TestScript

The following script can be used to assist with SRU verification of the Certbot family of packages:

#!/bin/bash

# This script tests Certbot packages in proposed-updates repos on Ubuntu. You
# can use the script to test the Certbot packages found in other repositories
# by installing them manually and running this script with the environment
# variable CERTBOT_PREINSTALLED=1.
#
# WARNING: It runs as root and makes many global modifications to the system it
# is run on so it should only be run on a machine temporarily set up for
# testing.

set -eo pipefail
cd ~

if test "$(id -u)" -ne "0"; then
    echo "Must run as root to install packages and use Docker." >&2
    exit 1
fi

apt-get update
apt-get install docker.io gawk git lsb-release net-tools psmisc wget -y

wget https://github.com/docker/compose/releases/download/1.15.0-rc1/docker-compose-Linux-x86_64 -O /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose

# Add a replacement for coverage which is a tool used by upstream devs. This
# dummy script is a noop unless asked to run Certbot.
cat << EOF > /usr/local/bin/coverage
#!/bin/bash -e
if [ "\$1" != "run" ]; then
    exit 0
fi

while [ "\$1" != "\$(command -v certbot)" ]; do
    shift 1
done

"\$@"
EOF
chmod +x /usr/local/bin/coverage

codename=$(lsb_release -a 2>/dev/null | grep Codename | cut -f2)
if [ "$CERTBOT_PREINSTALLED" != 1 ]; then
    echo "deb http://archive.ubuntu.com/ubuntu/ $codename-proposed restricted main multiverse universe" > /etc/apt/sources.list.d/proposed.list
    echo "Package: *" > /etc/apt/preferences.d/proposed-updates
    echo "Pin: release a=$codename-proposed" >> /etc/apt/preferences.d/proposed-updates
    echo "Pin-Priority: 400" >> /etc/apt/preferences.d/proposed-updates
    apt-get update

    if [ "$codename" = "xenial" ]; then
        apt-get install -y \
            certbot/$codename-proposed \
            letsencrypt/$codename-proposed \
            python-acme/$codename-proposed \
            python-certbot-apache/$codename-proposed \
            python-josepy/$codename-proposed \
            python-letsencrypt-apache/$codename-proposed \
            python-letsencrypt/$codename-proposed
    else
        apt-get install -y \
            certbot/$codename-proposed \
            letsencrypt/$codename-proposed \
            python3-acme/$codename-proposed \
            python3-certbot-apache/$codename-proposed \
            python3-josepy/$codename-proposed
    fi
fi
service apache2 stop

if ! certbot plugins | grep apache; then
    echo "Certbot can't find the Apache plugin!" >&2
    exit 1
fi

if [ "$codename" = "xenial" ]; then
    cat << EOF > shim_test.py
import acme.jose
from acme.jose import b64 as acme_b64
import certbot
import certbot_apache
import josepy
from josepy import b64 as jose_b64
import letsencrypt
import letsencrypt_apache

assert acme.jose is josepy
assert acme.jose.RS512 is josepy.RS512
assert acme.jose.b64 is josepy.b64
assert acme.jose.b64.b64decode is josepy.b64.b64decode
assert acme_b64 is jose_b64
assert acme_b64.b64decode is jose_b64.b64decode
assert letsencrypt is certbot
assert letsencrypt_apache is certbot_apache
EOF
    python shim_test.py
else
    if [ "$CERTBOT_PREINSTALLED" != 1 ]; then
        apt-get install python3-certbot-nginx/$codename-proposed -y
    fi
    service nginx stop

    if ! certbot plugins | grep nginx; then
        echo "Certbot can't find the nginx plugin!" >&2
        exit 1
    fi
fi

if [ "$(realpath $(command -v letsencrypt))" != "$(command -v certbot)" ]; then
    echo "letsencrypt is not a symlink to Certbot!" >&2
    exit 1
fi

if ! grep '^max-log-backups = 0$' /etc/letsencrypt/cli.ini; then
    echo "Certbot's built in log rotation is not disabled!" >&2
    exit 1
fi

if ! systemctl is-enabled certbot.timer; then
    echo "Certbot's systemd timer is not enabled!" >&2
    exit 1
fi

if [ ! -f /etc/cron.d/certbot ]; then
    echo "Certbot's cron tab enteries weren't found!" >&2
    exit 1
fi

certbot_version=$(certbot --version 2>&1 | grep "^certbot" | cut -d " " -f 2)
git clone https://github.com/certbot/certbot --branch v$certbot_version --depth 1
cd certbot

export GOPATH=${GOPATH:-$HOME/gopath}
export BOULDERPATH=${BOULDERPATH:-$GOPATH/src/github.com/letsencrypt/boulder}
git clone --depth=1 https://github.com/letsencrypt/boulder ${BOULDERPATH}
cd "$BOULDERPATH"
# Turn TLS-SNI-01 back on in boulder because Certbot's old test scripts test
# support for TLS-SNI-01 as well as other challenge types.
sed -i 's/tls-alpn-01/tls-sni-01/g' test/config/ra.json
cd ~-
# Newer versions of boulder don't let you use example.org
sed -i 's/example.org/domain.org/g' tests/boulder-integration.sh
# Accept either output from openssl about must staple extension
sed -i "s/grep '1.3.6.1.5.5.7.1.24'/grep -E 'status_request|1\\\.3\\\.6\\\.1\\\.5\\\.5\\\.7\\\.1\\\.24\'/" tests/boulder-integration.sh

for acme_version in "v1" "v2" ; do
    tests/boulder-fetch.sh
    until curl http://localhost:4000/directory 2>/dev/null; do
      echo waiting for boulder
      sleep 1
    done
    BOULDER_INTEGRATION="$acme_version" tests/boulder-integration.sh
    # Reset the server to reset rate limits
    cd "$BOULDERPATH"
    docker-compose down
    cd ~-
done

if ! certbot-apache/certbot_apache/tests/apache-conf-files/apache-conf-test --debian-modules; then
    echo "Apache tests failed!" >&2
    exit 1
fi

echo "Success!"
echo "Package versions tested:"

if [ "$codename" = "xenial" ]; then
    dpkg-query -W certbot letsencrypt python-josepy python-acme python-certbot python-certbot-apache python-letsencrypt python-letsencrypt-apache
else
    dpkg-query -W certbot letsencrypt python3-josepy python3-acme python3-certbot python3-certbot-apache python3-certbot-nginx
fi

StableReleaseUpdates/Certbot/TestScript (last edited 2019-02-13 02:01:56 by bradmwarren)