nixos/tests/acme: Fix fullchain validation

In the next release of Pebble, the certificate subject is no longer populated with a useful domain name. This change will refactor the fullchain validation assertions to avoid checking the subject line.
2024-09-24 21:33:48 +01:00 · 2024-09-24 21:33:48 +01:00 · b2758880b3
commit b2758880b3
parent 27e30d177e
1 changed files with 11 additions and 7 deletions
--- a/nixos/tests/acme.nix
+++ b/nixos/tests/acme.nix
@ -471,14 +471,18 @@ in {

      # Ensure cert comes before chain in fullchain.pem
      def check_fullchain(node, cert_name):
-          subject_data = node.succeed(
-              f"openssl crl2pkcs7 -nocrl -certfile /var/lib/acme/{cert_name}/fullchain.pem"
-              " | openssl pkcs7 -print_certs -noout"
+          cert_file = f"/var/lib/acme/{cert_name}/fullchain.pem"
+          num_certs = node.succeed(f"grep -o 'END CERTIFICATE' {cert_file}")
+          assert len(num_certs.strip().split("\n")) > 1, "Insufficient certs in fullchain.pem"
+
+          first_cert_data = node.succeed(
+              f"grep -m1 -B50 'END CERTIFICATE' {cert_file}"
+              " | openssl x509 -noout -text"
          )
-          for line in subject_data.lower().split("\n"):
-              if "subject" in line:
-                  print(f"First subject in fullchain.pem: {line}")
-                  assert cert_name.lower() in line
+          for line in first_cert_data.lower().split("\n"):
+              if "dns:" in line:
+                  print(f"First DNSName in fullchain.pem: {line}")
+                  assert cert_name.lower() in line, f"{cert_name} not found in {line}"
                  return

          assert False