pebble ca does not work

ForNetCode · Jun 28, 2024 · 756d771 · 756d771
1 parent 2d3b527
commit 756d771
Show file tree

Hide file tree

Showing 11 changed files with 47 additions and 23 deletions.
diff --git a/docs/develop/develop-tips.md b/docs/develop/develop-tips.md
@@ -21,7 +21,7 @@ config should be set as follows:
 
 ```shell
 # I try to change Pebble httpPort, but does not success. so the port must be Pebble default port.
-http.port = 5002
+http.port = 8080
 https.acme {
       emails = ["mailto:zsy.evan@gmail.com"]
       # directory to store account and certificate

diff --git a/test/config.test.acme.conf b/test/config.test.acme.conf
@@ -1,6 +1,6 @@
 # http bind, if set port <= 0, will disable http server(need set https config)
 http {
- port = 5002
+ port = 8080
  addr = "0.0.0.0"
 }
 

diff --git a/tests/bash/run_pebble.sh b/tests/bash/run_pebble.sh
@@ -1,4 +1,5 @@
 #!/bin/bash
 docker run --network=host -d -e PEBBLE_WFE_NONCEREJECT=0 \
 --name pebble \
-ghcr.io/letsencrypt/pebble:2.6.0
+-v $(pwd)/../data/pebble/pebble_config.json:/test/config/pebble_config.json \
+ghcr.io/letsencrypt/pebble:2.6.0 -config /test/config/pebble_config.json
diff --git a/tests/bash/run_pebble_dev.sh b/tests/bash/run_pebble_dev.sh
@@ -1,4 +1,5 @@
 #!/bin/bash
 docker run --network=host --rm -e PEBBLE_WFE_NONCEREJECT=0 \
 --name pebble \
-ghcr.io/letsencrypt/pebble:2.6.0
+-v $(pwd)/../data/pebble/pebble_config.json:/test/config/pebble_config.json \
+ghcr.io/letsencrypt/pebble:2.6.0 -config /test/config/pebble_config.json
diff --git a/tests/bash/run_pebble_mac.sh b/tests/bash/run_pebble_mac.sh
@@ -3,5 +3,7 @@
 #export IP=192.168.1.255
 docker run -p 14000:14000 -p 15000:15000 --rm -e PEBBLE_WFE_NONCEREJECT=0 \
 --add-host=local.fornetcode.com:$IP \
+--add-host=local2.fornetcode.com:$IP \
 --name pebble \
-ghcr.io/letsencrypt/pebble:2.6.0
+-v $(pwd)/../data/pebble/pebble_config.json:/test/config/pebble_config.json \
+ghcr.io/letsencrypt/pebble:2.6.0 -config /test/config/pebble_config.json
diff --git a/tests/data/pebble/pebble_config.json b/tests/data/pebble/pebble_config.json
@@ -0,0 +1,18 @@
+{
+  "pebble": {
+    "listenAddress": "0.0.0.0:14000",
+    "managementListenAddress": "0.0.0.0:15000",
+    "certificate": "test/certs/localhost/cert.pem",
+    "privateKey": "test/certs/localhost/key.pem",
+    "httpPort": 8080,
+    "tlsPort": 5001,
+    "ocspResponderURL": "",
+    "externalAccountBindingRequired": false,
+    "domainBlocklist": [],
+    "retryAfter": {
+      "authz": 3,
+      "order": 5
+    },
+    "certificateValidityPeriod": 2592000
+  }
+}
diff --git a/tests/data/server_config_acme.conf b/tests/data/server_config_acme.conf
@@ -1,6 +1,6 @@
 # http bind, if set port <= 0, will disable http server(need set https config)
 http {
- port = 5002
+ port = 8080
  addr = "0.0.0.0"
 }
 

diff --git a/tests/data/server_config_acme_alias.toml b/tests/data/server_config_acme_alias.toml
@@ -3,7 +3,7 @@ cors = true
 
 # http bind, if set port <= 0, will disable http server(need set https config)
 [http]
-port = 5002
+port = 8080
 addr = "0.0.0.0"
 
 # https config, optional
@@ -14,10 +14,10 @@ external_port = 8443
 
 [https.acme]
 emails = ["mailto:zsy.evan@gmail.com"]
-    # directory to store account and certificate
-    # optional, default is ${file_dir}/acme
-    #dir = "/data/acme"
-    # optional ,default is false
+# directory to store account and certificate
+# optional, default is ${file_dir}/acme
+#dir = "/data/acme"
+# optional ,default is false
 type = "ci"
 ci_ca_path = "./data/pebble/certs/pebble.minica.pem"
 
@@ -29,7 +29,7 @@ compression = true
 
 [[cache.client_cache]]
 expire = '30d'
-extension_names = ['icon','gif','jpg','jpeg','png','js']
+extension_names = ['icon', 'gif', 'jpg', 'jpeg', 'png', 'js']
 
 [[cache.client_cache]]
 expire = '0'
@@ -41,12 +41,12 @@ extension_names = ['html']
 # optional, and it's disabled by default.
 # if you use spa-client to upload files, control version. Need to open it
 [admin_config]
-  # bind host
+# bind host
 port = 9000
 addr = "127.0.0.1"
 
-  # this is used to check client request
-  # put it in http header,  Authorization: Bearer $token
+# this is used to check client request
+# put it in http header,  Authorization: Bearer $token
 token = "token"
 
 [[domains]]

diff --git a/tests/tests/acme_test.rs b/tests/tests/acme_test.rs
@@ -1,4 +1,4 @@
-#[allow(unused_variables)]
+#![allow(unused_variables)]
 use crate::common::*;
 use spa_server::config::get_host_path_from_domain;
 use std::fs;
@@ -50,15 +50,15 @@ async fn simple_acme_test() {
 
     assert_redirect_correct(request_prefix, "/27/").await;
     assert_redirect_correct(
-        &format!("http://{LOCAL_HOST}:5002/27"),
+        &format!("http://{LOCAL_HOST}:8080/27"),
         &format!("https://{LOCAL_HOST}:8443/27"),
     )
     .await;
 
     assert_files(domain, request_prefix, 1, vec![""]).await;
     assert_files(
         domain,
-        &format!("http://{LOCAL_HOST}:5002/27"),
+        &format!("http://{LOCAL_HOST}:8080/27"),
         1,
         vec!["", "index.html"],
     )
@@ -145,4 +145,3 @@ async fn alias_acme() {
     assert_files(domain, request_prefix, 1, vec!["index.html"]).await;
     assert_redirects(request_prefix, vec![format!("https://{LOCAL_HOST}:8443/")]).await
 }
-
diff --git a/tests/tests/common.rs b/tests/tests/common.rs
@@ -49,7 +49,8 @@ pub fn run_server_with_config(config_file_name: &str) -> JoinHandle<()> {
     );
     let _ = tracing_subscriber::fmt()
         .with_env_filter(
-            EnvFilter::try_from_default_env().unwrap_or_else(|_| "info,spa_server=debug".into()),
+            EnvFilter::try_from_default_env()
+                .unwrap_or_else(|_| "info,spa_server=debug,spa_client=debug".into()),
         )
         .with_test_writer()
         .try_init();
@@ -172,8 +173,9 @@ pub fn get_http_client() -> &'static Client {
             .add_root_certificate(get_root_cert(
                 get_test_dir().join("pebble/certs/pebble.minica.pem"),
             ))
+            //.tls_built_in_root_certs(false)
             .add_root_certificate(get_root_cert(get_test_dir().join("cert/cacerts.pem")))
-            // .danger_accept_invalid_certs(true)
+            .danger_accept_invalid_certs(true)
             .build()
             .unwrap()
     })
@@ -186,7 +188,8 @@ pub fn get_http_no_redirect_client() -> &'static Client {
                 get_test_dir().join("pebble/certs/pebble.minica.pem"),
             ))
             .add_root_certificate(get_root_cert(get_test_dir().join("cert/cacerts.pem")))
-            // .danger_accept_invalid_certs(true)
+            //.tls_built_in_root_certs(false)
+            .danger_accept_invalid_certs(true)
             .redirect(Policy::none())
             .build()
             .unwrap()

diff --git a/tests/tests/http_test.rs b/tests/tests/http_test.rs
@@ -1,4 +1,4 @@
-#[allow(unused_variables)]
+#![allow(unused_variables)]
 use reqwest::header::LOCATION;
 use reqwest::redirect::Policy;
 use reqwest::{ClientBuilder, StatusCode};