Merge pull request #1553 from MichaelSp/letsencrypt-traefik-acme-json

Letsencrypt traefik v2 acme json

target/check-for-changes.sh

@@ -1,5 +1,7 @@
 #!/bin/bash
 
+. /usr/local/bin/helper_functions.sh
+
 # create date for log output
 log_date=$(date +"%Y-%m-%d %H:%M:%S ")
 echo "${log_date} Start check-for-changes script."
@@ -32,7 +34,7 @@ echo "${log_date} Using postmaster address ${PM_ADDRESS}"
 
 # Create an array of files to monitor, must be the same as in start-mailserver.sh
 declare -a cf_files=()
-for file in postfix-accounts.cf postfix-virtual.cf postfix-aliases.cf dovecot-quotas.cf; do
+for file in postfix-accounts.cf postfix-virtual.cf postfix-aliases.cf dovecot-quotas.cf /etc/letsencrypt/acme.json "/etc/letsencrypt/live/$HOSTNAME/key.pem" "/etc/letsencrypt/live/$HOSTNAME/fullchain.pem"; do
   [ -f "$file" ] && cf_files+=("$file")
 done
 
@@ -61,6 +63,14 @@ if [[ $chksum == *"FAIL"* ]]; then
         (
           flock -e 200
 
+  if [[ $chksum == *"/etc/letsencrypt/acme.json: FAILED"* ]]; then
+    for certdomain in $SSL_DOMAIN $HOSTNAME $DOMAINNAME; do
+      if extractCertsFromAcmeJson "$certdomain"; then
+        break
+      fi
+    done
+  fi
+
 	#regen postix aliases.
 	echo "root: ${PM_ADDRESS}" > /etc/aliases
 	if [ -f /tmp/docker-mailserver/postfix-aliases.cf ]; then

target/helper_functions.sh

@@ -2,36 +2,54 @@
 
 # expects mask prefix length and the digit
 function _mask_ip_digit() {
-	if [[ $1 -ge 8 ]]; then
-		MASK=255
-	else 
-		if [[ $1 -le 0 ]]; then
-			MASK=0
-		else
-			VALUES=('0' '128' '192' '224' '240' '248' '252' '254' '255')
-			MASK=${VALUES[$1]}
-		fi
-	fi
-	echo $(( $2 & $MASK ))
+  if [[ $1 -ge 8 ]]; then
+    MASK=255
+  else
+    if [[ $1 -le 0 ]]; then
+      MASK=0
+    else
+      VALUES=('0' '128' '192' '224' '240' '248' '252' '254' '255')
+      MASK=${VALUES[$1]}
+    fi
+  fi
+  echo $(($2 & $MASK))
 }
 
 # transforms a specific ip with CIDR suffix like 1.2.3.4/16
 # to subnet with cidr suffix like 1.2.0.0/16
 function _sanitize_ipv4_to_subnet_cidr() {
-	IP=${1%%/*}
-	PREFIX_LENGTH=${1#*/}
+  IP=${1%%/*}
+  PREFIX_LENGTH=${1#*/}
 
-	# split IP by . into digits
-	DIGITS=(${IP//./ })
+  # split IP by . into digits
+  DIGITS=(${IP//./ })
 
-	# mask digits according to prefix length
-	MASKED_DIGITS=()
-	DIGIT_PREFIX_LENGTH="$PREFIX_LENGTH"
-	for DIGIT in "${DIGITS[@]}" ; do
-		MASKED_DIGITS+=( $(_mask_ip_digit $DIGIT_PREFIX_LENGTH $DIGIT) )
-		DIGIT_PREFIX_LENGTH=$(( $DIGIT_PREFIX_LENGTH - 8 ))
-	done
+  # mask digits according to prefix length
+  MASKED_DIGITS=()
+  DIGIT_PREFIX_LENGTH="$PREFIX_LENGTH"
+  for DIGIT in "${DIGITS[@]}"; do
+    MASKED_DIGITS+=($(_mask_ip_digit $DIGIT_PREFIX_LENGTH $DIGIT))
+    DIGIT_PREFIX_LENGTH=$(($DIGIT_PREFIX_LENGTH - 8))
+  done
 
-	# output masked ip plus prefix length
-	echo ${MASKED_DIGITS[0]}.${MASKED_DIGITS[1]}.${MASKED_DIGITS[2]}.${MASKED_DIGITS[3]}/$PREFIX_LENGTH
-}
+  # output masked ip plus prefix length
+  echo ${MASKED_DIGITS[0]}.${MASKED_DIGITS[1]}.${MASKED_DIGITS[2]}.${MASKED_DIGITS[3]}/$PREFIX_LENGTH
+}
+
+# extracts certificates from acme.json and returns 0 if found
+function extractCertsFromAcmeJson() {
+  WHAT=$1
+  # sorry for the code-golf :(
+  KEY=$(cat /etc/letsencrypt/acme.json | python -c "import sys,json,itertools;  print map(lambda c: c[\"key\"]         if (c[\"domain\"][\"main\"]==\"$WHAT\" or \"$WHAT\" in c[\"domain\"][\"sans\"]) else \"\", list(itertools.chain.from_iterable(map(lambda x: x[\"Certificates\"], json.load(sys.stdin).values()))))[0]")
+  CERT=$(cat /etc/letsencrypt/acme.json | python -c "import sys,json,itertools; print map(lambda c: c[\"certificate\"] if (c[\"domain\"][\"main\"]==\"$WHAT\" or \"$WHAT\" in c[\"domain\"][\"sans\"]) else \"\", list(itertools.chain.from_iterable(map(lambda x: x[\"Certificates\"], json.load(sys.stdin).values()))))[0]")
+
+  if [[ -n "${KEY}${CERT}" ]]; then
+    mkdir -p /etc/letsencrypt/live/"$HOSTNAME"/
+    echo $KEY | base64 -d >/etc/letsencrypt/live/"$HOSTNAME"/key.pem || exit 1
+    echo $CERT | base64 -d >/etc/letsencrypt/live/"$HOSTNAME"/fullchain.pem || exit 1
+    echo "Cert found in /etc/letsencrypt/acme.json for $WHAT"
+    return 0
+  else
+    return 1
+  fi
+}

target/start-mailserver.sh

@@ -505,7 +505,7 @@ function _setup_chksum_file() {
           pushd /tmp/docker-mailserver
 
           declare -a cf_files=()
-          for file in postfix-accounts.cf postfix-virtual.cf postfix-aliases.cf dovecot-quotas.cf; do
+          for file in postfix-accounts.cf postfix-virtual.cf postfix-aliases.cf dovecot-quotas.cf /etc/letsencrypt/acme.json "/etc/letsencrypt/live/$HOSTNAME/key.pem" "/etc/letsencrypt/live/$HOSTNAME/fullchain.pem"; do
             [ -f "$file" ] && cf_files+=("$file")
           done
 
@@ -1048,6 +1048,8 @@ function _setup_ssl() {
       local LETSENCRYPT_DOMAIN=""
       local LETSENCRYPT_KEY=""
 
+      [[ -f /etc/letsencrypt/acme.json ]] && (extractCertsFromAcmeJson "$HOSTNAME" || extractCertsFromAcmeJson "$DOMAINNAME")
+
       # first determine the letsencrypt domain by checking both the full hostname or just the domainname if a SAN is used in the cert
       if [ -e "/etc/letsencrypt/live/$HOSTNAME/fullchain.pem" ]; then
         LETSENCRYPT_DOMAIN=$HOSTNAME

test/config/dovecot-lmtp/conf.d/10-auth.conf

@@ -30,7 +30,7 @@
 
 # Default realm/domain to use if none was specified. This is used for both
 # SASL realms and appending @domain to username in plaintext logins.
-#auth_default_realm = 
+#auth_default_realm =
 
 # List of allowed characters in username. If the user-given username contains
 # a character not listed in here, the login automatically fails. This is just
@@ -73,7 +73,7 @@
 # Kerberos keytab to use for the GSSAPI mechanism. Will use the system
 # default (usually /etc/krb5.keytab) if not specified. You may need to change
 # the auth service to run as root to be able to read this file.
-#auth_krb5_keytab = 
+#auth_krb5_keytab =
 
 # Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
 # ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
@@ -88,9 +88,9 @@
 # Require a valid SSL client certificate or the authentication fails.
 #auth_ssl_require_client_cert = no
 
-# Take the username from client's SSL certificate, using 
+# Take the username from client's SSL certificate, using
 # X509_NAME_get_text_by_NID() which returns the subject's DN's
-# CommonName. 
+# CommonName.
 #auth_ssl_username_from_cert = no
 
 # Space separated list of wanted authentication mechanisms:

test/config/dovecot-lmtp/conf.d/15-lda.conf

@@ -8,7 +8,7 @@ postmaster_address = postmaster@domain.com
 
 # Hostname to use in various parts of sent mails (e.g. in Message-Id) and
 # in LMTP replies. Default is the system's real hostname@domain.
-#hostname = 
+#hostname =
 
 # If user is over quota, return with temporary failure instead of
 # bouncing the mail.
@@ -32,7 +32,7 @@ postmaster_address = postmaster@domain.com
 #recipient_delimiter = +
 
 # Header where the original recipient address (SMTP's RCPT TO: address) is taken
-# from if not available elsewhere. With dovecot-lda -a parameter overrides this. 
+# from if not available elsewhere. With dovecot-lda -a parameter overrides this.
 # A commonly used header for this is X-Original-To.
 #lda_original_recipient_header =
 

test/config/letsencrypt/changed/cert.pem

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5DCCAcygAwIBAgIJAN/+3LMQvnv1MA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNV
+BAMMB3Rlc3QtY2EwHhcNMjAwNjI5MjA1NTIxWhcNMjAwODI4MjA1NTIxWjAWMRQw
+EgYDVQQDDAtleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAL5UNg7ybrXoCInmxQ+f38++sLEcgG6P0X+faH11Bw47Vt+mf1vltIh7ojO8
+DeXqFxsGL3S/YqyuXX0TGIOh/csjnvv1GEL1Ux0YCsyFkvflb8NuSKW52T0dnUqF
+ZFwldykCwHnQxmwYZxnZjVF2YOr/KmGZvO5dxSTs/qDuU0cp3FD4z2CBELLmzixv
+fO2Lgk1Yn/H9mNLNSKQaiSeCxId5CzNIlmUIfnL0tuc3n2fNigjuPKOV2H/7NVTT
+TriuP384bx9WTLfX29cn+Ho4hKBaq2t1Wmz+jsWi1gya1KrLAM4zzQHI+u6r3+jS
+3PsRVs1csyO2NCXqVo/bxqe38+sCAwEAAaM5MDcwCQYDVR0TBAIwADALBgNVHQ8E
+BAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMA0GCSqGSIb3DQEB
+CwUAA4IBAQAkmHHTaZ8hiStoA/XYjGXkHT5DBjjOhRm3mmdCF+xhbUcj/frwBYn0
+apAGfNSGq+PJTgVdsZUAC+sOfxRme3FjU5gAekeIDjOQMd1VbdmcIWtnJ+Ttz94F
+Qm5V7Df8kVkcqE6UvvXyX3YEFj2/fwb4hxyyl/fAWl5acWTLNA2mOKm/fMhKez+h
+3VGhKQ5ZGS0Qt+Lea3o7LWs5dH5LhSvs3Fe9PSddxa0Nbtr4sfgfOIQJgo2mCvch
+u5zFq7nvDqdsmdZwYMIcinpPWJgEoQLJWU/gWL2Ya+5kJ137smPcYX7jDSyBHlkQ
+oAYOB65YnoWxVuQtKqHW6f8nqD1nwEBn
+-----END CERTIFICATE-----

test/config/letsencrypt/changed/fullchain.pem

@@ -0,0 +1,36 @@
+-----BEGIN CERTIFICATE-----
+MIIC5DCCAcygAwIBAgIJAN/+3LMQvnv1MA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNV
+BAMMB3Rlc3QtY2EwHhcNMjAwNjI5MjA1NTIxWhcNMjAwODI4MjA1NTIxWjAWMRQw
+EgYDVQQDDAtleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAL5UNg7ybrXoCInmxQ+f38++sLEcgG6P0X+faH11Bw47Vt+mf1vltIh7ojO8
+DeXqFxsGL3S/YqyuXX0TGIOh/csjnvv1GEL1Ux0YCsyFkvflb8NuSKW52T0dnUqF
+ZFwldykCwHnQxmwYZxnZjVF2YOr/KmGZvO5dxSTs/qDuU0cp3FD4z2CBELLmzixv
+fO2Lgk1Yn/H9mNLNSKQaiSeCxId5CzNIlmUIfnL0tuc3n2fNigjuPKOV2H/7NVTT
+TriuP384bx9WTLfX29cn+Ho4hKBaq2t1Wmz+jsWi1gya1KrLAM4zzQHI+u6r3+jS
+3PsRVs1csyO2NCXqVo/bxqe38+sCAwEAAaM5MDcwCQYDVR0TBAIwADALBgNVHQ8E
+BAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMA0GCSqGSIb3DQEB
+CwUAA4IBAQAkmHHTaZ8hiStoA/XYjGXkHT5DBjjOhRm3mmdCF+xhbUcj/frwBYn0
+apAGfNSGq+PJTgVdsZUAC+sOfxRme3FjU5gAekeIDjOQMd1VbdmcIWtnJ+Ttz94F
+Qm5V7Df8kVkcqE6UvvXyX3YEFj2/fwb4hxyyl/fAWl5acWTLNA2mOKm/fMhKez+h
+3VGhKQ5ZGS0Qt+Lea3o7LWs5dH5LhSvs3Fe9PSddxa0Nbtr4sfgfOIQJgo2mCvch
+u5zFq7nvDqdsmdZwYMIcinpPWJgEoQLJWU/gWL2Ya+5kJ137smPcYX7jDSyBHlkQ
+oAYOB65YnoWxVuQtKqHW6f8nqD1nwEBn
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIC9zCCAd+gAwIBAgIJAP/41asK+I3BMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNV
+BAMMB3Rlc3QtY2EwHhcNMjAwNjI5MjA1NTIxWhcNMjAwODI4MjA1NTIxWjASMRAw
+DgYDVQQDDAd0ZXN0LWNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+kzlOF3Q8wt6G8M8Cg+/UADlkbOUnBlbCwlRnqSrvrX7BRc37R1Y+KzsMmGgkPkvE
+czZuWbOQU8ghnQJwSHT/AK1g5jMc7mZLSkE+uVMor4+4Vgt4kKvfktzcCJOfo/qL
+XV2ePRgVlHj+peilqHMM8P03VPx6kq7oZE1pBlh4QyLz7DYcP6AD3Bq/HSM5hmvP
+iHbCHy6yf+QsuBqaWCec1ygc9GPnyDXQoDRAwlcA0aVSSosc6HeVQoDBPTzZUriM
+riqPK3YT4LGEH6nTx3RUtjuG8ZdGzpguw9/y0tcct777WLFIeuBQkmZiMG3Xeivu
+TbfHCbqJCO53fsbK0CrzEQIDAQABo1AwTjAdBgNVHQ4EFgQUxo6NXRi39QxJnZZD
+vbxco+m2U7YwHwYDVR0jBBgwFoAUxo6NXRi39QxJnZZDvbxco+m2U7YwDAYDVR0T
+BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAOBKMG2aaZ+f2Gazdtq7+IlRM3YFv
+inF5uaZ3bqC+pKDb1wZJLzWgHVgNSGXetHPKa9QpyQqEe/bYMK7avJo//Fmhg0+3
+SwI2g9BoIPBd4jIBY41h/zryTY4PLx/NqapWR4/3nDPJ3SSMHZ4JgP8GTXlzmF6j
+4UgwRrLFQd0ZZYNDRo8bZeUEqX70k0EqY9QxBjJgUzVyWYjP+/SeXABJyPv7lzRN
+nvKj3F91eNfqf8Y+WddvB8jn3LXok4SiFzxESfJ3nVOgwp8SPhhTShbXQaj48Fx8
+o6TGM9utPtN9qINwvqyrK4lUwKj6YLyTkV10oVgtJYhyyHVVl7Jhc8UIMw==
+-----END CERTIFICATE-----

test/config/letsencrypt/changed/key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAvlQ2DvJutegIiebFD5/fz76wsRyAbo/Rf59ofXUHDjtW36Z/
+W+W0iHuiM7wN5eoXGwYvdL9irK5dfRMYg6H9yyOe+/UYQvVTHRgKzIWS9+Vvw25I
+pbnZPR2dSoVkXCV3KQLAedDGbBhnGdmNUXZg6v8qYZm87l3FJOz+oO5TRyncUPjP
+YIEQsubOLG987YuCTVif8f2Y0s1IpBqJJ4LEh3kLM0iWZQh+cvS25zefZ82KCO48
+o5XYf/s1VNNOuK4/fzhvH1ZMt9fb1yf4ejiEoFqra3VabP6OxaLWDJrUqssAzjPN
+Acj67qvf6NLc+xFWzVyzI7Y0JepWj9vGp7fz6wIDAQABAoIBAQCufh4hjfoaI+TQ
+KRY5wOU8XSM4/VxyAMCdNNRjUMtrLNP0r3zMD8h36IFI1PwY8YjFaeJQMraQgjuL
+09oBtJ4tgzba4FWh7bCJV+VupHeddmgE0DMiXUThVylBjRH5uQ+KNc+o3tNLfwPn
+GyEIsnMgf1enq38fOjDoLa80c8s9zXhHtZx9JQzDUbQr+DNTS0RLP52MI/pXGC+g
+T225sVV39uqQFccHECacLDbYe5EhzRi2PNA98fHtO/lAP9jjvQiMccr0KjjzEHlS
+loFs1/y/vCAo/kThqhKL/0T3qdiG+YNsne+Thy2xx5W37YMGIte9f+5ymTmb+lgb
+fU6/i2thAoGBAPO6Urt50h3vJ2m/+MFCkokca195k9sYO1RMkTYHPZ5n4+nTu32o
+RDKu/KwOgly9cp00Qn8XIcDi7Mut8MK7RGv1WyZVlbX1+L31FT+c/N96rHBa5SHI
+nhdTLBLPTmb6OOPSWXEHl00vsltAlutIrufjzowEtgptOhYO8a608ihvAoGBAMfp
+kiu/0bl7cQgYfgfIfyc2iMOZSDlyTEE8qfhVkSV4X7l3rqy7yCP4G51pZCWVp9zY
+8S3mbiC3xXV6iO5PxehKVfvqrIqz2zZX8SF1a1L3zDFCpE6GfPpyRMn+Ma//8oxZ
+dptezZTB1RmP7zRwHTbkIxcSsnbET9cnd75rONJFAoGBAM0Bm1dQN5mwMNG1hPJi
+IcmsmvA63lA6yKS2pqnwWzcjocRrsVgXsg2DvMqohaSmQYLTk189QMny1kTYcRwK
+0pmQTnQnJv9f/zMgtBfG37jGgccb3YGWMsvhzL+hmgvqSvHuXAdD4FMvXHF/GbKc
+d2pb5r9Fsy2ABIzLUySl1M6HAoGABALgxvXzXFhovTPYm4lfW8cRWXNi6pwrgYeZ
+FX2KCwluSkdnftnJu0cILtFljAeDtb+4nyYngYqOcLwDsVxyaSXMseBUk/fl5yI+
+mWBExgZo13gx2c2DBndyf+cU0iY9lKla4uU1FM4K25dywkeZnndXaOgcIpvvyi5l
+jbGTE00CgYAT+UNomp8Jmm5aqC0MdsNt9mwOKLVtCk1Yz/X85PmSiSZxxmuq8U5u
+a8oaJ/NmmMpYsRG9py5mIgDWH1bryOZP7aPtOIVZpYH77qMrJ4vFbz2JaA1b1irJ
+22Hdj1XD7Lv2uqt7QUlaNQcukJFIHOxYRNYChlJnIEf2e70jdlCxLg==
+-----END RSA PRIVATE KEY-----

test/mail_dhparams_manual_not_one_dir.bats

@@ -22,7 +22,7 @@ function teardown() {
 
 function setup_file() {
     # copy the custom DHE params in local config
-    cp `pwd`/test/test-files/ssl/custom-dhe-params.pem `pwd`/test/config/dhparams.pem
+    cp "`pwd`/test/test-files/ssl/custom-dhe-params.pem" "`pwd`/test/config/dhparams.pem"
 
     docker run -d --name mail_manual_dhparams_not_one_dir \
 		-v "`pwd`/test/config":/tmp/docker-mailserver \
@@ -35,7 +35,7 @@ function setup_file() {
 
 function teardown_file() {
     # remove custom dhe file
-    rm `pwd`/test/config/dhparams.pem
+    rm "`pwd`/test/config/dhparams.pem"
     docker rm -f mail_manual_dhparams_not_one_dir
 }
 

test/mail_ssl_letsencrypt.bats

@@ -26,11 +26,25 @@ function setup_file() {
   -e SSL_TYPE=letsencrypt \
   -h mail.my-domain.com -t ${NAME}
   wait_for_finished_setup_in_container mail_lets_hostname
+
+  cp "`pwd`/test/config/letsencrypt/acme.json" "`pwd`/test/config/acme.json"
+  docker run -d --name mail_lets_acme_json \
+    -v "`pwd`/test/config":/tmp/docker-mailserver \
+    -v "`pwd`/test/config/acme.json":/etc/letsencrypt/acme.json:ro \
+    -v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \
+    -e DMS_DEBUG=0 \
+    -e SSL_TYPE=letsencrypt \
+    -e "SSL_DOMAIN=*.example.com" \
+    -h mail.my-domain.com -t ${NAME}
+
+  wait_for_finished_setup_in_container mail_lets_acme_json
 }
 
 function teardown_file() {
   docker rm -f mail_lets_domain
   docker rm -f mail_lets_hostname
+  docker rm -f mail_lets_acme_json
+  rm "`pwd`/test/config/acme.json"
 }
 
 # this test must come first to reliably identify when to run setup_file
@@ -78,6 +92,44 @@ function teardown_file() {
   assert_success
 }
 
+#
+# acme.json updates
+#
+
+@test "checking changedetector: server is ready" {
+  run docker exec mail_lets_acme_json /bin/bash -c "ps aux | grep '/bin/bash /usr/local/bin/check-for-changes.sh'"
+  assert_success
+}
+
+@test "can extract certs from acme.json" {
+  run docker exec mail_lets_acme_json /bin/bash -c "cat /etc/letsencrypt/live/mail.my-domain.com/key.pem"
+  assert_output "$(cat "`pwd`/test/config/letsencrypt/mail.my-domain.com/privkey.pem")"
+  assert_success
+
+  run docker exec mail_lets_acme_json /bin/bash -c "cat /etc/letsencrypt/live/mail.my-domain.com/fullchain.pem"
+  assert_output "$(cat "`pwd`/test/config/letsencrypt/mail.my-domain.com/fullchain.pem")"
+  assert_success
+}
+
+@test "can detect changes" {
+  cp "`pwd`/test/config/letsencrypt/acme-changed.json" "`pwd`/test/config/acme.json"
+  sleep 11
+  run docker exec mail_lets_acme_json /bin/bash -c "supervisorctl tail changedetector"
+  assert_output --partial "Cert found in /etc/letsencrypt/acme.json for *.example.com"
+  assert_output --partial "postfix: stopped"
+  assert_output --partial "postfix: started"
+  assert_output --partial "Update checksum"
+
+  run docker exec mail_lets_acme_json /bin/bash -c "cat /etc/letsencrypt/live/mail.my-domain.com/key.pem"
+  assert_output "$(cat "`pwd`/test/config/letsencrypt/changed/key.pem")"
+  assert_success
+
+  run docker exec mail_lets_acme_json /bin/bash -c "cat /etc/letsencrypt/live/mail.my-domain.com/fullchain.pem"
+  assert_output "$(cat "`pwd`/test/config/letsencrypt/changed/fullchain.pem")"
+  assert_success
+}
+
+
  # this test is only there to reliably mark the end for the teardown_file
 @test "last" {
   skip 'Finished testing of letsencrypt SSL'