From 87c27d22a6a9c5d4e138b6144c66029772a6ccef Mon Sep 17 00:00:00 2001 From: Nicolas Duchon Date: Tue, 6 Dec 2022 12:28:48 +0100 Subject: [PATCH] feat: use EAB if available no matter the ACME CI (#981) * ci: setup Pebble with docker-compose + .env file * refactor: move acme.sh hooks further down the file * feat: user EAB with other CAs than Zero SSL * tests: ACME External Account Binding (EAB) * ci: add local Pebble EAB testing --- .github/workflows/test.yml | 14 +++- app/functions.sh | 9 +++ app/letsencrypt_service | 92 +++++++++++++++--------- test/config.sh | 7 ++ test/setup/pebble-config.json | 12 ---- test/setup/pebble/.env | 2 + test/setup/pebble/docker-compose.yml | 36 ++++++++++ test/setup/pebble/pebble-config-eab.json | 16 +++++ test/setup/pebble/pebble-config.json | 12 ++++ test/setup/pebble/setup-pebble.sh | 33 +++++++++ test/setup/setup-local.sh | 26 ++++--- test/setup/setup-pebble.sh | 51 ------------- test/tests/acme_eab/expected-std-out.txt | 1 + test/tests/acme_eab/run.sh | 73 +++++++++++++++++++ 14 files changed, 277 insertions(+), 107 deletions(-) delete mode 100644 test/setup/pebble-config.json create mode 100644 test/setup/pebble/.env create mode 100644 test/setup/pebble/docker-compose.yml create mode 100644 test/setup/pebble/pebble-config-eab.json create mode 100644 test/setup/pebble/pebble-config.json create mode 100755 test/setup/pebble/setup-pebble.sh delete mode 100755 test/setup/setup-pebble.sh create mode 100644 test/tests/acme_eab/expected-std-out.txt create mode 100755 test/tests/acme_eab/run.sh diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 6ac88b30..c7dbc594 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -97,7 +97,16 @@ jobs: ] setup: [2containers, 3containers] acme-ca: [pebble] + pebble-config: [pebble-config.json] include: + - test-name: acme_eab + setup: 2containers + acme-ca: pebble + pebble-config: pebble-config-eab.json + - test-name: acme_eab + setup: 3containers + acme-ca: pebble + pebble-config: pebble-config-eab.json - test-name: ocsp_must_staple setup: 2containers acme-ca: boulder @@ -122,7 +131,9 @@ jobs: - name: Setup Pebble if: ${{ matrix.acme-ca == 'pebble' }} - run: test/setup/setup-pebble.sh + env: + PEBBLE_CONFIG: ${{ matrix.pebble-config }} + run: test/setup/pebble/setup-pebble.sh - name: Setup Boulder if: ${{ matrix.acme-ca == 'boulder' }} @@ -148,6 +159,7 @@ jobs: env: SETUP: ${{ matrix.setup }} ACME_CA: ${{ matrix.acme-ca }} + PEBBLE_CONFIG: ${{ matrix.pebble-config }} run: test/run.sh -t ${{ matrix.test-name }} "$IMAGE" - name: Display containers logs diff --git a/app/functions.sh b/app/functions.sh index bec4664e..540a25dd 100644 --- a/app/functions.sh +++ b/app/functions.sh @@ -24,6 +24,15 @@ function parse_true() { esac } +function in_array() { + local needle="$1" item + local -n arrref="$2" + for item in "${arrref[@]}"; do + [[ "$item" == "$needle" ]] && return 0 + done + return 1 +} + [[ -z "${VHOST_DIR:-}" ]] && \ declare -r VHOST_DIR=/etc/nginx/vhost.d [[ -z "${START_HEADER:-}" ]] && \ diff --git a/app/letsencrypt_service b/app/letsencrypt_service index c94c2e58..edc2f9b3 100755 --- a/app/letsencrypt_service +++ b/app/letsencrypt_service @@ -220,37 +220,50 @@ function update_cert { --fullchain-file "${certificate_dir}/fullchain.pem" \ ) - # acme.sh pre and post hooks - local -n acme_pre_hook="ACME_${cid}_PRE_HOOK" - acme_pre_hook=${acme_pre_hook:-$ACME_PRE_HOOK} - if [[ -n "${acme_pre_hook// }" ]]; then - params_issue_arr+=(--pre-hook "$acme_pre_hook") - fi - local -n acme_post_hook="ACME_${cid}_POST_HOOK" - acme_post_hook=${acme_post_hook:-$ACME_POST_HOOK} - if [[ -n "${acme_post_hook// }" ]]; then - params_issue_arr+=(--post-hook "$acme_post_hook") - fi - [[ ! -d "$config_home" ]] && mkdir -p "$config_home" params_base_arr+=(--config-home "$config_home") local account_file="${config_home}/ca/${ca_dir}/account.json" - # Zero SSL External Account Binding (EAB) + # External Account Binding (EAB) + local -n eab_kid="ACME_${cid}_EAB_KID" + local -n eab_hmac_key="ACME_${cid}_EAB_HMAC_KEY" + if [[ ! -f "$account_file" ]]; then + if [[ -n "${eab_kid}" && -n "${eab_hmac_key}" ]]; then + # Register the ACME account with the per container EAB credentials. + params_register_arr+=(--eab-kid "$eab_kid" --eab-hmac-key "$eab_hmac_key") + elif [[ -n "${ACME_EAB_KID// }" && -n "${ACME_EAB_HMAC_KEY// }" ]]; then + # We don't have per-container EAB kid and hmac key or Zero SSL API key. + # Register the ACME account with the default EAB credentials. + params_register_arr+=(--eab-kid "$ACME_EAB_KID" --eab-hmac-key "$ACME_EAB_HMAC_KEY") + elif [[ -n "${accountemail// }" ]]; then + # We don't have per container nor default EAB credentials, register a new account. + params_register_arr+=(--accountemail "$accountemail") + fi + fi + + # Zero SSL if [[ "$acme_ca_uri" == "https://acme.zerossl.com/v2/DV90" ]]; then - local -n eab_kid="ACME_${cid}_EAB_KID" - local -n eab_hmac_key="ACME_${cid}_EAB_HMAC_KEY" - local -n zerossl_api_key="ZEROSSL_${cid}_API_KEY" - if [[ -z "$zerossl_api_key" ]]; then - # Try using the default API key - zerossl_api_key="$ZEROSSL_API_KEY" + # Test if we already have: + # - an account file + # - the --accountemail account registration parameter + # - the --eab-kid and --eab-hmac-key account registration parameters + local account_ok='false' + if [[ -f "$account_file" ]]; then + account_ok='true' + elif in_array '--accountemail' 'params_register_arr'; then + account_ok='true' + elif in_array '--eab-kid' 'params_register_arr' && in_array '--eab-hmac-key' 'params_register_arr'; then + account_ok='true' fi - if [[ ! -f "$account_file" ]]; then - if [[ -n "${eab_kid}" && -n "${eab_hmac_key}" ]]; then - # Register the ACME account with the per container EAB credentials. - params_register_arr+=(--eab-kid "$eab_kid" --eab-hmac-key "$eab_hmac_key") - elif [[ -n "${zerossl_api_key}" ]]; then - # We have a Zero SSL API key but no per-container EAB kid and hmac key. + + if [[ $account_ok == 'false' ]]; then + local -n zerossl_api_key="ZEROSSL_${cid}_API_KEY" + if [[ -z "$zerossl_api_key" ]]; then + # Try using the default API key + zerossl_api_key="${ZEROSSL_API_KEY:-}" + fi + + if [[ -n "${zerossl_api_key// }" ]]; then # Generate a set of ACME EAB credentials using the ZeroSSL API. local zerossl_api_response if zerossl_api_response="$(curl -s -X POST "https://api.zerossl.com/acme/eab-credentials?access_key=${zerossl_api_key}")"; then @@ -267,13 +280,6 @@ function update_cert { # curl failed. echo "Warning: curl failed to make an HTTP POST request to https://api.zerossl.com/acme/eab-credentials." fi - elif [[ -n "${ACME_EAB_KID// }" && -n "${ACME_EAB_HMAC_KEY// }" ]]; then - # We don't have per-container EAB kid and hmac key or Zero SSL API key. - # Register the ACME account with the default EAB credentials. - params_register_arr+=(--eab-kid "$ACME_EAB_KID" --eab-hmac-key "$ACME_EAB_HMAC_KEY") - elif [[ -n "${accountemail// }" ]]; then - # We don't have per container nor default EAB credentials, register a new account with ZeroSSL. - params_register_arr+=(--accountemail "$accountemail") else # We don't have a Zero SSL ACME account, EAB credentials, a ZeroSSL API key or an account email : # skip certificate account registration and certificate issuance. @@ -281,9 +287,6 @@ function update_cert { return 1 fi fi - elif [[ -n "${accountemail// }" ]]; then - # We're not using Zero SSL, register the ACME account using the provided email. - params_register_arr+=(--accountemail "$accountemail") fi # Account registration and update if required @@ -304,6 +307,25 @@ function update_cert { return 1 fi + # acme.sh pre and post hooks + local -n acme_pre_hook="ACME_${cid}_PRE_HOOK" + if [[ -n "${acme_pre_hook}" ]]; then + # Use per-container pre hook + params_issue_arr+=(--pre-hook "$acme_pre_hook") + elif [[ -n ${ACME_PRE_HOOK// } ]]; then + # Use default pre hook + params_issue_arr+=(--pre-hook "$ACME_PRE_HOOK") + fi + + local -n acme_post_hook="ACME_${cid}_POST_HOOK" + if [[ -n "${acme_post_hook}" ]]; then + # Use per-container post hook + params_issue_arr+=(--post-hook "$acme_post_hook") + elif [[ -n ${ACME_POST_HOOK// } ]]; then + # Use default post hook + params_issue_arr+=(--post-hook "$ACME_POST_HOOK") + fi + local -n acme_preferred_chain="ACME_${cid}_PREFERRED_CHAIN" if [[ -n "${acme_preferred_chain}" ]]; then # Using amce.sh --preferred-chain to select alternate chain. diff --git a/test/config.sh b/test/config.sh index bb370407..2984899b 100755 --- a/test/config.sh +++ b/test/config.sh @@ -19,6 +19,13 @@ globalTests+=( acme_hooks ) +# The acme_eab test requires Pebble with a specific configuration +if [[ "$ACME_CA" == 'pebble' && "$PEBBLE_CONFIG" == 'pebble-config-eab.json' ]]; then + globalTests+=( + acme_eab + ) +fi + # The ocsp_must_staple test does not work with Pebble if [[ "$ACME_CA" == 'boulder' ]]; then globalTests+=( diff --git a/test/setup/pebble-config.json b/test/setup/pebble-config.json deleted file mode 100644 index 2f450dc4..00000000 --- a/test/setup/pebble-config.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "pebble": { - "listenAddress": "0.0.0.0:14000", - "managementListenAddress": "0.0.0.0:15000", - "certificate": "test/certs/localhost/cert.pem", - "privateKey": "test/certs/localhost/key.pem", - "httpPort": 80, - "tlsPort": 443, - "ocspResponderURL": "", - "externalAccountBindingRequired": false - } -} diff --git a/test/setup/pebble/.env b/test/setup/pebble/.env new file mode 100644 index 00000000..ee93935f --- /dev/null +++ b/test/setup/pebble/.env @@ -0,0 +1,2 @@ +PEBBLE_VERSION='v2.3.1' +PEBBLE_CONFIG='pebble-config.json' diff --git a/test/setup/pebble/docker-compose.yml b/test/setup/pebble/docker-compose.yml new file mode 100644 index 00000000..6ab1dc3f --- /dev/null +++ b/test/setup/pebble/docker-compose.yml @@ -0,0 +1,36 @@ +version: '3' + +services: + pebble: + image: "letsencrypt/pebble:${PEBBLE_VERSION}" + container_name: pebble + volumes: + - "./${PEBBLE_CONFIG}:/test/config/pebble-config.json" + environment: + - PEBBLE_VA_NOSLEEP=1 + command: pebble -config /test/config/pebble-config.json -dnsserver 10.30.50.3:8053 + ports: + - 14000:14000 # HTTPS ACME API + - 15000:15000 # HTTPS Management API + networks: + acme_net: + ipv4_address: 10.30.50.2 + + challtestsrv: + image: "letsencrypt/pebble-challtestsrv:${PEBBLE_VERSION}" + container_name: challtestserv + command: pebble-challtestsrv -tlsalpn01 "" + ports: + - 8055:8055 # HTTP Management API + networks: + acme_net: + ipv4_address: 10.30.50.3 + +networks: + acme_net: + name: acme_net + driver: bridge + ipam: + driver: default + config: + - subnet: 10.30.50.0/24 diff --git a/test/setup/pebble/pebble-config-eab.json b/test/setup/pebble/pebble-config-eab.json new file mode 100644 index 00000000..2c8e974b --- /dev/null +++ b/test/setup/pebble/pebble-config-eab.json @@ -0,0 +1,16 @@ +{ + "pebble": { + "listenAddress": "0.0.0.0:14000", + "managementListenAddress": "0.0.0.0:15000", + "certificate": "test/certs/localhost/cert.pem", + "privateKey": "test/certs/localhost/key.pem", + "httpPort": 80, + "tlsPort": 443, + "ocspResponderURL": "", + "externalAccountBindingRequired": true, + "externalAccountMACKeys": { + "kid-1": "zWNDZM6eQGHWpSRTPal5eIUYFTu7EajVIoguysqZ9wG44nMEtx3MUAsUDkMTQ12W", + "kid-2": "b10lLJs8l1GPIzsLP0s6pMt8O0XVGnfTaCeROxQM0BIt2XrJMDHJZBM5NuQmQJQH" + } + } +} \ No newline at end of file diff --git a/test/setup/pebble/pebble-config.json b/test/setup/pebble/pebble-config.json new file mode 100644 index 00000000..325d4775 --- /dev/null +++ b/test/setup/pebble/pebble-config.json @@ -0,0 +1,12 @@ +{ + "pebble": { + "listenAddress": "0.0.0.0:14000", + "managementListenAddress": "0.0.0.0:15000", + "certificate": "test/certs/localhost/cert.pem", + "privateKey": "test/certs/localhost/key.pem", + "httpPort": 80, + "tlsPort": 443, + "ocspResponderURL": "", + "externalAccountBindingRequired": false + } +} \ No newline at end of file diff --git a/test/setup/pebble/setup-pebble.sh b/test/setup/pebble/setup-pebble.sh new file mode 100755 index 00000000..c3e54f51 --- /dev/null +++ b/test/setup/pebble/setup-pebble.sh @@ -0,0 +1,33 @@ +#!/bin/bash + +set -e + +setup_pebble() { + curl --silent --show-error https://raw.githubusercontent.com/letsencrypt/pebble/master/test/certs/pebble.minica.pem > "${GITHUB_WORKSPACE}/pebble.minica.pem" + cat "${GITHUB_WORKSPACE}/pebble.minica.pem" + docker-compose --file "${GITHUB_WORKSPACE}/test/setup/pebble/docker-compose.yml" up --detach +} + +wait_for_pebble() { + for endpoint in 'https://pebble:14000/dir' 'http://pebble-challtestsrv:8055'; do + while ! curl --cacert "${GITHUB_WORKSPACE}/pebble.minica.pem" "$endpoint" >/dev/null 2>&1; do + if [ $((i * 5)) -gt $((5 * 60)) ]; then + echo "$endpoint was not available under 5 minutes, timing out." + exit 1 + fi + i=$((i + 1)) + sleep 5 + done + done +} + +setup_pebble_challtestserv() { + curl --silent --show-error --data '{"ip":"10.30.50.1"}' http://pebble-challtestsrv:8055/set-default-ipv4 + curl --silent --show-error --data '{"ip":""}' http://pebble-challtestsrv:8055/set-default-ipv6 + curl --silent --show-error --data '{"host":"lim.it", "addresses":["10.0.0.0"]}' http://pebble-challtestsrv:8055/add-a +} + +setup_pebble +wait_for_pebble +setup_pebble_challtestserv +docker-compose --file "${GITHUB_WORKSPACE}/test/setup/pebble/docker-compose.yml" logs diff --git a/test/setup/setup-local.sh b/test/setup/setup-local.sh index 7703d1e3..a45fe7d1 100755 --- a/test/setup/setup-local.sh +++ b/test/setup/setup-local.sh @@ -44,7 +44,7 @@ function get_environment { break ;; *) - : + exit 1 ;; esac done @@ -55,9 +55,10 @@ function get_environment { while true; do echo "Which ACME CA do you want to use or remove ?" echo "" - echo " 1) Boulder https://github.com/letsencrypt/boulder" - echo " 2) Pebble https://github.com/letsencrypt/pebble" - read -re -p "Select an option [1-2]: " option + echo " 1) Boulder https://github.com/letsencrypt/boulder" + echo " 2) Pebble with base configuration https://github.com/letsencrypt/pebble" + echo " 3) Pebble with EAB configuration https://github.com/letsencrypt/pebble" + read -re -p "Select an option [1-3]: " option case $option in 1) acme_ca="boulder" @@ -65,15 +66,22 @@ function get_environment { ;; 2) acme_ca="pebble" + pebble_config="pebble-config.json" + break + ;; + 3) + acme_ca="pebble" + pebble_config="pebble-config-eab.json" break ;; *) - : + exit 1 ;; esac done fi export ACME_CA="${ACME_CA:-$acme_ca}" + export PEBBLE_CONFIG="${PEBBLE_CONFIG:-$pebble_config}" } case $1 in @@ -88,6 +96,7 @@ export DOCKER_GEN_CONTAINER_NAME="$DOCKER_GEN_CONTAINER_NAME" export TEST_DOMAINS="$TEST_DOMAINS" export SETUP="$SETUP" export ACME_CA="$ACME_CA" +export PEBBLE_CONFIG="$PEBBLE_CONFIG" EOF # Add the required custom entries to /etc/hosts @@ -109,7 +118,7 @@ EOF if [[ "$ACME_CA" == 'boulder' ]]; then "${GITHUB_WORKSPACE}/test/setup/setup-boulder.sh" elif [[ "$ACME_CA" == 'pebble' ]]; then - "${GITHUB_WORKSPACE}/test/setup/setup-pebble.sh" + "${GITHUB_WORKSPACE}/test/setup/pebble/setup-pebble.sh" else echo "ACME_CA is not set, aborting." exit 1 @@ -127,14 +136,15 @@ EOF done if [[ "$ACME_CA" == 'boulder' ]]; then - # Stop and remove boulder + # Stop and remove Boulder docker stop boulder docker-compose --project-name 'boulder' \ --file "${GITHUB_WORKSPACE}/go/src/github.com/letsencrypt/boulder/docker-compose.yml" \ down --volumes docker rm boulder elif [[ "$ACME_CA" == 'pebble' ]]; then - docker network rm acme_net + # Stop and remove Pebble + docker-compose --file "${GITHUB_WORKSPACE}/test/setup/pebble/docker-compose.yml" down [[ -f "${GITHUB_WORKSPACE}/pebble.minica.pem" ]] && rm "${GITHUB_WORKSPACE}/pebble.minica.pem" fi diff --git a/test/setup/setup-pebble.sh b/test/setup/setup-pebble.sh deleted file mode 100755 index ddcfb3dc..00000000 --- a/test/setup/setup-pebble.sh +++ /dev/null @@ -1,51 +0,0 @@ -#!/bin/bash - -set -e - -setup_pebble() { - docker network create --driver=bridge --subnet=10.30.50.0/24 acme_net - curl https://raw.githubusercontent.com/letsencrypt/pebble/master/test/certs/pebble.minica.pem > "${GITHUB_WORKSPACE}/pebble.minica.pem" - cat "${GITHUB_WORKSPACE}/pebble.minica.pem" - - docker run -d \ - --name pebble \ - --volume "${GITHUB_WORKSPACE}/test/setup/pebble-config.json:/test/config/pebble-config.json" \ - --network acme_net \ - --ip="10.30.50.2" \ - --publish 14000:14000 \ - --label com.github.jrcs.letsencrypt_nginx_proxy_companion.test_suite \ - letsencrypt/pebble:v2.3.1 \ - pebble -config /test/config/pebble-config.json -dnsserver 10.30.50.3:8053 - - docker run -d \ - --name challtestserv \ - --network acme_net \ - --ip="10.30.50.3" \ - --publish 8055:8055 \ - --label com.github.jrcs.letsencrypt_nginx_proxy_companion.test_suite \ - letsencrypt/pebble-challtestsrv:v2.3.1 \ - pebble-challtestsrv -tlsalpn01 "" -} - -wait_for_pebble() { - for endpoint in 'https://pebble:14000/dir' 'http://pebble-challtestsrv:8055'; do - while ! curl -k "$endpoint" >/dev/null 2>&1; do - if [ $((i * 5)) -gt $((5 * 60)) ]; then - echo "$endpoint was not available under 5 minutes, timing out." - exit 1 - fi - i=$((i + 1)) - sleep 5 - done - done -} - -setup_pebble_challtestserv() { - curl -X POST -d '{"ip":"10.30.50.1"}' http://pebble-challtestsrv:8055/set-default-ipv4 - curl -X POST -d '{"ip":""}' http://pebble-challtestsrv:8055/set-default-ipv6 - curl -X POST -d '{"host":"lim.it", "addresses":["10.0.0.0"]}' http://pebble-challtestsrv:8055/add-a -} - -setup_pebble -wait_for_pebble -setup_pebble_challtestserv \ No newline at end of file diff --git a/test/tests/acme_eab/expected-std-out.txt b/test/tests/acme_eab/expected-std-out.txt new file mode 100644 index 00000000..8b137891 --- /dev/null +++ b/test/tests/acme_eab/expected-std-out.txt @@ -0,0 +1 @@ + diff --git a/test/tests/acme_eab/run.sh b/test/tests/acme_eab/run.sh new file mode 100755 index 00000000..1c91567d --- /dev/null +++ b/test/tests/acme_eab/run.sh @@ -0,0 +1,73 @@ +#!/bin/bash + +## Test for ACME External Account Binding (EAB). + +declare -A eab=( \ + [kid-1]=zWNDZM6eQGHWpSRTPal5eIUYFTu7EajVIoguysqZ9wG44nMEtx3MUAsUDkMTQ12W \ + [kid-2]=b10lLJs8l1GPIzsLP0s6pMt8O0XVGnfTaCeROxQM0BIt2XrJMDHJZBM5NuQmQJQH \ +) + +if [[ -z $GITHUB_ACTIONS ]]; then + le_container_name="$(basename "${0%/*}")_$(date "+%Y-%m-%d_%H.%M.%S")" +else + le_container_name="$(basename "${0%/*}")" +fi +run_le_container "${1:?}" "$le_container_name" \ + --cli-args "--env ACME_EAB_KID=kid-1" \ + --cli-args "--env ACME_EAB_HMAC_KEY=${eab[kid-1]}" + +# Create the $domains array from comma separated domains in TEST_DOMAINS. +IFS=',' read -r -a domains <<< "$TEST_DOMAINS" + +# Cleanup function with EXIT trap +function cleanup { + # Remove any remaining Nginx container(s) silently. + for domain in "${domains[@]}"; do + docker rm --force "$domain" &> /dev/null + done + # Cleanup the files created by this run of the test to avoid foiling following test(s). + docker exec "$le_container_name" /app/cleanup_test_artifacts + # Stop the LE container + docker stop "$le_container_name" > /dev/null +} +trap cleanup EXIT + +# Run an nginx container for ${domains[0]}. +run_nginx_container --hosts "${domains[0]}" + +# Run an nginx container for ${domains[1]} with LETSENCRYPT_EMAIL and ACME_EAB_* set. +container_email="contact@${domains[1]}" +run_nginx_container --hosts "${domains[1]}" \ + --cli-args "--env LETSENCRYPT_EMAIL=${container_email}" \ + --cli-args "--env ACME_EAB_KID=kid-2" \ + --cli-args "--env ACME_EAB_HMAC_KEY=${eab[kid-2]}" + +# Wait for a symlink at /etc/nginx/certs/${domains[0]}.crt +wait_for_symlink "${domains[0]}" "$le_container_name" + +# Test if the expected file is there. +config_path="/etc/acme.sh/default/ca/$ACME_CA" +json_file="${config_path}/account.json" +conf_file="${config_path}/ca.conf" +if docker exec "$le_container_name" [[ ! -f "$json_file" ]]; then + echo "The $json_file file does not exist." +elif ! docker exec "$le_container_name" grep -q "${eab[kid-1]}" "$conf_file"; then + echo "There correct EAB HMAC key isn't on ${conf_file}." +fi + +# Wait for a symlink at /etc/nginx/certs/${domains[1]}.crt +wait_for_symlink "${domains[1]}" "$le_container_name" + +# Test if the expected file is there. +config_path="/etc/acme.sh/${container_email}/ca/$ACME_CA" +json_file="${config_path}/account.json" +conf_file="${config_path}/ca.conf" +if docker exec "$le_container_name" [[ ! -f "$json_file" ]]; then + echo "The $json_file file does not exist." +elif ! docker exec "$le_container_name" grep -q "${eab[kid-2]}" "$conf_file"; then + echo "There correct EAB HMAC key isn't on ${conf_file}." +fi + +# Stop the nginx containers silently. +docker stop "${domains[0]}" &> /dev/null +docker stop "${domains[1]}" &> /dev/null