Merge pull request #1553 from MichaelSp/letsencrypt-traefik-acme-json

Letsencrypt traefik v2 acme json
2020-07-16 07:49:04 +02:00 · 2020-07-16 07:49:04 +02:00 · f206ad7ee1
parent c708e019ed ffac79bc8e
commit f206ad7ee1
13 changed files with 258 additions and 35 deletions
--- a/target/check-for-changes.sh
+++ b/target/check-for-changes.sh
@ -1,5 +1,7 @@
 #!/bin/bash

+. /usr/local/bin/helper_functions.sh
+
 # create date for log output
 log_date=$(date +"%Y-%m-%d %H:%M:%S ")
 echo "${log_date} Start check-for-changes script."
@ -32,7 +34,7 @@ echo "${log_date} Using postmaster address ${PM_ADDRESS}"

 # Create an array of files to monitor, must be the same as in start-mailserver.sh
 declare -a cf_files=()
-for file in postfix-accounts.cf postfix-virtual.cf postfix-aliases.cf dovecot-quotas.cf; do
+for file in postfix-accounts.cf postfix-virtual.cf postfix-aliases.cf dovecot-quotas.cf /etc/letsencrypt/acme.json "/etc/letsencrypt/live/$HOSTNAME/key.pem" "/etc/letsencrypt/live/$HOSTNAME/fullchain.pem"; do
  [ -f "$file" ] && cf_files+=("$file")
 done

@ -61,6 +63,14 @@ if [[ $chksum == *"FAIL"* ]]; then
        (
          flock -e 200

+  if [[ $chksum == *"/etc/letsencrypt/acme.json: FAILED"* ]]; then
+    for certdomain in $SSL_DOMAIN $HOSTNAME $DOMAINNAME; do
+      if extractCertsFromAcmeJson "$certdomain"; then
+        break
+      fi
+    done
+  fi
+
 	#regen postix aliases.
 	echo "root: ${PM_ADDRESS}" > /etc/aliases
 	if [ -f /tmp/docker-mailserver/postfix-aliases.cf ]; then
--- a/target/helper_functions.sh
+++ b/target/helper_functions.sh
@ -2,36 +2,54 @@

 # expects mask prefix length and the digit
 function _mask_ip_digit() {
-	if [[ $1 -ge 8 ]]; then
-		MASK=255
-	else 
-		if [[ $1 -le 0 ]]; then
-			MASK=0
-		else
-			VALUES=('0' '128' '192' '224' '240' '248' '252' '254' '255')
-			MASK=${VALUES[$1]}
-		fi
-	fi
-	echo $(( $2 & $MASK ))
+  if [[ $1 -ge 8 ]]; then
+    MASK=255
+  else
+    if [[ $1 -le 0 ]]; then
+      MASK=0
+    else
+      VALUES=('0' '128' '192' '224' '240' '248' '252' '254' '255')
+      MASK=${VALUES[$1]}
+    fi
+  fi
+  echo $(($2 & $MASK))
 }

 # transforms a specific ip with CIDR suffix like 1.2.3.4/16
 # to subnet with cidr suffix like 1.2.0.0/16
 function _sanitize_ipv4_to_subnet_cidr() {
-	IP=${1%%/*}
-	PREFIX_LENGTH=${1#*/}
+  IP=${1%%/*}
+  PREFIX_LENGTH=${1#*/}

-	# split IP by . into digits
-	DIGITS=(${IP//./ })
+  # split IP by . into digits
+  DIGITS=(${IP//./ })

-	# mask digits according to prefix length
-	MASKED_DIGITS=()
-	DIGIT_PREFIX_LENGTH="$PREFIX_LENGTH"
-	for DIGIT in "${DIGITS[@]}" ; do
-		MASKED_DIGITS+=( $(_mask_ip_digit $DIGIT_PREFIX_LENGTH $DIGIT) )
-		DIGIT_PREFIX_LENGTH=$(( $DIGIT_PREFIX_LENGTH - 8 ))
-	done
+  # mask digits according to prefix length
+  MASKED_DIGITS=()
+  DIGIT_PREFIX_LENGTH="$PREFIX_LENGTH"
+  for DIGIT in "${DIGITS[@]}"; do
+    MASKED_DIGITS+=($(_mask_ip_digit $DIGIT_PREFIX_LENGTH $DIGIT))
+    DIGIT_PREFIX_LENGTH=$(($DIGIT_PREFIX_LENGTH - 8))
+  done

-	# output masked ip plus prefix length
-	echo ${MASKED_DIGITS[0]}.${MASKED_DIGITS[1]}.${MASKED_DIGITS[2]}.${MASKED_DIGITS[3]}/$PREFIX_LENGTH
-}
+  # output masked ip plus prefix length
+  echo ${MASKED_DIGITS[0]}.${MASKED_DIGITS[1]}.${MASKED_DIGITS[2]}.${MASKED_DIGITS[3]}/$PREFIX_LENGTH
+}
+
+# extracts certificates from acme.json and returns 0 if found
+function extractCertsFromAcmeJson() {
+  WHAT=$1
+  # sorry for the code-golf :(
+  KEY=$(cat /etc/letsencrypt/acme.json | python -c "import sys,json,itertools;  print map(lambda c: c[\"key\"]         if (c[\"domain\"][\"main\"]==\"$WHAT\" or \"$WHAT\" in c[\"domain\"][\"sans\"]) else \"\", list(itertools.chain.from_iterable(map(lambda x: x[\"Certificates\"], json.load(sys.stdin).values()))))[0]")
+  CERT=$(cat /etc/letsencrypt/acme.json | python -c "import sys,json,itertools; print map(lambda c: c[\"certificate\"] if (c[\"domain\"][\"main\"]==\"$WHAT\" or \"$WHAT\" in c[\"domain\"][\"sans\"]) else \"\", list(itertools.chain.from_iterable(map(lambda x: x[\"Certificates\"], json.load(sys.stdin).values()))))[0]")
+
+  if [[ -n "${KEY}${CERT}" ]]; then
+    mkdir -p /etc/letsencrypt/live/"$HOSTNAME"/
+    echo $KEY | base64 -d >/etc/letsencrypt/live/"$HOSTNAME"/key.pem || exit 1
+    echo $CERT | base64 -d >/etc/letsencrypt/live/"$HOSTNAME"/fullchain.pem || exit 1
+    echo "Cert found in /etc/letsencrypt/acme.json for $WHAT"
+    return 0
+  else
+    return 1
+  fi
+}
--- a/target/start-mailserver.sh
+++ b/target/start-mailserver.sh
@ -505,7 +505,7 @@ function _setup_chksum_file() {
          pushd /tmp/docker-mailserver

          declare -a cf_files=()
-          for file in postfix-accounts.cf postfix-virtual.cf postfix-aliases.cf dovecot-quotas.cf; do
+          for file in postfix-accounts.cf postfix-virtual.cf postfix-aliases.cf dovecot-quotas.cf /etc/letsencrypt/acme.json "/etc/letsencrypt/live/$HOSTNAME/key.pem" "/etc/letsencrypt/live/$HOSTNAME/fullchain.pem"; do
            [ -f "$file" ] && cf_files+=("$file")
          done

@ -1048,6 +1048,8 @@ function _setup_ssl() {
      local LETSENCRYPT_DOMAIN=""
      local LETSENCRYPT_KEY=""

+      [[ -f /etc/letsencrypt/acme.json ]] && (extractCertsFromAcmeJson "$HOSTNAME" || extractCertsFromAcmeJson "$DOMAINNAME")
+
      # first determine the letsencrypt domain by checking both the full hostname or just the domainname if a SAN is used in the cert
      if [ -e "/etc/letsencrypt/live/$HOSTNAME/fullchain.pem" ]; then
        LETSENCRYPT_DOMAIN=$HOSTNAME
--- a/test/config/dovecot-lmtp/conf.d/10-auth.conf
+++ b/test/config/dovecot-lmtp/conf.d/10-auth.conf
@ -30,7 +30,7 @@

 # Default realm/domain to use if none was specified. This is used for both
 # SASL realms and appending @domain to username in plaintext logins.
-#auth_default_realm = 
+#auth_default_realm =

 # List of allowed characters in username. If the user-given username contains
 # a character not listed in here, the login automatically fails. This is just
@ -73,7 +73,7 @@
 # Kerberos keytab to use for the GSSAPI mechanism. Will use the system
 # default (usually /etc/krb5.keytab) if not specified. You may need to change
 # the auth service to run as root to be able to read this file.
-#auth_krb5_keytab = 
+#auth_krb5_keytab =

 # Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
 # ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
@ -88,9 +88,9 @@
 # Require a valid SSL client certificate or the authentication fails.
 #auth_ssl_require_client_cert = no

-# Take the username from client's SSL certificate, using 
+# Take the username from client's SSL certificate, using
 # X509_NAME_get_text_by_NID() which returns the subject's DN's
-# CommonName. 
+# CommonName.
 #auth_ssl_username_from_cert = no

 # Space separated list of wanted authentication mechanisms:
--- a/test/config/dovecot-lmtp/conf.d/15-lda.conf
+++ b/test/config/dovecot-lmtp/conf.d/15-lda.conf
@ -8,7 +8,7 @@ postmaster_address = postmaster@domain.com

 # Hostname to use in various parts of sent mails (e.g. in Message-Id) and
 # in LMTP replies. Default is the system's real hostname@domain.
-#hostname = 
+#hostname =

 # If user is over quota, return with temporary failure instead of
 # bouncing the mail.
@ -32,7 +32,7 @@ postmaster_address = postmaster@domain.com
 #recipient_delimiter = +

 # Header where the original recipient address (SMTP's RCPT TO: address) is taken
-# from if not available elsewhere. With dovecot-lda -a parameter overrides this. 
+# from if not available elsewhere. With dovecot-lda -a parameter overrides this.
 # A commonly used header for this is X-Original-To.
 #lda_original_recipient_header =

--- a/test/config/letsencrypt/acme-changed.json
+++ b/test/config/letsencrypt/acme-changed.json
@ -0,0 +1,29 @@
+{
+  "le": {
+    "Account": {
+      "Email": "acme@admin.com",
+      "Registration": {
+        "body": {
+          "status": "valid",
+          "contact": [
+            "mailto:acme@admin.com"
+          ]
+        },
+        "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/0123456789"
+      },
+      "PrivateKey": "YES",
+      "KeyType": "4096"
+    },
+    "Certificates": [
+      {
+        "domain": {
+          "main": "example.com",
+          "sans": ["*.example.com"]
+        },
+        "certificate": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1RENDQWN5Z0F3SUJBZ0lKQU4vKzNMTVF2bnYxTUEwR0NTcUdTSWIzRFFFQkN3VUFNQkl4RURBT0JnTlYKQkFNTUIzUmxjM1F0WTJFd0hoY05NakF3TmpJNU1qQTFOVEl4V2hjTk1qQXdPREk0TWpBMU5USXhXakFXTVJRdwpFZ1lEVlFRRERBdGxlR0Z0Y0d4bExtTnZiVENDQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DCmdnRUJBTDVVTmc3eWJyWG9DSW5teFErZjM4KytzTEVjZ0c2UDBYK2ZhSDExQnc0N1Z0K21mMXZsdEloN29qTzgKRGVYcUZ4c0dMM1MvWXF5dVhYMFRHSU9oL2Nzam52djFHRUwxVXgwWUNzeUZrdmZsYjhOdVNLVzUyVDBkblVxRgpaRndsZHlrQ3dIblF4bXdZWnhuWmpWRjJZT3IvS21HWnZPNWR4U1RzL3FEdVUwY3AzRkQ0ejJDQkVMTG16aXh2CmZPMkxnazFZbi9IOW1OTE5TS1FhaVNlQ3hJZDVDek5JbG1VSWZuTDB0dWMzbjJmTmlnanVQS09WMkgvN05WVFQKVHJpdVAzODRieDlXVExmWDI5Y24rSG80aEtCYXEydDFXbXoranNXaTFneWExS3JMQU00enpRSEkrdTZyMytqUwozUHNSVnMxY3N5TzJOQ1hxVm8vYnhxZTM4K3NDQXdFQUFhTTVNRGN3Q1FZRFZSMFRCQUl3QURBTEJnTlZIUThFCkJBTUNCZUF3SFFZRFZSMGxCQll3RkFZSUt3WUJCUVVIQXdJR0NDc0dBUVVGQndNQk1BMEdDU3FHU0liM0RRRUIKQ3dVQUE0SUJBUUFrbUhIVGFaOGhpU3RvQS9YWWpHWGtIVDVEQmpqT2hSbTNtbWRDRit4aGJVY2ovZnJ3QlluMAphcEFHZk5TR3ErUEpUZ1Zkc1pVQUMrc09meFJtZTNGalU1Z0Fla2VJRGpPUU1kMVZiZG1jSVd0bkorVHR6OTRGClFtNVY3RGY4a1ZrY3FFNlV2dlh5WDNZRUZqMi9md2I0aHh5eWwvZkFXbDVhY1dUTE5BMm1PS20vZk1oS2V6K2gKM1ZHaEtRNVpHUzBRdCtMZWEzbzdMV3M1ZEg1TGhTdnMzRmU5UFNkZHhhME5idHI0c2ZnZk9JUUpnbzJtQ3ZjaAp1NXpGcTdudkRxZHNtZFp3WU1JY2lucFBXSmdFb1FMSldVL2dXTDJZYSs1a0oxMzdzbVBjWVg3akRTeUJIbGtRCm9BWU9CNjVZbm9XeFZ1UXRLcUhXNmY4bnFEMW53RUJuCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM5ekNDQWQrZ0F3SUJBZ0lKQVAvNDFhc0srSTNCTUEwR0NTcUdTSWIzRFFFQkN3VUFNQkl4RURBT0JnTlYKQkFNTUIzUmxjM1F0WTJFd0hoY05NakF3TmpJNU1qQTFOVEl4V2hjTk1qQXdPREk0TWpBMU5USXhXakFTTVJBdwpEZ1lEVlFRRERBZDBaWE4wTFdOaE1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBCmt6bE9GM1E4d3Q2RzhNOENnKy9VQURsa2JPVW5CbGJDd2xSbnFTcnZyWDdCUmMzN1IxWStLenNNbUdna1BrdkUKY3padVdiT1FVOGdoblFKd1NIVC9BSzFnNWpNYzdtWkxTa0UrdVZNb3I0KzRWZ3Q0a0t2Zmt0emNDSk9mby9xTApYVjJlUFJnVmxIaitwZWlscUhNTThQMDNWUHg2a3E3b1pFMXBCbGg0UXlMejdEWWNQNkFEM0JxL0hTTTVobXZQCmlIYkNIeTZ5ZitRc3VCcWFXQ2VjMXlnYzlHUG55RFhRb0RSQXdsY0EwYVZTU29zYzZIZVZRb0RCUFR6WlVyaU0KcmlxUEszWVQ0TEdFSDZuVHgzUlV0anVHOFpkR3pwZ3V3OS95MHRjY3Q3NzdXTEZJZXVCUWttWmlNRzNYZWl2dQpUYmZIQ2JxSkNPNTNmc2JLMENyekVRSURBUUFCbzFBd1RqQWRCZ05WSFE0RUZnUVV4bzZOWFJpMzlReEpuWlpECnZieGNvK20yVTdZd0h3WURWUjBqQkJnd0ZvQVV4bzZOWFJpMzlReEpuWlpEdmJ4Y28rbTJVN1l3REFZRFZSMFQKQkFVd0F3RUIvekFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBT0JLTUcyYWFaK2YyR2F6ZHRxNytJbFJNM1lGdgppbkY1dWFaM2JxQytwS0RiMXdaSkx6V2dIVmdOU0dYZXRIUEthOVFweVFxRWUvYllNSzdhdkpvLy9GbWhnMCszClN3STJnOUJvSVBCZDRqSUJZNDFoL3pyeVRZNFBMeC9OcWFwV1I0LzNuRFBKM1NTTUhaNEpnUDhHVFhsem1GNmoKNFVnd1JyTEZRZDBaWllORFJvOGJaZVVFcVg3MGswRXFZOVF4QmpKZ1V6VnlXWWpQKy9TZVhBQkp5UHY3bHpSTgpudktqM0Y5MWVOZnFmOFkrV2RkdkI4am4zTFhvazRTaUZ6eEVTZkozblZPZ3dwOFNQaGhUU2hiWFFhajQ4Rng4Cm82VEdNOXV0UHROOXFJTnd2cXlySzRsVXdLajZZTHlUa1YxMG9WZ3RKWWh5eUhWVmw3SmhjOFVJTXc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==",
+        "key": "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBdmxRMkR2SnV0ZWdJaWViRkQ1L2Z6NzZ3c1J5QWJvL1JmNTlvZlhVSERqdFczNlovClcrVzBpSHVpTTd3TjVlb1hHd1l2ZEw5aXJLNWRmUk1ZZzZIOXl5T2UrL1VZUXZWVEhSZ0t6SVdTOStWdncyNUkKcGJuWlBSMmRTb1ZrWENWM0tRTEFlZERHYkJobkdkbU5VWFpnNnY4cVlabTg3bDNGSk96K29PNVRSeW5jVVBqUApZSUVRc3ViT0xHOTg3WXVDVFZpZjhmMlkwczFJcEJxSko0TEVoM2tMTTBpV1pRaCtjdlMyNXplZlo4MktDTzQ4Cm81WFlmL3MxVk5OT3VLNC9memh2SDFaTXQ5ZmIxeWY0ZWppRW9GcXJhM1ZhYlA2T3hhTFdESnJVcXNzQXpqUE4KQWNqNjdxdmY2TkxjK3hGV3pWeXpJN1kwSmVwV2o5dkdwN2Z6NndJREFRQUJBb0lCQVFDdWZoNGhqZm9hSStUUQpLUlk1d09VOFhTTTQvVnh5QU1DZE5OUmpVTXRyTE5QMHIzek1EOGgzNklGSTFQd1k4WWpGYWVKUU1yYVFnanVMCjA5b0J0SjR0Z3piYTRGV2g3YkNKVitWdXBIZWRkbWdFMERNaVhVVGhWeWxCalJINXVRK0tOYytvM3ROTGZ3UG4KR3lFSXNuTWdmMWVucTM4Zk9qRG9MYTgwYzhzOXpYaEh0Wng5SlF6RFViUXIrRE5UUzBSTFA1Mk1JL3BYR0MrZwpUMjI1c1ZWMzl1cVFGY2NIRUNhY0xEYlllNUVoelJpMlBOQTk4Zkh0Ty9sQVA5amp2UWlNY2NyMEtqanpFSGxTCmxvRnMxL3kvdkNBby9rVGhxaEtMLzBUM3FkaUcrWU5zbmUrVGh5Mnh4NVczN1lNR0l0ZTlmKzV5bVRtYitsZ2IKZlU2L2kydGhBb0dCQVBPNlVydDUwaDN2SjJtLytNRkNrb2tjYTE5NWs5c1lPMVJNa1RZSFBaNW40K25UdTMybwpSREt1L0t3T2dseTljcDAwUW44WEljRGk3TXV0OE1LN1JHdjFXeVpWbGJYMStMMzFGVCtjL045NnJIQmE1U0hJCm5oZFRMQkxQVG1iNk9PUFNXWEVIbDAwdnNsdEFsdXRJcnVmanpvd0V0Z3B0T2hZTzhhNjA4aWh2QW9HQkFNZnAKa2l1LzBibDdjUWdZZmdmSWZ5YzJpTU9aU0RseVRFRThxZmhWa1NWNFg3bDNycXk3eUNQNEc1MXBaQ1dWcDl6WQo4UzNtYmlDM3hYVjZpTzVQeGVoS1ZmdnFySXF6MnpaWDhTRjFhMUwzekRGQ3BFNkdmUHB5Uk1uK01hLy84b3haCmRwdGV6WlRCMVJtUDd6UndIVGJrSXhjU3NuYkVUOWNuZDc1ck9OSkZBb0dCQU0wQm0xZFFONW13TU5HMWhQSmkKSWNtc212QTYzbEE2eUtTMnBxbndXemNqb2NScnNWZ1hzZzJEdk1xb2hhU21RWUxUazE4OVFNbnkxa1RZY1J3SwowcG1RVG5Rbkp2OWYvek1ndEJmRzM3akdnY2NiM1lHV01zdmh6TCtobWd2cVN2SHVYQWRENEZNdlhIRi9HYktjCmQycGI1cjlGc3kyQUJJekxVeVNsMU02SEFvR0FCQUxneHZYelhGaG92VFBZbTRsZlc4Y1JXWE5pNnB3cmdZZVoKRlgyS0N3bHVTa2RuZnRuSnUwY0lMdEZsakFlRHRiKzRueVluZ1lxT2NMd0RzVnh5YVNYTXNlQlVrL2ZsNXlJKwptV0JFeGdabzEzZ3gyYzJEQm5keWYrY1UwaVk5bEtsYTR1VTFGTTRLMjVkeXdrZVpubmRYYU9nY0lwdnZ5aTVsCmpiR1RFMDBDZ1lBVCtVTm9tcDhKbW01YXFDME1kc050OW13T0tMVnRDazFZei9YODVQbVNpU1p4eG11cThVNXUKYThvYUovTm1tTXBZc1JHOXB5NW1JZ0RXSDFicnlPWlA3YVB0T0lWWnBZSDc3cU1ySjR2RmJ6MkphQTFiMWlySgoyMkhkajFYRDdMdjJ1cXQ3UVVsYU5RY3VrSkZJSE94WVJOWUNobEpuSUVmMmU3MGpkbEN4TGc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=",
+        "Store": "default"
+      }
+    ]
+  }
+}
--- a/test/config/letsencrypt/acme.json
+++ b/test/config/letsencrypt/acme.json
@ -0,0 +1,31 @@
+{
+  "le": {
+    "Account": {
+      "Email": "acme@admin.com",
+      "Registration": {
+        "body": {
+          "status": "valid",
+          "contact": [
+            "mailto:acme@admin.com"
+          ]
+        },
+        "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/0123456789"
+      },
+      "PrivateKey": "YES",
+      "KeyType": "4096"
+    },
+    "Certificates": [
+      {
+        "domain": {
+          "main": "mail.my-domain.com",
+          "sans": [
+            "mail2.my-domain.com"
+          ]
+        },
+        "certificate": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZHVENDQkFHZ0F3SUJBZ0lTQTUwamo2QS9pbEV4TWxhNDFQd1NlanlCTUEwR0NTcUdTSWIzRFFFQkN3VUEKTUVveEN6QUpCZ05WQkFZVEFsVlRNUll3RkFZRFZRUUtFdzFNWlhRbmN5QkZibU55ZVhCME1TTXdJUVlEVlFRRApFeHBNWlhRbmN5QkZibU55ZVhCMElFRjFkR2h2Y21sMGVTQllNekFlRncweE5qQTBNVGt4T1RBMU1EQmFGdzB4Ck5qQTNNVGd4T1RBMU1EQmFNQlV4RXpBUkJnTlZCQU1UQ21sbWRYTnBieTVqYjIwd2dnRWlNQTBHQ1NxR1NJYjMKRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFDY0NsZitQZWUxRUl0ZG5qYWdPVVF1d0E0U0xMaUtDZjVUKzJFYwpCUG53TUdLdERiL1RCV2M4S0VIUUd4WUNkdGFtRmNpVCtPWFVsSkdqUEdFbmE0REFLQU5pNW5qbXErVFFGYjdKCmlwQTdwZlE0ZnAvMk9xRzNlNlN3TnZXdXJKbEhJaWdpTGUxbGJjKzdydC81aG9uN0p3bjI2MHgvWGFQSFhSa1UKQWl5NUZTRFZlWG5uQ0w1UU91NXNybkhyZFRsV3BFbno5V1V2WUNqM0RNUjM4Z3hvam5tcGo0OGFNUlJ0ckJBTwpObHhUOVRzc0hvS3ZEWEkxYkViZWIydHBtQy8ra1JQdXNJdWtpdWNjM0ZvOVIvc0hYakZrRDdtSzJVTWIwVUxFCkJHMkQ0d3dFSU5VU0czQjN3c3UwZXl3QWxrcFgxVWNGemRGVHRzalU3VjJhMDZqQkFnTUJBQUdqZ2dJc01JSUMKS0RBT0JnTlZIUThCQWY4RUJBTUNCYUF3SFFZRFZSMGxCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQwpNQXdHQTFVZEV3RUIvd1FDTUFBd0hRWURWUjBPQkJZRUZPS3FSbktUZDJhZFdEK1NuZFNaVkZQc0xWSmtNQjhHCkExVWRJd1FZTUJhQUZLaEthbU1FZmQyNjV0RTV0NlpGWmUvenFPeWhNSEFHQ0NzR0FRVUZCd0VCQkdRd1lqQXYKQmdnckJnRUZCUWN3QVlZamFIUjBjRG92TDI5amMzQXVhVzUwTFhnekxteGxkSE5sYm1OeWVYQjBMbTl5Wnk4dwpMd1lJS3dZQkJRVUhNQUtHSTJoMGRIQTZMeTlqWlhKMExtbHVkQzE0TXk1c1pYUnpaVzVqY25sd2RDNXZjbWN2Ck1EWUdBMVVkRVFRdk1DMkNDbWxtZFhOcGJ5NWpiMjJDRDIxaGFXd3VhV1oxYzJsdkxtTnZiWUlPZDNkM0xtbG0KZFhOcGJ5NWpiMjB3Z2Y0R0ExVWRJQVNCOWpDQjh6QUlCZ1puZ1F3QkFnRXdnZVlHQ3lzR0FRUUJndDhUQVFFQgpNSUhXTUNZR0NDc0dBUVVGQndJQkZocG9kSFJ3T2k4dlkzQnpMbXhsZEhObGJtTnllWEIwTG05eVp6Q0Jxd1lJCkt3WUJCUVVIQWdJd2daNE1nWnRVYUdseklFTmxjblJwWm1sallYUmxJRzFoZVNCdmJteDVJR0psSUhKbGJHbGwKWkNCMWNHOXVJR0o1SUZKbGJIbHBibWNnVUdGeWRHbGxjeUJoYm1RZ2IyNXNlU0JwYmlCaFkyTnZjbVJoYm1ObApJSGRwZEdnZ2RHaGxJRU5sY25ScFptbGpZWFJsSUZCdmJHbGplU0JtYjNWdVpDQmhkQ0JvZEhSd2N6b3ZMMnhsCmRITmxibU55ZVhCMExtOXlaeTl5WlhCdmMybDBiM0o1THpBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQWd6ZjkKRFZDZFZ0S3ZsbUdlVDJwdUhVNVVMZjN0L0pENk5MM29jdUJNc0RRUE9IeGE2a2t5ZDZ4cWRCQWVsTlNmRVl2KwpCVmZRcDZXb3gySUdyd2ZxcXZOTnpQR1RITHhTcEs5NEdrMGVlZzdZaGN4am9Pcnl2NEZnb3dRT2F4NUowT1NTCldJZEFGVnlrUHM4N1dLeUhOWThXMXpsZS9ZZTl5alM2YmpIZGpxbk9pRy83cURRL0REWUduN0lMSEFIbVVaWXkKMVFRMEVkZmZOa0xwa21DblRub3RnQlVwcW1EdDdwTU5aUnVZRlRRcTYzMWloZTdqUlhqU2tnV1M3dFRmVVQxNQpTZXNVSW8xTmJqQ0ptQmNlRmQyYy9zcmdWbGJXYzJMWHQ3UWY1eXhXSnloVDE2ci9NN29rMGJ0SDI1RDVhemsyClRLZG5xL1FGaEhXVlpVcjNoZz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVrakNDQTNxZ0F3SUJBZ0lRQ2dGQlFnQUFBVk9GYzJvTGhleW5DREFOQmdrcWhraUc5dzBCQVFzRkFEQS8KTVNRd0lnWURWUVFLRXh0RWFXZHBkR0ZzSUZOcFoyNWhkSFZ5WlNCVWNuVnpkQ0JEYnk0eEZ6QVZCZ05WQkFNVApEa1JUVkNCU2IyOTBJRU5CSUZnek1CNFhEVEUyTURNeE56RTJOREEwTmxvWERUSXhNRE14TnpFMk5EQTBObG93ClNqRUxNQWtHQTFVRUJoTUNWVk14RmpBVUJnTlZCQW9URFV4bGRDZHpJRVZ1WTNKNWNIUXhJekFoQmdOVkJBTVQKR2t4bGRDZHpJRVZ1WTNKNWNIUWdRWFYwYUc5eWFYUjVJRmd6TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQwpBUThBTUlJQkNnS0NBUUVBbk5NTThGcmxMa2UzY2wwM2c3Tm9ZekRxMXpVbUdTWGh2YjQxOFhDU0w3ZTRTMEVGCnE2bWVOUWhZN0xFcXhHaUhDNlBqZGVUbTg2ZGljYnA1Z1dBZjE1R2FuL1BRZUdkeHlHa09sWkhQL3VhWjZXQTgKU014K3lrMTNFaVNkUnh0YTY3bnNIamNBSEp5c2U2Y0Y2czVLNjcxQjVUYVl1Y3Y5YlR5V2FOOGpLa0tRRElaMApaOGgvcFpxNFVtRVVFejlsNllLSHk5djZEbGIyaG9uemhUK1hocSt3M0JydmF3MlZGbjNFSzZCbHNwa0VObldBCmE2eEs4eHVRU1hndm9wWlBLaUFsS1FUR2RNRFFNYzJQTVRpVkZycW9NN2hEOGJFZnd6Qi9vbmt4RXowdE52amoKL1BJemFyazVNY1d2eEkwTkhXUVdNNnI2aENtMjFBdkEySDNEa3dJREFRQUJvNElCZlRDQ0FYa3dFZ1lEVlIwVApBUUgvQkFnd0JnRUIvd0lCQURBT0JnTlZIUThCQWY4RUJBTUNBWVl3ZndZSUt3WUJCUVVIQVFFRWN6QnhNRElHCkNDc0dBUVVGQnpBQmhpWm9kSFJ3T2k4dmFYTnlaeTUwY25WemRHbGtMbTlqYzNBdWFXUmxiblJ5ZFhOMExtTnYKYlRBN0JnZ3JCZ0VGQlFjd0FvWXZhSFIwY0RvdkwyRndjSE11YVdSbGJuUnlkWE4wTG1OdmJTOXliMjkwY3k5awpjM1J5YjI5MFkyRjRNeTV3TjJNd0h3WURWUjBqQkJnd0ZvQVV4S2V4cEhzc2NmcmI0VXVRZGYvRUZXQ0ZpUkF3ClZBWURWUjBnQkUwd1N6QUlCZ1puZ1F3QkFnRXdQd1lMS3dZQkJBR0MzeE1CQVFFd01EQXVCZ2dyQmdFRkJRY0MKQVJZaWFIUjBjRG92TDJOd2N5NXliMjkwTFhneExteGxkSE5sYm1OeWVYQjBMbTl5WnpBOEJnTlZIUjhFTlRBegpNREdnTDZBdGhpdG9kSFJ3T2k4dlkzSnNMbWxrWlc1MGNuVnpkQzVqYjIwdlJGTlVVazlQVkVOQldETkRVa3d1ClkzSnNNQjBHQTFVZERnUVdCQlNvU21wakJIM2R1dWJST2JlbVJXWHY4Nmpzb1RBTkJna3Foa2lHOXcwQkFRc0YKQUFPQ0FRRUEzVFBYRWZOaldEamRHQlg3Q1ZXK2RsYTVjRWlsYVVjbmU4SWtDSkx4V2g5S0VpazNKSFJSSEdKbwp1TTJWY0dmbDk2UzhUaWhSelp2b3JvZWQ2dGk2V3FFQm10enczV29kYXRnK1Z5T2VwaDRFWXByLzF3WEt0eDgvCndBcEl2SlN3dG1WaTRNRlU1YU1xclNERTZlYTczTWoydGNNeW81ak1kNmptZVdVSEs4c28vam9XVW9IT1Vnd3UKWDRQbzFRWXorM2RzemtEcU1wNGZrbHhCd1hSc1cxMEtYelBNVForc09QQXZleXhpbmRtamtXOGxHeStRc1JsRwpQZlorRzZaNmg3bWplbTBZK2lXbGtZY1Y0UElXTDFpd0JpOHNhQ2JHUzVqTjJwOE0rWCtRN1VOS0VrUk9iM042CktPcWtxbTU3VEgySDNlREpBa1NuaDYvRE5GdTBRZz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=",
+        "key": "LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2Z0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktnd2dnU2tBZ0VBQW9JQkFRQ2NDbGYrUGVlMUVJdGQKbmphZ09VUXV3QTRTTExpS0NmNVQrMkVjQlBud01HS3REYi9UQldjOEtFSFFHeFlDZHRhbUZjaVQrT1hVbEpHagpQR0VuYTREQUtBTmk1bmptcStUUUZiN0ppcEE3cGZRNGZwLzJPcUczZTZTd052V3VySmxISWlnaUxlMWxiYys3CnJ0LzVob243SnduMjYweC9YYVBIWFJrVUFpeTVGU0RWZVhubkNMNVFPdTVzcm5IcmRUbFdwRW56OVdVdllDajMKRE1SMzhneG9qbm1wajQ4YU1SUnRyQkFPTmx4VDlUc3NIb0t2RFhJMWJFYmViMnRwbUMvK2tSUHVzSXVraXVjYwozRm85Ui9zSFhqRmtEN21LMlVNYjBVTEVCRzJENHd3RUlOVVNHM0Izd3N1MGV5d0Fsa3BYMVVjRnpkRlR0c2pVCjdWMmEwNmpCQWdNQkFBRUNnZ0VBTStjQTQ5RmxqQVdIeGNrRmRILzMzUEVHL1NhZzcxRnBwamVjVW55WlFqcGwKNkJnRnNVUS8xWE95aUcwcUFnSFRYZ1VxNVlWSnRVOEJybUU4RTZlZmVNc1diVVFwL05nNlVMaWE4R0RGbndHUgpYV1ZKQWRiNHlaWTM3bUVwa1VOWjdKNUE2VFdMbkV4Tlo2bEFXTGhXbHhLaUx0NlBZR0llUXdjRmUzRkp2UG4wCkdVU0ZZWFlMSnE5bElpclF2bDZsVnpsanBQNnF2RlFFcWE0ZGdXcUJPckMyL2pMNGFtS0s3MU4yM3NGbnowc1EKVXFqUDcyYzdOcis0eE1PaHNHZXRWMW1ZZ1BxQW9SNVczWFpScURQZVo2ZjBGSjdMNXhHNjlZSmVvN01yWGhLbApOOWtMaGJHUi9GSDNJSGRvN3RSYjJvR21IRExOSmY5ei9tQkVlclNXMFFLQmdRRFBIQ2M1OXRDd21GMVVWNGVWCmZoUm9xNFF5cDh3RjJJdEpUTWQxMkxKT1g2N2VOSnk2djkzQWh1YVBnS3Ava1JNdWw1WmpMOTBVVjFJU2wvbHoKZVl6Z3JlTXR0Q3RSaFp4VVN2Qm82dzMyTlNhY29pS2Nab2p5VGR5WlB1T2VBRzJSeE5IaCtuK05aN05qSVd2Rwo3eGxXOUhYUU9QaTh4bEhwRGZEcys3RWdYUUtCZ1FEQTRBSmxvcjIyZEV4R3VET0xsTzBldCtUVmhFcnFYRlNaCkN0Um13c0wrWFRlU0t5bmdaY3l1MVlueW9OT0E5dkd5T2syNkFXK1dWOU45VTZyd1ZzOENWY3plZTVlS1BaSk4KeFFaalVvK2ZlcDN4SUZ2QnBnbmFkZnJvZHhqRDhYTXBIY2IwSS9aUklDWktxSVZ2OXErRnpFWHFFK0hzZkQzQgprQmZaOEdaenRRS0JnRVZTZHc2L3ZqcGR4Vjlsck13czEwZnhvTjRUckFhSTVKWTBUTTcxS1RseWJXV1MxcUxyCmRaM3JpV0NmQUhLU2JJazcwK3AvS3RDVUtiUnZpZDlNNEFxVUtXWXkyQTBCVzhJYkV6MEs4REZvdVBQVWtTRW8KY000cG9aenBuK1pTM2xuY055UWNaSFZBTUpzTnBMV0Jja25ZcVZaNHUwajBXSlpaUkRzT1E4dEJBb0dCQUsycApCSDkraUZJL1pHNUliQ0RCZHI2eDFOaHF4UWsvR095elU0c3kwVjgxajFPTWlhZ0NBTWxxZTBwNmcvVWFZNFNWCittWC81UGo1R3ZNODRpeUQvTitkWVZqdzd3RUpiekdXdEttNUxKZnJUMHBNV0ZHRHJsdUUzdVZ3Vmx3V2lobjcKTmFlY3VhdFJ4eWh4azdPNzZVNFBIdVFrQXNkckZpK3lEY2V0TEpJQkFvR0JBSkhVTXR0S1E5L3NjNkVZZ2R5bQp1OGhNaS9XR3J0NWVPT0FKMTdsWTUzZVJaTGNpN3MxbWZzV0lGOWIwTjUwaUU2MFNhRkFEUWlNUkFVdGtKWE5JCmE1NXFkcGFsVkhzQUU0V3doN25sS0xrYURFYXJ0eDVYMXFTVEZ3NGZUTXlLTk92ZWlnZ1EvaTlMWnBGeHN6MjIKM1YrN2pQSmFDTnlQYm1PZXZYR2hCRWpyCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=",
+        "Store": "default"
+      }
+    ]
+  }
+}
--- a/test/config/letsencrypt/changed/cert.pem
+++ b/test/config/letsencrypt/changed/cert.pem
@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5DCCAcygAwIBAgIJAN/+3LMQvnv1MA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNV
+BAMMB3Rlc3QtY2EwHhcNMjAwNjI5MjA1NTIxWhcNMjAwODI4MjA1NTIxWjAWMRQw
+EgYDVQQDDAtleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAL5UNg7ybrXoCInmxQ+f38++sLEcgG6P0X+faH11Bw47Vt+mf1vltIh7ojO8
+DeXqFxsGL3S/YqyuXX0TGIOh/csjnvv1GEL1Ux0YCsyFkvflb8NuSKW52T0dnUqF
+ZFwldykCwHnQxmwYZxnZjVF2YOr/KmGZvO5dxSTs/qDuU0cp3FD4z2CBELLmzixv
+fO2Lgk1Yn/H9mNLNSKQaiSeCxId5CzNIlmUIfnL0tuc3n2fNigjuPKOV2H/7NVTT
+TriuP384bx9WTLfX29cn+Ho4hKBaq2t1Wmz+jsWi1gya1KrLAM4zzQHI+u6r3+jS
+3PsRVs1csyO2NCXqVo/bxqe38+sCAwEAAaM5MDcwCQYDVR0TBAIwADALBgNVHQ8E
+BAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMA0GCSqGSIb3DQEB
+CwUAA4IBAQAkmHHTaZ8hiStoA/XYjGXkHT5DBjjOhRm3mmdCF+xhbUcj/frwBYn0
+apAGfNSGq+PJTgVdsZUAC+sOfxRme3FjU5gAekeIDjOQMd1VbdmcIWtnJ+Ttz94F
+Qm5V7Df8kVkcqE6UvvXyX3YEFj2/fwb4hxyyl/fAWl5acWTLNA2mOKm/fMhKez+h
+3VGhKQ5ZGS0Qt+Lea3o7LWs5dH5LhSvs3Fe9PSddxa0Nbtr4sfgfOIQJgo2mCvch
+u5zFq7nvDqdsmdZwYMIcinpPWJgEoQLJWU/gWL2Ya+5kJ137smPcYX7jDSyBHlkQ
+oAYOB65YnoWxVuQtKqHW6f8nqD1nwEBn
+-----END CERTIFICATE-----
--- a/test/config/letsencrypt/changed/fullchain.pem
+++ b/test/config/letsencrypt/changed/fullchain.pem
@ -0,0 +1,36 @@
+-----BEGIN CERTIFICATE-----
+MIIC5DCCAcygAwIBAgIJAN/+3LMQvnv1MA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNV
+BAMMB3Rlc3QtY2EwHhcNMjAwNjI5MjA1NTIxWhcNMjAwODI4MjA1NTIxWjAWMRQw
+EgYDVQQDDAtleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAL5UNg7ybrXoCInmxQ+f38++sLEcgG6P0X+faH11Bw47Vt+mf1vltIh7ojO8
+DeXqFxsGL3S/YqyuXX0TGIOh/csjnvv1GEL1Ux0YCsyFkvflb8NuSKW52T0dnUqF
+ZFwldykCwHnQxmwYZxnZjVF2YOr/KmGZvO5dxSTs/qDuU0cp3FD4z2CBELLmzixv
+fO2Lgk1Yn/H9mNLNSKQaiSeCxId5CzNIlmUIfnL0tuc3n2fNigjuPKOV2H/7NVTT
+TriuP384bx9WTLfX29cn+Ho4hKBaq2t1Wmz+jsWi1gya1KrLAM4zzQHI+u6r3+jS
+3PsRVs1csyO2NCXqVo/bxqe38+sCAwEAAaM5MDcwCQYDVR0TBAIwADALBgNVHQ8E
+BAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMA0GCSqGSIb3DQEB
+CwUAA4IBAQAkmHHTaZ8hiStoA/XYjGXkHT5DBjjOhRm3mmdCF+xhbUcj/frwBYn0
+apAGfNSGq+PJTgVdsZUAC+sOfxRme3FjU5gAekeIDjOQMd1VbdmcIWtnJ+Ttz94F
+Qm5V7Df8kVkcqE6UvvXyX3YEFj2/fwb4hxyyl/fAWl5acWTLNA2mOKm/fMhKez+h
+3VGhKQ5ZGS0Qt+Lea3o7LWs5dH5LhSvs3Fe9PSddxa0Nbtr4sfgfOIQJgo2mCvch
+u5zFq7nvDqdsmdZwYMIcinpPWJgEoQLJWU/gWL2Ya+5kJ137smPcYX7jDSyBHlkQ
+oAYOB65YnoWxVuQtKqHW6f8nqD1nwEBn
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIC9zCCAd+gAwIBAgIJAP/41asK+I3BMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNV
+BAMMB3Rlc3QtY2EwHhcNMjAwNjI5MjA1NTIxWhcNMjAwODI4MjA1NTIxWjASMRAw
+DgYDVQQDDAd0ZXN0LWNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+kzlOF3Q8wt6G8M8Cg+/UADlkbOUnBlbCwlRnqSrvrX7BRc37R1Y+KzsMmGgkPkvE
+czZuWbOQU8ghnQJwSHT/AK1g5jMc7mZLSkE+uVMor4+4Vgt4kKvfktzcCJOfo/qL
+XV2ePRgVlHj+peilqHMM8P03VPx6kq7oZE1pBlh4QyLz7DYcP6AD3Bq/HSM5hmvP
+iHbCHy6yf+QsuBqaWCec1ygc9GPnyDXQoDRAwlcA0aVSSosc6HeVQoDBPTzZUriM
+riqPK3YT4LGEH6nTx3RUtjuG8ZdGzpguw9/y0tcct777WLFIeuBQkmZiMG3Xeivu
+TbfHCbqJCO53fsbK0CrzEQIDAQABo1AwTjAdBgNVHQ4EFgQUxo6NXRi39QxJnZZD
+vbxco+m2U7YwHwYDVR0jBBgwFoAUxo6NXRi39QxJnZZDvbxco+m2U7YwDAYDVR0T
+BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAOBKMG2aaZ+f2Gazdtq7+IlRM3YFv
+inF5uaZ3bqC+pKDb1wZJLzWgHVgNSGXetHPKa9QpyQqEe/bYMK7avJo//Fmhg0+3
+SwI2g9BoIPBd4jIBY41h/zryTY4PLx/NqapWR4/3nDPJ3SSMHZ4JgP8GTXlzmF6j
+4UgwRrLFQd0ZZYNDRo8bZeUEqX70k0EqY9QxBjJgUzVyWYjP+/SeXABJyPv7lzRN
+nvKj3F91eNfqf8Y+WddvB8jn3LXok4SiFzxESfJ3nVOgwp8SPhhTShbXQaj48Fx8
+o6TGM9utPtN9qINwvqyrK4lUwKj6YLyTkV10oVgtJYhyyHVVl7Jhc8UIMw==
+-----END CERTIFICATE-----
--- a/test/config/letsencrypt/changed/key.pem
+++ b/test/config/letsencrypt/changed/key.pem
@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAvlQ2DvJutegIiebFD5/fz76wsRyAbo/Rf59ofXUHDjtW36Z/
+W+W0iHuiM7wN5eoXGwYvdL9irK5dfRMYg6H9yyOe+/UYQvVTHRgKzIWS9+Vvw25I
+pbnZPR2dSoVkXCV3KQLAedDGbBhnGdmNUXZg6v8qYZm87l3FJOz+oO5TRyncUPjP
+YIEQsubOLG987YuCTVif8f2Y0s1IpBqJJ4LEh3kLM0iWZQh+cvS25zefZ82KCO48
+o5XYf/s1VNNOuK4/fzhvH1ZMt9fb1yf4ejiEoFqra3VabP6OxaLWDJrUqssAzjPN
+Acj67qvf6NLc+xFWzVyzI7Y0JepWj9vGp7fz6wIDAQABAoIBAQCufh4hjfoaI+TQ
+KRY5wOU8XSM4/VxyAMCdNNRjUMtrLNP0r3zMD8h36IFI1PwY8YjFaeJQMraQgjuL
+09oBtJ4tgzba4FWh7bCJV+VupHeddmgE0DMiXUThVylBjRH5uQ+KNc+o3tNLfwPn
+GyEIsnMgf1enq38fOjDoLa80c8s9zXhHtZx9JQzDUbQr+DNTS0RLP52MI/pXGC+g
+T225sVV39uqQFccHECacLDbYe5EhzRi2PNA98fHtO/lAP9jjvQiMccr0KjjzEHlS
+loFs1/y/vCAo/kThqhKL/0T3qdiG+YNsne+Thy2xx5W37YMGIte9f+5ymTmb+lgb
+fU6/i2thAoGBAPO6Urt50h3vJ2m/+MFCkokca195k9sYO1RMkTYHPZ5n4+nTu32o
+RDKu/KwOgly9cp00Qn8XIcDi7Mut8MK7RGv1WyZVlbX1+L31FT+c/N96rHBa5SHI
+nhdTLBLPTmb6OOPSWXEHl00vsltAlutIrufjzowEtgptOhYO8a608ihvAoGBAMfp
+kiu/0bl7cQgYfgfIfyc2iMOZSDlyTEE8qfhVkSV4X7l3rqy7yCP4G51pZCWVp9zY
+8S3mbiC3xXV6iO5PxehKVfvqrIqz2zZX8SF1a1L3zDFCpE6GfPpyRMn+Ma//8oxZ
+dptezZTB1RmP7zRwHTbkIxcSsnbET9cnd75rONJFAoGBAM0Bm1dQN5mwMNG1hPJi
+IcmsmvA63lA6yKS2pqnwWzcjocRrsVgXsg2DvMqohaSmQYLTk189QMny1kTYcRwK
+0pmQTnQnJv9f/zMgtBfG37jGgccb3YGWMsvhzL+hmgvqSvHuXAdD4FMvXHF/GbKc
+d2pb5r9Fsy2ABIzLUySl1M6HAoGABALgxvXzXFhovTPYm4lfW8cRWXNi6pwrgYeZ
+FX2KCwluSkdnftnJu0cILtFljAeDtb+4nyYngYqOcLwDsVxyaSXMseBUk/fl5yI+
+mWBExgZo13gx2c2DBndyf+cU0iY9lKla4uU1FM4K25dywkeZnndXaOgcIpvvyi5l
+jbGTE00CgYAT+UNomp8Jmm5aqC0MdsNt9mwOKLVtCk1Yz/X85PmSiSZxxmuq8U5u
+a8oaJ/NmmMpYsRG9py5mIgDWH1bryOZP7aPtOIVZpYH77qMrJ4vFbz2JaA1b1irJ
+22Hdj1XD7Lv2uqt7QUlaNQcukJFIHOxYRNYChlJnIEf2e70jdlCxLg==
+-----END RSA PRIVATE KEY-----
--- a/test/config/user-patches/user-patches.sh
+++ b/test/config/user-patches/user-patches.sh
--- a/test/mail_dhparams_manual_not_one_dir.bats
+++ b/test/mail_dhparams_manual_not_one_dir.bats
@ -22,7 +22,7 @@ function teardown() {

 function setup_file() {
    # copy the custom DHE params in local config
-    cp `pwd`/test/test-files/ssl/custom-dhe-params.pem `pwd`/test/config/dhparams.pem
+    cp "`pwd`/test/test-files/ssl/custom-dhe-params.pem" "`pwd`/test/config/dhparams.pem"

    docker run -d --name mail_manual_dhparams_not_one_dir \
 		-v "`pwd`/test/config":/tmp/docker-mailserver \
@ -35,7 +35,7 @@ function setup_file() {

 function teardown_file() {
    # remove custom dhe file
-    rm `pwd`/test/config/dhparams.pem
+    rm "`pwd`/test/config/dhparams.pem"
    docker rm -f mail_manual_dhparams_not_one_dir
 }

--- a/test/mail_ssl_letsencrypt.bats
+++ b/test/mail_ssl_letsencrypt.bats
@ -26,11 +26,25 @@ function setup_file() {
  -e SSL_TYPE=letsencrypt \
  -h mail.my-domain.com -t ${NAME}
  wait_for_finished_setup_in_container mail_lets_hostname
+
+  cp "`pwd`/test/config/letsencrypt/acme.json" "`pwd`/test/config/acme.json"
+  docker run -d --name mail_lets_acme_json \
+    -v "`pwd`/test/config":/tmp/docker-mailserver \
+    -v "`pwd`/test/config/acme.json":/etc/letsencrypt/acme.json:ro \
+    -v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \
+    -e DMS_DEBUG=0 \
+    -e SSL_TYPE=letsencrypt \
+    -e "SSL_DOMAIN=*.example.com" \
+    -h mail.my-domain.com -t ${NAME}
+
+  wait_for_finished_setup_in_container mail_lets_acme_json
 }

 function teardown_file() {
  docker rm -f mail_lets_domain
  docker rm -f mail_lets_hostname
+  docker rm -f mail_lets_acme_json
+  rm "`pwd`/test/config/acme.json"
 }

 # this test must come first to reliably identify when to run setup_file
@ -78,6 +92,44 @@ function teardown_file() {
  assert_success
 }

+#
+# acme.json updates
+#
+
+@test "checking changedetector: server is ready" {
+  run docker exec mail_lets_acme_json /bin/bash -c "ps aux | grep '/bin/bash /usr/local/bin/check-for-changes.sh'"
+  assert_success
+}
+
+@test "can extract certs from acme.json" {
+  run docker exec mail_lets_acme_json /bin/bash -c "cat /etc/letsencrypt/live/mail.my-domain.com/key.pem"
+  assert_output "$(cat "`pwd`/test/config/letsencrypt/mail.my-domain.com/privkey.pem")"
+  assert_success
+
+  run docker exec mail_lets_acme_json /bin/bash -c "cat /etc/letsencrypt/live/mail.my-domain.com/fullchain.pem"
+  assert_output "$(cat "`pwd`/test/config/letsencrypt/mail.my-domain.com/fullchain.pem")"
+  assert_success
+}
+
+@test "can detect changes" {
+  cp "`pwd`/test/config/letsencrypt/acme-changed.json" "`pwd`/test/config/acme.json"
+  sleep 11
+  run docker exec mail_lets_acme_json /bin/bash -c "supervisorctl tail changedetector"
+  assert_output --partial "Cert found in /etc/letsencrypt/acme.json for *.example.com"
+  assert_output --partial "postfix: stopped"
+  assert_output --partial "postfix: started"
+  assert_output --partial "Update checksum"
+
+  run docker exec mail_lets_acme_json /bin/bash -c "cat /etc/letsencrypt/live/mail.my-domain.com/key.pem"
+  assert_output "$(cat "`pwd`/test/config/letsencrypt/changed/key.pem")"
+  assert_success
+
+  run docker exec mail_lets_acme_json /bin/bash -c "cat /etc/letsencrypt/live/mail.my-domain.com/fullchain.pem"
+  assert_output "$(cat "`pwd`/test/config/letsencrypt/changed/fullchain.pem")"
+  assert_success
+}
+
+
 # this test is only there to reliably mark the end for the teardown_file
@test "last" {
  skip 'Finished testing of letsencrypt SSL'