diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 212f443..f61653d 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -20,7 +20,7 @@ jobs: - centos - alpine - ubuntu - - openresty1.13 + - openresty1.21 - lua51 steps: - uses: actions/checkout@v1 diff --git a/Dockerfile-test b/Dockerfile-test index b044892..a3f5642 100644 --- a/Dockerfile-test +++ b/Dockerfile-test @@ -1,9 +1,8 @@ -FROM openresty/openresty:1.15.8.1-4-centos +FROM openresty/openresty:1.21.4.1-0-centos # Runtime dependencies RUN yum -y install \ bash \ - coreutils \ curl \ diffutils \ grep \ @@ -25,8 +24,10 @@ RUN yum -y install epel-release && \ lua \ procps-ng \ redis \ - sudo \ - https://bin.equinox.io/a/6iuHhJeWypm/ngrok-2.3.34-linux-amd64.rpm + sudo +RUN curl -fsSL -o /tmp/ngrok.tar.gz https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-linux-amd64.tgz && \ + tar -xvf /tmp/ngrok.tar.gz -C /usr/local/bin/ && \ + rm -f /tmp/ngrok.tar.gz RUN mkdir /app WORKDIR /app diff --git a/Dockerfile-test-alpine b/Dockerfile-test-alpine index 0d2d56d..e42de6b 100644 --- a/Dockerfile-test-alpine +++ b/Dockerfile-test-alpine @@ -1,4 +1,4 @@ -FROM openresty/openresty:1.15.8.2-1-alpine-fat +FROM openresty/openresty:1.21.4.1-0-alpine-fat RUN mkdir /app WORKDIR /app @@ -27,11 +27,10 @@ RUN apk add --no-cache \ redis \ sudo \ tzdata \ - wget && \ - curl -fsSL -o /tmp/ngrok.tar.gz https://bin.equinox.io/a/naDTyS8Kyxv/ngrok-2.3.34-linux-386.tar.gz && \ + wget +RUN curl -fsSL -o /tmp/ngrok.tar.gz https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-linux-386.tgz && \ tar -xvf /tmp/ngrok.tar.gz -C /usr/local/bin/ && \ - rm -f /tmp/ngrok.tar.gz && \ - chmod +x /usr/local/bin/ngrok + rm -f /tmp/ngrok.tar.gz COPY Makefile /app/Makefile RUN make install-test-deps diff --git a/Dockerfile-test-lua51 b/Dockerfile-test-lua51 index 4509620..bfedf12 100644 --- a/Dockerfile-test-lua51 +++ b/Dockerfile-test-lua51 
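Review bot: The new `RUN curl -fsSL -o /tmp/ngrok.tar.gz https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-linux-amd64.tgz` step in Dockerfile-test unpacks a download into /usr/local/bin with no integrity check. The `v3-stable` name also looks like a moving target, whereas the removed line pinned 2.3.34. Pin a specific release archive and verify it before extracting, for example `echo "<EXPECTED_SHA256>  /tmp/ngrok.tar.gz" | sha256sum -c -` between the curl and the tar. Naming the member to extract (`tar -xzf /tmp/ngrok.tar.gz -C /usr/local/bin/ ngrok`, assuming the binary is called `ngrok` as the removed alpine `chmod` line suggests) keeps an unexpected archive from placing other files on PATH. The same step is added in Dockerfile-test-alpine, Dockerfile-test-lua51 and Dockerfile-test-openresty1.21.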
@@ -1,9 +1,8 @@ -FROM openresty/openresty:1.11.2.1-centos +FROM openresty/openresty:1.21.4.1-0-centos # Runtime dependencies RUN yum -y install \ bash \ - coreutils \ curl \ diffutils \ grep \ @@ -22,8 +21,10 @@ RUN yum -y install epel-release && \ lua \ procps-ng \ redis \ - sudo \ - https://bin.equinox.io/a/6iuHhJeWypm/ngrok-2.3.34-linux-amd64.rpm + sudo +RUN curl -fsSL -o /tmp/ngrok.tar.gz https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-linux-amd64.tgz && \ + tar -xvf /tmp/ngrok.tar.gz -C /usr/local/bin/ && \ + rm -f /tmp/ngrok.tar.gz ENV PATH /usr/local/openresty/luajit/bin:/usr/local/openresty/bin:/usr/local/openresty/nginx/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin ENV TEST_NGINX_RESOLVER 127.0.0.11 ipv6=off diff --git a/Dockerfile-test-openresty1.13 b/Dockerfile-test-openresty1.21 similarity index 74% rename from Dockerfile-test-openresty1.13 rename to Dockerfile-test-openresty1.21 index 3a285d3..6c7f3cc 100644 --- a/Dockerfile-test-openresty1.13 +++ b/Dockerfile-test-openresty1.21 @@ -1,9 +1,8 @@ -FROM openresty/openresty:1.13.6.2-2-centos +FROM openresty/openresty:1.21.4.1-0-centos # Runtime dependencies RUN yum -y install \ bash \ - coreutils \ curl \ diffutils \ grep \ @@ -22,8 +21,10 @@ RUN yum -y install epel-release && \ lua \ procps-ng \ redis \ - sudo \ - https://bin.equinox.io/a/6iuHhJeWypm/ngrok-2.3.34-linux-amd64.rpm + sudo +RUN curl -fsSL -o /tmp/ngrok.tar.gz https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-linux-amd64.tgz && \ + tar -xvf /tmp/ngrok.tar.gz -C /usr/local/bin/ && \ + rm -f /tmp/ngrok.tar.gz RUN mkdir /app WORKDIR /app diff --git a/Dockerfile-test-ubuntu b/Dockerfile-test-ubuntu index fff7566..9756af0 100644 --- a/Dockerfile-test-ubuntu +++ b/Dockerfile-test-ubuntu @@ -1,4 +1,4 @@ -FROM openresty/openresty:1.15.8.2-1-bionic +FROM openresty/openresty:1.21.4.1-0-jammy ENV DEBIAN_FRONTEND noninteractive 
@@ -6,7 +6,6 @@ ENV DEBIAN_FRONTEND noninteractive RUN apt-get update && \ apt-get -y install \ bash \ - coreutils \ curl \ diffutils \ grep \ @@ -22,13 +21,17 @@ RUN apt-get update && \ apt-get -y install \ git \ lsof \ - lua5.2 \ + lua5.4 \ redis-server \ sudo \ - tzdata && \ - curl -fsSL -o /tmp/ngrok.deb https://bin.equinox.io/a/b2wQezFbsHk/ngrok-2.3.34-linux-amd64.deb && \ - dpkg -i /tmp/ngrok.deb || apt-get -fy install && \ - rm -f /tmp/ngrok.deb + tzdata \ + bsdmainutils +RUN curl -s https://ngrok-agent.s3.amazonaws.com/ngrok.asc | \ + sudo tee /etc/apt/trusted.gpg.d/ngrok.asc >/dev/null && \ + echo "deb https://ngrok-agent.s3.amazonaws.com buster main" | \ + sudo tee /etc/apt/sources.list.d/ngrok.list && \ + sudo apt update && \ + sudo apt install ngrok RUN mkdir /app WORKDIR /app diff --git a/Makefile b/Makefile index 0636d73..4478f34 100644 --- a/Makefile +++ b/Makefile @@ -1,7 +1,7 @@ ROOT_DIR:=$(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) BUILD_DIR?=$(ROOT_DIR)/build -DEHYDRATED_VERSION:=05eda91a2fbaed1e13c733230238fc68475c535e +DEHYDRATED_VERSION:=ea841998631561543357f032fa7c06598c34d517 LUA_RESTY_SHELL_VERSION:=955243d70506c21e7cc29f61d745d1a8a718994f SOCKPROC_VERSION:=92aba736027bb5d96e190b71555857ac5bb6b2be 
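Review bot: In Dockerfile-test-ubuntu the ngrok key is written to `/etc/apt/trusted.gpg.d/ngrok.asc`, which makes it trusted for every configured apt source rather than only the ngrok repository. `curl -s` without `-f` will also save an HTTP error body as the key file. Scope the key with signed-by: fetch it with `curl -fsSL https://ngrok-agent.s3.amazonaws.com/ngrok.asc -o /usr/share/keyrings/ngrok.asc` and declare the source as `deb [signed-by=/usr/share/keyrings/ngrok.asc] https://ngrok-agent.s3.amazonaws.com buster main`. The install should be `apt-get update && apt-get -y install ngrok`, because `apt install` without `-y` can stop at a confirmation prompt in a non-interactive build. The `sudo` prefixes are unnecessary if the RUN step already runs as root (no USER line is visible in this hunk).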
@@ -95,11 +95,11 @@ install-test-deps: luarocks --tree=/tmp/resty-auto-ssl-test-luarocks install busted 2.0.0-1 luarocks --tree=/tmp/resty-auto-ssl-test-luarocks install etlua 1.3.0-1 luarocks --tree=/tmp/resty-auto-ssl-test-luarocks install inspect 3.1.1-0 - luarocks --tree=/tmp/resty-auto-ssl-test-luarocks install lua-resty-http 0.15-0 + luarocks --tree=/tmp/resty-auto-ssl-test-luarocks install lua-resty-http 0.17.1-0 luarocks --tree=/tmp/resty-auto-ssl-test-luarocks install luacheck 0.23.0-1 luarocks --tree=/tmp/resty-auto-ssl-test-luarocks install luaposix 34.1.1-1 luarocks --tree=/tmp/resty-auto-ssl-test-luarocks install penlight 1.5.4-1 - luarocks install luarocks-fetch-gitrec && luarocks --tree=/tmp/resty-auto-ssl-test-luarocks install process 1.9.0-1 + luarocks install luarocks-fetch-gitrec && luarocks --tree=/tmp/resty-auto-ssl-test-luarocks install process 1.9.1-1 luarocks --tree=/tmp/resty-auto-ssl-test-luarocks install shell-games 1.0.1-1 lint: diff --git a/docker-compose.yml b/docker-compose.yml index abfa231..7942fcb 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -36,13 +36,13 @@ services: - ubuntu_build_cache:/app/build sysctls: net.core.somaxconn: 1024 - openresty1.13: + openresty1.21: build: context: . - dockerfile: Dockerfile-test-openresty1.13 + dockerfile: Dockerfile-test-openresty1.21 volumes: - .:/app - - openresty1.13_build_cache:/app/build + - openresty1.21_build_cache:/app/build sysctls: net.core.somaxconn: 1024 lua51: @@ -59,5 +59,5 @@ volumes: centos_build_cache: alpine_build_cache: ubuntu_build_cache: - openresty1.13_build_cache: + openresty1.21_build_cache: lua51_build_cache: diff --git a/lib/resty/auto-ssl/ssl_certificate.lua b/lib/resty/auto-ssl/ssl_certificate.lua index ab71cfd..22a1d29 100644 --- a/lib/resty/auto-ssl/ssl_certificate.lua +++ b/lib/resty/auto-ssl/ssl_certificate.lua 
@@ -207,9 +207,24 @@ local function get_ocsp_response(fullchain_der, auto_ssl_instance) return ocsp_resp end -local function set_ocsp_stapling(domain, cert_der, auto_ssl_instance) - -- Fetch the OCSP stapling response from the cache, or make the request to - -- fetch it. +local function get_ocsp_response_unlock(local_lock) + local _, local_unlock_err = local_lock:unlock() + if local_unlock_err then + ngx.log(ngx.ERR, "auto-ssl: failed to unlock: ", local_unlock_err) + end +end + +local function get_ocsp_response_lock(domain, cert_der, auto_ssl_instance) + -- Before issuing a cert, create a local lock to ensure multiple workers + -- don't simultaneously try to get OCSP response for the same cert. + local local_lock, new_local_lock_err = lock:new("auto_ssl", { exptime = 30, timeout = 5 }) + if new_local_lock_err then + return nil, "auto-ssl: failed to create lock: " .. (new_local_lock_err or "") + end + local _, local_lock_err = local_lock:lock("set_ocsp_stapling:" .. domain) + if local_lock_err then + return nil, "auto-ssl: failed to obtain lock: " .. (local_lock_err or "") + end local ocsp_resp = ngx.shared.auto_ssl:get("domain:ocsp:" .. domain) if not ocsp_resp then -- If the certificate was just issued on the current request, wait 1 second @@ -222,7 +237,8 @@ local function set_ocsp_stapling(domain, cert_der, auto_ssl_instance) local ocsp_response_err ocsp_resp, ocsp_response_err = get_ocsp_response(cert_der["fullchain_der"], auto_ssl_instance) if ocsp_response_err then - return false, "failed to get ocsp response: " .. (ocsp_response_err or "") + get_ocsp_response_unlock(local_lock) + return nil, "failed to get ocsp response: " .. (ocsp_response_err or "") end -- Cache the OCSP stapling response for 1 hour (this is what nginx does by 
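Review bot: `get_ocsp_response_lock` releases the lock only on the two paths visible here, the `ocsp_response_err` return and the end of the function. If `get_ocsp_response` or the cache write raises instead of returning an error, the lock stays held until `exptime = 30` and other handshakes for the domain wait out `timeout = 5`. Whether those calls can raise is not visible from the hunk; wrapping the fetch in `pcall` makes the release unconditional. The function body continues between this hunk and the next, so any early return in those lines needs the same `get_ocsp_response_unlock(local_lock)` call. A short comment above the function stating that it returns the response or `nil, err` would also help, since `set_ocsp_stapling` relies on that contract.

```lua
    -- … unchanged: 1 second wait for a newly issued certificate …
    local call_ok, fetched, ocsp_response_err = pcall(get_ocsp_response, cert_der["fullchain_der"], auto_ssl_instance)
    if not call_ok then
      -- pcall puts the raised error in the second return slot
      ocsp_response_err = fetched
    end
    if not call_ok or ocsp_response_err then
      get_ocsp_response_unlock(local_lock)
      return nil, "failed to get ocsp response: " .. tostring(ocsp_response_err or "")
    end
    ocsp_resp = fetched
    -- … unchanged: cache the response in ngx.shared.auto_ssl …
```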
@@ -235,6 +251,23 @@ local function set_ocsp_stapling(domain, cert_der, auto_ssl_instance) end end + get_ocsp_response_unlock(local_lock) + + return ocsp_resp +end + +local function set_ocsp_stapling(domain, cert_der, auto_ssl_instance) + -- Fetch the OCSP stapling response from the cache, or make the request to + -- fetch it. + local ocsp_resp = ngx.shared.auto_ssl:get("domain:ocsp:" .. domain) + if not ocsp_resp then + local ocsp_response_err + ocsp_resp, ocsp_response_err = get_ocsp_response_lock(domain, cert_der, auto_ssl_instance) + if not ocsp_resp then + return false, ocsp_response_err + end + end + -- Set the OCSP stapling response. local ok, ocsp_status_err = ocsp.set_ocsp_status_resp(ocsp_resp) if not ok then diff --git a/spec/certs/letsencrypt-stg-root-x1.pem b/spec/certs/letsencrypt-stg-root-x1.pem new file mode 100644 index 0000000..37655b2 --- /dev/null +++ b/spec/certs/letsencrypt-stg-root-x1.pem 
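Review bot: A failed fetch is never recorded, so while the responder is failing every handshake for the domain misses the cache in `set_ocsp_stapling` and goes through `get_ocsp_response_lock` again, one at a time. With a slow or unreachable responder (timing inferred, the HTTP timeout is not visible here) each waiting handshake can block for up to the lock `timeout = 5` before continuing without a staple. Consider writing a short-lived failure marker on the error path, e.g. `ngx.shared.auto_ssl:set("domain:ocsp_failed:" .. domain, true, 60)` (key name and TTL are illustrative), and returning `false` early from `set_ocsp_stapling` while it is present. Separately, the lock errors already start with `auto-ssl: `, which the caller's log line appears to prepend again, judging by the expected message in spec/proxy_spec.lua.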
@@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFmDCCA4CgAwIBAgIQU9C87nMpOIFKYpfvOHFHFDANBgkqhkiG9w0BAQsFADBm +MQswCQYDVQQGEwJVUzEzMDEGA1UEChMqKFNUQUdJTkcpIEludGVybmV0IFNlY3Vy +aXR5IFJlc2VhcmNoIEdyb3VwMSIwIAYDVQQDExkoU1RBR0lORykgUHJldGVuZCBQ +ZWFyIFgxMB4XDTE1MDYwNDExMDQzOFoXDTM1MDYwNDExMDQzOFowZjELMAkGA1UE +BhMCVVMxMzAxBgNVBAoTKihTVEFHSU5HKSBJbnRlcm5ldCBTZWN1cml0eSBSZXNl +YXJjaCBHcm91cDEiMCAGA1UEAxMZKFNUQUdJTkcpIFByZXRlbmQgUGVhciBYMTCC +AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALbagEdDTa1QgGBWSYkyMhsc +ZXENOBaVRTMX1hceJENgsL0Ma49D3MilI4KS38mtkmdF6cPWnL++fgehT0FbRHZg +jOEr8UAN4jH6omjrbTD++VZneTsMVaGamQmDdFl5g1gYaigkkmx8OiCO68a4QXg4 +wSyn6iDipKP8utsE+x1E28SA75HOYqpdrk4HGxuULvlr03wZGTIf/oRt2/c+dYmD +oaJhge+GOrLAEQByO7+8+vzOwpNAPEx6LW+crEEZ7eBXih6VP19sTGy3yfqK5tPt +TdXXCOQMKAp+gCj/VByhmIr+0iNDC540gtvV303WpcbwnkkLYC0Ft2cYUyHtkstO +fRcRO+K2cZozoSwVPyB8/J9RpcRK3jgnX9lujfwA/pAbP0J2UPQFxmWFRQnFjaq6 +rkqbNEBgLy+kFL1NEsRbvFbKrRi5bYy2lNms2NJPZvdNQbT/2dBZKmJqxHkxCuOQ +FjhJQNeO+Njm1Z1iATS/3rts2yZlqXKsxQUzN6vNbD8KnXRMEeOXUYvbV4lqfCf8 +mS14WEbSiMy87GB5S9ucSV1XUrlTG5UGcMSZOBcEUpisRPEmQWUOTWIoDQ5FOia/ +GI+Ki523r2ruEmbmG37EBSBXdxIdndqrjy+QVAmCebyDx9eVEGOIpn26bW5LKeru +mJxa/CFBaKi4bRvmdJRLAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMB +Af8EBTADAQH/MB0GA1UdDgQWBBS182Xy/rAKkh/7PH3zRKCsYyXDFDANBgkqhkiG +9w0BAQsFAAOCAgEAncDZNytDbrrVe68UT6py1lfF2h6Tm2p8ro42i87WWyP2LK8Y +nLHC0hvNfWeWmjZQYBQfGC5c7aQRezak+tHLdmrNKHkn5kn+9E9LCjCaEsyIIn2j +qdHlAkepu/C3KnNtVx5tW07e5bvIjJScwkCDbP3akWQixPpRFAsnP+ULx7k0aO1x +qAeaAhQ2rgo1F58hcflgqKTXnpPM02intVfiVVkX5GXpJjK5EoQtLceyGOrkxlM/ +sTPq4UrnypmsqSagWV3HcUlYtDinc+nukFk6eR4XkzXBbwKajl0YjztfrCIHOn5Q +CJL6TERVDbM/aAPly8kJ1sWGLuvvWYzMYgLzDul//rUF10gEMWaXVZV51KpS9DY/ +5CunuvCXmEQJHo7kGcViT7sETn6Jz9KOhvYcXkJ7po6d93A/jy4GKPIPnsKKNEmR +xUuXY4xRdh45tMJnLTUDdC9FIU0flTeO9/vNpVA8OPU1i14vCz+MU8KX1bV3GXm/ +fxlB7VBBjX9v5oUep0o/j68R/iDlCOM4VVfRa8gX6T2FU7fNdatvGro7uQzIvWof +gN9WUwCbEMBy/YhBSrXycKA8crgGg3x1mIsopn88JKwmMBa68oS7EHM9w7C4y71M 
+7DiA+/9Qdp9RBWJpTS9i/mDnJg1xvo8Xz49mrrgfmcAXTCJqXi24NatI3Oc= +-----END CERTIFICATE----- diff --git a/spec/certs/letsencrypt_staging_chain.pem b/spec/certs/letsencrypt_staging_chain.pem deleted file mode 100644 index 1c458f4..0000000 --- a/spec/certs/letsencrypt_staging_chain.pem +++ /dev/null 
@@ -1,56 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFATCCAumgAwIBAgIRAKc9ZKBASymy5TLOEp57N98wDQYJKoZIhvcNAQELBQAw -GjEYMBYGA1UEAwwPRmFrZSBMRSBSb290IFgxMB4XDTE2MDMyMzIyNTM0NloXDTM2 -MDMyMzIyNTM0NlowGjEYMBYGA1UEAwwPRmFrZSBMRSBSb290IFgxMIICIjANBgkq -hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA+pYHvQw5iU3v2b3iNuYNKYgsWD6KU7aJ -diddtZQxSWYzUI3U0I1UsRPTxnhTifs/M9NW4ZlV13ZfB7APwC8oqKOIiwo7IwlP -xg0VKgyz+kT8RJfYr66PPIYP0fpTeu42LpMJ+CKo9sbpgVNDZN2z/qiXrRNX/VtG -TkPV7a44fZ5bHHVruAxvDnylpQxJobtCBWlJSsbIRGFHMc2z88eUz9NmIOWUKGGj -EmP76x8OfRHpIpuxRSCjn0+i9+hR2siIOpcMOGd+40uVJxbRRP5ZXnUFa2fF5FWd -O0u0RPI8HON0ovhrwPJY+4eWKkQzyC611oLPYGQ4EbifRsTsCxUZqyUuStGyp8oa -aoSKfF6X0+KzGgwwnrjRTUpIl19A92KR0Noo6h622OX+4sZiO/JQdkuX5w/HupK0 -A0M0WSMCvU6GOhjGotmh2VTEJwHHY4+TUk0iQYRtv1crONklyZoAQPD76hCrC8Cr -IbgsZLfTMC8TWUoMbyUDgvgYkHKMoPm0VGVVuwpRKJxv7+2wXO+pivrrUl2Q9fPe -Kk055nJLMV9yPUdig8othUKrRfSxli946AEV1eEOhxddfEwBE3Lt2xn0hhiIedbb -Ftf/5kEWFZkXyUmMJK8Ra76Kus2ABueUVEcZ48hrRr1Hf1N9n59VbTUaXgeiZA50 -qXf2bymE6F8CAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMB -Af8wHQYDVR0OBBYEFMEmdKSKRKDm+iAo2FwjmkWIGHngMA0GCSqGSIb3DQEBCwUA -A4ICAQBCPw74M9X/Xx04K1VAES3ypgQYH5bf9FXVDrwhRFSVckria/7dMzoF5wln -uq9NGsjkkkDg17AohcQdr8alH4LvPdxpKr3BjpvEcmbqF8xH+MbbeUEnmbSfLI8H -sefuhXF9AF/9iYvpVNC8FmJ0OhiVv13VgMQw0CRKkbtjZBf8xaEhq/YqxWVsgOjm -dm5CAQ2X0aX7502x8wYRgMnZhA5goC1zVWBVAi8yhhmlhhoDUfg17cXkmaJC5pDd -oenZ9NVhW8eDb03MFCrWNvIh89DDeCGWuWfDltDq0n3owyL0IeSn7RfpSclpxVmV -/53jkYjwIgxIG7Gsv0LKMbsf6QdBcTjhvfZyMIpBRkTe3zuHd2feKzY9lEkbRvRQ -zbh4Ps5YBnG6CKJPTbe2hfi3nhnw/MyEmF3zb0hzvLWNrR9XW3ibb2oL3424XOwc -VjrTSCLzO9Rv6s5wi03qoWvKAQQAElqTYRHhynJ3w6wuvKYF5zcZF3MDnrVGLbh1 -Q9ePRFBCiXOQ6wPLoUhrrbZ8LpFUFYDXHMtYM7P9sc9IAWoONXREJaO08zgFtMp4 -8iyIYUyQAbsvx8oD2M8kRvrIRSrRJSl6L957b4AFiLIQ/GgV2curs0jje7Edx34c -idWw1VrejtwclobqNMVtG3EiPUIpJGpbMcJgbiLSmKkrvQtGng== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIEqTCCApGgAwIBAgIRAIvhKg5ZRO08VGQx8JdhT+QwDQYJKoZIhvcNAQELBQAw 
-GjEYMBYGA1UEAwwPRmFrZSBMRSBSb290IFgxMB4XDTE2MDMyMzIyNTkwNFoXDTM2 -MDMyMzIyNTkwNFowIjEgMB4GA1UEAwwXRmFrZSBMRSBJbnRlcm1lZGlhdGUgWDEw -ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDtWKySDn7rWZc5ggjz3ZB0 -8jO4xti3uzINfD5sQ7Lj7hzetUT+wQob+iXSZkhnvx+IvdbXF5/yt8aWPpUKnPym -oLxsYiI5gQBLxNDzIec0OIaflWqAr29m7J8+NNtApEN8nZFnf3bhehZW7AxmS1m0 -ZnSsdHw0Fw+bgixPg2MQ9k9oefFeqa+7Kqdlz5bbrUYV2volxhDFtnI4Mh8BiWCN -xDH1Hizq+GKCcHsinDZWurCqder/afJBnQs+SBSL6MVApHt+d35zjBD92fO2Je56 -dhMfzCgOKXeJ340WhW3TjD1zqLZXeaCyUNRnfOmWZV8nEhtHOFbUCU7r/KkjMZO9 -AgMBAAGjgeEwgd4wDgYDVR0PAQH/BAQDAgGGMBIGA1UdEwEB/wQIMAYBAf8CAQAw -HQYDVR0OBBYEFMDMA0a5WCDMXHJw8+EuyyCm9Wg6MHgGCCsGAQUFBwEBBGwwajAz -BggrBgEFBQcwAYYnaHR0cDovL29jc3Auc3RnLWludC14MS5sZXRzZW5jcnlwdC5v -cmcvMDMGCCsGAQUFBzAChidodHRwOi8vY2VydC5zdGctaW50LXgxLmxldHNlbmNy -eXB0Lm9yZy8wHwYDVR0jBBgwFoAUwSZ0pIpEoOb6ICjYXCOaRYgYeeAwDQYJKoZI -hvcNAQELBQADggIBAHODDwZVaO5EqEYoVvEPPzaZas5BNVRHUAdc+xNg4oKACBAW -o3mnX1tKr9lsWSDxLrCE7y+mdRq37PKzapEaL1q8KYXgzI1Ua7JeyOvCs4IMmhSZ -HLSJMFgAv77nD28kB6teMlJI+NxmvD5cmsDl+1C2D862DFuiy3R/80c++ZIqfWg3 -CvsQmwx0bategh3cT8mPwQEdRW0LpgomT37kSxZSGn9TzPXQ+NSvD/CpEF0mVQWM -09aiOE3QWg8BpdzxpbbmEhtWv4MNU1U3iyYNjaPzqD1J3R/7IjJmsNbDY5XKoqIB -AeHPisSzP8CdCwQpJC8rBDefUfrbYqvhWuCff+amrUe01nvp9jtWefwUWWSwcjEg -xYwz2vt6TgLNw5wBWk854x6yc323se/Wp7u7F9lguCRIUMPVH9MfBzR1wyUfpbZa -eFVPFkHQsKv5ydKNQlk8fO97xXhpK4yueMNLnjbWEDKnEvJtCsbqlQm3XHWvqhz9 -B/V1c95n8Z9Av2uVZ5HvZKnA9OXi4WF1ES6hkiFzom/exWxBxd+skh6yJuX1edpX -L5TSN5XTa5OPONWh3AQfz7/0aenJNhyPJ4687pwQpGir4ctvT1k3enSRNqO6Vwxv -0BB50f7tpC0k/XzGyQyCVXo6jjDv1057VbZTUB+Y7BzXvcm7aglHPA71K3nW ------END CERTIFICATE----- diff --git a/spec/config/busted-nginx.conf b/spec/config/busted-nginx.conf index c21b5c7..4ff94c1 100644 --- a/spec/config/busted-nginx.conf +++ b/spec/config/busted-nginx.conf 
@@ -1,3 +1,3 @@ -lua_ssl_trusted_certificate /app/spec/certs/letsencrypt_staging_chain.pem; +lua_ssl_trusted_certificate /app/spec/certs/letsencrypt-stg-root-x1.pem; lua_ssl_verify_depth 5; lua_shared_dict test_counts 128k; diff --git a/spec/proxy_spec.lua b/spec/proxy_spec.lua index 8c7c2b3..726d700 100644 --- a/spec/proxy_spec.lua +++ b/spec/proxy_spec.lua @@ -44,7 +44,7 @@ describe("proxy", function() local error_log = server.read_error_log() assert.matches("auto-ssl: issuing new certificate for " .. server.ngrok_hostname, error_log, nil, true) assert.matches("http proxy auth: Basic ZGVtbzp0ZXN0", error_log, nil, true) - assert.matches("auto-ssl: failed to set ocsp stapling for " .. server.ngrok_hostname .. " - continuing anyway - failed to get ocsp response: OCSP responder returns bad response body (http://ocsp.stg-int-x1.letsencrypt.org): ,", error_log, nil, true) + assert.matches("auto-ssl: failed to set ocsp stapling for " .. server.ngrok_hostname .. " - continuing anyway - failed to get ocsp response: OCSP responder returns bad response body (http://stg-e1.o.lencr.org): ,", error_log, nil, true) assert.Not.matches("[warn]", error_log, nil, true) assert.matches("[error]", error_log, nil, true) assert.Not.matches("[alert]", error_log, nil, true) diff --git a/spec/support/server.lua b/spec/support/server.lua index d41cc7a..490cdd5 100644 --- a/spec/support/server.lua +++ b/spec/support/server.lua 
@@ -49,12 +49,12 @@ end local function start_ngrok() if not _M.ngrok_hostname then assert(dir.makepath(_M.ngrok_test_dir)) - local ngrok_process, exec_err = process.exec("ngrok", { "http", "9080", "--log", _M.ngrok_test_dir .. "/ngrok.log", "--log-format", "logfmt", "--log-level", "debug" }) + local ngrok_process, exec_err = process.exec("ngrok", { "http", "9080", "--scheme", "http", "--log", _M.ngrok_test_dir .. "/ngrok.log", "--log-format", "logfmt", "--log-level", "debug" }) assert(not exec_err, exec_err) _M.ngrok_process = ngrok_process local log = log_tail.new(_M.ngrok_test_dir .. "/ngrok.log") - local ok, output = log:read_until("start tunnel listen.*Hostname:[a-z0-9]+.ngrok.io") + local ok, output = log:read_until("started tunnel.*url=https?://[a-z0-9-]+.ngrok.io") if not ok then print(ngrok_process:stdout()) print(ngrok_process:stderr()) @@ -68,7 +68,7 @@ local function start_ngrok() error("ngrok did not startup as expected") end - local matches, match_err = ngx.re.match(output, "Hostname:([a-z0-9]+.ngrok.io)", "jo") + local matches, match_err = ngx.re.match(output, "url=https?://([a-z0-9-]+.ngrok.io)", "jo") assert(not match_err, match_err) _M.ngrok_hostname = matches[1] end
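Review bot: In the second hunk `matches[1]` is indexed without checking that `ngx.re.match` found anything. It returns nil with no error on a non-match, so a log line that satisfies `read_until` but not this regex fails with an index-nil error instead of a readable message; add `assert(matches, "ngrok hostname not found in log output")` before the assignment. In both new patterns the dots in `.ngrok.io` are unescaped and match any character. In the `ngx.re.match` call write `\\.ngrok\\.io` so the captured hostname is tied to the real suffix; the `read_until` pattern syntax is not visible here, so escape it in whatever form `log_tail` expects. `start_ngrok` continues outside these hunks.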