pg-cdc test: Fix certificate test

Follow-up to MaterializeInc#35487

Causing test failures in main, see for example: https://buildkite.com/materialize/test/builds/119386#019d2eee-d56c-4bd2-8d5e-409525b0a147

pg-cdc-ssl-ca-bundle.td:38:1: executing query failed: db error: ERROR: error performing TLS handshake: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091:: self-signed certificate in certificate chain: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091:: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091:

Author: def-

test/test-certs/Dockerfile

@@ -11,7 +11,7 @@ MZFROM ubuntu-base
 
 RUN apt-get update && TZ=UTC DEBIAN_FRONTEND=noninteractive apt-get install -y openjdk-11-jdk openssl && apt-get clean && rm -rf /var/lib/apt/lists/*
 
-COPY create-certs.sh /
+COPY create-certs.sh ca.key ca-selective.key /
 
 RUN ./create-certs.sh
 

test/test-certs/ca-selective.key

@@ -0,0 +1,54 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIJtTBfBgkqhkiG9w0BBQ0wUjAxBgkqhkiG9w0BBQwwJAQQnVJ1Meg2ZjrqN/LJ
+FMemSwICCAAwDAYIKoZIhvcNAgkFADAdBglghkgBZQMEASoEEIZdqqzFxGMRjrnL
+0my4Ed0EgglQiWiVu6QKVNmjtgwCLJNk8pBx5DzA6WA/4M64ocFC+D0MktwA9Suc
+P/HSzJktzJE/RSlg4ebEfsSGLVjOE2hYnmVBXynWToqoPTRBW+XYStqZAd2J1Y/2
+xvE+EvGXALbci2qAPgsD4uT7kNqztdipLXioBmGpKKSy37vo0h0AJZttlVKId+mR
+OqfTa3yUn2O2jeNeolluAqls6WjBy0EeDhXpPBL0QW7wu4k82C33jvxjDus4FHsF
+/AD/wgdZyi4C0d1586hot22nvMFZNJHbR3OemECtM0/1WOiJt1lgW8ePdqz6L5di
+jRKeBV14ym4Ef7mvnVSggtiyCCzxnW5ek5ckW+fGtfo/sIGiy8setws1iPjsqnEx
+9QSIfv9q2uEFL6vsXM5uHLdo6HSQdJWwdeDl9MEVMS5K3KAhxCM+qD1x0z0R5dbl
+9zmz0rbgASzYG0JZsqaT+9LPMjMQ2mLvxcEH2aDIPCnTfUFtF0zirHGqZwN1qOaV
+FD+LOuv4UHG+Zeiyv9h94stLgszcwXTGBQrC+KUIZvqpE1zxfWh8M8sTHydmLsl6
+MPo/uuDSLw8wjLws4eEWY75yNNMCiA1uRh3rMjTPEoJ2J9G+53FBSym76DbWP0gq
+pAI+zu5eoOPSurEEdjrntxcpk35DwP2cWTuMhxBWDeZGqrMXO1TOpeXYNyRHrLRV
+6DOvpKb97kXbBldCrEc2HsN4cY9S99FOQLhLo0HRTIBE5J7dcXG6sY+v6I/F5P+y
+ShIFauv2rsL2Pg1cBLb5BSZ+QMKF4goifd02H325pBvYaO13oSPG0oGaBkx6uiCw
+Nh/kQiR1B7yCvyIK9HJUWJz3srQE6cw3t2p3wcRbWH6HZo9UzcdLvPj1MmRMVyjI
+DikCkOEFFO7vKWsbNVWhsbW6i+hg1sPyPzcHeu1DTPK1TG9i3lrtThW5PLeOBffS
+zpbiDNzjGqNTtU1q2MoK74FtuXvoTSl2yxmKtRc99VmjfpotBlbu5gfrOeS8RKBN
+DbW9zhA03Eo9WjbyK8cF18KXDSWg+xQDcWEhTcHE7QozQRX/yNM0sAMESNLW+tve
+u1Tn/tvZlUeVUSFxCvv8SsJZJtzSzvcwUPmNEj6dhSPWIRdN4HeYCElmYkGqTYKO
++cjJWteC1CrseKQeML2XAhNjn6ve0lxK9nRAl6c0TsfdwWcQaEGAKg4hTuFYcnkC
+ma4YdjJTgJYPWwgB8eaNV/cW0vZ7LGLWB5+UhJG3d2wezBtNhJM8z+yXTs1+Ozmw
+fSYQ6bPHYXC51fOYovPgFsvGvz9eTK8X/EXTFNOkJcJ3B8VxSo/IzJaDyTQP5zjY
+m+aTVXQH/Aey+z80qttq9MjxINod0Xu+/fz32QvoUXKFktZ0zMe0KBLLRNkQ69Iz
+ToBImw784RVaKyOib3MPZREUUedZgcVmb3NrShLQEZIQKdy/SwBA8/1AoMesScqD
+JhrGCfYhlW1FMZvDPnbuT+QDVA0Nfy8ma0iituNZTyqrOCo+nSj+surYaLzwzJj0
+4tgj99RatEfmxvcv8F3ifVn9AOOCcVRgCgYuPT7ljDXi/eNzmgSzJXBQMUrtrJl+
+jgWdQTAb3ZWApPCTJlJPsc3hTbeS6d1O/2cIR6mkgk7EZXoA8sB9EQ6hdsoaMDzN
+wGOG8g9mLOBMqCB4fN8WoZmOL0dCCSfzWb6kjbfH3XPJwYQmAib54pgb935yHe5V
+oDWqSDARC75lsTTUcvaviVoi1lTnjrPKZcm6fGEWJ5mgqTkcDtpE6t4qAtmS/bk3
+/BypO8Ol3H+ilF3R1jGqFNkxcCVdGV8JgotflklzIV6ba2R5qFUGmGzF8bpnDaqS
+RaLp+ZQWNLWGfxf8YIYDVjahOpZq+x1CMA7Tn/qfnICuRFQlR46WJ5AIXwR5K/fA
+Mvu2HypvAb3YdT7sECk351nFQSdvirLv1JXncH9Qoze+eZjhHn2L5yw86ZAB1GIB
+4g8+aZV6kOqm2tKG0X+pikoED3WrUD6Yk4h9qqzKGzBXxAo41s2skfX1cT5lLrI6
+tvF1Pk1Ukj11yR8nGa7dC7ESd3rVwMHOTjHw+Btdur0A1m2ImQ3pMm2/2798H9wa
+5x17MXJTCxfMltF+sI+1YMA2S3r5DR77Ew3LP1+l4cbw5o8TAPaHsQq99cBT261b
+zSIpETcREViFcVQ0wuN0koQ5ennMvbgNZ209Vxt48zw9zXi2gDLWZ9iK5P9U0fci
+ZFJgS5UaTESTWMesoxmah+zqUwSx/gCnby6A0q6Hdoz4OD74i+7DvLoyVvORnzrB
+JQOquPpPvIJDkJrQ25/soso6ptDCAFG9MlC16xQUkJG+dLJmydwm3ekhlFG0rsOy
+oCHb5n60Lq7vb3Qr3MbWZY9dgun8auPxOE/zZsncPFDbV/CrIj9cJHLhqiKe+0ol
+Y/W7fNGoDPtNgGQb68tTyNaGtH/QenoccTr+jevEonMam1qNawWMcC8MBB7bRqqH
+U8iB/pTOhelE/Yxik4vzZhIj7f3sUAhJG/FHUxH6ETXEoIaF19r5zaRFybm7pR90
+WSGgmtI6VziAmCBOfWROstZipaw0JaUM4VnqfqqQg+UZpqU54w5o4ftkhKfZ7p3n
+h4z4wLiQs0gZjcsDdo3J2o932VarFTiYDEzHTx6bgy/5GhVoxSUk20lj57NdZk4d
+VxSNRmWSQNtAsyNctPcuAFdlj+3w7RsvQYcmPA77HF6GIhW7WJwCQAzQV19emInD
+lMVIxJCGG4xzK1ohS+LiKtkPMK2v2mcPXJxw9R4EVJOcIPR3TJp0DpPkX8+UuOzh
+Glh4Kac17i4Bo+nL/PnC7S7kUL2XBd4EFRu5rdPhrpvVo8uNNhlDh0EHft43pCgh
+5BvNBSKGmndF5rKNzIZMU6m9xdF4XSxrs0o3RRXQFJWjn07JdaYNGTX6rBlOBzeV
+GEoYNVHHhkjo2KVDFfN9/8OCa8/FIBdwvuhVAzOPAGUd2229Kj2Y00iPcgAum6M8
+1WJWt4nnogSOFM9WK24PuqdS6p6tYnum+mN8bJ2ZEq0Frr1sO9OX7mGJnjTapLOW
+dMXfv5xFCm8FEzVm8W1OdJvxs2jBDzJG521cPSXFXet3D2snsUgywkSd4X34SVGb
+K6wfeDiyuLRBaJ6nhMhnshplipEBK5Waogk11r/DKFVpnZ1xAH6+qog=
+-----END ENCRYPTED PRIVATE KEY-----

test/test-certs/ca.key

@@ -0,0 +1,54 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIJtTBfBgkqhkiG9w0BBQ0wUjAxBgkqhkiG9w0BBQwwJAQQ1L6Gs3VgOJZvyIzY
+fLAM1wICCAAwDAYIKoZIhvcNAgkFADAdBglghkgBZQMEASoEENIFWX0Xzw4bd3HU
+XBSt9vEEgglQ+ougSuq+GzJzRSj6YHZdQob2pxhyJXhBsh0D4flr9FjR8AACFZUT
+wtLzMKvQ4sBfsXd0q5ivC6Rn5+cDxJHHvWbHpUz351fURoLVTq6ba8Dwg3P17QJN
+x4YRxfQ4bWixdd1X88OtVBGHj9JjX4jpeA+6O5Ol+Sg9u1P1FjxhueJAxAHDH1bE
+j7FUCPjTlNYlVQcuDKDT5p2Qly8v6OyeMC/+B0yKNJ49qI3Xqj5EU3x2aWMTbKy5
+9ZlKmQ5lCDY/bc1C0eojQqw/46Vb1v6AXsw1A+l3SNlLkgRnd00PqwbluxDkaRwK
+8D2PIuvSfTKtDc2OTNVo6ZUtyEQgIQnjcCJGyL7zccIDaATvrxHQwOFq+Gw4Ki0q
+RYHG7pr1G4iF+PdFMK8schbahYEAMsluL1lLMN17lZFAtTO6hwQOUplsRTgOsltO
+5bMsGIN+jkWd9hgmAzSjfN9j2gsRCQ/fF+Lt4o2r+fbtTb0KhvSNLxRdx+goHwgC
+zT/p7EXHvZrvvKkw6senMKTJaeiRFKe+Txv80nbpPVA405Azwp0bIzkJT/nm/2DX
+GoS04qAiGjx6nJsJuQMVSs1d451+UwuyUdncLmpsljkDoGfFJjz9oqi7Pl4G5Az1
++1DQPU2hyoQdco1fAqlTNqoInKitSbvF6cGKM+GeCrSPe9MGI1EA7bHyLdJ/01OS
+8Bzyr/HCnmmnoybpZk6FsDeF4wDN33l/0GIn3epLdAKW9lud6AuoThZwUPIPPK6Z
+/JnkqXXGejLS4Moextm1xzymkW0dfVdZUFE4tmeuS53HynEcQmRU7xln+6cOtuSq
+bh/aR2iL6rStpIp7jhdAWvTsQF1nK03EP2AZM8LfkINEcjfzQtU/Mt0XpJJO+yQ5
+sG1Uerpo0RXZduAbponN8w1+8JZTPhdJT2PR/mE/sQggTtdcwPrqDzknub1KmpcG
+wEOkliG7lBSrK+xa19iE9/kfZ2ptDywBismUwWnV48yqkDHXo39olHbMXhP8cCcD
+unib5vHhEP/CpABpkRzZEoERQWDAxjSGBFiXvGl3fMlKjRRZ7tf6KKu5svj5IOre
+46YaEIXPwdG8DmK+yHpDghxH8K3/9yZpOwQOFWxPFPf0F6O+rz3CPkp9WGVbfzDV
+LgtdBoqoIOpJUD8n28KzI0qC27WMwPHWP8hNFjzZ41D2mSfSpj/PtVGR1OxiBFTX
+pDXWQd+cfGkxgl5gtuJp1akWarSiHuM2FbcyX5LyCeLD6ecmJTInBMjBTk41eyh1
+vi8xoyBKqQjoeaLfp4rRnXxRp/n1dT2eJDWOM09keWEGhkJwruVoPcKi22j2lh0n
+ZJFxlCHiZzOWSz6MJz1Uoz11AVAXPnycrb6xWwZK7j5gKmGJuanBMefSUxXtLe7Q
+7X0F4ZtROVt0abVcP2ey/dCzPf5O2w6E+O69gFliP3cl9OUS2Bwaz+mlY1ipQXqd
+UXbzcIRAD7Nzn0wEUpFc/xkSf7ka2I+1OOQ867KKjWbUSbgtui+jVSZXd00OLqbV
+gnYqyqLnGY4peUSHIHCXu+2H1ALAX8YeHnbhrbD55e6lqo+rhOG9CQlTwgeF5j3a
+XkjszDcsORXP4wOYpLpNVBOeIbqWg+W1+Vn5wuGPdichY0W/fvYGstH1gthedzTb
+ksjaKD76M3EhZQ2b1vMVnA8Z0HdvUU9+KfF5ap4tkZIvL/aMwfKKMKbuT+PwrD5i
+SScINwwt5+DSrFLqZetoL5dc/iTc7eD8VQjhGl8Rer0gpI45r1fUz9v2InBGo7/3
+bx287HXHqSezP96fIcaCm+7SGXiAZkU9wvj1wXvhiC9B2EBv5plXvPlApbNmdBm8
+Txat25XtVJFiyyN+rqD74KL99Y9OMxcuRhoAQwRSsd6MSmqwFDGoHirvhBX5cGV9
+CEQ9BzbTQv4+BBSdnIjFlTykYO19051V6TkL67WuIq5rIiVnnQzP2ctvDa210Use
+utfWtQP0v4Luv00zLzsTE05jsx5J3oaoh1PARF5ouWFEwDy8q2DSX0zPgr4EeSns
+QL/tjxXnrgzLrsaAoRzufdADJ/3TYXTy6XX/Y+MBBdRGPOFaun7yAnEFobBXZV53
+m9V7+UCoFGeZBH1oV8iWtkBUTQtWEEeAcaLOhyWIcMugE/rK16bimAjbqDZiyY1r
+c2ZITp3PJYJPy8vGsRKXESoZ1nOSGNOwuJ+XXVwx8ilpgstmrbGGxUmSCPdiHucL
+sFo7f/Vd2puYn3I5TE8t6iwwl/RYrO6DgFYlNNWdyO2zQYYndbntJEvl4AunOb1z
+TTPBvqbRwwPOzTHYT/wYwLlSMiXDsNtFAUXpirlIirPW84xT1KMlgH6KH/k+ZZ/+
+kvbSUltB5PBEn1cVUbqvENmUMihUoY90uuSUoCLVisesk2WQBOGYuuLXpjMB+Ef6
+sZ2D6sKda6rWoOE1PLT/UyEg40SXcmwqVEBsHx2KFHj1kijlgXarsR/tAD9pO6RR
+IMaablk2N+necOXnb70WFMHKDPiX2NPiE7Mt6GmnoGkAL1io25XA1aUwQkZYnWSo
+5s8svrigoxzkWEuNnyGF7yxf3TR4rH0KpxdxI24TZHPngmyyxK1FAn6sgk5thLc2
+mFkxYwcVMoB4yWOysg3V5u6Zd6Y3KeVeM3d+LLznFVJnqEHrEl6B0YGInPce7AgJ
+YrZwcsUaeB+7ht4nvNAtk0tyiS5QFc0NteQUmO0lkCm/si0nESEGGk+GJ3liLvtK
+F6dH+OjAQEBMl2cbCLTdClpeXvF+Scr0AvELq8N5GvEQWfWTGf1WJFRg/Hj8fPS/
+4kGJZ3886/ZGKSm1zY9NLBhawhlIddVb/AYzB2tunpcu2kV/R7Qgz6spUxfIOUxK
+wNBMw94Hm+Vyazsh5zwqDTaAWcCMBzOzg4tGCqQg6KEPBF+4DMpx0CWwdEpBan5Y
+HkQAhM2BgAOWjAvQzr6LrP7Z77X/sHzOK6VR7FGZMOX/dTU5TBtriPh61AwDZRK/
+ZVajnZLRxDj7/I0c4WYXC6iBNGntoougZPXyMCu4vyyvOzopenQDZyZzNWPiREy0
+rmWHZgRlkY13GOVD0mrBAOkbU1QW/eHBvHHDH2Je8w7MQ8uWvoS0yTjZwhK1kyVP
+NLIYvxHxNgHHgngMVAu3RkUwg+/x4+GGou9dIqVxkP8kHj8VCI2iAjY=
+-----END ENCRYPTED PRIVATE KEY-----

test/test-certs/create-certs.sh

@@ -53,31 +53,42 @@ export SSL_SECRET=mzmzmz
 
 mkdir secrets
 
-# Create CA
+# Use pre-committed CA keys to ensure deterministic builds.
+#
+# The mzbuild fingerprint is derived from file contents (Dockerfile,
+# create-certs.sh, etc.) but NOT from build outputs. Since openssl generates
+# random keys, rebuilding the test-certs image with the same fingerprint
+# produces different CA certificates. Dependent images like postgres (which
+# bake in certs at build time) may not be rebuilt, causing a CA mismatch:
+# the test provides the new CA cert but postgres still serves a cert signed
+# by the old CA.
+#
+# Fixing the CA private keys makes rebuilds safe: every build produces
+# certificates verifiable by the same CA key pair.
+cp /ca.key secrets/ca.key
+cp /ca-selective.key secrets/ca-selective.key
+
+# Create CA cert from the fixed key
 openssl req \
     -x509 \
     -days 36500 \
-    -newkey rsa:4096 \
-    -keyout secrets/ca.key \
+    -key secrets/ca.key \
     -out secrets/ca.crt \
     -sha256 \
     -batch \
     -subj "/CN=MZ RSA CA" \
-    -passin pass:$SSL_SECRET \
-    -passout pass:$SSL_SECRET
+    -passin pass:$SSL_SECRET
 
-# Create an alternative CA, used for certain tests
+# Create an alternative CA cert from the fixed key, used for certain tests
 openssl req \
     -x509 \
     -days 36500 \
-    -newkey rsa:4096 \
-    -keyout secrets/ca-selective.key \
+    -key secrets/ca-selective.key \
     -out secrets/ca-selective.crt \
     -sha256 \
     -batch \
     -subj "/CN=MZ RSA CA" \
-    -passin pass:$SSL_SECRET \
-    -passout pass:$SSL_SECRET
+    -passin pass:$SSL_SECRET
 
 # create_cert CLIENT-NAME CA-NAME COMMON-NAME
 create_cert() {