CI/CD: Test against Pebble

.github/workflows/test.yml

@@ -126,13 +126,14 @@ jobs:
       # PREPARE RUNNER ENV
       - name: Add Test Domains in /etc/hosts
         run: |
-          test_domains=$(echo $TEST_DOMAINS | tr "," "\n")
-          for domain in $test_domains
+          IFS=',' read -r -a test_domains <<< "$TEST_DOMAINS"
+          test_domains+=(pebble pebble-challtestsrv)
+          for domain in "${test_domains[@]}"
           do
               echo "127.0.0.1 $domain" | sudo tee -a /etc/hosts
           done
-      - name: Setup Boulder
-        run: test/setup/setup-boulder.sh
+      - name: Setup Pebble
+        run: test/setup/setup-pebble.sh
       - name: Download nginx-proxy Patched Image
         uses: actions/download-artifact@v2
         with:

test/github_actions/containers-logs.sh

@@ -10,7 +10,7 @@ fi
 
 containers+=("$NGINX_CONTAINER_NAME")
 [[ $SETUP = "3containers" ]] && containers+=("$DOCKER_GEN_CONTAINER_NAME")
-containers+=("boulder")
+containers+=(pebble challtestserv)
 
 for container in "${containers[@]}"; do
   bold_echo "Docker container output for $container"

test/setup/pebble-config.json

@@ -0,0 +1,12 @@
+{
+    "pebble": {
+      "listenAddress": "0.0.0.0:14000",
+      "managementListenAddress": "0.0.0.0:15000",
+      "certificate": "test/certs/localhost/cert.pem",
+      "privateKey": "test/certs/localhost/key.pem",
+      "httpPort": 80,
+      "tlsPort": 443,
+      "ocspResponderURL": "",
+      "externalAccountBindingRequired": false
+    }
+}

test/setup/setup-nginx-proxy.sh

@@ -13,7 +13,7 @@ case $SETUP in
       -v /usr/share/nginx/html \
       -v /var/run/docker.sock:/tmp/docker.sock:ro \
       --label com.github.jrcs.letsencrypt_nginx_proxy_companion.test_suite \
-      --network boulder_bluenet \
+      --network acme_net \
       jwilder/nginx-proxy
     ;;
 
@@ -27,7 +27,7 @@ case $SETUP in
       -v /etc/nginx/vhost.d \
       -v /usr/share/nginx/html \
       --label com.github.jrcs.letsencrypt_nginx_proxy_companion.test_suite \
-      --network boulder_bluenet \
+      --network acme_net \
       nginx:alpine
 
     docker run -d \
@@ -36,7 +36,7 @@ case $SETUP in
       -v "${GITHUB_WORKSPACE}/nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl:ro" \
       -v /var/run/docker.sock:/tmp/docker.sock:ro \
       --label com.github.jrcs.letsencrypt_nginx_proxy_companion.test_suite \
-      --network boulder_bluenet \
+      --network acme_net \
       jwilder/docker-gen \
       -notify-sighup "$NGINX_CONTAINER_NAME" -watch /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf
     ;;

test/setup/setup-pebble.sh

@@ -0,0 +1,50 @@
+#!/bin/bash
+
+set -e
+
+setup_pebble() {
+    docker network create --driver=bridge --subnet=10.30.50.0/24 acme_net
+    curl https://raw.githubusercontent.com/letsencrypt/pebble/master/test/certs/pebble.minica.pem > "${GITHUB_WORKSPACE}/pebble.minica.pem"
+    cat "${GITHUB_WORKSPACE}/pebble.minica.pem"
+
+    docker run -d \
+        --name pebble \
+        --volume "${GITHUB_WORKSPACE}/test/setup/pebble-config.json:/test/config/pebble-config.json" \
+        --env PEBBLE_WFE_NONCEREJECT=0 \
+        --network acme_net \
+        --ip="10.30.50.2" \
+        --publish 14000:14000 \
+        letsencrypt/pebble:v2.1.0 \
+        pebble -config /test/config/pebble-config.json -dnsserver 10.30.50.3:8053
+
+    docker run -d \
+        --name challtestserv \
+        --network acme_net \
+        --ip="10.30.50.3" \
+        --publish 8055:8055 \
+        letsencrypt/pebble-challtestsrv:v2.1.0 \
+        pebble-challtestsrv -tlsalpn01 ""
+}
+
+wait_for_pebble() {
+    for endpoint in 'https://pebble:14000/dir' 'http://pebble-challtestsrv:8055'; do
+        while ! curl -k "$endpoint" >/dev/null 2>&1; do
+            if [ $((i * 5)) -gt $((5 * 60)) ]; then
+                echo "$endpoint was not available under 5 minutes, timing out."
+                exit 1
+            fi
+            i=$((i + 1))
+            sleep 5
+        done
+    done
+}
+
+setup_pebble_challtestserv() {
+    curl -X POST -d '{"ip":"10.30.50.1"}' http://pebble-challtestsrv:8055/set-default-ipv4
+    curl -X POST -d '{"ip":""}' http://pebble-challtestsrv:8055/set-default-ipv6
+    curl -X POST -d '{"host":"lim.it", "addresses":["10.0.0.0"]}' http://pebble-challtestsrv:8055/add-a
+}
+
+setup_pebble
+wait_for_pebble
+setup_pebble_challtestserv

test/tests/acme_accounts/run.sh

@@ -32,14 +32,15 @@ run_nginx_container "${domains[0]}"
 wait_for_symlink "${domains[0]}" "$le_container_name"
 
 # Test if the expected folder / file / content are there.
-json_file="/etc/acme.sh/default/ca/boulder/account.json"
+json_file="/etc/acme.sh/default/ca/pebble/account.json"
 if docker exec "$le_container_name" [[ ! -d "/etc/acme.sh/default" ]]; then
   echo "The /etc/acme.sh/default folder does not exist."
 elif docker exec "$le_container_name" [[ ! -f "$json_file" ]]; then
   echo "The $json_file file does not exist."
-elif [[ "$(docker exec "$le_container_name" jq .contact "$json_file")" != '[]' ]]; then
+elif [[ "$(docker exec "$le_container_name" jq .contact "$json_file")" != 'null' ]]; then
   echo "There is an address set on ${json_file}."
   docker exec "$le_container_name" jq . "$json_file"
+  docker exec "$le_container_name" jq .contact "$json_file"
 fi
 
 # Stop the nginx and companion containers silently.
@@ -58,7 +59,7 @@ run_nginx_container "${domains[1]}"
 wait_for_symlink "${domains[1]}" "$le_container_name"
 
 # Test if the expected folder / file / content are there.
-json_file="/etc/acme.sh/${default_email}/ca/boulder/account.json"
+json_file="/etc/acme.sh/${default_email}/ca/pebble/account.json"
 if docker exec "$le_container_name" [[ ! -d "/etc/acme.sh/$default_email" ]]; then
   echo "The /etc/acme.sh/$default_email folder does not exist."
 elif docker exec "$le_container_name" [[ ! -f "$json_file" ]]; then
@@ -75,7 +76,7 @@ if ! docker run --rm -d \
   -e "VIRTUAL_HOST=${domains[2]}" \
   -e "LETSENCRYPT_HOST=${domains[2]}" \
   -e "LETSENCRYPT_EMAIL=${container_email}" \
-  --network boulder_bluenet \
+  --network acme_net \
   nginx:alpine > /dev/null ; \
 then
   echo "Failed to start test web server for ${domains[2]}"
@@ -87,7 +88,7 @@ fi
 wait_for_symlink "${domains[2]}" "$le_container_name"
 
 # Test if the expected folder / file / content are there.
-json_file="/etc/acme.sh/${container_email}/ca/boulder/account.json"
+json_file="/etc/acme.sh/${container_email}/ca/pebble/account.json"
 if docker exec "$le_container_name" [[ ! -d "/etc/acme.sh/$container_email" ]]; then
   echo "The /etc/acme.sh/$container_email folder does not exist."
 elif docker exec "$le_container_name" [[ ! -f "$json_file" ]]; then

test/tests/certs_single_domain/run.sh

@@ -47,7 +47,7 @@ for hosts in "${letsencrypt_hosts[@]}"; do
     -e "VIRTUAL_HOST=${TEST_DOMAINS}" \
     -e "LETSENCRYPT_HOST=${hosts}" \
     -e "LETSENCRYPT_SINGLE_DOMAIN_CERTS=true" \
-    --network boulder_bluenet \
+    --network acme_net \
     nginx:alpine > /dev/null;
   then
     echo "Could not start test web server for $hosts"

test/tests/certs_standalone/run.sh

@@ -34,7 +34,7 @@ EOF
 if ! docker run --rm -d \
     --name "$subdomain" \
     -e "VIRTUAL_HOST=$subdomain" \
-    --network boulder_bluenet \
+    --network acme_net \
     nginx:alpine > /dev/null;
 then
   echo "Could not start test web server for $subdomain"

test/tests/container_restart/run.sh

@@ -42,7 +42,7 @@ for domain in "${domains[@]}"; do
     -e "VIRTUAL_HOST=${domain}" \
     -e "LETSENCRYPT_HOST=${domain}" \
     -e "LETSENCRYPT_RESTART_CONTAINER=true" \
-    --network boulder_bluenet \
+    --network acme_net \
     nginx:alpine > /dev/null; \
   then
     [[ "${DRY_RUN:-}" == 1 ]] && echo "Started test web server for $domain"

test/tests/ocsp_must_staple/run.sh

@@ -31,7 +31,7 @@ if docker run --rm -d \
   -e "VIRTUAL_HOST=${domains[0]}" \
   -e "LETSENCRYPT_HOST=${domains[0]}" \
   -e "ACME_OCSP=true" \
-  --network boulder_bluenet \
+  --network acme_net \
   nginx:alpine > /dev/null; \
 then
   [[ "${DRY_RUN:-}" == 1 ]] && echo "Started test web server for ${domains[0]} (ACME_OCSP=true)"

test/tests/private_keys/run.sh

@@ -42,7 +42,7 @@ for key in "${!key_types[@]}"; do
     -e "VIRTUAL_HOST=${domains[0]}" \
     -e "LETSENCRYPT_HOST=${domains[0]}" \
     -e "LETSENCRYPT_KEYSIZE=${key}" \
-    --network boulder_bluenet \
+    --network acme_net \
     nginx:alpine > /dev/null;
   then
     echo "Could not start test web server for ${key}"

test/tests/test-functions.sh

@@ -27,14 +27,16 @@ function run_le_container {
     --name "$name" \
     --volumes-from "$NGINX_CONTAINER_NAME" \
     --volume /var/run/docker.sock:/var/run/docker.sock:ro \
+    --volume "${GITHUB_WORKSPACE}/pebble.minica.pem:/pebble.minica.pem" \
     "${cli_args_arr[@]}" \
     --env "DOCKER_GEN_WAIT=500ms:2s" \
     --env "TEST_MODE=true" \
     --env "DHPARAM_BITS=256" \
     --env "DEBUG=1" \
-    --env "ACME_CA_URI=http://boulder:4001/directory" \
+    --env "ACME_CA_URI=https://pebble:14000/dir" \
+    --env "CA_BUNDLE=/pebble.minica.pem" \
     --label com.github.jrcs.letsencrypt_nginx_proxy_companion.test_suite \
-    --network boulder_bluenet \
+    --network acme_net \
     "$image" > /dev/null; \
   then
     [[ "${DRY_RUN:-}" == 1 ]] && echo "Started letsencrypt container for test ${name%%_2*}"
@@ -56,7 +58,7 @@ function run_nginx_container {
     --name "$container_name" \
     -e "VIRTUAL_HOST=$virtual_host" \
     -e "LETSENCRYPT_HOST=$le_host" \
-    --network boulder_bluenet \
+    --network acme_net \
     nginx:alpine > /dev/null ; \
   then
     [[ "${DRY_RUN:-}" == 1 ]] && echo "Started $container_name nginx container."