github: Add a test for certbot, using pebble.

alexmv · alexmv · commit 98c09d8105dd · 2025-11-21T00:40:45.000-05:00
diff --git a/ci/certbot/compose.yaml b/ci/certbot/compose.yaml
@@ -0,0 +1,44 @@
+---
+services:
+  zulip:
+    environment:
+      SSL_CERTIFICATE_GENERATION: certbot
+    networks:
+      zulip-backend:
+        ipv4_address: 172.28.5.100
+    depends_on:
+      - pebble
+      - challtestsrv
+
+  database:
+    networks: [zulip-backend]
+  memcached:
+    networks: [zulip-backend]
+  rabbitmq:
+    networks: [zulip-backend]
+  redis:
+    networks: [zulip-backend]
+
+  pebble:
+    image: ghcr.io/letsencrypt/pebble:latest
+    volumes:
+      - ./ci/certbot/pebble-config/:/config/
+    command: -config /config/pebble-config.json -strict -dnsserver challtestsrv:8053
+    ports:
+      - 14000:14000 # HTTPS ACME API
+      - 15000:15000 # HTTPS Management API
+    networks: [zulip-backend]
+  challtestsrv:
+    image: ghcr.io/letsencrypt/pebble-challtestsrv:latest
+    command: -defaultIPv6 "" -defaultIPv4 172.28.5.100
+    networks: [zulip-backend]
+
+networks:
+  zulip-backend:
+    driver: bridge
+    ipam:
+      driver: default
+      config:
+        - subnet: 172.28.0.0/16
+          ip_range: 172.28.5.0/24
+          gateway: 172.28.5.254
diff --git a/ci/certbot/env b/ci/certbot/env
@@ -0,0 +1 @@
+../basic/env
diff --git a/ci/certbot/pebble-config/pebble-config.json b/ci/certbot/pebble-config/pebble-config.json
@@ -0,0 +1,28 @@
+{
+  "pebble": {
+    "listenAddress": "0.0.0.0:14000",
+    "managementListenAddress": "0.0.0.0:15000",
+    "certificate": "test/certs/localhost/cert.pem",
+    "privateKey": "test/certs/localhost/key.pem",
+    "httpPort": 80,
+    "tlsPort": 443,
+    "ocspResponderURL": "",
+    "externalAccountBindingRequired": false,
+    "domainBlocklist": ["blocked-domain.example"],
+    "retryAfter": {
+      "authz": 3,
+      "order": 5
+    },
+    "keyAlgorithm": "ecdsa",
+    "profiles": {
+      "default": {
+        "description": "The profile you know and love",
+        "validityPeriod": 7776000
+      },
+      "shortlived": {
+        "description": "A short-lived cert profile, without actual enforcement",
+        "validityPeriod": 518400
+      }
+    }
+  }
+}
diff --git a/ci/certbot/test.sh b/ci/certbot/test.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+set -eux
+set -o pipefail
+
+url="https://${hostname:?}"
+
+curl --verbose --insecure "${url}"
