
Create a test that checks whether certificates are renewed in secure custom domain support

Open amwolff opened this issue 2 years ago • 2 comments

Goal

We should be testing whether certificates are renewed in secure custom domain support on every commit to ensure we don't break anything.

Acceptance Criteria

There's an additional test run as part of integration tests (so ideally after #313 is completed) that tests whether certificates are renewed in secure custom domain support.

Three scenarios need to be tested:

(there's a renewal threshold that makes sense for this test; the decision is left to the assignee)

<--------------------------------cert's lifetime-------------------------------->
<---don't renew---renewal threshold's start---renew---renewal threshold's end--->
  1. Certificates with expiration before the renewal threshold's start shouldn't be renewed
  2. Certificates with expiration after the renewal threshold's start should be renewed
  3. Certificates with expiration after the renewal threshold's end should be renewed

Links

  • A ticket that this issue is an outcome of: #306

Feb 27 '23 12:02 amwolff

This will be tricky to test (the test plan that this issue is a result of assumes white box testing), and there's little benefit to testing this from our end, as for all of that we use CertMagic, and it's well tested there; hence I'm allowing myself to make this the lowest priority possible. I'd rather spend this time creating more tests that hit our non-prod/QA/prod environments and check whether certs are renewed timely and not constantly (in short: correctly). /cc @ferristocrat

Feb 27 '23 12:02 amwolff

#313 is completed and added an integration test using Pebble (a test ACME server). One thing it supports is setting certificateValidityPeriod (this is set to 600 seconds for #313). We could add a new test that sets this period to something smaller, allowing enough time for the initial cert to be issued, and test within the renewal window. Note that CertMagic sets 1/3 of the certificate lifetime for the renewal window by default, but it can be adjusted in the config for a much smaller certificate lifetime: https://github.com/caddyserver/certmagic/blob/master/maintain.go#L643

Apr 04 '23 06:04 halkyon
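
The three scenarios from the issue, worked through for a 600-second certificate lifetime (the value #313 uses) and a renewal window covering the last 1/3 of the lifetime. This is an added Go example, not code from the issue thread or from CertMagic; `needsRenewal`, `scenario`, `defaultCases` and `checkScenarios` are hypothetical names, and the timestamps are constructed.

```go
package main

import (
	"fmt"
	"time"
)

// needsRenewal reports whether a certificate valid over [notBefore, notAfter]
// is past the start of its renewal window at time now. The window is the last
// `ratio` fraction of the lifetime, so an expired certificate also qualifies.
func needsRenewal(notBefore, notAfter, now time.Time, ratio float64) bool {
	lifetime := notAfter.Sub(notBefore)
	window := time.Duration(float64(lifetime) * ratio)
	return now.After(notAfter.Add(-window))
}

// scenario is one row of the three-case test matrix.
type scenario struct {
	name   string
	age    time.Duration // time elapsed since issuance (constructed sample)
	expect bool          // whether a renewal is expected at that age
}

// defaultCases assumes a 600 s lifetime and ratio 1/3: the window starts at 400 s.
func defaultCases() []scenario {
	return []scenario{
		{"before window start", 100 * time.Second, false},
		{"inside window", 450 * time.Second, true},
		{"after window end (expired)", 700 * time.Second, true},
	}
}

// checkScenarios returns the names of cases whose outcome differs from expect.
func checkScenarios(lifetime time.Duration, ratio float64, cases []scenario) []string {
	issued := time.Date(2023, 4, 4, 6, 0, 0, 0, time.UTC) // constructed issuance time
	var failed []string
	for _, c := range cases {
		got := needsRenewal(issued, issued.Add(lifetime), issued.Add(c.age), ratio)
		if got != c.expect {
			failed = append(failed, c.name)
		}
	}
	return failed
}

func main() {
	fmt.Println(checkScenarios(600*time.Second, 1.0/3.0, defaultCases()))
}
```

An integration test against Pebble would replace the computed ages with real waits, so the chosen validity period has to leave enough time before the window opens for the initial issuance to complete.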