pebble icon indicating copy to clipboard operation
pebble copied to clipboard

Published 20 hours ago verified publisher icon letsencrypt

HTTP Management Interface

Open cpu opened this issue 6 years ago • 6 comments

Discussion on https://github.com/letsencrypt/pebble/pull/39 indicated that there are users who would find it valuable to be able to inject test data into Pebble to help support integration testing with an ACME client.

Similarly, in https://github.com/letsencrypt/boulder/issues/2697 there was a desire for a way to signal "Reject the next n requests as if they had a badNonce".

Pebble should offer a basic HTTP "admin"/"test" interface on a different path/port than the ACME API that can be used to do management tasks like the two listed above.

cpu avatar Dec 13 '17 14:12 cpu

Another potential use case (from https://github.com/letsencrypt/pebble/issues/177): checking which certificates have been revoked as a light-weight alternative to OCSP or trying to revoke the certificate again.

cpu avatar Nov 26 '18 14:11 cpu

As discussed in #242, I would like to propose some basic spec around this feature.

I propose to expose every admin/test related stuff endpoint at the root context /, listening to a port defined in a new adminPort field in the Pebble JSON configuration file. The one proposed in the GIT repo will have the default value of 4000. Not specifying this field in a given configuration will disable the interface. The protocol will be HTTPS, using the same certificate than on port 14000 for the ACME protocol, and so consumes the existing configuration fields on that matter.

What do you think of that @cpu @jsha?

adferrand avatar Jun 26 '19 16:06 adferrand

@adferrand That sounds great :+1: I like the idea of putting it on a separate port and disabling the administrative interface outright if it isn't configured. Thanks for volunteering to spec this out/implement it!

The one proposed in the GIT repo will have the default value of 4000

This is totally a bike-shed comment but I think I'd prefer 15000 as the default port. We use :4000 for HTTP access to the legacy ACME v1 API in Boulder and I'd prefer to avoid confusing someone into thinking any part of this management interface relates to ACME v1.

cpu avatar Jun 27 '19 16:06 cpu

I'm going to re-open this issue since while there is a separate HTTP(s) management interface thanks to @adferrand (:tada:) it doesn't yet let you inject test data, query expiration data, or otherwise affect validation. There is probably an argument to be made for splitting those into separate issues but for now we can use this one.

cpu avatar Jul 11 '19 14:07 cpu

I guess it is a good idea to list all PRs here which add functionality to the new management interface.

#252 (recently merged) allows to retrieve certificate revocation status (and also the certificate itself) by the certificate's serial number.

felixfontein avatar Jul 29 '19 09:07 felixfontein

I would appreciate the ability to trigger/untrigger pebble's responses so that:

  • the next order(s) will be considered: [x] pending (current behavior) [] invalid [] ready [] processing [] valid

  • the next authorizations(s) will be considered: [x] pending (current behavior) [] valid [] invalid [] deactivated [] expired [] revoked

  • authorization challenges start as: [x] pending (current behavior) [] processing [] valid [] invalid

A use-case is that I would be able to use hooks in an ACME-client's test script to ensure the client is dealing with every situation/response appropriately. Most clients I have seen will only consider pending/valid in their logic, then bubble up exceptions for other situations; I'd like my client to run tests against pebble on every possible permutation of responses.

jvanasco avatar Feb 03 '20 20:02 jvanasco