feat: [#21] Implement Pebble SSL testing environment and decide on pre-generated cert approach

- Created comprehensive Pebble testing environment with Docker Compose
- All SSL scripts implemented and deployed: ssl-setup.sh, ssl-validate-dns.sh, ssl-generate.sh, ssl-configure-nginx.sh, ssl-activate-renewal.sh, ssl-setup-local-dns.sh
- Two-phase nginx template system: nginx-http.conf.tpl (base) + nginx-https-extension.conf.tpl (HTTPS extension)
- Pebble ACME server running and accessible at https://192.168.122.92:14000/dir
- Nginx serving ACME challenges from /var/lib/torrust/certbot/webroot
- Fixed working tree deployment via rsync --filter=':- .gitignore' for local testing
- Created comprehensive SSL testing guide with manual validation steps

Architecture Decision: Switch to pre-generated test certificates approach
- Complexity of Pebble environment makes iteration slow
- Pre-generated certificates will enable faster testing of nginx HTTPS configuration
- Focus on SSL script workflow validation rather than certificate authority integration
- Keep Pebble environment for optional comprehensive integration testing

Next: Implement ssl-generate-test-certs.sh for simplified SSL testing workflow

Author: josecelano

application/compose.test.yaml

@@ -0,0 +1,166 @@
+---
+# Docker Compose configuration for SSL testing with Pebble
+# This file provides a complete testing environment for SSL certificate generation
+# using Pebble (Let's Encrypt testing server) instead of the real Let's Encrypt API
+
+name: torrust-test
+services:
+  # Pebble - Let's Encrypt testing server
+  pebble:
+    image: ghcr.io/letsencrypt/pebble:latest
+    container_name: pebble
+    command: ["-dnsserver", "pebble-challtestsrv:8055"]
+    ports:
+      - "14000:14000"  # ACME API
+      - "15000:15000"  # Management API
+    networks:
+      - test_network
+    environment:
+      PEBBLE_VA_NOSLEEP: 1
+      PEBBLE_WFE_NONCEREJECT: 0
+      PEBBLE_CHALLTESTSRV: pebble-challtestsrv:8055
+    depends_on:
+      - pebble-challtestsrv
+
+  # Challenge test server for Pebble
+  pebble-challtestsrv:
+    image: ghcr.io/letsencrypt/pebble-challtestsrv:latest
+    container_name: pebble-challtestsrv
+    command: [
+      "-defaultIPv6", "", 
+      "-defaultIPv4", "proxy",
+      "-http01", "proxy:80",
+      "-https01", "",
+      "-tlsalpn01", ""
+    ]
+    ports:
+      - "8055:8055"  # Management port
+    networks:
+      - test_network
+
+  # Certbot configured for Pebble testing
+  certbot-test:
+    image: certbot/certbot
+    container_name: certbot-test
+    volumes:
+      - /var/lib/torrust/proxy/webroot:/var/www/html
+      - /var/lib/torrust/certbot/etc:/etc/letsencrypt
+      - /var/lib/torrust/certbot/lib:/var/lib/letsencrypt
+    networks:
+      - test_network
+    depends_on:
+      - pebble
+    logging:
+      options:
+        max-size: "10m"
+        max-file: "3"
+
+  # Nginx proxy configured for testing
+  proxy:
+    image: nginx:mainline-alpine
+    container_name: proxy-test
+    restart: unless-stopped
+    networks:
+      - test_network
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - /var/lib/torrust/certbot/webroot:/var/www/html
+      - /var/lib/torrust/proxy/etc/nginx-conf:/etc/nginx/conf.d
+      - /var/lib/torrust/certbot/etc:/etc/letsencrypt
+      - /var/lib/torrust/certbot/lib:/var/lib/letsencrypt
+      - /var/lib/torrust/dhparam:/etc/ssl/certs
+    logging:
+      options:
+        max-size: "10m"
+        max-file: "3"
+    depends_on:
+      - tracker
+      - grafana
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost/"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+
+  # Grafana for testing
+  grafana:
+    image: grafana/grafana:11.4.0
+    container_name: grafana-test
+    restart: unless-stopped
+    environment:
+      - GF_SECURITY_ADMIN_USER=${GF_SECURITY_ADMIN_USER:-admin}
+      - GF_SECURITY_ADMIN_PASSWORD=${GF_SECURITY_ADMIN_PASSWORD:-admin}
+    networks:
+      - test_network
+    ports:
+      - "3101:3000"  # Avoid conflict with production Grafana
+    volumes:
+      - grafana_test_data:/var/lib/grafana
+      - ../share/grafana/dashboards:/etc/grafana/provisioning/dashboards
+      - ../share/grafana/datasources:/etc/grafana/provisioning/datasources
+    logging:
+      options:
+        max-size: "10m"
+        max-file: "3"
+
+  # MySQL database for testing
+  mysql:
+    image: mysql:8.0
+    container_name: mysql-test
+    restart: unless-stopped
+    environment:
+      MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD:-root_password}
+      MYSQL_DATABASE: ${MYSQL_DATABASE:-torrust_tracker}
+      MYSQL_USER: ${MYSQL_USER:-torrust}
+      MYSQL_PASSWORD: ${MYSQL_PASSWORD:-user_password}
+    networks:
+      - test_network
+    ports:
+      - "3307:3306"  # Avoid conflict with production MySQL
+    volumes:
+      - mysql_test_data:/var/lib/mysql
+    logging:
+      options:
+        max-size: "10m"
+        max-file: "3"
+    healthcheck:
+      test: ["CMD", "mysqladmin", "ping", "-h", "localhost", "-u", "root", "-p${MYSQL_ROOT_PASSWORD:-root_password}"]
+      interval: 30s
+      timeout: 10s
+      retries: 5
+
+  # Torrust Tracker for testing
+  tracker:
+    image: torrust/tracker:develop
+    container_name: tracker-test
+    restart: unless-stopped
+    networks:
+      - test_network
+    ports:
+      - "6870:6868/udp"  # Avoid conflict with production tracker
+      - "6971:6969/udp"  # Avoid conflict with production tracker
+      - "7071:7070"      # Avoid conflict with production tracker
+      - "1213:1212"      # Avoid conflict with production tracker
+    volumes:
+      - ../storage/tracker/lib:/var/lib/torrust/tracker:Z
+      - ../storage/tracker/log:/var/log/torrust/tracker:Z
+      - ../storage/tracker/etc:/etc/torrust/tracker:Z
+    logging:
+      options:
+        max-size: "10m"
+        max-file: "3"
+    depends_on:
+      mysql:
+        condition: service_healthy
+
+networks:
+  test_network:
+    driver: bridge
+
+volumes:
+  grafana_test_data:
+    driver: local
+  mysql_test_data:
+    driver: local

application/compose.yaml

@@ -28,6 +28,7 @@ services:
       - /var/lib/torrust/proxy/webroot:/var/www/html
       - /var/lib/torrust/proxy/etc/nginx-conf:/etc/nginx/conf.d
       - /var/lib/torrust/certbot/etc:/etc/letsencrypt
+      - /var/lib/torrust/certbot/webroot:/var/lib/torrust/certbot/webroot
       - /var/lib/torrust/certbot/lib:/var/lib/letsencrypt
       - /var/lib/torrust/dhparam:/etc/ssl/certs
     logging:

application/pebble-config/pebble-config.json

@@ -0,0 +1,10 @@
+{
+    "pebble": {
+        "listenAddress": "0.0.0.0:14000",
+        "managementListenAddress": "0.0.0.0:15000",
+        "httpPort": 80,
+        "tlsPort": 443,
+        "ocspResponderURL": "",
+        "externalAccountRequired": false
+    }
+}