN_HOST \ --network-alias "a.$OS.getssl.test" \ --network-alias "b.$OS.getssl.test" \ --network-alias "c.$OS.getssl.test" \ From 9d023115b01e978b4d66a1a38be1295ad705b968 Mon Sep 17 00:00:00 2001 From: Tim Kimber Date: Thu, 22 Jul 2021 22:31:09 +0100 Subject: [PATCH 3/4] Test that host/nslookup are not called with +noidnout --- test/38-idn-http01-check-noidnout.bats | 44 ++++++++++++++++++++++++++ test/test_helper.bash | 2 +- 2 files changed, 45 insertions(+), 1 deletion(-) create mode 100644 test/38-idn-http01-check-noidnout.bats diff --git a/test/38-idn-http01-check-noidnout.bats b/test/38-idn-http01-check-noidnout.bats new file mode 100644 index 00000000..fde4fe66 --- /dev/null +++ b/test/38-idn-http01-check-noidnout.bats 
@@ -0,0 +1,44 @@ +#! /usr/bin/env bats + +load '/bats-support/load.bash' +load '/bats-assert/load.bash' +load '/getssl/test/test_helper.bash' + +setup_file() { + if [ -z "$STAGING" ]; then + export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt + curl --silent -X POST -d '{"host":"'$GETSSL_IDN_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a + fi +} + +setup() { + GETSSL_CMD_HOST=$GETSSL_IDN_HOST +} + +teardown_file() { + if [ -z "$STAGING" ]; then + curl --silent -X POST -d '{"host":"'$GETSSL_IDN_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/clear-a + + fi +} + +@test "Ensure noidnout in check_config isn't passed to host and nslookup (HTTP-01)" { + if [ -n "$STAGING" ]; then + skip "Using staging server, skipping internal test" + fi + CONFIG_FILE="getssl-http01.cfg" + setup_environment + init_getssl + cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg +SANS="${GETSSL_HOST}" +USE_SINGLE_ACL="true" +EOF + + create_certificate -d --check-config + + assert_success + refute_output --partial "DNS lookup using host +noidnout" + refute_output --partial "DNS lookup using nslookup +noidnout" + refute_output --partial "+noidnout $GETSSL_HOST" + check_output_for_errors +} diff --git a/test/test_helper.bash b/test/test_helper.bash index dedd3aef..ea71967d 100644 --- a/test/test_helper.bash +++ b/test/test_helper.bash @@ -47,7 +47,7 @@ create_certificate() { # Create certificate cp "${CODE_DIR}/test/test-config/${CONFIG_FILE}" "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl.cfg" # shellcheck disable=SC2086 - run ${CODE_DIR}/getssl $1 "$GETSSL_CMD_HOST" + run ${CODE_DIR}/getssl "$@" "$GETSSL_CMD_HOST" } init_getssl() { From 2f518618d34f8d844d26b060ef9e553cf16dd6e2 Mon Sep 17 00:00:00 2001 From: Tim Kimber Date: Fri, 23 Jul 2021 15:10:06 +0100 Subject: [PATCH 4/4] Update version and change log --- getssl | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/getssl b/getssl index bf1fb15f..fecbc7cc 100755 
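Review bot: The first two `refute_output --partial` strings are unlikely to match even the behaviour they guard against: getssl builds the message as `"DNS lookup using host $DNS_CHECK_OPTIONS ${d}"`, so in the default configuration where that variable is empty (or, in the old code, polluted with a leading-space `" +noidnout"`) the output has two spaces after `host`, not the single space in `"DNS lookup using host +noidnout"`. Only the third refute, `"+noidnout $GETSSL_HOST"`, actually exercises the regression, and it does so indirectly via the SAN domain. A whitespace-tolerant pattern such as `refute_output --regexp 'using (host|nslookup) .*\+noidnout'` would make the intent robust. Also, the redirect target `${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg` is unquoted and `<<-` strips only leading tabs; harmless for the paths used here, but worth quoting for consistency with the rest of the test suite.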
--- a/getssl +++ b/getssl @@ -263,6 +263,7 @@ # 2021-07-07 Request new certificate if SANs have changed (#669)(#673) # 2021-07-12 Do not redirect outputs on remote commands when the debug option is used (atisne) # 2021-07-20 Use +noidnout to enable certificates for IDN domains (#679)(2.37) +# 2021-07-22 Only pass +noidnout param to dig/drill(#682)(2.38) # ---------------------------------------------------------------------------------------- case :$SHELLOPTS: in @@ -271,7 +272,7 @@ esac PROGNAME=${0##*/} PROGDIR="$(cd "$(dirname "$0")" || exit; pwd -P;)" -VERSION="2.37" +VERSION="2.38" # defaults ACCOUNT_KEY_LENGTH=4096