🔱: [acme] sync upgrade with 4 commits [trident-sync]

Example for on-demand tls-alpn-01
Example disclaimer, fallback cert
Replace CircleCI with GitHub Actions

packages/core/acme-client/.github/scripts/tests-install-coredns.sh

@@ -0,0 +1,61 @@
+#!/bin/bash
+#
+# Install CoreDNS for testing.
+#
+set -euo pipefail
+
+# Download and install
+wget -nv "https://github.com/coredns/coredns/releases/download/v${COREDNS_VERSION}/coredns_${COREDNS_VERSION}_linux_amd64.tgz" -O /tmp/coredns.tgz
+
+tar zxvf /tmp/coredns.tgz -C /usr/local/bin
+chown root:root /usr/local/bin/coredns
+chmod 0755 /usr/local/bin/coredns
+
+mkdir -p /etc/coredns
+
+# Zones
+tee /etc/coredns/db.example.com << EOF
+\$ORIGIN example.com.
+@       3600 IN SOA ns.coredns.invalid. master.coredns.invalid. (
+                                2017042745  ; serial
+                                7200        ; refresh
+                                3600        ; retry
+                                1209600     ; expire
+                                3600        ; minimum
+                                )
+
+        3600 IN NS ns1.example.com.
+        3600 IN NS ns2.example.com.
+
+ns1     3600 IN A 127.0.0.1
+ns2     3600 IN A 127.0.0.1
+
+@       3600 IN A 127.0.0.1
+www     3600 IN CNAME example.com.
+EOF
+
+# Config
+tee /etc/coredns/Corefile << EOF
+example.com {
+    errors
+    log
+    bind 127.53.53.53
+    file /etc/coredns/db.example.com
+}
+
+test.example.com {
+    errors
+    log
+    bind 127.53.53.53
+    forward . 127.0.0.1:${PEBBLECTS_DNS_PORT}
+}
+
+. {
+    errors
+    log
+    bind 127.53.53.53
+    forward . 8.8.8.8
+}
+EOF
+
+exit 0

packages/core/acme-client/.github/scripts/tests-install-cts.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+#
+# Install Pebble Challenge Test Server for testing.
+#
+set -euo pipefail
+
+# Download and install
+wget -nv "https://github.com/letsencrypt/pebble/releases/download/v${PEBBLECTS_VERSION}/pebble-challtestsrv_linux-amd64" -O /usr/local/bin/pebble-challtestsrv
+
+chown root:root /usr/local/bin/pebble-challtestsrv
+chmod 0755 /usr/local/bin/pebble-challtestsrv
+
+exit 0

packages/core/acme-client/.github/scripts/tests-install-pebble.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+#
+# Install Pebble for testing.
+#
+set -euo pipefail
+
+CONFIG_NAME="pebble-config.json"
+
+# Use Pebble EAB config if enabled
+set +u
+if [[ -n $ACME_CAP_EAB_ENABLED ]] && [[ $ACME_CAP_EAB_ENABLED -eq 1 ]]; then
+    CONFIG_NAME="pebble-config-external-account-bindings.json"
+fi
+set -u
+
+# Download certs and config
+mkdir -p /etc/pebble
+
+wget -nv "https://raw.githubusercontent.com/letsencrypt/pebble/v${PEBBLE_VERSION}/test/certs/pebble.minica.pem" -O /etc/pebble/ca.cert.pem
+wget -nv "https://raw.githubusercontent.com/letsencrypt/pebble/v${PEBBLE_VERSION}/test/certs/localhost/cert.pem" -O /etc/pebble/cert.pem
+wget -nv "https://raw.githubusercontent.com/letsencrypt/pebble/v${PEBBLE_VERSION}/test/certs/localhost/key.pem" -O /etc/pebble/key.pem
+wget -nv "https://raw.githubusercontent.com/letsencrypt/pebble/v${PEBBLE_VERSION}/test/config/${CONFIG_NAME}" -O /etc/pebble/pebble.json
+
+# Download and install Pebble
+wget -nv "https://github.com/letsencrypt/pebble/releases/download/v${PEBBLE_VERSION}/pebble_linux-amd64" -O /usr/local/bin/pebble
+
+chown root:root /usr/local/bin/pebble
+chmod 0755 /usr/local/bin/pebble
+
+# Config
+sed -i 's/test\/certs\/localhost/\/etc\/pebble/' /etc/pebble/pebble.json
+
+exit 0

packages/core/acme-client/.github/scripts/tests-wait-for-ca.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+#
+# Wait for ACME server to accept connections.
+#
+set -euo pipefail
+
+MAX_ATTEMPTS=15
+ATTEMPT=0
+
+# Loop until ready
+while ! curl --cacert "${ACME_CA_CERT_PATH}" -s -D - "${ACME_DIRECTORY_URL}" | grep '^HTTP.*200' > /dev/null 2>&1; do
+    ATTEMPT=$((ATTEMPT + 1))
+
+    # Max attempts
+    if [[ $ATTEMPT -gt $MAX_ATTEMPTS ]]; then
+        echo "[!] Waited ${ATTEMPT} attempts for server to become ready, exit 1"
+        exit 1
+    fi
+
+    # Retry
+    echo "[-] Waiting 1 second for server to become ready, attempt: ${ATTEMPT}/${MAX_ATTEMPTS}, check: ${ACME_DIRECTORY_URL}, cert: ${ACME_CA_CERT_PATH}"
+    sleep 1
+done
+
+# Ready
+echo "[+] Server ready!"
+exit 0

packages/core/acme-client/.github/workflows/tests.yml

@@ -0,0 +1,94 @@
+---
+name: test
+on: [push, pull_request]
+
+jobs:
+  test:
+    name: node=${{matrix.node}} eab=${{matrix.eab}}
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        node: [16, 18, 20]
+        eab: [0, 1]
+
+
+    #
+    # Environment
+    #
+
+    env:
+      FORCE_COLOR: 1
+      NPM_CONFIG_COLOR: always
+
+      PEBBLE_VERSION: 2.3.1
+      PEBBLE_ALTERNATE_ROOTS: 2
+      PEBBLECTS_VERSION: 2.3.1
+      PEBBLECTS_DNS_PORT: 8053
+      COREDNS_VERSION: 1.11.1
+
+      NODE_EXTRA_CA_CERTS: /etc/pebble/ca.cert.pem
+      ACME_CA_CERT_PATH: /etc/pebble/ca.cert.pem
+
+      ACME_DIRECTORY_URL: https://127.0.0.1:14000/dir
+      ACME_CHALLTESTSRV_URL: http://127.0.0.1:8055
+      ACME_PEBBLE_MANAGEMENT_URL: https://127.0.0.1:15000
+
+      ACME_DOMAIN_NAME: test.example.com
+      ACME_CAP_EAB_ENABLED: ${{matrix.eab}}
+
+      ACME_TLSALPN_PORT: 5001
+      ACME_HTTP_PORT: 5002
+      ACME_HTTPS_PORT: 5003
+
+
+    #
+    # Pipeline
+    #
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: ${{matrix.node}}
+
+      # Pebble Challenge Test Server
+      - name: Install Pebble Challenge Test Server
+        run: sudo -E /bin/bash ./.github/scripts/tests-install-cts.sh
+
+      - name: Start Pebble Challenge Test Server
+        run: |-
+          nohup bash -c "pebble-challtestsrv \
+            -dns01 :${PEBBLECTS_DNS_PORT} \
+            -tlsalpn01 :${ACME_TLSALPN_PORT} \
+            -http01 :${ACME_HTTP_PORT} \
+            -https01 :${ACME_HTTPS_PORT} \
+            -defaultIPv4 127.0.0.1 \
+            -defaultIPv6 \"\" &"
+
+      # Pebble
+      - name: Install Pebble
+        run: sudo -E /bin/bash ./.github/scripts/tests-install-pebble.sh
+
+      - name: Start Pebble
+        run: nohup bash -c "pebble -strict -config /etc/pebble/pebble.json -dnsserver 127.53.53.53:53 &"
+
+      - name: Wait for Pebble
+        run: /bin/bash ./.github/scripts/tests-wait-for-ca.sh
+
+      # CoreDNS
+      - name: Install CoreDNS
+        run: sudo -E /bin/bash ./.github/scripts/tests-install-coredns.sh
+
+      - name: Start CoreDNS
+        run: nohup bash -c "sudo coredns -p 53 -conf /etc/coredns/Corefile &"
+
+      - name: Use CoreDNS for DNS resolution
+        run: echo "nameserver 127.53.53.53" | sudo tee /etc/resolv.conf
+
+      # Run tests
+      - run: npm i
+      - run: npm run lint
+      - run: npm run lint-types
+      - run: npm run build-docs
+      - run: npm run test