Merge pull request srvrco#684 from srvrco/fix-host-idn-bug

Fix host idn bug

Author: timkimber

getssl

@@ -263,6 +263,7 @@
 # 2021-07-07 Request new certificate if SANs have changed (#669)(#673)
 # 2021-07-12 Do not redirect outputs on remote commands when the debug option is used (atisne)
 # 2021-07-20 Use +noidnout to enable certificates for IDN domains (#679)(2.37)
+# 2021-07-22 Only pass +noidnout param to dig/drill(#682)(2.38)
 # ----------------------------------------------------------------------------------------
 
 case :$SHELLOPTS: in
@@ -271,7 +272,7 @@ esac
 
 PROGNAME=${0##*/}
 PROGDIR="$(cd "$(dirname "$0")" || exit; pwd -P;)"
-VERSION="2.37"
+VERSION="2.38"
 
 # defaults
 ACCOUNT_KEY_LENGTH=4096
@@ -693,36 +694,35 @@ check_config() { # check the config files for all obvious errors
 
       # check domain exists using all DNS utilities. DNS_CHECK_OPTIONS may bind IP address or provide TSIG
 
-      # add +noidnout if idn-domain so search for domain in results works
-      if [[ "${d}" == xn--* || "${d}" == *".xn--"* ]]; then
-        if [[ "$HAS_DIG_OR_DRILL" != "dig" || "$DIG_SUPPORTS_NOIDNOUT" == "true" ]]; then
-          DNS_CHECK_OPTIONS="$DNS_CHECK_OPTIONS +noidnout"
-        fi
-      fi
-
       found_ip=false
       if [[ -n "$HAS_DIG_OR_DRILL" ]]; then
-        debug "DNS lookup using $HAS_DIG_OR_DRILL $DNS_CHECK_OPTIONS ${d}"
+        # add +noidnout if idn-domain so search for domain in results works
+        DIG_CHECK_OPTIONS="$DNS_CHECK_OPTIONS"
+        if [[ ("${d}" == xn--* || "${d}" == *".xn--"* ) && "$DIG_SUPPORTS_NOIDNOUT" == "true" ]]; then
+          DIG_CHECK_OPTIONS="$DNS_CHECK_OPTIONS +noidnout"
+        fi
+
+        debug "DNS lookup using $HAS_DIG_OR_DRILL $DIG_CHECK_OPTIONS ${d}"
         # shellcheck disable=SC2086
-        if [[ "$($HAS_DIG_OR_DRILL $DNS_CHECK_OPTIONS -t SOA "${d}" |grep -c -i "^${d}")" -ge 1 ]]; then
+        if [[ "$($HAS_DIG_OR_DRILL $DIG_CHECK_OPTIONS -t SOA "${d}" |grep -c -i "^${d}")" -ge 1 ]]; then
           found_ip=true
-        elif [[ "$($HAS_DIG_OR_DRILL $DNS_CHECK_OPTIONS -t A "${d}"|grep -c -i "^${d}")" -ge 1 ]]; then
+        elif [[ "$($HAS_DIG_OR_DRILL $DIG_CHECK_OPTIONS -t A "${d}"|grep -c -i "^${d}")" -ge 1 ]]; then
           found_ip=true
-        elif [[ "$($HAS_DIG_OR_DRILL $DNS_CHECK_OPTIONS -t AAAA "${d}"|grep -c -i "^${d}")" -ge 1 ]]; then
+        elif [[ "$($HAS_DIG_OR_DRILL $DIG_CHECK_OPTIONS -t AAAA "${d}"|grep -c -i "^${d}")" -ge 1 ]]; then
           found_ip=true
         fi
       fi
 
       if [[ "$HAS_HOST" == "true" ]]; then
-        debug "DNS lookup using host ${d}"
+        debug "DNS lookup using host $DNS_CHECK_OPTIONS ${d}"
         # shellcheck disable=SC2086
         if [[ "$(host $DNS_CHECK_OPTIONS "${d}" |grep -c -i "^${d}")" -ge 1 ]]; then
           found_ip=true
         fi
       fi
 
       if [[ "$HAS_NSLOOKUP" == "true" ]]; then
-        debug "DNS lookup using nslookup -query AAAA ${d}"
+        debug "DNS lookup using nslookup $DNS_CHECK_OPTIONS -query AAAA ${d}"
         # shellcheck disable=SC2086
         if [[ "$(nslookup $DNS_CHECK_OPTIONS -query=AAAA "${d}"|grep -c -i "^${d}.*has AAAA address")" -ge 1 ]]; then
           debug "found IPv6 record for ${d}"
@@ -1161,7 +1161,6 @@ find_dns_utils() {
     fi
 
     if [[ -n "$(command -v drill 2>/dev/null)" ]]; then
-        debug "HAS DIG_OR_DRILL=drill"
         HAS_DIG_OR_DRILL="drill"
     elif [[ -n "$(command -v dig 2>/dev/null)" ]] && dig >/dev/null 2>&1; then
         if dig -r >/dev/null 2>&1; then
@@ -1170,8 +1169,10 @@ find_dns_utils() {
         else
           HAS_DIG_OR_DRILL="dig"
         fi
+    fi
 
-        if dig +noidnout >/dev/null 2>&1; then
+    if [[ -n "$HAS_DIG_OR_DRILL" ]]; then
+        if $HAS_DIG_OR_DRILL +noidnout >/dev/null 2>&1; then
           DIG_SUPPORTS_NOIDNOUT=true
         fi
 

test/37-idn.bats

@@ -7,14 +7,13 @@ load '/getssl/test/test_helper.bash'
 setup_file() {
     if [ -z "$STAGING" ]; then
         export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
-        GETSSL_CMD_HOST=${GETSSL_HOST/getssl/xn--t-r1a81lydm69gz81r}
-        curl --silent -X POST -d '{"host":"'$GETSSL_CMD_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
+        curl --silent -X POST -d '{"host":"'$GETSSL_IDN_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
     fi
 }
 
 # This is run for every test
 setup() {
-    GETSSL_CMD_HOST=${GETSSL_HOST/getssl/xn--t-r1a81lydm69gz81r}
+    GETSSL_CMD_HOST=${GETSSL_IDN_HOST}
 
     # use the test description to move tools we don't want to test out of the way
     DNS_TOOL=${BATS_TEST_DESCRIPTION##*:}
@@ -39,7 +38,7 @@ teardown() {
 
 teardown_file() {
     if [ -z "$STAGING" ]; then
-        curl --silent -X POST -d '{"host":"'$GETSSL_CMD_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/clear-a
+        curl --silent -X POST -d '{"host":"'$GETSSL_IDN_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/clear-a
     fi
 }
 

test/38-idn-http01-check-noidnout.bats

@@ -0,0 +1,44 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+setup_file() {
+    if [ -z "$STAGING" ]; then
+        export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+        curl --silent -X POST -d '{"host":"'$GETSSL_IDN_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
+    fi
+}
+
+setup() {
+    GETSSL_CMD_HOST=$GETSSL_IDN_HOST
+}
+
+teardown_file() {
+    if [ -z "$STAGING" ]; then
+        curl --silent -X POST -d '{"host":"'$GETSSL_IDN_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/clear-a
+
+    fi
+}
+
+@test "Ensure noidnout in check_config isn't passed to host and nslookup (HTTP-01)" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+    CONFIG_FILE="getssl-http01.cfg"
+    setup_environment
+    init_getssl
+    cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+SANS="${GETSSL_HOST}"
+USE_SINGLE_ACL="true"
+EOF
+
+    create_certificate -d --check-config
+
+    assert_success
+    refute_output --partial "DNS lookup using host  +noidnout"
+    refute_output --partial "DNS lookup using nslookup  +noidnout"
+    refute_output --partial "+noidnout $GETSSL_HOST"
+    check_output_for_errors
+}

test/run-test.cmd

@@ -8,11 +8,11 @@ SET COMMAND=%2 %3
 
 :CheckAlias
 REM check if OS *contains* staging
+SET GETSSL_IDN_HOST=%OS%.xn--t-r1a81lydm69gz81r.test
 IF NOT x%OS:duck=%==x%OS% GOTO duckdns
 IF NOT x%OS:dynu=%==x%OS% GOTO dynu
 IF NOT x%OS:bash=%==x%OS% GOTO bash
 SET ALIAS=%OS%.getssl.test
-SET IDN=%OS%.xn--t-r1a81lydm69gz81r.test
 SET STAGING=
 SET GETSSL_OS=%OS%
 GOTO Run
@@ -51,12 +51,13 @@ IF %ErrorLevel% EQU 1 GOTO End
 @echo on
 docker run -it ^
   --env GETSSL_HOST=%ALIAS% %STAGING% ^
+  --env GETSSL_IDN_HOST=%GETSSL_IDN_HOST% ^
   --env GETSSL_OS=%GETSSL_OS% ^
   -v %cd%:/getssl ^
   --rm ^
   --network %CurrDirName%_acmenet ^
   --network-alias %ALIAS% ^
-  --network-alias %IDN% ^
+  --network-alias %GETSSL_IDN_HOST% ^
   --network-alias a.%OS%.getssl.test ^
   --network-alias b.%OS%.getssl.test ^
   --network-alias c.%OS%.getssl.test ^

test/run-test.sh

@@ -15,7 +15,7 @@ else
 fi
 
 ALIAS="$OS.getssl.test"
-IDN="$OS.xn--t-r1a81lydm69gz81r.test"
+GETSSL_IDN_HOST="$OS.xn--t-r1a81lydm69gz81r.test"
 STAGING=""
 GETSSL_OS=$OS
 
@@ -35,12 +35,13 @@ docker build --rm -f "test/Dockerfile-$OS" -t "getssl-$OS" .
 # shellcheck disable=SC2086
 docker run \
   --env GETSSL_HOST=$ALIAS $STAGING \
+  --env GETSSL_IDN_HOST=$GETSSL_IDN_HOST \
   --env GETSSL_OS=$GETSSL_OS \
   -v "$(pwd)":/getssl \
   --rm \
   --network ${PWD##*/}_acmenet \
   --network-alias $ALIAS \
-  --network-alias $IDN \
+  --network-alias $GETSSL_IDN_HOST \
   --network-alias "a.$OS.getssl.test" \
   --network-alias "b.$OS.getssl.test" \
   --network-alias "c.$OS.getssl.test" \

test/test_helper.bash

@@ -47,7 +47,7 @@ create_certificate() {
   # Create certificate
   cp "${CODE_DIR}/test/test-config/${CONFIG_FILE}" "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl.cfg"
   # shellcheck disable=SC2086
-  run ${CODE_DIR}/getssl $1 "$GETSSL_CMD_HOST"
+  run ${CODE_DIR}/getssl "$@" "$GETSSL_CMD_HOST"
 }
 
 init_getssl() {