test: fix flaky force_renew test (detect renewal by serial) (#1269)

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

Author: JamBalaya56562

test/tests/force_renew/run.sh

@@ -26,42 +26,32 @@ trap cleanup EXIT
 # Run a nginx container for ${domains[0]}.
 run_nginx_container --hosts "${domains[0]}"
 
-# Wait for a symlink at /etc/nginx/certs/${domains[0]}.crt
-# Grab the expiration time of the certificate
+# Wait for the certificate to be issued, then record its serial number.
 wait_for_symlink "${domains[0]}" "$le_container_name"
-first_cert_expire="$(get_cert_date_epoch expiration "${domains[0]}" "$le_container_name")"
+first_serial="$(get_cert_serial "${domains[0]}" "$le_container_name")"
 
 # Just to be sure
 sleep 5
 
-# Issue a forced renewal
-docker exec "$le_container_name" /app/force_renew &> /dev/null
+# Issue a forced renewal (capture the output so a failure is diagnosable).
+renew_output="$(docker exec "$le_container_name" /app/force_renew 2>&1)"
 
-# Poll until expiration date changes or timeout
-# Use a longer sleep and add error handling for transient states
+# A renewal re-issues the cert, so its serial must change.
 timeout=$(($(date +%s) + 30))
-second_cert_expire="$first_cert_expire"
+second_serial="$first_serial"
 while [[ $(date +%s) -lt $timeout ]]; do
-  # Try to get the new expiration date, but handle errors gracefully
-  new_expire="$(get_cert_date_epoch expiration "${domains[0]}" "$le_container_name" 2>/dev/null || echo "$first_cert_expire")"
-  
-  # Only update if we got a valid value (not empty and numeric)
-  if [[ -n "$new_expire" ]] && [[ "$new_expire" =~ ^[0-9]+$ ]]; then
-    second_cert_expire="$new_expire"
-    
-    # If the new certificate has a later expiration, renewal succeeded
-    if [[ $second_cert_expire -gt $first_cert_expire ]]; then
-      [[ "${DRY_RUN:-}" == 1 ]] && echo "Certificate for ${domains[0]} was correctly renewed."
-      break
-    fi
+  new_serial="$(get_cert_serial "${domains[0]}" "$le_container_name" 2>/dev/null || true)"
+  if [[ -n "$new_serial" && "$new_serial" != "$first_serial" ]]; then
+    second_serial="$new_serial"
+    [[ "${DRY_RUN:-}" == 1 ]] && echo "Certificate for ${domains[0]} was correctly renewed."
+    break
   fi
-  
   sleep 2
 done
 
-# Final check - verify renewal actually happened
-if ! [[ $second_cert_expire -gt $first_cert_expire ]]; then
-  echo "Certificate for ${domains[0]} was not correctly renewed within 30s."
-  echo "First certificate expiration epoch : $first_cert_expire."
-  echo "Second certificate expiration epoch : $second_cert_expire."
+# Final check - verify the certificate was actually re-issued.
+if [[ "$second_serial" == "$first_serial" ]]; then
+  echo "Certificate for ${domains[0]} was not correctly renewed within 30s (serial unchanged: $first_serial)."
+  echo "force_renew output:"
+  echo "$renew_output"
 fi

test/tests/test-functions.sh

@@ -348,6 +348,14 @@ function get_cert_date_epoch {
 }
 export -f get_cert_date_epoch
 
+# Get the serial number of the certificate for domain $1 inside container $2.
+function get_cert_serial {
+  local domain="${1:?}"
+  local name="${2:?}"
+  docker exec "$name" openssl x509 -noout -serial -in "/etc/nginx/certs/$domain.crt" | cut -d '=' -f 2
+}
+export -f get_cert_serial
+
 # Get the certificate validity period in seconds of domain $1 inside container $2
 function get_cert_validity_seconds {
   local domain="${1:?}"