Add support for testing ARI in Pebble
This change is dependent upon a Pebble change I made here: https://github.com/letsencrypt/pebble/pull/461
- Added `makeReplacementOrderFinalized`, which issues a replacement order and progresses through the entire issuance workflow. It does not create a new account each time it's called, which is different from the existing `makeOrder` and `makeOrderFinalised`.
- Refactored iterating over every authorization and validating its challenges into a separate helper function `validateChallenges`.
Testing pebble and this change was performed as follows:
```shell
# Run challtestsrv, version doesn't particularly matter because we're not touching this code
$ docker rm challtestsrv 2>&1; docker run -p 5001:5001 -p 5002:5002 -p 5003:5003 -p 8053:8053 -p 8055:8055 -p 8443:8443 --name challtestsrv ghcr.io/letsencrypt/pebble-challtestsrv:latest
# Get the IP of that container
$ CHALLTESTSRV=$(docker inspect challtestsrv | jq -r '.[].NetworkSettings.Networks.bridge.IPAddress')
# Run pebble
$ go run cmd/pebble/main.go -config ./test/config/pebble-config.json -dnsserver ${CHALLTESTSRV}:8053
-----------------------------
# In the eggsampler repo
$ export PEBBLE_PATH=/path/to/pebble/on/your/computer
$ go test -test.run TestClient_IssueReplacementCert
```
which should result in:

```text
$ go test -run TestClient_IssueReplacementCert -v
2024/05/17 15:09:33 error reading: /home/phil/.gvm/pkgsets/go1.22.2/global/src/github.com/letsencrypt/boulder/.hierarchy/root-cert-ecdsa.pem - open /home/phil/.gvm/pkgsets/go1.22.2/global/src/github.com/letsencrypt/boulder/.hierarchy/root-cert-ecdsa.pem: no such file or directory
2024/05/17 15:09:33 error reading: /home/phil/.gvm/pkgsets/go1.22.2/global/src/github.com/letsencrypt/boulder/.hierarchy/root-cert-rsa.pem - open /home/phil/.gvm/pkgsets/go1.22.2/global/src/github.com/letsencrypt/boulder/.hierarchy/root-cert-rsa.pem: no such file or directory
2024/05/17 15:09:33 error creating client for http://localhost:4001/directory - acme: error fetching response: Get "http://localhost:4001/directory": dial tcp [::1]:4001: connect: connection refused
2024/05/17 15:09:33 using pebble directory at: https://localhost:14000/dir
=== RUN TestClient_IssueReplacementCert
ari_test.go:65: Issuing initial order
ari_test.go:72: Issuing first replacement order
ari_test.go:79: Issuing second replacement order
ari_test.go:86: Should not be able to create a duplicate replacement
--- PASS: TestClient_IssueReplacementCert (18.59s)
PASS
ok github.com/eggsampler/acme/v3 18.604s

$ go test -run TestClient_FailedReplacementOrderAllowsAnotherReplacement -v
2024/05/21 15:56:23 error reading: /home/phil/.gvm/pkgsets/go1.22.2/global/src/github.com/letsencrypt/boulder/.hierarchy/root-cert-ecdsa.pem - open /home/phil/.gvm/pkgsets/go1.22.2/global/src/github.com/letsencrypt/boulder/.hierarchy/root-cert-ecdsa.pem: no such file or directory
2024/05/21 15:56:23 error reading: /home/phil/.gvm/pkgsets/go1.22.2/global/src/github.com/letsencrypt/boulder/.hierarchy/root-cert-rsa.pem - open /home/phil/.gvm/pkgsets/go1.22.2/global/src/github.com/letsencrypt/boulder/.hierarchy/root-cert-rsa.pem: no such file or directory
2024/05/21 15:56:23 using pebble directory at: https://localhost:14000/dir
=== RUN TestClient_FailedReplacementOrderAllowsAnotherReplacement
ari_test.go:94: Issuing initial order
ari_test.go:112: Issuing replacement order which will intentionally fail
ari_test.go:119: Issuing replacement order for a parent order who previously had a failed replacement order
--- PASS: TestClient_FailedReplacementOrderAllowsAnotherReplacement (16.55s)
PASS
ok github.com/eggsampler/acme/v3 16.571s
```
@eggsampler ARI support has landed in Pebble as of a few moments ago. https://github.com/letsencrypt/pebble/pull/461
Would you mind taking a look at this when you can, please?
Code looks good, thank you!
My only query is, should there be some form of guard on the ARI test code where the ACME server in test does not support ARI? i.e.,
https://github.com/eggsampler/acme/blob/79b263fb796ce674c8e8bf08ff719d88291365e5/order_test.go#L138-L141
It's not super critical as this is primarily for boulder and pebble anyway, but when I first ran the make pebble test, I didn't realise the pebble ari code hadn't been tagged in a release and some of the tests failed.
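The guard being asked about amounts to checking whether the ACME server's directory advertises the `renewalInfo` endpoint that draft-ietf-acme-ari adds, and skipping the ARI tests when it does not. The following is an added example, not code from this PR or from the eggsampler/acme library: it parses a directory document to decide whether ARI is supported, and also shows how a client would read an ARI response's `suggestedWindow` to decide whether a certificate is due for a replacement order. The directory and renewalInfo JSON are constructed samples; the URLs in them are placeholders, not Pebble's real paths.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Constructed sample directory documents (not captured from Pebble or Boulder).
// "renewalInfo" is the key draft-ietf-acme-ari adds to the RFC 8555 directory;
// the URLs are placeholders.
const (
	directoryWithARI = `{
  "newNonce":    "https://localhost:14000/newNonce",
  "newAccount":  "https://localhost:14000/newAccount",
  "newOrder":    "https://localhost:14000/newOrder",
  "renewalInfo": "https://localhost:14000/renewalInfo"
}`
	directoryWithoutARI = `{
  "newNonce":   "https://localhost:14000/newNonce",
  "newAccount": "https://localhost:14000/newAccount",
  "newOrder":   "https://localhost:14000/newOrder"
}`
	// Constructed ARI response for one certificate: a one-day suggested window.
	sampleRenewalInfo = `{
  "suggestedWindow": {
    "start": "2024-05-17T12:00:00Z",
    "end":   "2024-05-18T12:00:00Z"
  },
  "explanationURL": "https://example.test/why-renew"
}`
)

// acmeDirectory is the subset of the directory object needed for the guard.
type acmeDirectory struct {
	NewNonce    string `json:"newNonce"`
	NewAccount  string `json:"newAccount"`
	NewOrder    string `json:"newOrder"`
	RenewalInfo string `json:"renewalInfo"`
}

// supportsARI reports whether the directory advertises a renewalInfo URL.
// A test that needs ARI can call t.Skip when this returns false.
func supportsARI(directoryJSON []byte) (bool, error) {
	var dir acmeDirectory
	if err := json.Unmarshal(directoryJSON, &dir); err != nil {
		return false, fmt.Errorf("parsing directory: %w", err)
	}
	return dir.RenewalInfo != "", nil
}

// renewalInfo mirrors the ARI response body.
type renewalInfo struct {
	SuggestedWindow struct {
		Start time.Time `json:"start"`
		End   time.Time `json:"end"`
	} `json:"suggestedWindow"`
	ExplanationURL string `json:"explanationURL,omitempty"`
}

// shouldRenew reports whether, at time now, the certificate described by the
// ARI response is due for a replacement order. The draft has the client pick a
// random instant inside the window and renew once that instant has passed; the
// window start is used here as the conservative trigger. A window whose end
// precedes its start is rejected rather than acted on.
func shouldRenew(infoJSON []byte, now time.Time) (bool, error) {
	var ri renewalInfo
	if err := json.Unmarshal(infoJSON, &ri); err != nil {
		return false, fmt.Errorf("parsing renewalInfo: %w", err)
	}
	start, end := ri.SuggestedWindow.Start, ri.SuggestedWindow.End
	if start.IsZero() || end.IsZero() || end.Before(start) {
		return false, errors.New("renewalInfo: malformed suggestedWindow")
	}
	return !now.Before(start), nil
}

func main() {
	for name, dir := range map[string]string{"with ARI": directoryWithARI, "without ARI": directoryWithoutARI} {
		ok, err := supportsARI([]byte(dir))
		fmt.Printf("directory %s: supportsARI=%v err=%v\n", name, ok, err)
	}
	now := time.Date(2024, 5, 17, 15, 9, 33, 0, time.UTC)
	renew, err := shouldRenew([]byte(sampleRenewalInfo), now)
	fmt.Printf("shouldRenew at %s: %v err=%v\n", now.Format(time.RFC3339), renew, err)
}
```

In a test suite the guard would run once against the live directory the client fetched (the `https://localhost:14000/dir` URL in the output above, for Pebble) and skip the ARI tests on `false`, so a Pebble release that predates ARI support fails cleanly instead of with unrelated errors.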
There probably should be, that's a good point. I'll update it as soon as I find myself back at a real keyboard. Thank you for taking a look.
On Fri, May 24, 2024, 6:48 PM Isaac Truscott @.***> wrote:
> Code looks good, thank you!
> My only query is, should there be some form of guard on the ARI test code where the ACME server in test does not support ARI? i.e.,
> https://github.com/eggsampler/acme/blob/79b263fb796ce674c8e8bf08ff719d88291365e5/order_test.go#L138-L141
> It's not super critical as this is primarily for boulder and pebble anyway, but when I first ran the make pebble test, I didn't realise the pebble ari code hadn't been tagged in a release and some of the tests failed.
@eggsampler I've just cut pebble v2.6.0 which has ARI support, rather than having to pull the main branch.