►
A
A
This
is
an
issue
that
I
got
open
because
our
acne
client
that
we
use
in
our
cookbooks
for
doing
lots,
lots
and
stuff
got
updated,
and
since
we
only
had
specs
that
chef
specs
to
validate
behavior,
we
ended
up
pushing
a
broken,
changed
production
and
finding
out
about
it
later
so
I
mean
with
yeah
so
that
that's
the
impetus
behind
this
issue
a
little
bit
more
about
the
the
current
state
of
things
before
this.
Mr,
so
I
guess
that
we
did.
A
We
do
have
a
let's
encrypt
spec,
I'm
looking
at
here
on
the
right,
which
is
good,
but
specs
are
really
only
helpful
for
chef
when
you're
trying
to
understand
how
attributes
are
going
to
be
modifying
the
behavior
of
your
recipes.
If
you're
doing,
if
else
or
you
know
filtering
including
recipes
depending
on
you
know
whether
a
note
is
red,
hat
or
ubuntu
stuff
like
that,
so
the
specs
aren't
really
meant
to
catch
this
sort
of
issue
anyway,
but
we
do
have
some.
A
So
that's
good
building
on
that,
though,
so
the
way
that
the
lesson
crypt
works
in
the
omnibus
right
now
I'll
come
very
briefly
for
those
not
familiar.
Let
me
know
if
I
get
anything
wrong
here,
but
basically
we
have
this.
Let's
encrypt
cookbook,
I'm
looking
at
the
enable
recipe
in
it
right
now
on
the
right
side
of
my
screen,
and
so
you
can
see
here,
I'm
140
for
it
well.
First
of
all,
it
generates
a
self-signed
certificate,
so
enginex
will
be
working
and
serving
on
port
443.
A
A
I
believe
we
only
support
http
101
right
now
in
omnibus,
because
there
is
not,
you
can
see,
include,
let's
encrypt
attribute
authorization
and
then,
if
we
look
in
the
folder,
the
only
one
there
is
http.
So
that
means
you
know:
a
service
has
to
open
their
port
80
to
do
the
validation
instead
of
dns.
So
there
might
be
a
future
enhancement
here
to
enable
dns.
Let's
we've
got
a
nice
issue
for
that
one
it
all
comes
down
to
now.
A
A
It
resets
the
private
key
for
acme,
which
is
required
to
do
this
again,
and
then
it
requests
the
production
certificate
which
is
then
used.
So
that's
the
flow
of
it
was
first
looking
into
this
issue.
We
had
hard-coded
well,
there
were
a
couple
of
things
that
made
this
difficult.
So
for
one,
this
dur
argument
is
actually
the
argument
for
the
acme
endpoint
that
you
want
to
hit.
Did
I
say
acme
endpoint
instead
of
let's
encrypt
endpoint,
because
let's
encrypt
is
just
an
implementation
of
the
acme
protocol
and
they're.
A
Well,
I
mean
it's
good
for
testing
and
it's
good
for
users,
so
I
think
that's
pretty
good.
Okay.
So
now
we
have
the
the
endpoints
parameterized.
Here
they
default
to-
let's
encrypt,
as
I
said,
but
for
testing
we
don't.
We
don't
want
to
use
the
production.
That's
encrypted,
endpoint,
of
course,
because
of
weight
limiting,
but
using
the
staging.
Let's
encrypt
endpoint
for
testing
is
actually
not
so
great
either
because
it
also
has
rate
limits,
they're
higher
than
production.
A
But
so
there's
a
couple
things
going
on
here,
like
there's
the
rate
limits
and
this
failed
validations
limit
64
hours,
probably
the
one
that
would
hit
most
people,
because
the
other
limits
are
pretty
high.
But
you
also
and
I'll
get
into
this
more.
When
I
talked
about
like
using
pebble
and
our
own
acne
point
for
testing,
but
you
can't
test
it
will
it
will
identify
you
as
malicious
if
you
are
trying
to
do
tests
with
the
control
flow
of
what's
encrypt?
A
A
A
Okay,
so
we've
got
pebble
and
then
we've
got
this
other
tool
called
chao
test
serve,
which
is
not
the
most
inspired
name,
but
it's
a
challenge
test
server,
and
so
I'm
going
to
open
up
the
docker
compose
here.
I
guess
I
already
have
it
open.
So
we've
got
three
images
here.
This
is
this:
is
the
testing
docker
compose
and
so
for
the
first
image.
A
And
so
these
are
all
working
together,
because
you
see
here
to
pebble
we're
passing
the
dns
server
argument,
which
is
the
child
test
server.
So
pebble
is
talking
to
that
for
its
dns,
and
so
when
we're
running
tests,
we've
got
this
function
here
called
start
hubble,
which
starts
pebble
in
the
challenge
test
server
and
then,
once
those
are
up
it
posts
to
the
challenge
tester,
where
this
mock
a
record.
A
So
we're
saying
gitlab.example.com,
which
is
what
our
host
name
is
for
the
gitlab
image
should
point
to
that
ip
address,
and
so
this
is
how
it
there's
not.
As
far
as
I
can
tell,
there's
not
a
config
file
for
this
shell
test
serve.
You
just
make
api
requests
to
it
to
set
it
up
in
the
state.
It
can
do
a
lot
more
than
we're
using
it.
For
here
I
don't
like
with
a
lot
of
this
like
infrastructure
and
tools.
A
The
pebble
channel,
tester
folder,
a
lot
of
it
is,
was
built
by
let's
encrypt
to
test
their
own
services
and
so
we're
just
kind
of
using
smaller
parts
of
it.
There's
this
other
tool,
they
have
called
boulder,
which
is
bigger
than
pebble
that
it's
it's
basically
like
a
whole
application
like
you
need
to
have.
You
need
to
stand
up
several
services
that
all
talk
to
each
other.
A
A
Okay,
so
I'm
going
to
run
this
in
the
background.
While
I
talk
about
it
a
little
bit
more
and
the
test,
so
one
issue
that
I
ran
into
that
was
interesting
is
that
I
wanted.
I
wanted
a
way
in
the
in
the
test
to
run
the
mommy
must
doctor
image
and
then,
when
it
was
done,
configuring
just
stop
like
I
didn't
want
to
keep
running
and
so
looking
into
how
we
do
this
a
little
more.
A
If
you
look
into
this
wrapper,
which
is
the
entry
point
for
the
github
omnibus
docker
image,
scroll
all
the
way
to
the
bottom,
there's
this
gitlab
post
configure
script
which
evals
anything
you
pass
to
it,
and
so
in
the
test,
we're
setting
that
value
to
exit,
and
so
when
the
it
starts
up
it
configures
git
lab
it
gets
here.
It
just
runs
exits,
so
it's
not
tailing
the
logs
or
waiting
for
it.
So
I
was
glad
to
see
that
we
had
this
hook
in
there.
A
Okay,
so
I've
got
the
image
here,
since
this
is
still
at.
Mr,
it's
got
my
mr
tag.
This
is
just
because
I
added
those
attributes
for
the
cookbook
and
they're
only
on
their
branch.
Right
now
we've
got
cleanup
which
we
always
do
and
then
the
post
configured
and
so
by
default.
When
you
run
this,
it
just
runs
all
the
way
through
it
either
passes
or
fails.
A
A
Yeah
yep
yeah
by
default.
We
have
so
there's
a
couple
files
here.
This
there's
this
pedal
config
file,
and
so
I
changed
like
by
default.
Pebble
runs
its
challenges
against
the
port
5000
yeah
5002,
instead
of
a
lower
value
port
because
it's
made
for
our
docker
images
that
are
running
with
higher
port
numbers,
so
they
don't
have
to
run
as
privileged,
but
for
us
gitlab
runs
is
80
and
443.
A
C
A
A
A
Yeah,
so
the
only
other
file
here
is
this
pebble
mimika.pen,
which
is
basically
we
have
to
mount
it
into
the
gitlab
container,
so
that
when
we
make
our
https
request
to
pebble
pebble
doesn't
do
http,
it's
got
to
be
tls,
and
so
this
makes
it
so
it's
trusted.
So
you
can
see
over
here
here
on
the
left
that
pebble
we
we
made
our
order.
This
is
during
the
whole,
let's
encrypt
flow,
and
then
you
can
see
here
issued
certificate
cereal
for
order,
blah
blah
blah.
A
A
While
I'm
waiting
for
this
to
finish
shopping
to
talk
about
this,
mr
that
has
all
this
is
currently
in
draft,
but
the
last
thing
to
figure
out
is
really
just
running
this
nci,
and
so
I
have
added
this
trigger.
Let's
encrypt
test
right
next
to
the
qa,
because
it
needs
the
get
lab,
docker
image
to
be
built,
and
then
you
pass
it
to
that.
A
Not
like
well,
I
mean
the
ultimate
plan
is
to
get
it
running.
Let's
get
get
up
qa.
Instead,
we've
already
got
some
good
examples
for
how
to
do
this,
like
for
testing
and
gets
matter
most,
we
spin
up
a
separate
container.
I
think-
and
so
this
would
be
somewhat
similar
to
that
and
that
way
we
can
have
it
running
as
part
of
the
gitlab
qa
suite
instead
of
just
kind
of
a
one-off
functional
test.
A
Okay,
well,
you
can
see.
Oh
we're
explained
there
and
then,
if
we
go
through
and
inspect
the
certificate
here
view
certificate,
you
can
see
it
is
issued
by
pebble
intermediate
ca.
The
alt
name
gitlab
example.com,
by
default.
These
are
issued
for
five
years,
which
is,
I
think,
kind
of
an
interesting
choice
for
a
test
server.
But
I'm
sure
that's
configurable.
If
you
can.
B
B
So
like
this
in
your
cin.
I
don't
think
we've
done
this
before,
but
we'd
have
a
job
where
the
main
image
is
our
gitlab
docker
image
that
we
want
to
test,
and
then
the
two
service
images
would
be,
one
would
be
pebble
and
one
would
be
this.
The
certificate
handler
yeah,
that's
interesting
and
you
might
get
away
with
how
docker
composed.
Perhaps
I
don't
know
I
we.
B
B
A
All
right,
fair
enough:
well
yeah,
I'm
hoping
to
get
this.
You
know
once
we
get
this
image
out,
we'll
be
putting
it
up
for
review
and
then
once
we
get
this
started
then
we'll
be
moving
on
to
integrating
into
qa,
and
I
think
that
will
be
the
point
where
we
might
want
to
look
into
doing
it
with
services.
A
B
B
We
should
probably
should
probably
set
up
yeah.
We
should
probably
set
up
a
let's
encrypt
test.
We
don't
have
to
yeah.
It
would
probably
be
very
similar
just
swapping
out
the
like
booting
up,
pebble
and
swapping
out
the
staging
directory.
I
guess
it
wouldn't
be
staging
would
be
in
the
case
of
our
charts.
We
only
set
one.