github: Add a test for certbot, using pebble.

Author: alexmv

ci/certbot/compose.yaml

@@ -0,0 +1,45 @@
+---
+services:
+  zulip:
+    environment:
+      SSL_CERTIFICATE_GENERATION: certbot
+    networks:
+      zulip-backend:
+        ipv4_address: 172.28.5.100
+    depends_on:
+      - pebble
+    volumes: !override
+      - ./ci/certbot/post-setup.d/:/data/post-setup.d/
+    extra_hosts:
+      - "zulip.example.net:172.28.5.100"
+
+  database:
+    networks: [zulip-backend]
+  memcached:
+    networks: [zulip-backend]
+  rabbitmq:
+    networks: [zulip-backend]
+  redis:
+    networks: [zulip-backend]
+
+  pebble:
+    image: ghcr.io/letsencrypt/pebble:latest
+    volumes:
+      - ./ci/certbot/pebble-config/:/config/
+    command: -config /config/pebble-config.json -strict
+    ports:
+      - 14000:14000 # HTTPS ACME API
+      - 15000:15000 # HTTPS Management API
+    networks: [zulip-backend]
+    extra_hosts:
+      - "zulip.example.net:172.28.5.100"
+
+networks:
+  zulip-backend:
+    driver: bridge
+    ipam:
+      driver: default
+      config:
+        - subnet: 172.28.0.0/16
+          ip_range: 172.28.5.0/24
+          gateway: 172.28.5.254

ci/certbot/env

@@ -0,0 +1,24 @@
+{
+    "pebble": {
+        "listenAddress": "0.0.0.0:14000",
+        "managementListenAddress": "0.0.0.0:15000",
+        "certificate": "test/certs/localhost/cert.pem",
+        "privateKey": "test/certs/localhost/key.pem",
+        "httpPort": 80,
+        "tlsPort": 443,
+        "ocspResponderURL": "",
+        "externalAccountBindingRequired": false,
+        "domainBlocklist": ["blocked-domain.example"],
+        "retryAfter": {
+            "authz": 3,
+            "order": 5
+        },
+        "keyAlgorithm": "ecdsa",
+        "profiles": {
+            "default": {
+                "description": "The profile you know and love",
+                "validityPeriod": 7776000
+            }
+        }
+    }
+}

ci/certbot/pebble-config/pebble-config.json

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+# This configures certbot to talk to the Pebble instance we started
+echo "server=https://pebble:14000/dir" >>/etc/letsencrypt/cli.ini
+echo "no-verify-ssl=true" >>/etc/letsencrypt/cli.ini

ci/certbot/post-setup.d/setup-pebble.sh

@@ -0,0 +1,5 @@
+---
+services:
+  zulip:
+    environment:
+      SSL_CERTIFICATE_GENERATION: self-signed

ci/certbot/self-signed.yaml

@@ -0,0 +1,107 @@
+#!/bin/bash
+
+set -eux
+set -o pipefail
+
+getcert() {
+    echo | openssl s_client -showcerts -servername zulip.example.net -connect localhost:443 \
+        | openssl x509 -text -noout
+}
+wait_for_log() {
+    logline="$1"
+    for _ in {1..60}; do
+        if "${docker[@]:?}" logs zulip --no-log-prefix --no-color | grep "$logline"; then
+            return 0
+        fi
+        sleep 1
+    done
+
+    return 1
+}
+
+success=0
+for _ in {1..60}; do
+    getcert | tee cert.pem
+
+    if grep "Issuer: CN=Pebble Intermediate CA" cert.pem; then
+        success=1
+        break
+    fi
+    sleep 1
+done
+
+if [ "${success}" = "0" ]; then
+    echo "Timed out waiting for a Pebble-signed certificate to be served!"
+    exit 1
+fi
+
+## Test renewing -- this should generate and deploy a new certificate
+serial=$(grep "Serial Number:" cert.pem)
+"${docker[@]:?}" exec zulip /usr/bin/certbot renew --force-renew
+getcert | tee cert.pem
+newserial=$(grep "Serial Number:" cert.pem)
+if [ "${newserial}" = "${serial}" ]; then
+    echo "Failed to renew -- same serial number?"
+    exit 1
+fi
+# For simplicity below, we update $serial
+serial="$newserial"
+
+## Restarting the container should not get a new certificate
+"${docker[@]}" stop zulip
+
+"${docker[@]}" up zulip --wait
+# This will kick off runCertbotAsNeeded; we wait for a bit, tailing
+# the logs, until we see the "LetsEncrypt cert generated" line that we
+# expect at the end of it.
+if ! wait_for_log "LetsEncrypt cert generated"; then
+    echo "Failed to run Certbot to completion!"
+    exit 1
+fi
+getcert | tee cert.pem
+newserial=$(grep "Serial Number:" cert.pem)
+if [ "$newserial" != "$serial" ]; then
+    echo "Restarting forced a renewal it should not have!"
+    exit 1
+fi
+
+## Switching to self-signed drops the cert
+"${docker[@]}" stop zulip
+
+"${docker[@]}" -f ci/certbot/self-signed.yaml up zulip --wait
+logs="$("${docker[@]}" -f ci/certbot/self-signed.yaml logs zulip --no-log-prefix --no-color)"
+if echo "$logs" | grep -qEi 'certbot|letsencrypt'; then
+    echo "Certbot detected in nominally self-signed configuration!"
+    echo "$logs"
+    exit 1
+fi
+
+getcert | tee cert.pem
+if grep -qi pebble cert.pem; then
+    echo "Certificate is from Pebble, not self-signed!"
+    exit 1
+fi
+
+## Even if certbot is renewed in the container, we still serve the configured self-signed cert
+"${docker[@]:?}" exec zulip /usr/bin/certbot renew --force-renew
+getcert | tee cert.pem
+if grep -qi pebble cert.pem; then
+    echo "Certificate is from Pebble, not self-signed!"
+    exit 1
+fi
+
+## Switching _back_ to certbot still has the same cert, since it's not expired
+"${docker[@]}" stop zulip
+"${docker[@]}" up zulip --wait
+if ! wait_for_log "LetsEncrypt cert generated"; then
+    echo "Failed to run certbot codepath in restarted container"
+    exit 1
+fi
+getcert | tee cert.pem
+newserial=$(grep "Serial Number:" cert.pem)
+if [ "$newserial" != "$serial" ]; then
+    echo "Restarting forced a renewal it should not have!"
+    exit 1
+fi
+
+exit 0