From: Florian Obser Subject: Re: acme-client(1): improve regress test To: tech , Alexander Bluhm Date: Sun, 15 Jun 2025 11:31:14 +0200 On 2025-06-12 19:09 +02, Florian Obser wrote: > With the pebble test server we no longer depend on Internet connectivity > and using localhost means the regress test is undependent of DNS. > > Input, OK? > ping Bluhm, would this work in your automated(?) regress setup?
diff --git Makefile Makefile
index c56d1be7726..41764e91f7e 100644
--- Makefile
+++ Makefile
@@ -14,26 +14,24 @@
 # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
-# acme-client retrieves a certificate from letsencrypt.org. For
-# that a domain must be registered and the local machine must be
-# reachable via this DNS name.
-
-DOMAIN ?=
+# The following ports must be installed:
+#
+# pebble small test server for RFC 8555 (ACME)
 
-.if empty (DOMAIN)
+.if ! exists(/usr/local/bin/pebble)
 regress:
- @echo This tests needs a domain reachable from letsencrypt.org.
- @echo Set it with the DOMAIN variable.
+ @echo Install pebble package to run this regress.
 @echo SKIPPED
 .endif
 
 clean: _SUBDIRUSE
- rm -f a.out [Ee]rrs mklog *.core y.tab.h ktrace.out
+ rm -f a.out [Ee]rrs mklog *.core y.tab.h ktrace.out pebble-config.json
+ rm -f pebble.out
 rm -rf etc www
 
 etc/acme-client.conf: acme-client.conf
 mkdir -p etc
- sed 's,$${.OBJDIR},${.OBJDIR},;s,$${DOMAIN},${DOMAIN},'\
+ sed 's,$${.OBJDIR},${.OBJDIR},'\
 ${.CURDIR}/acme-client.conf >etc/acme-client.conf
 
 etc/httpd.conf: httpd.conf
@@ -50,19 +48,33 @@ httpd-start: etc/httpd.conf
 httpd-stop:
 -${SUDO} pkill -xf "/usr/sbin/httpd -f ${.OBJDIR}/etc/httpd.conf"
 
+pebble-config.json:
+ sed 's,$${.CURDIR},${.CURDIR},'\
+ ${.CURDIR}/pebble-config.json > pebble-config.json
+
+pebble-start: pebble-config.json
+ /usr/local/bin/pebble -config ${.OBJDIR}/pebble-config.json > \
+ ${.OBJDIR}/pebble.out &
+ while ! $$(fgrep -q 'Root CA certificate available' \
+ ${.OBJDIR}/pebble.out); do sleep .1; done
+
+pebble-stop:
+ pkill -xf "/usr/local/bin/pebble -config ${.OBJDIR}/pebble-config.json"
+
 REGRESS_TARGETS += run-regress-acme
-run-regress-acme: etc/acme-client.conf httpd-start
+run-regress-acme: etc/acme-client.conf httpd-start pebble-start
 ${SUDO} /usr/sbin/acme-client \
 -f ${.OBJDIR}/etc/acme-client.conf \
- -v ${DOMAIN}
+ -v localhost
 ${SUDO} /usr/sbin/acme-client \
 -f ${.OBJDIR}/etc/acme-client.conf \
- -r -v ${DOMAIN}
+ -r -v localhost
 
 REGRESS_TARGETS += run-regress-cleanup
 run-regress-cleanup:
 ${.MAKE} -C ${.CURDIR} httpd-stop
+ ${.MAKE} -C ${.CURDIR} pebble-stop
 
-.PHONY: ${REGRESS_TARGETS} httpd-start httpd-stop
+.PHONY: ${REGRESS_TARGETS} httpd-start httpd-stop pebble-start pebble-stop
 
 .include
diff --git acme-client.conf acme-client.conf
index 049d2b3b5dd..a82f0ae2c99 100644
--- acme-client.conf
+++ acme-client.conf
@@ -1,10 +1,11 @@
-authority myauth {
+authority pebble {
 account key "${.OBJDIR}/etc/acme/privkey.pem"
- api url "https://acme-staging-v02.api.letsencrypt.org/directory"
+ api url https://127.0.0.1:14000/dir
+ insecure
 }
-domain ${DOMAIN} {
+domain localhost {
 domain key "${.OBJDIR}/etc/ssl/acme/private/privkey.pem"
 domain certificate "${.OBJDIR}/etc/ssl/acme/cert.pem"
- sign with "myauth"
+ sign with "pebble"
 challengedir "${.OBJDIR}/www/acme"
 }
diff --git localhost_cert.pem localhost_cert.pem
new file mode 100644
index 00000000000..2866a2b484d
--- /dev/null
+++ localhost_cert.pem
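Review bot: The readiness wait in pebble-start never gives up: if pebble exits early or cannot bind its ports (for instance because a pebble left behind by an aborted earlier run still holds them — pebble-stop is only reached from run-regress-cleanup), `while ! $$(fgrep -q ...)` loops forever and an unattended regress run hangs instead of failing. The `$$(...)` wrapper also appears to work only by accident: fgrep -q prints nothing, so the shell negates the status of an empty expansion; `while ! fgrep -q '...' file; do` is the intended form. Bounding the loop and dumping pebble.out on timeout turns the hang into a diagnosable failure, as below. Separately, the `pebble-config.json:` target has no prerequisite, so edits to the source config are not picked up until a clean; `pebble-config.json: ${.CURDIR}/pebble-config.json` fixes that.
```makefile
pebble-start: pebble-config.json
	# … unchanged: start pebble in the background, output to ${.OBJDIR}/pebble.out …
	n=0; while ! fgrep -q 'Root CA certificate available' \
	    ${.OBJDIR}/pebble.out; do \
		n=$$((n + 1)); \
		if [ $$n -ge 100 ]; then \
			cat ${.OBJDIR}/pebble.out; exit 1; \
		fi; \
		sleep .1; \
	done
```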
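Review bot: The new `insecure` line in the pebble authority block deserves a comment, because it skips TLS verification of the api url and a reader copying this file as a template would otherwise not know why that is acceptable here. It is only tolerable because the api url is a loopback address served by pebble with the self-signed test certificate committed alongside this change, which is not in the system trust store. Suggest `# pebble serves a self-signed test certificate; insecure is only acceptable for the loopback api url above` directly before the `insecure` line.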
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDGzCCAgOgAwIBAgIIbEfayDFsBtwwDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE
+AxMVbWluaWNhIHJvb3QgY2EgMjRlMmRiMCAXDTE3MTIwNjE5NDIxMFoYDzIxMDcx
+MjA2MTk0MjEwWjAUMRIwEAYDVQQDEwlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQCbFMW3DXXdErvQf2lCZ0qz0DGEWadDoF0O2neM5mVa
+VQ7QGW0xc5Qwvn3Tl62C0JtwLpF0pG2BICIN+DHdVaIUwkf77iBS2doH1I3waE1I
+8GkV9JrYmFY+j0dA1SwBmqUZNXhLNwZGq1a91nFSI59DZNy/JciqxoPX2K++ojU2
+FPpuXe2t51NmXMsszpa+TDqF/IeskA9A/ws6UIh4Mzhghx7oay2/qqj2IIPjAmJj
+i73kdUvtEry3wmlkBvtVH50+FscS9WmPC5h3lDTk5nbzSAXKuFusotuqy3XTgY5B
+PiRAwkZbEY43JNfqenQPHo7mNTt29i+NVVrBsnAa5ovrAgMBAAGjYzBhMA4GA1Ud
+DwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0T
+AQH/BAIwADAiBgNVHREEGzAZgglsb2NhbGhvc3SCBnBlYmJsZYcEfwAAATANBgkq
+hkiG9w0BAQsFAAOCAQEAYIkXff8H28KS0KyLHtbbSOGU4sujHHVwiVXSATACsNAE
+D0Qa8hdtTQ6AUqA6/n8/u1tk0O4rPE/cTpsM3IJFX9S3rZMRsguBP7BSr1Lq/XAB
+7JP/CNHt+Z9aKCKcg11wIX9/B9F7pyKM3TdKgOpqXGV6TMuLjg5PlYWI/07lVGFW
+/mSJDRs8bSCFmbRtEqc4lpwlrpz+kTTnX6G7JDLfLWYw/xXVqwFfdengcDTHCc8K
+wtgGq/Gu6vcoBxIO3jaca+OIkMfxxXmGrcNdseuUCa3RMZ8Qy03DqGu6Y6XQyK4B
+W8zIG6H9SVKkAznM2yfYhW8v2ktcaZ95/OBHY97ZIw==
+-----END CERTIFICATE-----
diff --git localhost_key.pem localhost_key.pem
new file mode 100644
index 00000000000..66be6daa9de
--- /dev/null
+++ localhost_key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAmxTFtw113RK70H9pQmdKs9AxhFmnQ6BdDtp3jOZlWlUO0Blt
+MXOUML5905etgtCbcC6RdKRtgSAiDfgx3VWiFMJH++4gUtnaB9SN8GhNSPBpFfSa
+2JhWPo9HQNUsAZqlGTV4SzcGRqtWvdZxUiOfQ2TcvyXIqsaD19ivvqI1NhT6bl3t
+redTZlzLLM6Wvkw6hfyHrJAPQP8LOlCIeDM4YIce6Gstv6qo9iCD4wJiY4u95HVL
+7RK8t8JpZAb7VR+dPhbHEvVpjwuYd5Q05OZ280gFyrhbrKLbqst104GOQT4kQMJG
+WxGONyTX6np0Dx6O5jU7dvYvjVVawbJwGuaL6wIDAQABAoIBAGW9W/S6lO+DIcoo
+PHL+9sg+tq2gb5ZzN3nOI45BfI6lrMEjXTqLG9ZasovFP2TJ3J/dPTnrwZdr8Et/
+357YViwORVFnKLeSCnMGpFPq6YEHj7mCrq+YSURjlRhYgbVPsi52oMOfhrOIJrEG
+ZXPAwPRi0Ftqu1omQEqz8qA7JHOkjB2p0i2Xc/uOSJccCmUDMlksRYz8zFe8wHuD
+XvUL2k23n2pBZ6wiez6Xjr0wUQ4ESI02x7PmYgA3aqF2Q6ECDwHhjVeQmAuypMF6
+IaTjIJkWdZCW96pPaK1t+5nTNZ+Mg7tpJ/PRE4BkJvqcfHEOOl6wAE8gSk5uVApY
+ZRKGmGkCgYEAzF9iRXYo7A/UphL11bR0gqxB6qnQl54iLhqS/E6CVNcmwJ2d9pF8
+5HTfSo1/lOXT3hGV8gizN2S5RmWBrc9HBZ+dNrVo7FYeeBiHu+opbX1X/C1HC0m1
+wJNsyoXeqD1OFc1WbDpHz5iv4IOXzYdOdKiYEcTv5JkqE7jomqBLQk8CgYEAwkG/
+rnwr4ThUo/DG5oH+l0LVnHkrJY+BUSI33g3eQ3eM0MSbfJXGT7snh5puJW0oXP7Z
+Gw88nK3Vnz2nTPesiwtO2OkUVgrIgWryIvKHaqrYnapZHuM+io30jbZOVaVTMR9c
+X/7/d5/evwXuP7p2DIdZKQKKFgROm1XnhNqVgaUCgYBD/ogHbCR5RVsOVciMbRlG
+UGEt3YmUp/vfMuAsKUKbT2mJM+dWHVlb+LZBa4pC06QFgfxNJi/aAhzSGvtmBEww
+xsXbaceauZwxgJfIIUPfNZCMSdQVIVTi2Smcx6UofBz6i/Jw14MEwlvhamaa7qVf
+kqflYYwelga1wRNCPopLaQKBgQCWsZqZKQqBNMm0Q9yIhN+TR+2d7QFjqeePoRPl
+1qxNejhq25ojE607vNv1ff9kWUGuoqSZMUC76r6FQba/JoNbefI4otd7x/GzM9uS
+8MHMJazU4okwROkHYwgLxxkNp6rZuJJYheB4VDTfyyH/ng5lubmY7rdgTQcNyZ5I
+majRYQKBgAMKJ3RlII0qvAfNFZr4Y2bNIq+60Z+Qu2W5xokIHCFNly3W1XDDKGFe
+CCPHSvQljinke3P9gPt2HVdXxcnku9VkTti+JygxuLkVg7E0/SWwrWfGsaMJs+84
+fK+mTZay2d3v24r9WKEKwLykngYPyZw5+BdWU0E+xx5lGUd3U4gG
+-----END RSA PRIVATE KEY-----
diff --git pebble-config.json pebble-config.json
new file mode 100644
index 00000000000..03257a09ddd
--- /dev/null
+++ pebble-config.json
@@ -0,0 +1,27 @@
+{
+ "pebble": {
+ "listenAddress": "0.0.0.0:14000",
+ "managementListenAddress": "0.0.0.0:15000",
+ "certificate": "${.CURDIR}/localhost_cert.pem",
+ "privateKey": "${.CURDIR}/localhost_key.pem",
+ "httpPort": 80,
+ "tlsPort": 5001,
+ "ocspResponderURL": "",
+ "externalAccountBindingRequired": false,
+ "domainBlocklist": ["blocked-domain.example"],
+ "retryAfter": {
+ "authz": 3,
+ "order": 5
+ },
+ "profiles": {
+ "default": {
+ "description": "The profile you know and love",
+ "validityPeriod": 7776000
+ },
+ "shortlived": {
+ "description": "A short-lived cert profile, without actual enforcement",
+ "validityPeriod": 518400
+ }
+ }
+ }
+}
-- In my defence, I have been left unsupervised.
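Review bot: `listenAddress` and `managementListenAddress` bind 0.0.0.0, while the only client in this change (acme-client.conf) talks to 127.0.0.1:14000, so for the duration of the regress run the throwaway ACME CA and its unauthenticated management endpoint are reachable from every interface of the test host, served under a certificate whose private key (localhost_key.pem) is now checked into the tree. Nothing here needs that: `"listenAddress": "127.0.0.1:14000",` and `"managementListenAddress": "127.0.0.1:15000",` keep the test CA confined to loopback and also avoid clashing with anything else that may already bind those ports on a shared regress machine. The certificate and key appear to be pebble's published minica test pair; since JSON has no comments, it would help to say so in the Makefile comment block that documents the pebble dependency.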