Skip to content

Commit ea631c5

Browse files
alexmvalexmv
committed
tests fix checkpoint.
1 parent 3853314 commit ea631c5

File tree

2 files changed

+24
-15
lines changed

2 files changed

+24
-15
lines changed

ci/certbot/compose.yaml

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,11 @@ services:
1515
- ./ci/certbot/post-setup.d/:/data/post-setup.d/
1616
extra_hosts:
1717
- "zulip.example.net:172.28.5.100"
18+
# We override the port mapping, because port 25 is not available in CI.
19+
ports: !override
20+
- "2525:25"
21+
- "80:80"
22+
- "443:443"
1823

1924
database:
2025
networks: [zulip-backend]

ci/certbot/test.sh

Lines changed: 19 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -35,34 +35,38 @@ if [ "${success}" = "0" ]; then
3535
exit 1
3636
fi
3737

38-
## SMTP also has the same cert
39-
echo | openssl s_client -showcerts -servername zulip.example.net -connect localhost:25 -starttls smtp \
40-
| openssl x509 -text -noout \
41-
| tee cert.pem
42-
if ! grep -E "Issuer: CN\s*=\s*Pebble Intermediate CA" cert.pem; then
38+
## SMTP should also have the same cert
39+
# We may need to retry a few times, since nginx gets reloaded first,
40+
# and the email server doesn't go hot-reloads.
41+
success=0
42+
for _ in {1..10}; do
43+
set +o pipefail
44+
echo | openssl s_client -showcerts -servername zulip.example.net -connect localhost:2525 -starttls smtp \
45+
| openssl x509 -text -noout \
46+
| tee cert.pem
47+
set -o pipefail
48+
if grep -E "Issuer: CN\s*=\s*Pebble Intermediate CA" cert.pem; then
49+
success=1
50+
break
51+
fi
52+
sleep 1
53+
done
54+
55+
if [ "${success}" = "0" ]; then
4356
echo "SMTP STARTTLS does not have Pebble-signed certificate!"
4457
exit 1
4558
fi
4659

4760
## Test renewing -- this should generate and deploy a new certificate
4861
serial=$(grep "Serial Number:" cert.pem)
4962
"${docker[@]:?}" exec zulip /usr/bin/certbot renew --force-renew --non-interactive --debug
63+
"${docker[@]:?}" exec zulip cat /var/log/letsencrypt/letsencrypt.log
5064
getcert | tee cert.pem
5165
newserial=$(grep "Serial Number:" cert.pem)
5266
if [ "${newserial}" = "${serial}" ]; then
5367
echo "Failed to renew -- same serial number?"
5468
exit 1
5569
fi
56-
57-
echo | openssl s_client -showcerts -servername zulip.example.net -connect localhost:25 -starttls smtp \
58-
| openssl x509 -text -noout \
59-
| tee cert.pem
60-
smtpserial=$(grep "Serial Number:" cert.pem)
61-
if [ "${newserial}" != "${smtpserial}" ]; then
62-
echo "Serial numbers on HTTPS and SMTP STARTTLS differ after renew"
63-
exit 1
64-
fi
65-
6670
# For simplicity below, we update $serial
6771
serial="$newserial"
6872

0 commit comments

Comments
 (0)