Fix pebble and acmedns tests (#889)

* Use local copies of pebble certs as docker image contains outdated versions
* Update the preferred chain used in Staging
* Put test API keys in github secrets, add code to create/delete test domains to prevent misuse
* Simplify dns_add_acmedns

Author: timkimber

.github/workflows/run-tests-staging-acmedns.yml

@@ -14,8 +14,10 @@ on:
 
 
 env:
-  DYNU_API_KEY: ${{ secrets.DYNU_API_KEY == '' && '65cXefd35XbYf36546eg5dYcZT6X52Y2' || secrets.DYNU_API_KEY }}
-
+  DYNU_API_KEY: ${{ secrets.DYNU_API_KEY }}
+  ACMEDNS_API_KEY: ${{ secrets.ACMEDNS_API_KEY }}
+  ACMEDNS_API_USER: ${{ secrets.ACMEDNS_API_USER }}
+  ACMEDNS_SUBDOMAIN: ${{ secrets.ACMEDNS_SUBDOMAIN }}
 jobs:
   test-ubuntu-acmedns:
     runs-on: ubuntu-latest

.github/workflows/run-tests-staging-dynu.yml

@@ -2,7 +2,7 @@ name: Run tests against Staging server using Dynu
 on:
   workflow_dispatch
 env:
-  DYNU_API_KEY: ${{ secrets.DYNU_API_KEY == '' && '65cXefd35XbYf36546eg5dYcZT6X52Y2' || secrets.DYNU_API_KEY }}
+  DYNU_API_KEY: ${{ secrets.DYNU_API_KEY }}
 jobs:
   test-centos7-dynu:
     runs-on: ubuntu-latest

dns_scripts/dns_add_acmedns

@@ -1,10 +1,5 @@
 #!/usr/bin/env bash
 
-. "$(dirname "${BASH_SOURCE}")/../common.shrc" || {
-  echo "Unable to load shared Bash code"
-  exit 1
-} >&2
-
 # ACMEDNS env variables can be set in a config file at domain level
 acme_config="$DOMAIN_DIR/acme-dns.cfg"
 [ -s "$acme_config" ] && . "$acme_config"
@@ -37,29 +32,13 @@ if [[ -z "$token" ]]; then
   exit 1
 fi
 
-curl_params=(
-  -H "accept: application/json"
-  -H "X-Api-Key: $apikey"
-  -H "X-Api-User: $apiuser"
-  -H 'Content-Type: application/json'
-)
-
-generate_post_data()
-{
-  cat <<EOF
-{
-  "subdomain": "$apisubdomain",
-  "txt": "$token"
-}
-EOF
-}
-
-curl.do \
-  "${curl_params[@]}" \
-  -X POST "${API}" \
-  --data "$(generate_post_data)" \
-  >/dev/null || {
-  echo 'Error: DNS challenge not added: unknown error'
-  exit 1
-} >&2
-exit 0
+curl --fail --silent -X POST "${API}" \
+  -H "accept: application/json" \
+  -H "X-Api-Key: $apikey" \
+  -H "X-Api-User: $apiuser" \
+  -H 'Content-Type: application/json' \
+  -d '{
+    "subdomain": "'"${apisubdomain}"'",
+    "txt": "'"$token"'"
+  }'
+ 

docker-compose.yml

@@ -10,6 +10,8 @@ services:
     ports:
       - 14000:14000  # HTTPS ACME API
       - 15000:15000  # HTTPS Management API
+    volumes:
+      - ./pebble-certificates:/test/certs/localhost
     networks:
       acmenet:
         ipv4_address: 10.30.50.2

pebble-certificates/cert.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDMDCCAhigAwIBAgIILDt8c2fMw2IwDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE
+AxMVbWluaWNhIHJvb3QgY2EgNTM0NWU2MB4XDTI1MDkwMzIzNDAwNVoXDTI3MTAw
+MzIzNDAwNVowFDESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAmxTFtw113RK70H9pQmdKs9AxhFmnQ6BdDtp3jOZlWlUO
+0BltMXOUML5905etgtCbcC6RdKRtgSAiDfgx3VWiFMJH++4gUtnaB9SN8GhNSPBp
+FfSa2JhWPo9HQNUsAZqlGTV4SzcGRqtWvdZxUiOfQ2TcvyXIqsaD19ivvqI1NhT6
+bl3tredTZlzLLM6Wvkw6hfyHrJAPQP8LOlCIeDM4YIce6Gstv6qo9iCD4wJiY4u9
+5HVL7RK8t8JpZAb7VR+dPhbHEvVpjwuYd5Q05OZ280gFyrhbrKLbqst104GOQT4k
+QMJGWxGONyTX6np0Dx6O5jU7dvYvjVVawbJwGuaL6wIDAQABo3oweDAOBgNVHQ8B
+Af8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAfBgNV
+HSMEGDAWgBSu8RGpErgYUoYnQuwCq+/ggTiEjDAiBgNVHREEGzAZgglsb2NhbGhv
+c3SCBnBlYmJsZYcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEAAB0gkekXCNOwqWmY
+vQ2lLJ8Zk2WzQ9B+VOC27IgxEEuskZyCpyXAbJB9sCGQWZhAARyaI4SPRGGagcug
+d1SwDWdPGeSJzF3aDnXDYoP9Zw2KqiqVZTngeoiw8Yn0F8PNriANwRLybouX7mMc
+4V7T5+2k4SUs7pFH4KO0a0XBCcjXDjdKuBljftRTXCHzJzfRtmieCCuZlpnp5sHx
+hKa/uxKGyyZB+4Y3MrzsiQSCBOr9G4TH9RofmNcawl+tsVe08zLV/XVhrbakKEs7
+Y7MGHSj3BkPFF32NObc0znqWzTaUD9hU+rXWGANM4sXd4dagdnxfrb7i0WYhcUFj
+9Try8Q==
+-----END CERTIFICATE-----

pebble-certificates/key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAmxTFtw113RK70H9pQmdKs9AxhFmnQ6BdDtp3jOZlWlUO0Blt
+MXOUML5905etgtCbcC6RdKRtgSAiDfgx3VWiFMJH++4gUtnaB9SN8GhNSPBpFfSa
+2JhWPo9HQNUsAZqlGTV4SzcGRqtWvdZxUiOfQ2TcvyXIqsaD19ivvqI1NhT6bl3t
+redTZlzLLM6Wvkw6hfyHrJAPQP8LOlCIeDM4YIce6Gstv6qo9iCD4wJiY4u95HVL
+7RK8t8JpZAb7VR+dPhbHEvVpjwuYd5Q05OZ280gFyrhbrKLbqst104GOQT4kQMJG
+WxGONyTX6np0Dx6O5jU7dvYvjVVawbJwGuaL6wIDAQABAoIBAGW9W/S6lO+DIcoo
+PHL+9sg+tq2gb5ZzN3nOI45BfI6lrMEjXTqLG9ZasovFP2TJ3J/dPTnrwZdr8Et/
+357YViwORVFnKLeSCnMGpFPq6YEHj7mCrq+YSURjlRhYgbVPsi52oMOfhrOIJrEG
+ZXPAwPRi0Ftqu1omQEqz8qA7JHOkjB2p0i2Xc/uOSJccCmUDMlksRYz8zFe8wHuD
+XvUL2k23n2pBZ6wiez6Xjr0wUQ4ESI02x7PmYgA3aqF2Q6ECDwHhjVeQmAuypMF6
+IaTjIJkWdZCW96pPaK1t+5nTNZ+Mg7tpJ/PRE4BkJvqcfHEOOl6wAE8gSk5uVApY
+ZRKGmGkCgYEAzF9iRXYo7A/UphL11bR0gqxB6qnQl54iLhqS/E6CVNcmwJ2d9pF8
+5HTfSo1/lOXT3hGV8gizN2S5RmWBrc9HBZ+dNrVo7FYeeBiHu+opbX1X/C1HC0m1
+wJNsyoXeqD1OFc1WbDpHz5iv4IOXzYdOdKiYEcTv5JkqE7jomqBLQk8CgYEAwkG/
+rnwr4ThUo/DG5oH+l0LVnHkrJY+BUSI33g3eQ3eM0MSbfJXGT7snh5puJW0oXP7Z
+Gw88nK3Vnz2nTPesiwtO2OkUVgrIgWryIvKHaqrYnapZHuM+io30jbZOVaVTMR9c
+X/7/d5/evwXuP7p2DIdZKQKKFgROm1XnhNqVgaUCgYBD/ogHbCR5RVsOVciMbRlG
+UGEt3YmUp/vfMuAsKUKbT2mJM+dWHVlb+LZBa4pC06QFgfxNJi/aAhzSGvtmBEww
+xsXbaceauZwxgJfIIUPfNZCMSdQVIVTi2Smcx6UofBz6i/Jw14MEwlvhamaa7qVf
+kqflYYwelga1wRNCPopLaQKBgQCWsZqZKQqBNMm0Q9yIhN+TR+2d7QFjqeePoRPl
+1qxNejhq25ojE607vNv1ff9kWUGuoqSZMUC76r6FQba/JoNbefI4otd7x/GzM9uS
+8MHMJazU4okwROkHYwgLxxkNp6rZuJJYheB4VDTfyyH/ng5lubmY7rdgTQcNyZ5I
+majRYQKBgAMKJ3RlII0qvAfNFZr4Y2bNIq+60Z+Qu2W5xokIHCFNly3W1XDDKGFe
+CCPHSvQljinke3P9gPt2HVdXxcnku9VkTti+JygxuLkVg7E0/SWwrWfGsaMJs+84
+fK+mTZay2d3v24r9WKEKwLykngYPyZw5+BdWU0E+xx5lGUd3U4gG
+-----END RSA PRIVATE KEY-----

pebble.minica.pem

@@ -32,7 +32,8 @@ EOF
     check_output_for_errors
 
     if [ -n "$STAGING" ]; then
-        PREFERRED_CHAIN="(STAGING) Doctored Durian Root CA X3"
+        # https://letsencrypt.org/docs/staging-environment/
+        PREFERRED_CHAIN="(STAGING) Pretend Pear X1"
     else
         # pebble doesn't support CA Issuers so the fullchain.crt will just contain the certificate (code path means it won't contain the intermediate cert in this case)
         # This is testing that requesting FULL_CHAIN_INCLUDE_ROOT doesn't fail if there is no CA Issuers in the certificate
@@ -76,7 +77,7 @@ EOF
     assert [ -e "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.ec.crt" ]
 
     if [ -n "$STAGING" ]; then
-        PREFERRED_CHAIN="(STAGING) Doctored Durian Root CA X3"
+        PREFERRED_CHAIN="(STAGING) Pretend Pear X1"
     else
         # pebble doesn't support CA Issuers so the fullchain.crt will just contain the certificate (code path means it won't contain the intermediate cert in this case)
         # This is testing that requesting FULL_CHAIN_INCLUDE_ROOT doesn't fail if there is no CA Issuers in the certificate

test/36-full-chain-inc-root.bats

@@ -7,10 +7,6 @@ ENV DEBIAN_FRONTEND=noninteractive
 
 # Ensure tests in this image use the staging server
 ENV staging="true"
-# 2016ENV dynamic_dns "acme-dns"
-ENV ACMEDNS_API_USER=49ac5f6d-74cd-4aca-acfe-f9457af7894c
-ENV ACMEDNS_API_KEY=2NPGF8cH7PeTrHZWXImi1prhTsQGz2pdCC7Za5zE
-ENV ACMEDNS_SUBDOMAIN=7268181b-7075-4dce-be51-9c20c205cf6e
 
 # Update and install required software
 RUN apt-get update --fix-missing

test/Dockerfile-ubuntu-acmedns

@@ -24,6 +24,11 @@ For dynu.com:
 - Add DYNU_API_KEY to your repository's environment secrets.  The value is your account's API Key.
 - Add domains \<reponame>-centos7-getssl.freedns.org, wild-\<reponame>-centos7.freedns.org, \<reponame>-ubuntu-getssl.freedns.org, and wild-\<reponame>-ubuntu-getssl.freedns.org
 
+For ACME DNS (also needs Dynu)
+
+- Register to get a user, key and subdomain from acme-dns.io (see https://github.com/joohoi/acme-dns?tab=readme-ov-file)
+- Create a CNAME _acme-challenge.ubuntu-acmedns-getssl.freeddns.org. to ${ACMEDNS_SUBDOMAIN}.auth.acme-dns.io (this is done automatically in run-test.sh)
+
 To run dynamic DNS tests outside the CI environment, you need accounts without \<reponame> in the domain names.  Export the environment variable corresponding to the secrets (with the same values).
 
 For individual accounts, \<reponame> is your github account name.