refactor: letsencrypt implicit location discovery (#2525)

* chore: Extract letsencrypt logic into methods This allows other scripts to share the functionality to discover the correct letsencrypt folder from the 3 possible locations (where specific order is important). As these methods should now return a string value, the `return 1` after a panic is now dropped. * chore: Update comments The todo is resolved with this PR, `_setup_ssl` will be called by both cert conditional statements with purpose for each better documented to maintainers at the start of the logic block. * refactor: Defer most logic to helper/ssl.sh The loop is no longer required, extraction is delegated to `_setup_ssl` now. For the change event prevention, we retrieve the relevant FQDN via the new helper method, beyond that it's just indentation diff. `check-for-changes.sh` adjusted to allow locally scoped var declarations by wrapping a function. Presently no loop control flow is needed so this seems fine. Made it clear that `CHANGED` is local and `CHKSUM_FILE` is not. Panic scope doesn't require `SSL_TYPE` for context, it's clearly`letsencrypt`. * fix: Correctly match wildcard results Now that the service configs are properly updated, when the services restart they will return a cert with the SAN `DNS:*.example.test`, which is valid for `mail.example.test`, however the test function did not properly account for this in the regexp query. Resolved by truncating the left-most DNS label from FQDN and adding a third check to match a returned wildcard DNS result. Extracted out the common logic to create the regexp query and renamed the methods to communicate more clearly that they check the FQDN is supported, not necessarily explicitly listed by the cert. * tests(letsencrypt): Enable remaining tests These will now pass. Adjusted comments accordingly. Added an additional test on a fake FQDN that should still be valid to a wildcard cert (SNI validation in a proper setup would reject the connection afterwards). Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2025-08-04 01:55:29 +02:00 · 2022-04-18 22:52:50 +12:00 · 2022-04-18 22:52:50 +12:00 · 1b1877f025
commit 1b1877f025
parent 412f675bfe
4 changed files with 97 additions and 84 deletions
--- a/test/test_helper/tls.bash
+++ b/test/test_helper/tls.bash
@ -52,7 +52,7 @@ function _negotiate_tls() {
  run docker exec "${CONTAINER_NAME}" sh -c "${CMD_OPENSSL_VERIFY}"
  assert_output --partial 'Verification: OK'

-  _should_have_fqdn_in_cert "${FQDN}" "${PORT}"
+  _should_support_fqdn_in_cert "${FQDN}" "${PORT}"
 }

 function _generate_openssl_cmd() {
@ -86,21 +86,23 @@ function _generate_openssl_cmd() {

 # ? --------------------------------------------- Verify FQDN

-
-function _should_have_fqdn_in_cert() {
+function _get_fqdn_match_query() {
  local FQDN
  FQDN=$(escape_fqdn "${1}")

-  _get_fqdns_for_cert "$@"
-  assert_output --regexp "Subject: CN = ${FQDN}|DNS:${FQDN}"
+  # 3rd check is for wildcard support by replacing the 1st DNS label of the FQDN with a `*`,
+  # eg: `mail.example.test` will become `*.example.test` matching `DNS:*.example.test`.
+  echo "Subject: CN = ${FQDN}|DNS:${FQDN}|DNS:\*\.${FQDN#*.}"
 }

-function _should_not_have_fqdn_in_cert() {
-  local FQDN
-  FQDN=$(escape_fqdn "${1}")
-
+function _should_support_fqdn_in_cert() {
  _get_fqdns_for_cert "$@"
-  refute_output --regexp "Subject: CN = ${FQDN}|DNS:${FQDN}"
+  assert_output --regexp "$(_get_fqdn_match_query "${1}")"
+}
+
+function _should_not_support_fqdn_in_cert() {
+  _get_fqdns_for_cert "$@"
+  refute_output --regexp "$(_get_fqdn_match_query "${1}")"
 }

 # Escapes `*` and `.` so the FQDN literal can be used in regex queries