//go:build integration package integration import ( "crypto/rand" "encoding/hex" "fmt" "os" "testing" "github.com/eggsampler/acme/v3" "github.com/letsencrypt/boulder/test" ) func TestDuplicateFQDNRateLimit(t *testing.T) { t.Parallel() idents := []acme.Identifier{{Type: "dns", Value: random_domain()}} // TODO(#8235): Remove this conditional once IP address identifiers are // enabled in test/config. if os.Getenv("BOULDER_CONFIG_DIR") == "test/config-next" { idents = append(idents, acme.Identifier{Type: "ip", Value: "64.112.117.122"}) } // The global rate limit for a duplicate certificates is 2 per 3 hours. _, err := authAndIssue(nil, nil, idents, true, "shortlived") test.AssertNotError(t, err, "Failed to issue first certificate") _, err = authAndIssue(nil, nil, idents, true, "shortlived") test.AssertNotError(t, err, "Failed to issue second certificate") _, err = authAndIssue(nil, nil, idents, true, "shortlived") test.AssertError(t, err, "Somehow managed to issue third certificate") test.AssertContains(t, err.Error(), "too many certificates (2) already issued for this exact set of identifiers in the last 3h0m0s") } func TestCertificatesPerDomain(t *testing.T) { t.Parallel() randomDomain := random_domain() randomSubDomain := func() string { var bytes [3]byte rand.Read(bytes[:]) return fmt.Sprintf("%s.%s", hex.EncodeToString(bytes[:]), randomDomain) } firstSubDomain := randomSubDomain() _, err := authAndIssue(nil, nil, []acme.Identifier{{Type: "dns", Value: firstSubDomain}}, true, "") test.AssertNotError(t, err, "Failed to issue first certificate") _, err = authAndIssue(nil, nil, []acme.Identifier{{Type: "dns", Value: randomSubDomain()}}, true, "") test.AssertNotError(t, err, "Failed to issue second certificate") _, err = authAndIssue(nil, nil, []acme.Identifier{{Type: "dns", Value: randomSubDomain()}}, true, "") test.AssertError(t, err, "Somehow managed to issue third certificate") test.AssertContains(t, err.Error(), fmt.Sprintf("too many certificates (2) already issued for %q in the last 2160h0m0s", randomDomain)) // Issue a certificate for the first subdomain, which should succeed because // it's a renewal. _, err = authAndIssue(nil, nil, []acme.Identifier{{Type: "dns", Value: firstSubDomain}}, true, "") test.AssertNotError(t, err, "Failed to issue renewal certificate") }