67 lines
2.3 KiB
Go
67 lines
2.3 KiB
Go
//go:build integration
|
|
|
|
package integration
|
|
|
|
import (
|
|
"crypto/rand"
|
|
"encoding/hex"
|
|
"fmt"
|
|
"os"
|
|
"testing"
|
|
|
|
"github.com/eggsampler/acme/v3"
|
|
|
|
"github.com/letsencrypt/boulder/test"
|
|
)
|
|
|
|
func TestDuplicateFQDNRateLimit(t *testing.T) {
|
|
t.Parallel()
|
|
idents := []acme.Identifier{{Type: "dns", Value: random_domain()}}
|
|
|
|
// TODO(#8235): Remove this conditional once IP address identifiers are
|
|
// enabled in test/config.
|
|
if os.Getenv("BOULDER_CONFIG_DIR") == "test/config-next" {
|
|
idents = append(idents, acme.Identifier{Type: "ip", Value: "64.112.117.122"})
|
|
}
|
|
|
|
// The global rate limit for a duplicate certificates is 2 per 3 hours.
|
|
_, err := authAndIssue(nil, nil, idents, true, "shortlived")
|
|
test.AssertNotError(t, err, "Failed to issue first certificate")
|
|
|
|
_, err = authAndIssue(nil, nil, idents, true, "shortlived")
|
|
test.AssertNotError(t, err, "Failed to issue second certificate")
|
|
|
|
_, err = authAndIssue(nil, nil, idents, true, "shortlived")
|
|
test.AssertError(t, err, "Somehow managed to issue third certificate")
|
|
|
|
test.AssertContains(t, err.Error(), "too many certificates (2) already issued for this exact set of identifiers in the last 3h0m0s")
|
|
}
|
|
|
|
func TestCertificatesPerDomain(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
randomDomain := random_domain()
|
|
randomSubDomain := func() string {
|
|
var bytes [3]byte
|
|
rand.Read(bytes[:])
|
|
return fmt.Sprintf("%s.%s", hex.EncodeToString(bytes[:]), randomDomain)
|
|
}
|
|
|
|
firstSubDomain := randomSubDomain()
|
|
_, err := authAndIssue(nil, nil, []acme.Identifier{{Type: "dns", Value: firstSubDomain}}, true, "")
|
|
test.AssertNotError(t, err, "Failed to issue first certificate")
|
|
|
|
_, err = authAndIssue(nil, nil, []acme.Identifier{{Type: "dns", Value: randomSubDomain()}}, true, "")
|
|
test.AssertNotError(t, err, "Failed to issue second certificate")
|
|
|
|
_, err = authAndIssue(nil, nil, []acme.Identifier{{Type: "dns", Value: randomSubDomain()}}, true, "")
|
|
test.AssertError(t, err, "Somehow managed to issue third certificate")
|
|
|
|
test.AssertContains(t, err.Error(), fmt.Sprintf("too many certificates (2) already issued for %q in the last 2160h0m0s", randomDomain))
|
|
|
|
// Issue a certificate for the first subdomain, which should succeed because
|
|
// it's a renewal.
|
|
_, err = authAndIssue(nil, nil, []acme.Identifier{{Type: "dns", Value: firstSubDomain}}, true, "")
|
|
test.AssertNotError(t, err, "Failed to issue renewal certificate")
|
|
}
|