tests fix checkpoint.

alexmv · alexmv · commit 22ca821fedbc · 2025-11-26T23:51:06.000-05:00
diff --git a/ci/certbot/compose.yaml b/ci/certbot/compose.yaml
@@ -15,6 +15,11 @@ services:
       - ./ci/certbot/post-setup.d/:/data/post-setup.d/
     extra_hosts:
       - "zulip.example.net:172.28.5.100"
+    # We override the port mapping, because port 25 is not available in CI.
+    ports: !override
+      - "2525:25"
+      - "80:80"
+      - "443:443"
 
   database:
     networks: [zulip-backend]
@@ -34,6 +39,8 @@ services:
       - 14000:14000 # HTTPS ACME API
       - 15000:15000 # HTTPS Management API
     networks: [zulip-backend]
+    environment:
+      PEBBLE_VA_NOSLEEP: "1"
     extra_hosts:
       - "zulip.example.net:172.28.5.100"
 
diff --git a/ci/certbot/test.sh b/ci/certbot/test.sh
@@ -35,34 +35,38 @@ if [ "${success}" = "0" ]; then
     exit 1
 fi
 
-## SMTP also has the same cert
-echo | openssl s_client -showcerts -servername zulip.example.net -connect localhost:25 -starttls smtp \
-    | openssl x509 -text -noout \
-    | tee cert.pem
-if ! grep -E "Issuer: CN\s*=\s*Pebble Intermediate CA" cert.pem; then
+## SMTP should also have the same cert
+# We may need to retry a few times, since nginx gets reloaded first,
+# and the email server doesn't go hot-reloads.
+success=0
+for _ in {1..10}; do
+    set +o pipefail
+    echo | openssl s_client -showcerts -servername zulip.example.net -connect localhost:2525 -starttls smtp \
+        | openssl x509 -text -noout \
+        | tee cert.pem
+    set -o pipefail
+    if grep -E "Issuer: CN\s*=\s*Pebble Intermediate CA" cert.pem; then
+        success=1
+        break
+    fi
+    sleep 1
+done
+
+if [ "${success}" = "0" ]; then
     echo "SMTP STARTTLS does not have Pebble-signed certificate!"
     exit 1
 fi
 
 ## Test renewing -- this should generate and deploy a new certificate
 serial=$(grep "Serial Number:" cert.pem)
-"${docker[@]:?}" exec zulip /usr/bin/certbot renew --force-renew --non-interactive --debug
+"${docker[@]:?}" exec zulip /usr/bin/certbot renew --force-renew --no-random-sleep-on-renew
+"${docker[@]:?}" exec zulip cat /var/log/letsencrypt/letsencrypt.log
 getcert | tee cert.pem
 newserial=$(grep "Serial Number:" cert.pem)
 if [ "${newserial}" = "${serial}" ]; then
     echo "Failed to renew -- same serial number?"
     exit 1
 fi
-
-echo | openssl s_client -showcerts -servername zulip.example.net -connect localhost:25 -starttls smtp \
-    | openssl x509 -text -noout \
-    | tee cert.pem
-smtpserial=$(grep "Serial Number:" cert.pem)
-if [ "${newserial}" != "${smtpserial}" ]; then
-    echo "Serial numbers on HTTPS and SMTP STARTTLS differ after renew"
-    exit 1
-fi
-
 # For simplicity below, we update $serial
 serial="$newserial"
 
@@ -102,7 +106,7 @@ if grep -qi pebble cert.pem; then
 fi
 
 ## Even if certbot is renewed in the container, we still serve the configured self-signed cert
-"${docker[@]:?}" exec zulip /usr/bin/certbot renew --force-renew --non-interactive
+"${docker[@]:?}" exec zulip /usr/bin/certbot renew --force-renew --no-random-sleep-on-renew
 getcert | tee cert.pem
 if grep -qi pebble cert.pem; then
     echo "Certificate is from Pebble, not self-signed!"
