add pebble for testing about sewer HOT 4 OPEN

I've been working on this, using pebble-chaltestsrv to answer the challenges, and ran into a problem with pebble seemingly not honoring the -dnsserver option (to direct DNS queries to the chaltestsrv). Omens are unclear. Recording what hints I find here so I don't lose track of them again.

pebble #118 mentions docker magic workaround for a DNS issue that may or may not be related

from sewer.

does this letsencrypt/pebble#139 help?

from sewer.

do you have a draft PR open?
I can have a look and try to help if I get some time

from sewer.

letsencrypt/pebble#139 would help if it worked. I banged my head on this for a while, evenually found, I think, that this is a fight against the go resolver that they're using, and they pulled a dirty(?) hack out which broke -dnsserver. That was months ago, and I understand they're a small, perhaps marginal part of letsencrypt's dev team, but I curse them roundly for not making it clear that the option was defunct. I think it was finding a bug where they chose NOT to remove the broken thing for some reason I cannot fathom, though it has an odor of arrogant pride to this afflicted user. :-( <flame/>

I'm nearly ready to have another go at it, by setting up a network namespace to stuff pebble into where it be given a custom resolv.conf (and another for challtestsrv, since there's no way to pass it the nonstandard port without the above-cursed thing). I don't know if this will translate directly into the CI environment, but it's a much more lightweight alternative to a full-load container for each piece... though it was a mention of someone who go the broken things working using containers that gave me hope again.

I have too many things going on, all of them less than perfectly independent. I'd like to finish the auth consolidation first (there's the catalog and removal of imports from init.py, which isn't in the PR yet, and some other changes that the bugs and old PRs I've been looking at have suggested), then re-assemble the pebble work, which is largely the "current RFC compat" work, on top of it. And once again, looking at other issues, especially the "*." one, has suggested some changes in the new auth interface. Continuous Improvement is the enemy of "done". :-/

from sewer.