Upgrade libraries to pass the test

.github/workflows/main.yml

@@ -20,7 +20,7 @@ jobs:
           - centos
           - alpine
           - ubuntu
-          - openresty1.13
+          - openresty1.21
           - lua51
     steps:
       - uses: actions/checkout@v1

Dockerfile-test

@@ -1,9 +1,8 @@
-FROM openresty/openresty:1.15.8.1-4-centos
+FROM openresty/openresty:1.21.4.1-0-centos
 
 # Runtime dependencies
 RUN yum -y install \
   bash \
-  coreutils \
   curl \
   diffutils \
   grep \
@@ -25,8 +24,10 @@ RUN yum -y install epel-release && \
     lua \
     procps-ng \
     redis \
-    sudo \
-    https://bin.equinox.io/a/6iuHhJeWypm/ngrok-2.3.34-linux-amd64.rpm
+    sudo
+RUN curl -fsSL -o /tmp/ngrok.tar.gz https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-linux-amd64.tgz && \
+  tar -xvf /tmp/ngrok.tar.gz -C /usr/local/bin/ && \
+  rm -f /tmp/ngrok.tar.gz
 
 RUN mkdir /app
 WORKDIR /app

Dockerfile-test-alpine

@@ -1,4 +1,4 @@
-FROM openresty/openresty:1.15.8.2-1-alpine-fat
+FROM openresty/openresty:1.21.4.1-0-alpine-fat
 
 RUN mkdir /app
 WORKDIR /app
@@ -27,11 +27,10 @@ RUN apk add --no-cache \
     redis \
     sudo \
     tzdata \
-    wget && \
-  curl -fsSL -o /tmp/ngrok.tar.gz https://bin.equinox.io/a/naDTyS8Kyxv/ngrok-2.3.34-linux-386.tar.gz && \
+    wget
+RUN curl -fsSL -o /tmp/ngrok.tar.gz https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-linux-386.tgz && \
   tar -xvf /tmp/ngrok.tar.gz -C /usr/local/bin/ && \
-  rm -f /tmp/ngrok.tar.gz && \
-  chmod +x /usr/local/bin/ngrok
+  rm -f /tmp/ngrok.tar.gz
 
 COPY Makefile /app/Makefile
 RUN make install-test-deps

Dockerfile-test-lua51

@@ -1,9 +1,8 @@
-FROM openresty/openresty:1.11.2.1-centos
+FROM openresty/openresty:1.21.4.1-0-centos
 
 # Runtime dependencies
 RUN yum -y install \
   bash \
-  coreutils \
   curl \
   diffutils \
   grep \
@@ -22,8 +21,10 @@ RUN yum -y install epel-release && \
     lua \
     procps-ng \
     redis \
-    sudo \
-    https://bin.equinox.io/a/6iuHhJeWypm/ngrok-2.3.34-linux-amd64.rpm
+    sudo
+RUN curl -fsSL -o /tmp/ngrok.tar.gz https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-linux-amd64.tgz && \
+  tar -xvf /tmp/ngrok.tar.gz -C /usr/local/bin/ && \
+  rm -f /tmp/ngrok.tar.gz
 
 ENV PATH /usr/local/openresty/luajit/bin:/usr/local/openresty/bin:/usr/local/openresty/nginx/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 ENV TEST_NGINX_RESOLVER 127.0.0.11 ipv6=off

Dockerfile-test-openresty1.13 → Dockerfile-test-openresty1.21

@@ -1,9 +1,8 @@
-FROM openresty/openresty:1.13.6.2-2-centos
+FROM openresty/openresty:1.21.4.1-0-centos
 
 # Runtime dependencies
 RUN yum -y install \
   bash \
-  coreutils \
   curl \
   diffutils \
   grep \
@@ -22,8 +21,10 @@ RUN yum -y install epel-release && \
     lua \
     procps-ng \
     redis \
-    sudo \
-    https://bin.equinox.io/a/6iuHhJeWypm/ngrok-2.3.34-linux-amd64.rpm
+    sudo
+RUN curl -fsSL -o /tmp/ngrok.tar.gz https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-linux-amd64.tgz && \
+  tar -xvf /tmp/ngrok.tar.gz -C /usr/local/bin/ && \
+  rm -f /tmp/ngrok.tar.gz
 
 RUN mkdir /app
 WORKDIR /app

Dockerfile-test-ubuntu

@@ -1,12 +1,11 @@
-FROM openresty/openresty:1.15.8.2-1-bionic
+FROM openresty/openresty:1.21.4.1-0-jammy
 
 ENV DEBIAN_FRONTEND noninteractive
 
 # Runtime dependencies
 RUN apt-get update && \
   apt-get -y install \
     bash \
-    coreutils \
     curl \
     diffutils \
     grep \
@@ -22,13 +21,17 @@ RUN apt-get update && \
   apt-get -y install \
     git \
     lsof \
-    lua5.2 \
+    lua5.4 \
     redis-server \
     sudo \
-    tzdata && \
-  curl -fsSL -o /tmp/ngrok.deb https://bin.equinox.io/a/b2wQezFbsHk/ngrok-2.3.34-linux-amd64.deb && \
-  dpkg -i /tmp/ngrok.deb || apt-get -fy install && \
-  rm -f /tmp/ngrok.deb
+    tzdata \
+    bsdmainutils
+RUN curl -s https://ngrok-agent.s3.amazonaws.com/ngrok.asc | \
+    sudo tee /etc/apt/trusted.gpg.d/ngrok.asc >/dev/null && \
+    echo "deb https://ngrok-agent.s3.amazonaws.com buster main" | \
+    sudo tee /etc/apt/sources.list.d/ngrok.list && \
+    sudo apt update && \
+    sudo apt install ngrok
 
 RUN mkdir /app
 WORKDIR /app

Makefile

@@ -1,7 +1,7 @@
 ROOT_DIR:=$(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
 BUILD_DIR?=$(ROOT_DIR)/build
 
-DEHYDRATED_VERSION:=05eda91a2fbaed1e13c733230238fc68475c535e
+DEHYDRATED_VERSION:=ea841998631561543357f032fa7c06598c34d517
 LUA_RESTY_SHELL_VERSION:=955243d70506c21e7cc29f61d745d1a8a718994f
 SOCKPROC_VERSION:=92aba736027bb5d96e190b71555857ac5bb6b2be
 
@@ -95,11 +95,11 @@ install-test-deps:
 	luarocks --tree=/tmp/resty-auto-ssl-test-luarocks install busted 2.0.0-1
 	luarocks --tree=/tmp/resty-auto-ssl-test-luarocks install etlua 1.3.0-1
 	luarocks --tree=/tmp/resty-auto-ssl-test-luarocks install inspect 3.1.1-0
-	luarocks --tree=/tmp/resty-auto-ssl-test-luarocks install lua-resty-http 0.15-0
+	luarocks --tree=/tmp/resty-auto-ssl-test-luarocks install lua-resty-http 0.17.1-0
 	luarocks --tree=/tmp/resty-auto-ssl-test-luarocks install luacheck 0.23.0-1
 	luarocks --tree=/tmp/resty-auto-ssl-test-luarocks install luaposix 34.1.1-1
 	luarocks --tree=/tmp/resty-auto-ssl-test-luarocks install penlight 1.5.4-1
-	luarocks install luarocks-fetch-gitrec && luarocks --tree=/tmp/resty-auto-ssl-test-luarocks install process 1.9.0-1
+	luarocks install luarocks-fetch-gitrec && luarocks --tree=/tmp/resty-auto-ssl-test-luarocks install process 1.9.1-1
 	luarocks --tree=/tmp/resty-auto-ssl-test-luarocks install shell-games 1.0.1-1
 
 lint:

docker-compose.yml

@@ -36,13 +36,13 @@ services:
       - ubuntu_build_cache:/app/build
     sysctls:
       net.core.somaxconn: 1024
-  openresty1.13:
+  openresty1.21:
     build:
       context: .
-      dockerfile: Dockerfile-test-openresty1.13
+      dockerfile: Dockerfile-test-openresty1.21
     volumes:
       - .:/app
-      - openresty1.13_build_cache:/app/build
+      - openresty1.21_build_cache:/app/build
     sysctls:
       net.core.somaxconn: 1024
   lua51:
@@ -59,5 +59,5 @@ volumes:
   centos_build_cache:
   alpine_build_cache:
   ubuntu_build_cache:
-  openresty1.13_build_cache:
+  openresty1.21_build_cache:
   lua51_build_cache:

lib/resty/auto-ssl/ssl_certificate.lua

@@ -207,9 +207,24 @@ local function get_ocsp_response(fullchain_der, auto_ssl_instance)
   return ocsp_resp
 end
 
-local function set_ocsp_stapling(domain, cert_der, auto_ssl_instance)
-  -- Fetch the OCSP stapling response from the cache, or make the request to
-  -- fetch it.
+local function get_ocsp_response_unlock(local_lock)
+  local _, local_unlock_err = local_lock:unlock()
+  if local_unlock_err then
+    ngx.log(ngx.ERR, "auto-ssl: failed to unlock: ", local_unlock_err)
+  end
+end
+
+local function get_ocsp_response_lock(domain, cert_der, auto_ssl_instance)
+  -- Before issuing a cert, create a local lock to ensure multiple workers
+  -- don't simultaneously try to get OCSP response for the same cert.
+  local local_lock, new_local_lock_err = lock:new("auto_ssl", { exptime = 30, timeout = 5 })
+  if new_local_lock_err then
+    return nil, "auto-ssl: failed to create lock: " .. (new_local_lock_err or "")
+  end
+  local _, local_lock_err = local_lock:lock("set_ocsp_stapling:" .. domain)
+  if local_lock_err then
+    return nil, "auto-ssl: failed to obtain lock: " .. (local_lock_err or "")
+  end
   local ocsp_resp = ngx.shared.auto_ssl:get("domain:ocsp:" .. domain)
   if not ocsp_resp then
     -- If the certificate was just issued on the current request, wait 1 second
@@ -222,7 +237,8 @@ local function set_ocsp_stapling(domain, cert_der, auto_ssl_instance)
     local ocsp_response_err
     ocsp_resp, ocsp_response_err = get_ocsp_response(cert_der["fullchain_der"], auto_ssl_instance)
     if ocsp_response_err then
-      return false, "failed to get ocsp response: " .. (ocsp_response_err or "")
+      get_ocsp_response_unlock(local_lock)
+      return nil, "failed to get ocsp response: " .. (ocsp_response_err or "")
     end
 
     -- Cache the OCSP stapling response for 1 hour (this is what nginx does by
@@ -235,6 +251,23 @@ local function set_ocsp_stapling(domain, cert_der, auto_ssl_instance)
     end
   end
 
+  get_ocsp_response_unlock(local_lock)
+
+  return ocsp_resp
+end
+
+local function set_ocsp_stapling(domain, cert_der, auto_ssl_instance)
+  -- Fetch the OCSP stapling response from the cache, or make the request to
+  -- fetch it.
+  local ocsp_resp = ngx.shared.auto_ssl:get("domain:ocsp:" .. domain)
+  if not ocsp_resp then
+    local ocsp_response_err
+    ocsp_resp, ocsp_response_err = get_ocsp_response_lock(domain, cert_der, auto_ssl_instance)
+    if not ocsp_resp then
+      return false, ocsp_response_err
+    end
+  end
+
   -- Set the OCSP stapling response.
   local ok, ocsp_status_err = ocsp.set_ocsp_status_resp(ocsp_resp)
   if not ok then

spec/certs/letsencrypt-stg-root-x1.pem

@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFmDCCA4CgAwIBAgIQU9C87nMpOIFKYpfvOHFHFDANBgkqhkiG9w0BAQsFADBm
+MQswCQYDVQQGEwJVUzEzMDEGA1UEChMqKFNUQUdJTkcpIEludGVybmV0IFNlY3Vy
+aXR5IFJlc2VhcmNoIEdyb3VwMSIwIAYDVQQDExkoU1RBR0lORykgUHJldGVuZCBQ
+ZWFyIFgxMB4XDTE1MDYwNDExMDQzOFoXDTM1MDYwNDExMDQzOFowZjELMAkGA1UE
+BhMCVVMxMzAxBgNVBAoTKihTVEFHSU5HKSBJbnRlcm5ldCBTZWN1cml0eSBSZXNl
+YXJjaCBHcm91cDEiMCAGA1UEAxMZKFNUQUdJTkcpIFByZXRlbmQgUGVhciBYMTCC
+AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALbagEdDTa1QgGBWSYkyMhsc
+ZXENOBaVRTMX1hceJENgsL0Ma49D3MilI4KS38mtkmdF6cPWnL++fgehT0FbRHZg
+jOEr8UAN4jH6omjrbTD++VZneTsMVaGamQmDdFl5g1gYaigkkmx8OiCO68a4QXg4
+wSyn6iDipKP8utsE+x1E28SA75HOYqpdrk4HGxuULvlr03wZGTIf/oRt2/c+dYmD
+oaJhge+GOrLAEQByO7+8+vzOwpNAPEx6LW+crEEZ7eBXih6VP19sTGy3yfqK5tPt
+TdXXCOQMKAp+gCj/VByhmIr+0iNDC540gtvV303WpcbwnkkLYC0Ft2cYUyHtkstO
+fRcRO+K2cZozoSwVPyB8/J9RpcRK3jgnX9lujfwA/pAbP0J2UPQFxmWFRQnFjaq6
+rkqbNEBgLy+kFL1NEsRbvFbKrRi5bYy2lNms2NJPZvdNQbT/2dBZKmJqxHkxCuOQ
+FjhJQNeO+Njm1Z1iATS/3rts2yZlqXKsxQUzN6vNbD8KnXRMEeOXUYvbV4lqfCf8
+mS14WEbSiMy87GB5S9ucSV1XUrlTG5UGcMSZOBcEUpisRPEmQWUOTWIoDQ5FOia/
+GI+Ki523r2ruEmbmG37EBSBXdxIdndqrjy+QVAmCebyDx9eVEGOIpn26bW5LKeru
+mJxa/CFBaKi4bRvmdJRLAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMB
+Af8EBTADAQH/MB0GA1UdDgQWBBS182Xy/rAKkh/7PH3zRKCsYyXDFDANBgkqhkiG
+9w0BAQsFAAOCAgEAncDZNytDbrrVe68UT6py1lfF2h6Tm2p8ro42i87WWyP2LK8Y
+nLHC0hvNfWeWmjZQYBQfGC5c7aQRezak+tHLdmrNKHkn5kn+9E9LCjCaEsyIIn2j
+qdHlAkepu/C3KnNtVx5tW07e5bvIjJScwkCDbP3akWQixPpRFAsnP+ULx7k0aO1x
+qAeaAhQ2rgo1F58hcflgqKTXnpPM02intVfiVVkX5GXpJjK5EoQtLceyGOrkxlM/
+sTPq4UrnypmsqSagWV3HcUlYtDinc+nukFk6eR4XkzXBbwKajl0YjztfrCIHOn5Q
+CJL6TERVDbM/aAPly8kJ1sWGLuvvWYzMYgLzDul//rUF10gEMWaXVZV51KpS9DY/
+5CunuvCXmEQJHo7kGcViT7sETn6Jz9KOhvYcXkJ7po6d93A/jy4GKPIPnsKKNEmR
+xUuXY4xRdh45tMJnLTUDdC9FIU0flTeO9/vNpVA8OPU1i14vCz+MU8KX1bV3GXm/
+fxlB7VBBjX9v5oUep0o/j68R/iDlCOM4VVfRa8gX6T2FU7fNdatvGro7uQzIvWof
+gN9WUwCbEMBy/YhBSrXycKA8crgGg3x1mIsopn88JKwmMBa68oS7EHM9w7C4y71M
+7DiA+/9Qdp9RBWJpTS9i/mDnJg1xvo8Xz49mrrgfmcAXTCJqXi24NatI3Oc=
+-----END CERTIFICATE-----

spec/config/busted-nginx.conf

@@ -1,3 +1,3 @@
-lua_ssl_trusted_certificate /app/spec/certs/letsencrypt_staging_chain.pem;
+lua_ssl_trusted_certificate /app/spec/certs/letsencrypt-stg-root-x1.pem;
 lua_ssl_verify_depth 5;
 lua_shared_dict test_counts 128k;

spec/proxy_spec.lua

@@ -44,7 +44,7 @@ describe("proxy", function()
     local error_log = server.read_error_log()
     assert.matches("auto-ssl: issuing new certificate for " .. server.ngrok_hostname, error_log, nil, true)
     assert.matches("http proxy auth: Basic ZGVtbzp0ZXN0", error_log, nil, true)
-    assert.matches("auto-ssl: failed to set ocsp stapling for " .. server.ngrok_hostname .. " - continuing anyway - failed to get ocsp response: OCSP responder returns bad response body (http://ocsp.stg-int-x1.letsencrypt.org): ,", error_log, nil, true)
+    assert.matches("auto-ssl: failed to set ocsp stapling for " .. server.ngrok_hostname .. " - continuing anyway - failed to get ocsp response: OCSP responder returns bad response body (http://stg-e1.o.lencr.org): ,", error_log, nil, true)
     assert.Not.matches("[warn]", error_log, nil, true)
     assert.matches("[error]", error_log, nil, true)
     assert.Not.matches("[alert]", error_log, nil, true)

spec/support/server.lua

@@ -49,12 +49,12 @@ end
 local function start_ngrok()
   if not _M.ngrok_hostname then
     assert(dir.makepath(_M.ngrok_test_dir))
-    local ngrok_process, exec_err = process.exec("ngrok", { "http", "9080", "--log", _M.ngrok_test_dir .. "/ngrok.log", "--log-format", "logfmt", "--log-level", "debug" })
+    local ngrok_process, exec_err = process.exec("ngrok", { "http", "9080", "--scheme", "http", "--log", _M.ngrok_test_dir .. "/ngrok.log", "--log-format", "logfmt", "--log-level", "debug" })
     assert(not exec_err, exec_err)
     _M.ngrok_process = ngrok_process
 
     local log = log_tail.new(_M.ngrok_test_dir .. "/ngrok.log")
-    local ok, output = log:read_until("start tunnel listen.*Hostname:[a-z0-9]+.ngrok.io")
+    local ok, output = log:read_until("started tunnel.*url=https?://[a-z0-9-]+.ngrok.io")
     if not ok then
       print(ngrok_process:stdout())
       print(ngrok_process:stderr())
@@ -68,7 +68,7 @@ local function start_ngrok()
       error("ngrok did not startup as expected")
     end
 
-    local matches, match_err = ngx.re.match(output, "Hostname:([a-z0-9]+.ngrok.io)", "jo")
+    local matches, match_err = ngx.re.match(output, "url=https?://([a-z0-9-]+.ngrok.io)", "jo")
     assert(not match_err, match_err)
     _M.ngrok_hostname = matches[1]
   end