Test using pebble and docker

6 years ago · 5df6026c1b
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -0,0 +1,33 @@
 version: '3'
 services:
  pebble:
    image: letsencrypt/pebble:latest
    # TODO enable -strict
    command: pebble -config /test/config/pebble-config.json
    environment:
      # with Go 1.13.x which defaults TLS 1.3 to on
      GODEBUG: "tls13=1"
    ports:
      - 14000:14000  # HTTPS ACME API
      - 15000:15000  # HTTPS Management API
    networks:
      acmenet:
        ipv4_address: 10.30.50.2
  getssl:
    build:
      context: .
      dockerfile: test/Dockerfile
    container_name: getssl
    volumes:
      - .:/getssl
    networks:
      acmenet:
        ipv4_address: 10.30.50.4

 networks:
  acmenet:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 10.30.50.0/24
--- a/test/Dockerfile
+++ b/test/Dockerfile
@ -0,0 +1,30 @@
 FROM ubuntu:bionic
 # bionic = latest 18 version

 # Update and install required software
 RUN apt-get update
 # TODO work out why default version of awk fails
 RUN apt-get install -y git curl dnsutils wget linux-libc-dev make gcc binutils nginx-light gawk
 RUN apt-get install -y vim dos2unix # for debugging
 # TODO test with drill, dig, host

 WORKDIR /root
 RUN mkdir /etc/nginx/pki
 RUN mkdir /etc/nginx/pki/private
 COPY ./test/test-config/nginx-ubuntu-sites-enabled-default /etc/nginx/sites-enabled/default

 # BATS (Bash Automated Testings)
 # RUN git clone https://github.com/bats-core/bats-core.git
 # RUN bats-core/install.sh /usr/local

 COPY test/test-config/getssl-ubuntu.cfg getssl.cfg

 EXPOSE 80 443

 # Run eternal loop - for testing
 CMD ["/bin/bash", "-c", "while :; do sleep 10; done"]

 # with Pebble
 # docker-compose -f "test\docker-compose.yml" up -d --build
 # docker exec -it test_getssl /bin/bash
 # /getssl/test/run-test.sh
--- a/test/run-test.sh
+++ b/test/run-test.sh
@ -0,0 +1,9 @@
 #! /bin/sh

 wget --no-clobber https://raw.githubusercontent.com/letsencrypt/pebble/master/test/certs/pebble.minica.pem
 export CURL_CA_BUNDLE=/root/pebble.minica.pem

 service nginx start
 /getssl/getssl -c getssl
 cp getssl.cfg /root/.getssl/getssl
 /getssl/getssl getssl
--- a/test/test-config/getssl-ubuntu.cfg
+++ b/test/test-config/getssl-ubuntu.cfg
@ -0,0 +1,49 @@
 # Uncomment and modify any variables you need
 # see https://github.com/srvrco/getssl/wiki/Config-variables for details
 # see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
 #
 # The staging server is best for testing
 #CA="https://acme-staging.api.letsencrypt.org"
 # This server issues full certificates, however has rate limits
 #CA="https://acme-v01.api.letsencrypt.org"
 CA="https://pebble:14000/dir"
 SERVER_TYPE="5002"
 #PRIVATE_KEY_ALG="rsa"

 # Additional domains - this could be multiple domains / subdomains in a comma separated list
 # Note: this is Additional domains - so should not include the primary domain.
 SANS=""

 # Acme Challenge Location. The first line for the domain, the following ones for each additional domain.
 # If these start with ssh: then the next variable is assumed to be the hostname and the rest the location.
 # An ssh key will be needed to provide you with access to the remote server.
 # Optionally, you can specify a different userid for ssh/scp to use on the remote server before the @ sign.
 # If left blank, the username on the local server will be used to authenticate against the remote server.
 # If these start with ftp: then the next variables are ftpuserid:ftppassword:servername:ACL_location
 # These should be of the form "/path/to/your/website/folder/.well-known/acme-challenge"
 # where "/path/to/your/website/folder/" is the path, on your web server, to the web root for your domain.
 ACL=('/var/www/html/.well-known/acme-challenge')
 #     'ssh:server5:/var/www/getssltest.hopto.org/web/.well-known/acme-challenge'
 #     'ssh:sshuserid@server5:/var/www/getssltest.hopto.org/web/.well-known/acme-challenge'
 #     'ftp:ftpuserid:ftppassword:getssltest.hopto.org:/web/.well-known/acme-challenge')

 #Set USE_SINGLE_ACL="true" to use a single ACL for all checks
 USE_SINGLE_ACL="false"

 # Location for all your certs, these can either be on the server (full path name)
 # or using ssh /sftp as for the ACL
 DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
 DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
 CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
 DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
 DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert

 # The command needed to reload apache / nginx or whatever you use
 RELOAD_CMD="service nginx restart"

 # Define the server type. This can be https, ftp, ftpi, imap, imaps, pop3, pop3s, smtp,
 # smtps_deprecated, smtps, smtp_submission, xmpp, xmpps, ldaps or a port number which
 # will be checked for certificate expiry and also will be checked after
 # an update to confirm correct certificate is running (if CHECK_REMOTE) is set to true
 #SERVER_TYPE="https"
 #CHECK_REMOTE="true"
--- a/test/test-config/nginx-ubuntu-sites-enabled-default
+++ b/test/test-config/nginx-ubuntu-sites-enabled-default
@ -0,0 +1,88 @@
 ##
 # You should look at the following URL's in order to grasp a solid understanding
 # of Nginx configuration files in order to fully unleash the power of Nginx.
 # http://wiki.nginx.org/Pitfalls
 # http://wiki.nginx.org/QuickStart
 # http://wiki.nginx.org/Configuration
 #
 # Generally, you will want to move this file somewhere, and start with a clean
 # file but keep this around for reference. Or just disable in sites-enabled.
 #
 # Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
 ##

 # Default server configuration
 #
 server {
 	listen 5002 default_server;
 	listen [::]:5002 default_server;

 	# SSL configuration
 	#
 	listen 5001 ssl default_server;
 	listen [::]:5001 ssl default_server;
 	#
 	# Note: You should disable gzip for SSL traffic.
 	# See: https://bugs.debian.org/773332
 	#
 	# Read up on ssl_ciphers to ensure a secure configuration.
 	# See: https://bugs.debian.org/765782
 	#
 	# Self signed certs generated by the ssl-cert package
 	# Don't use them in a production server!
 	#
 	# include snippets/snakeoil.conf;

 	root /var/www/html;

 	# Add index.php to the list if you are using PHP
 	index index.html index.htm index.nginx-debian.html;

 	server_name _;
    # ssl_certificate /etc/nginx/pki/server.crt;
    # ssl_certificate_key /etc/nginx/pki/private/server.key;

 	location / {
 		# First attempt to serve request as file, then
 		# as directory, then fall back to displaying a 404.
 		try_files $uri $uri/ =404;
 	}

 	# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
 	#
 	#location ~ \.php$ {
 	#	include snippets/fastcgi-php.conf;
 	#
 	#	# With php7.0-cgi alone:
 	#	fastcgi_pass 127.0.0.1:9000;
 	#	# With php7.0-fpm:
 	#	fastcgi_pass unix:/run/php/php7.0-fpm.sock;
 	#}

 	# deny access to .htaccess files, if Apache's document root
 	# concurs with nginx's one
 	#
 	#location ~ /\.ht {
 	#	deny all;
 	#}
 }


 # Virtual Host configuration for example.com
 #
 # You can move that to a different file under sites-available/ and symlink that
 # to sites-enabled/ to enable it.
 #
 #server {
 #	listen 80;
 #	listen [::]:80;
 #
 #	server_name example.com;
 #
 #	root /var/www/example.com;
 #	index index.html;
 #
 #	location / {
 #		try_files $uri $uri/ =404;
 #	}
 #}