Update letsencrypt/pebble to use ghcr image

2025-11-30 15:11:31 +01:00 · 2025-11-07 11:58:04 +01:00 · 2025-11-07 11:58:04 +01:00 · effca0a603
commit effca0a603
parent 998868450f
2 changed files with 68 additions and 55 deletions
--- a/integration/acme_test.go
+++ b/integration/acme_test.go
@ -21,6 +21,7 @@ import (
 	"github.com/traefik/traefik/v2/pkg/provider/acme"
 	"github.com/traefik/traefik/v2/pkg/testhelpers"
 	"github.com/traefik/traefik/v2/pkg/types"
+	"k8s.io/utils/strings/slices"
 )

 // ACME test suites.
@ -36,7 +37,7 @@ func TestAcmeSuite(t *testing.T) {

 type subCases struct {
 	host              string
-	expectedCommonName string
+	expectedDomain    string
 	expectedAlgorithm x509.PublicKeyAlgorithm
 }

@ -143,7 +144,7 @@ func (s *AcmeSuite) TestHTTP01Domains() {
 		traefikConfFilePath: "fixtures/acme/acme_domains.toml",
 		subCases: []subCases{{
 			host:              acmeDomain,
-			expectedCommonName: acmeDomain,
+			expectedDomain:    acmeDomain,
 			expectedAlgorithm: x509.RSA,
 		}},
 		template: templateModel{
@ -166,7 +167,7 @@ func (s *AcmeSuite) TestHTTP01StoreDomains() {
 		traefikConfFilePath: "fixtures/acme/acme_store_domains.toml",
 		subCases: []subCases{{
 			host:              acmeDomain,
-			expectedCommonName: acmeDomain,
+			expectedDomain:    acmeDomain,
 			expectedAlgorithm: x509.RSA,
 		}},
 		template: templateModel{
@ -189,7 +190,7 @@ func (s *AcmeSuite) TestHTTP01DomainsInSAN() {
 		traefikConfFilePath: "fixtures/acme/acme_domains.toml",
 		subCases: []subCases{{
 			host:              acmeDomain,
-			expectedCommonName: "acme.wtf",
+			expectedDomain:    "acme.wtf",
 			expectedAlgorithm: x509.RSA,
 		}},
 		template: templateModel{
@ -213,7 +214,7 @@ func (s *AcmeSuite) TestHTTP01OnHostRule() {
 		traefikConfFilePath: "fixtures/acme/acme_base.toml",
 		subCases: []subCases{{
 			host:              acmeDomain,
-			expectedCommonName: acmeDomain,
+			expectedDomain:    acmeDomain,
 			expectedAlgorithm: x509.RSA,
 		}},
 		template: templateModel{
@ -234,12 +235,12 @@ func (s *AcmeSuite) TestMultipleResolver() {
 		subCases: []subCases{
 			{
 				host:              acmeDomain,
-				expectedCommonName: acmeDomain,
+				expectedDomain:    acmeDomain,
 				expectedAlgorithm: x509.RSA,
 			},
 			{
 				host:              "tchouk.acme.wtf",
-				expectedCommonName: "tchouk.acme.wtf",
+				expectedDomain:    "tchouk.acme.wtf",
 				expectedAlgorithm: x509.ECDSA,
 			},
 		},
@ -264,7 +265,7 @@ func (s *AcmeSuite) TestHTTP01OnHostRuleECDSA() {
 		traefikConfFilePath: "fixtures/acme/acme_base.toml",
 		subCases: []subCases{{
 			host:              acmeDomain,
-			expectedCommonName: acmeDomain,
+			expectedDomain:    acmeDomain,
 			expectedAlgorithm: x509.ECDSA,
 		}},
 		template: templateModel{
@ -285,7 +286,7 @@ func (s *AcmeSuite) TestHTTP01OnHostRuleInvalidAlgo() {
 		traefikConfFilePath: "fixtures/acme/acme_base.toml",
 		subCases: []subCases{{
 			host:              acmeDomain,
-			expectedCommonName: acmeDomain,
+			expectedDomain:    acmeDomain,
 			expectedAlgorithm: x509.RSA,
 		}},
 		template: templateModel{
@ -301,12 +302,13 @@ func (s *AcmeSuite) TestHTTP01OnHostRuleInvalidAlgo() {
 	s.retrieveAcmeCertificate(testCase)
 }

+// TODO: check why this test do not use the ACME cert resolver.
 func (s *AcmeSuite) TestHTTP01OnHostRuleDefaultDynamicCertificatesWithWildcard() {
 	testCase := acmeTestCase{
 		traefikConfFilePath: "fixtures/acme/acme_tls.toml",
 		subCases: []subCases{{
 			host:              acmeDomain,
-			expectedCommonName: wildcardDomain,
+			expectedDomain:    wildcardDomain,
 			expectedAlgorithm: x509.RSA,
 		}},
 		template: templateModel{
@ -321,12 +323,13 @@ func (s *AcmeSuite) TestHTTP01OnHostRuleDefaultDynamicCertificatesWithWildcard()
 	s.retrieveAcmeCertificate(testCase)
 }

+// TODO: check why this test do not use the ACME cert resolver.
 func (s *AcmeSuite) TestHTTP01OnHostRuleDynamicCertificatesWithWildcard() {
 	testCase := acmeTestCase{
 		traefikConfFilePath: "fixtures/acme/acme_tls_dynamic.toml",
 		subCases: []subCases{{
 			host:              acmeDomain,
-			expectedCommonName: wildcardDomain,
+			expectedDomain:    wildcardDomain,
 			expectedAlgorithm: x509.RSA,
 		}},
 		template: templateModel{
@ -346,7 +349,7 @@ func (s *AcmeSuite) TestTLSALPN01OnHostRuleTCP() {
 		traefikConfFilePath: "fixtures/acme/acme_tcp.toml",
 		subCases: []subCases{{
 			host:              acmeDomain,
-			expectedCommonName: acmeDomain,
+			expectedDomain:    acmeDomain,
 			expectedAlgorithm: x509.RSA,
 		}},
 		template: templateModel{
@ -366,7 +369,7 @@ func (s *AcmeSuite) TestTLSALPN01OnHostRule() {
 		traefikConfFilePath: "fixtures/acme/acme_base.toml",
 		subCases: []subCases{{
 			host:              acmeDomain,
-			expectedCommonName: acmeDomain,
+			expectedDomain:    acmeDomain,
 			expectedAlgorithm: x509.RSA,
 		}},
 		template: templateModel{
@ -386,7 +389,7 @@ func (s *AcmeSuite) TestTLSALPN01Domains() {
 		traefikConfFilePath: "fixtures/acme/acme_domains.toml",
 		subCases: []subCases{{
 			host:              acmeDomain,
-			expectedCommonName: acmeDomain,
+			expectedDomain:    acmeDomain,
 			expectedAlgorithm: x509.RSA,
 		}},
 		template: templateModel{
@ -409,7 +412,7 @@ func (s *AcmeSuite) TestTLSALPN01DomainsInSAN() {
 		traefikConfFilePath: "fixtures/acme/acme_domains.toml",
 		subCases: []subCases{{
 			host:              acmeDomain,
-			expectedCommonName: "acme.wtf",
+			expectedDomain:    "acme.wtf",
 			expectedAlgorithm: x509.RSA,
 		}},
 		template: templateModel{
@ -502,27 +505,38 @@ func (s *AcmeSuite) retrieveAcmeCertificate(testCase acmeTestCase) {
 		req.Header.Set("Host", sub.host)
 		req.Header.Set("Accept", "*/*")

-		var resp *http.Response
+		var (
+			gotStatusCode         int
+			gotDomains            []string
+			gotPublicKeyAlgorithm x509.PublicKeyAlgorithm
+		)

 		// Retry to send a Request which uses the LE generated certificate
 		err := try.Do(60*time.Second, func() error {
-			resp, err = client.Do(req)
+			resp, err := client.Do(req)
 			if err != nil {
 				return err
 			}

-			cn := resp.TLS.PeerCertificates[0].Subject.CommonName
-			if cn != sub.expectedCommonName {
-				return fmt.Errorf("domain %s found instead of %s", cn, sub.expectedCommonName)
+			gotStatusCode = resp.StatusCode
+			gotPublicKeyAlgorithm = resp.TLS.PeerCertificates[0].PublicKeyAlgorithm
+
+			// Here we are collecting the common name as it is used in wildcard tests.
+			gotDomains = append(gotDomains, resp.TLS.PeerCertificates[0].Subject.CommonName)
+			gotDomains = append(gotDomains, resp.TLS.PeerCertificates[0].DNSNames...)
+
+			if !slices.Contains(gotDomains, sub.expectedDomain) {
+				return fmt.Errorf("domain name %s not found in domain names: %v", sub.expectedDomain, gotDomains)
 			}

 			return nil
 		})

 		require.NoError(s.T(), err)
-		assert.Equal(s.T(), http.StatusOK, resp.StatusCode)
+		assert.Equal(s.T(), http.StatusOK, gotStatusCode)
+
 		// Check Domain into response certificate
-		assert.Equal(s.T(), sub.expectedCommonName, resp.TLS.PeerCertificates[0].Subject.CommonName)
-		assert.Equal(s.T(), sub.expectedAlgorithm, resp.TLS.PeerCertificates[0].PublicKeyAlgorithm)
+		assert.Contains(s.T(), gotDomains, sub.expectedDomain)
+		assert.Equal(s.T(), sub.expectedAlgorithm, gotPublicKeyAlgorithm)
 	}
 }
--- a/integration/resources/compose/pebble.yml
+++ b/integration/resources/compose/pebble.yml
@ -1,9 +1,8 @@
 version: "3.8"
 services:
  pebble:
-    image: letsencrypt/pebble:v2.3.1
+    image: ghcr.io/letsencrypt/pebble:2.8.0
    command:
-      - pebble
      - --dnsserver
      - host.docker.internal:5053
    environment: