From b2758880b30f1d4e9f2878d6b7e59f43a9d67ee4 Mon Sep 17 00:00:00 2001
From: Lucas Savva
Date: Tue, 24 Sep 2024 21:33:48 +0100
Subject: [PATCH] nixos/tests/acme: Fix fullchain validation

In the next release of Pebble, the certificate subject is no longer populated with a useful domain name. This change will refactor the fullchain validation assertions to avoid checking the subject line.
---
 nixos/tests/acme.nix | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/nixos/tests/acme.nix b/nixos/tests/acme.nix
index a4f00be887be..a3f8c16eac70 100644
--- a/nixos/tests/acme.nix
+++ b/nixos/tests/acme.nix
@@ -471,14 +471,18 @@ in {
 # Ensure cert comes before chain in fullchain.pem
 def check_fullchain(node, cert_name):
- subject_data = node.succeed(
- f"openssl crl2pkcs7 -nocrl -certfile /var/lib/acme/{cert_name}/fullchain.pem"
- " | openssl pkcs7 -print_certs -noout"
+ cert_file = f"/var/lib/acme/{cert_name}/fullchain.pem"
+ num_certs = node.succeed(f"grep -o 'END CERTIFICATE' {cert_file}")
+ assert len(num_certs.strip().split("\n")) > 1, "Insufficient certs in fullchain.pem"
+
+ first_cert_data = node.succeed(
+ f"grep -m1 -B50 'END CERTIFICATE' {cert_file}"
+ " | openssl x509 -noout -text"
 )
- for line in subject_data.lower().split("\n"):
- if "subject" in line:
- print(f"First subject in fullchain.pem: {line}")
- assert cert_name.lower() in line
+ for line in first_cert_data.lower().split("\n"):
+ if "dns:" in line:
+ print(f"First DNSName in fullchain.pem: {line}")
+ assert cert_name.lower() in line, f"{cert_name} not found in {line}"
 return
 assert False
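Review bot: The `grep -m1 -B50 'END CERTIFICATE'` window feeding `first_cert_data` silently truncates the leaf certificate whenever its PEM body runs past 50 lines (a 4096-bit RSA key or a long SAN list gets there), and `openssl x509` then fails to parse it, so the test would fail for a reason unrelated to chain order. `openssl x509` only ever reads the first PEM block of its input, so `first_cert_data = node.succeed(f"openssl x509 -in {cert_file} -noout -text")` yields the same first certificate with no line-count assumption. The SAN check `cert_name.lower() in line` is a substring match, so `dns:aexample.test` or `dns:example.test.other` would also satisfy it; comparing against the comma-split entries of the SAN line, `assert f"dns:{cert_name.lower()}" in [n.strip() for n in line.split(",")], f"{cert_name} not found in {line}"`, pins the exact name. Minor: `num_certs` holds grep's raw output rather than a count; `assert int(node.succeed(f"grep -c 'END CERTIFICATE' {cert_file}")) > 1, "Insufficient certs in fullchain.pem"` says what it means in one line.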