From d364ace02a242ab9874c9e5cd885db67a6955f97 Mon Sep 17 00:00:00 2001
From: shankar0123
Date: Wed, 13 May 2026 23:06:22 +0000
Subject: [PATCH] fix(ci): set CERTCTL_ACME_INSECURE_ACK=true in test compose
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Phase 2 SEC-M4 (commit 5062624) added a fail-closed pairing requirement:
when CERTCTL_ACME_INSECURE=true, the server refuses to start unless
CERTCTL_ACME_INSECURE_ACK=true is also set.

The integration test compose at deploy/docker-compose.test.yml has been
setting CERTCTL_ACME_INSECURE=true (correct — Pebble's self-signed ACME
directory needs TLS verification disabled) but never set the paired ACK,
so the certctl-test-server container restart-loops with:

  Failed to load configuration: phase-2 SEC-M4 fail-closed guard: CERTCTL_ACME_INSECURE=true but CERTCTL_ACME_INSECURE_ACK is not true — refuse to start.

This breaks the deploy-vendor-e2e CI job that exercises the EST/ACME
integration stack.

Fix: set CERTCTL_ACME_INSECURE_ACK=true alongside the existing
CERTCTL_ACME_INSECURE=true. The ACK posture is correct here because the
integration suite is built around Pebble's self-signed directory — that's
the design. The guard's purpose (block accidental production deploys with
TLS verify disabled) is preserved by the ACK still being explicit
per-environment, not a fail-open default.
---
 deploy/docker-compose.test.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/deploy/docker-compose.test.yml b/deploy/docker-compose.test.yml
index acf9818..4e53f54 100644
--- a/deploy/docker-compose.test.yml
+++ b/deploy/docker-compose.test.yml
@@ -272,6 +272,14 @@ services: CERTCTL_ACME_EMAIL: test@certctl.dev CERTCTL_ACME_CHALLENGE_TYPE: http-01 CERTCTL_ACME_INSECURE: "true" + # Phase 2 SEC-M4 (2026-05-13): CERTCTL_ACME_INSECURE=true requires + # the paired CERTCTL_ACME_INSECURE_ACK=true; without the ACK the + # server's Config.Validate() refuses to start. This integration + # stack uses Pebble's self-signed ACME directory, so disabling + # TLS verification is correct — but the ACK env var has to be + # set explicitly so the test posture matches what production + # operators are blocked from doing accidentally. + CERTCTL_ACME_INSECURE_ACK: "true" # step-ca issuer (iss-stepca) CERTCTL_STEPCA_URL: https://step-ca:9000
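Review bot: The seven-line comment is placed between CERTCTL_ACME_INSECURE: "true" and the new CERTCTL_ACME_INSECURE_ACK: "true", which splits a pair that the guard treats as one unit; move the comment above CERTCTL_ACME_INSECURE so the two keys sit on adjacent lines and a later edit that drops or copies one is hard to do without seeing the other. The comment's closing clause ("so the test posture matches what production operators are blocked from doing accidentally") is ambiguous about who is being blocked from what; state directly that the ACK is an explicit opt-in for this Pebble-only test stack and that neither variable should be carried into a production compose file. The commit message cites commit 5062624 for the guard, while the comment cites only "Phase 2 SEC-M4 (2026-05-13)"; adding the commit reference to the comment would let a reader of the compose file find the Config.Validate() check without going through the history.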