exposing locally generated roots for integration tests
After updating to current boulder, my ocsp stapling tests fail. Reason being that the openssl client fails with Verification error: unable to get local issuer certificate.
I am giving the call -CAfile $BOULDER/test/test-root.pem and that worked until the boulder update. (I had not updated for some time, so the change might have been done months ago in your timeline.)
I assume the pem has moved somewhere else?
I think #4832 changed things around so that the root and intermediates are generated at runtime using the new ceremony tool.
PKI.md got updated as well:
The private keys are stored in SoftHSM, and the public keys and certificates are written out to /tmp
Doesn't look like they're exported out of the container by default when using docker-compose.
@alexzorin has got it exactly right, as usual. :-) We now generate a fresh hierarchy with each run. Sorry for the breakage! We don't currently export the certs, but I am open to ideas on how to do it for integration tests that incorporate Boulder.
@jsha not sure I have a bright idea here. I added to my test suite code that copies docker:/tmp/*.pem into a local ca.pem and uses that. The older path was reverse engineered also, so I cannot really complain. ;)
I guess, offering a ca.pem resource from some web server would work for an "official" test api endpoint. Maybe even for the live servers it wouldn't hurt?
Coming back to this, I need an "official" point to get the root certificates for my test suite. I am prepared to do a docker cat from somewhere.
After hacking the location between different master revisions, I am currently unable to see any recent .pem in the boulder file system. Maybe it's only in memory/database now?
The generated roots should still be in /tmp/*.pem. The call path is test/startservers.py:setupHierarchy -> test/cert-ceremonies/generate.go, which in turn loads config files from test/cert-ceremonies/*.yaml. Those yamls configure the output paths. For instance, https://github.com/letsencrypt/boulder/blob/main/test/cert-ceremonies/intermediate-ceremony-rsa.yaml#L9 outputs to /tmp/root-cert-rsa.pem. Note that there are some small shenanigans in generate.go that rewrite some output paths, but not for the root, and everything still gets put in /tmp/.
Thanks jacob. For some reason, the files were not there. I removed all docker things and updated everything and now it's running fine again.
Should have done that right away. Sorry for the noise.
No problem. Always nice hearing from you. :-)
@aarongable is there any appetite for serving the root CA cert from the docker container at runtime at a stable path? (or is this issue closed because this is done already?)
Yes, I think there's some appetite for that. From the discussion above, @icing was able to get it out by docker cating (presumably docker exec boulder cat /path/to/file) the files from /tmp/root-cert-rsa.pem (and now /tmp/root-cert-ecdsa.pem). Does that work for you? We could just commit to those paths being medium-term stable, since they haven't changed in a while and we don't expect them to change soon.
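As an added example (not Boulder project code, not anything posted by the participants): a small POSIX shell helper that performs the docker exec ... cat extraction discussed above, bundles both runtime-generated roots into one CA file, and re-runs the kind of OCSP stapling check that broke at the top of the thread using that bundle as -CAfile. The container name "boulder", the /tmp/*.pem paths and the HOST:PORT argument are assumptions taken from the thread and can be overridden via the environment.

```shell
#!/bin/sh
# Added example (not Boulder project code): pull the runtime-generated roots
# out of the running boulder container, bundle them, and run the OCSP
# stapling check the thread describes against that bundle.
# Assumptions: the container is named "boulder" and the roots live at the
# /tmp/*.pem paths quoted in the thread (override both via the environment;
# the thread notes they may have moved to /hierarchy).
set -eu

BOULDER_CONTAINER="${BOULDER_CONTAINER:-boulder}"
BOULDER_ROOT_PATHS="${BOULDER_ROOT_PATHS:-/tmp/root-cert-rsa.pem /tmp/root-cert-ecdsa.pem}"
# How a file inside the container is read; swappable so the bundling logic
# can be exercised without Docker.
BOULDER_CAT="${BOULDER_CAT:-docker exec $BOULDER_CONTAINER cat}"

# count_certs FILE: number of PEM certificate blocks in FILE (0 if none).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# boulder_root_bundle OUTFILE: concatenate every configured root into OUTFILE.
# Fails if a path cannot be read or yields no certificate, so an empty bundle
# never silently shows up later as "unable to get local issuer certificate".
boulder_root_bundle() {
    out="$1"
    : > "$out"
    for p in $BOULDER_ROOT_PATHS; do
        before=$(count_certs "$out")
        $BOULDER_CAT "$p" >> "$out" || return 1
        [ "$(count_certs "$out")" -gt "$before" ] || return 1
    done
}

# check_stapling HOST:PORT BUNDLE: TLS handshake with -status using the bundle
# as the only trust anchor; succeeds only if the chain verifies AND a stapled
# OCSP response came back, and reports which of the two was missing otherwise.
check_stapling() {
    resp=$(openssl s_client -connect "$1" -status -CAfile "$2" </dev/null 2>&1) || true
    rc=0
    echo "$resp" | grep -q 'Verify return code: 0 (ok)' \
        || { echo "chain verification failed against $2"; rc=1; }
    echo "$resp" | grep -q 'OCSP Response Status: successful' \
        || { echo "no stapled OCSP response from $1"; rc=1; }
    return $rc
}
```

Typical use is `boulder_root_bundle ca.pem && check_stapling HOST:PORT ca.pem`, with HOST:PORT pointing at the server under test.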
I think they're in /hierarchy now, rather than /tmp, if I'm reading things correctly.
I was hoping one of the services started by startservers would expose them at an endpoint.