From 046f7c59982d1f93a9c0320f84d33a9cbf782157 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?=
Date: Wed, 4 Jun 2025 15:38:38 +0200
Subject: [PATCH] Deployment tests: comment on Pebble's certificate

---
 deployment/check/common/targetNode.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/deployment/check/common/targetNode.nix b/deployment/check/common/targetNode.nix
index b42c5e21..16eacb94 100644
--- a/deployment/check/common/targetNode.nix
+++ b/deployment/check/common/targetNode.nix
@@ -50,13 +50,16 @@ in
 };
 security.pki.certificateFiles = [
+ ## NOTE: This certificate is the one used by the Pebble HTTPS server.
+ ## This is NOT the root CA of the Pebble server. We do add it here so
+ ## that Pebble clients can talk to its API, but this will not allow
+ ## those machines to verify generated certificates.
 testCerts.ca.cert
 ];
 ## FIXME: it is a bit sad that all this logistics is necessary. look into
 ## better DNS stuff
 networking.extraHosts = "${config.acmeNodeIP} acme.test";
-
 })
 ];
 }
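Review bot: The added comment on `security.pki.certificateFiles` calls `testCerts.ca.cert` "the one used by the Pebble HTTPS server", while the attribute path itself says `ca`, so a reader cannot tell whether a leaf certificate or the CA that signed Pebble's API endpoint is being trusted. If it is the signing CA for the API endpoint (inferred from the name; the definition of `testCerts` is not in this hunk), wording such as `## NOTE: trust anchor for Pebble's HTTPS API endpoint only; it is NOT the ACME root that signs issued certificates.` would be unambiguous. It is also worth one more comment line saying that every entry in this list is trusted system-wide on the node, so this test certificate must stay confined to test machines, and that any check validating issued certificates needs Pebble's own root added separately. The enclosing module starts above the hunk.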