
From:
Florian Obser <florian@openbsd.org>
Subject:
acme-client(1): improve regress test
To:
tech <tech@openbsd.org>
Date:
Thu, 12 Jun 2025 19:09:54 +0200


With the pebble test server we no longer depend on Internet connectivity,
and using localhost means the regress test is independent of DNS.

I'm mostly carg-culting this, so if things should be done differently,
please tell me. I particularly do not like the sleep 1 for pebble, this
seems fragile. sleep .1 as used for httpd is not enough...

Input, OK?

diff --git Makefile Makefile
index c56d1be7726..faee7350428 100644
--- Makefile
+++ Makefile
@@ -14,26 +14,23 @@
 # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
-# acme-client retrieves a certificate from letsencrypt.org.  For
-# that a domain must be registered and the local machine must be
-# reachable via this DNS name.
-
-DOMAIN ?=
+# The following ports must be installed:
+#
+# pebble	small test server for RFC 8555 (ACME)
 
-.if empty (DOMAIN)
+.if ! exists(/usr/local/bin/pebble)
 regress:
-	@echo This tests needs a domain reachable from letsencrypt.org.
-	@echo Set it with the DOMAIN variable.
+	@echo Install pebble package to run this regress.
 	@echo SKIPPED
 .endif
 
 clean: _SUBDIRUSE
-	rm -f a.out [Ee]rrs mklog *.core y.tab.h ktrace.out
+	rm -f a.out [Ee]rrs mklog *.core y.tab.h ktrace.out pebble-config.json
 	rm -rf etc www
 
 etc/acme-client.conf: acme-client.conf
 	mkdir -p etc
-	sed 's,$${.OBJDIR},${.OBJDIR},;s,$${DOMAIN},${DOMAIN},'\
+	sed 's,$${.OBJDIR},${.OBJDIR},'\
 		${.CURDIR}/acme-client.conf >etc/acme-client.conf
 
 etc/httpd.conf: httpd.conf
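Review bot: Adding `pebble-config.json` to the clean line is unsafe when `.OBJDIR` equals `.CURDIR` (a checkout without an obj directory): the generated file then has the same path as the checked-in template, so `make clean` deletes the source, and because the `pebble-config.json:` rule in the next hunk has no prerequisite the existing template counts as up to date and is handed to pebble with `${.CURDIR}` still unsubstituted. The sibling configs in this file avoid both problems by generating into `etc/`, which `rm -rf etc` already removes, and by naming the template as a prerequisite (`etc/acme-client.conf: acme-client.conf`). I would do the same for pebble, leave the clean line as it was, and point the three `${.OBJDIR}/pebble-config.json` references in pebble-start and pebble-stop at `etc/`; the same change applies to the second Makefile hunk.
```make
clean: _SUBDIRUSE
	rm -f a.out [Ee]rrs mklog *.core y.tab.h ktrace.out
	rm -rf etc www

# … unchanged: etc/acme-client.conf, etc/httpd.conf, httpd-start, httpd-stop …

etc/pebble-config.json: pebble-config.json
	mkdir -p etc
	sed 's,$${.CURDIR},${.CURDIR},'\
		${.CURDIR}/pebble-config.json >etc/pebble-config.json

pebble-start: etc/pebble-config.json
	${SUDO} /usr/local/bin/pebble -config ${.OBJDIR}/etc/pebble-config.json &
	sleep 1 # give pebble some time to spin up
	pgrep -xf "/usr/local/bin/pebble -config ${.OBJDIR}/etc/pebble-config.json"

pebble-stop:
	-${SUDO} pkill -xf "/usr/local/bin/pebble -config ${.OBJDIR}/etc/pebble-config.json"
```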
@@ -50,19 +47,32 @@ httpd-start: etc/httpd.conf
 httpd-stop:
 	-${SUDO} pkill -xf "/usr/sbin/httpd -f ${.OBJDIR}/etc/httpd.conf"
 
+pebble-config.json:
+	sed 's,$${.CURDIR},${.CURDIR},'\
+		${.CURDIR}/pebble-config.json > pebble-config.json
+
+pebble-start: pebble-config.json
+	${SUDO} /usr/local/bin/pebble -config ${.OBJDIR}/pebble-config.json &
+	sleep 1 # give pebble some time to spin up
+	pgrep -xf "/usr/local/bin/pebble -config ${.OBJDIR}/pebble-config.json"
+
+pebble-stop:
+	-${SUDO} pkill -xf "/usr/local/bin/pebble -config ${.OBJDIR}/pebble-config.json"
+
 REGRESS_TARGETS +=	run-regress-acme
-run-regress-acme: etc/acme-client.conf httpd-start
+run-regress-acme: etc/acme-client.conf httpd-start pebble-start
 	${SUDO} /usr/sbin/acme-client \
 	    -f ${.OBJDIR}/etc/acme-client.conf \
-	    -v ${DOMAIN}
+	    -v localhost
 	${SUDO} /usr/sbin/acme-client \
 	    -f ${.OBJDIR}/etc/acme-client.conf \
-	    -r -v ${DOMAIN}
+	    -r -v localhost
 
 REGRESS_TARGETS +=	run-regress-cleanup
 run-regress-cleanup:
 	${.MAKE} -C ${.CURDIR} httpd-stop
+	${.MAKE} -C ${.CURDIR} pebble-stop
 
-.PHONY: ${REGRESS_TARGETS} httpd-start httpd-stop
+.PHONY: ${REGRESS_TARGETS} httpd-start httpd-stop pebble-start pebble-stop
 
 .include <bsd.regress.mk>
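Review bot: The `sleep 1` in pebble-start is a timing guess, and the following `pgrep` only proves the process exists, not that it is accepting connections, so a slow machine fails later in run-regress-acme with a confusing connection error. Polling the port that acme-client.conf connects to is both faster and deterministic: replace the sleep line with `for i in $$(jot 50); do nc -z 127.0.0.1 14000 2>/dev/null && break; sleep .1; done` followed by a final `nc -z 127.0.0.1 14000` so the target itself fails when pebble never comes up within five seconds. nc -z only shows the socket is bound; pebble appears to serve the directory as soon as it listens, but that is worth confirming against the installed version. Separately, `/usr/local/bin/pebble` is now spelled out four times (the exists() check in the first hunk, pebble-start twice, pebble-stop); a `PEBBLE ?= /usr/local/bin/pebble` near the top would keep them in step.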
diff --git acme-client.conf acme-client.conf
index 049d2b3b5dd..a82f0ae2c99 100644
--- acme-client.conf
+++ acme-client.conf
@@ -1,10 +1,11 @@
-authority myauth {
+authority pebble {
 	account key "${.OBJDIR}/etc/acme/privkey.pem"
-	api url "https://acme-staging-v02.api.letsencrypt.org/directory"
+	api url https://127.0.0.1:14000/dir
+	insecure
 }
-domain ${DOMAIN} {
+domain localhost {
 	domain key "${.OBJDIR}/etc/ssl/acme/private/privkey.pem"
 	domain certificate "${.OBJDIR}/etc/ssl/acme/cert.pem"
-	sign with "myauth"
+	sign with "pebble"
 	challengedir "${.OBJDIR}/www/acme"
 }
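Review bot: The new `insecure` keyword in the authority block disables verification of the ACME server's TLS certificate, and nothing in the file says why that is acceptable here; a regress config is exactly the kind of snippet that gets copied into a real one. A one-line comment above it, `# pebble serves a self-signed localhost test certificate; never use this outside the regress`, documents the intent. Also, the new `api url https://127.0.0.1:14000/dir` drops the quotes the removed line and the neighbouring key paths use; quoting it keeps the file's style consistent.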
diff --git localhost_cert.pem localhost_cert.pem
new file mode 100644
index 00000000000..2866a2b484d
--- /dev/null
+++ localhost_cert.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDGzCCAgOgAwIBAgIIbEfayDFsBtwwDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE
+AxMVbWluaWNhIHJvb3QgY2EgMjRlMmRiMCAXDTE3MTIwNjE5NDIxMFoYDzIxMDcx
+MjA2MTk0MjEwWjAUMRIwEAYDVQQDEwlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQCbFMW3DXXdErvQf2lCZ0qz0DGEWadDoF0O2neM5mVa
+VQ7QGW0xc5Qwvn3Tl62C0JtwLpF0pG2BICIN+DHdVaIUwkf77iBS2doH1I3waE1I
+8GkV9JrYmFY+j0dA1SwBmqUZNXhLNwZGq1a91nFSI59DZNy/JciqxoPX2K++ojU2
+FPpuXe2t51NmXMsszpa+TDqF/IeskA9A/ws6UIh4Mzhghx7oay2/qqj2IIPjAmJj
+i73kdUvtEry3wmlkBvtVH50+FscS9WmPC5h3lDTk5nbzSAXKuFusotuqy3XTgY5B
+PiRAwkZbEY43JNfqenQPHo7mNTt29i+NVVrBsnAa5ovrAgMBAAGjYzBhMA4GA1Ud
+DwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0T
+AQH/BAIwADAiBgNVHREEGzAZgglsb2NhbGhvc3SCBnBlYmJsZYcEfwAAATANBgkq
+hkiG9w0BAQsFAAOCAQEAYIkXff8H28KS0KyLHtbbSOGU4sujHHVwiVXSATACsNAE
+D0Qa8hdtTQ6AUqA6/n8/u1tk0O4rPE/cTpsM3IJFX9S3rZMRsguBP7BSr1Lq/XAB
+7JP/CNHt+Z9aKCKcg11wIX9/B9F7pyKM3TdKgOpqXGV6TMuLjg5PlYWI/07lVGFW
+/mSJDRs8bSCFmbRtEqc4lpwlrpz+kTTnX6G7JDLfLWYw/xXVqwFfdengcDTHCc8K
+wtgGq/Gu6vcoBxIO3jaca+OIkMfxxXmGrcNdseuUCa3RMZ8Qy03DqGu6Y6XQyK4B
+W8zIG6H9SVKkAznM2yfYhW8v2ktcaZ95/OBHY97ZIw==
+-----END CERTIFICATE-----
diff --git localhost_key.pem localhost_key.pem
new file mode 100644
index 00000000000..66be6daa9de
--- /dev/null
+++ localhost_key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git pebble-config.json pebble-config.json
new file mode 100644
index 00000000000..03257a09ddd
--- /dev/null
+++ pebble-config.json
@@ -0,0 +1,27 @@
+{
+  "pebble": {
+    "listenAddress": "0.0.0.0:14000",
+    "managementListenAddress": "0.0.0.0:15000",
+    "certificate": "${.CURDIR}/localhost_cert.pem",
+    "privateKey": "${.CURDIR}/localhost_key.pem",
+    "httpPort": 80,
+    "tlsPort": 5001,
+    "ocspResponderURL": "",
+    "externalAccountBindingRequired": false,
+    "domainBlocklist": ["blocked-domain.example"],
+    "retryAfter": {
+        "authz": 3,
+        "order": 5
+    },
+    "profiles": {
+      "default": {
+        "description": "The profile you know and love",
+        "validityPeriod": 7776000
+      },
+      "shortlived": {
+        "description": "A short-lived cert profile, without actual enforcement",
+        "validityPeriod": 518400
+      }
+    }
+  }
+}
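Review bot: `listenAddress` and `managementListenAddress` bind pebble to `0.0.0.0`, which exposes both the ACME endpoint and the unauthenticated management API on every interface of the host for as long as the regress runs, while pebble itself is started under `${SUDO}`. acme-client.conf only ever connects to `127.0.0.1:14000`, so `"listenAddress": "127.0.0.1:14000"` and `"managementListenAddress": "127.0.0.1:15000"` are sufficient and confine the test to loopback. The remaining values appear to be pebble's stock example settings; a short note in the Makefile's "ports must be installed" header saying where this file and the localhost key pair came from would help the next person who has to refresh them.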

-- 
In my defence, I have been left unsupervised.