Added test unit for LETSENCRYPT_MIN_VALIDITY environment variable

Modified Boulder to issue certificates with 88 day lifetime

Author: Greek64

test/config.sh

@@ -12,6 +12,7 @@ imageTests+=(
 	certs_single
 	certs_san
 	force_renew
+	certs_validity
 	container_restart
 	permissions_default
 	permissions_custom

test/setup/setup-boulder.sh

@@ -11,12 +11,22 @@ setup_boulder() {
       $GOPATH/src/github.com/letsencrypt/boulder
   pushd $GOPATH/src/github.com/letsencrypt/boulder
   if [[ "$(uname)" == 'Darwin' ]]; then
+    # Set Standard Ports
     sed -i '' 's/ 5002/ 80/g' test/config/va.json
     sed -i '' 's/ 5001/ 443/g' test/config/va.json
+    # Set certificate lifetime to 88 days
+    sed -i '' 's/2160h/2112h/g' test/config/ca-a.json
+    sed -i '' 's/2160h/2112h/g' test/config/ca-b.json
+    # Modify custom rate limit
     sed -i '' 's/le.wtf,le1.wtf/le1.wtf,le2.wtf,le3.wtf/g' test/rate-limit-policies.yml
   else
+    # Set Standard Ports
     sed --in-place 's/ 5002/ 80/g' test/config/va.json
     sed --in-place 's/ 5001/ 443/g' test/config/va.json
+    # Set certificate lifetime to 88 days
+    sed --in-place 's/2160h/2112h/g' test/config/ca-a.json
+    sed --in-place 's/2160h/2112h/g' test/config/ca-b.json
+    # Modify custom rate limit
     sed --in-place 's/le.wtf,le1.wtf/le1.wtf,le2.wtf,le3.wtf/g' test/rate-limit-policies.yml
   fi
   docker-compose build --pull

test/tests/certs_validity/expected-std-out.txt

@@ -0,0 +1,13 @@
+Started letsencrypt container for test certs_validity
+Started test web server for le1.wtf
+Started test web server for le2.wtf
+Started test web server for le3.wtf
+Symlink to le1.wtf certificate has been generated.
+The link is pointing to the file ./le1.wtf/fullchain.pem
+Symlink to le2.wtf certificate has been generated.
+The link is pointing to the file ./le2.wtf/fullchain.pem
+Symlink to le3.wtf certificate has been generated.
+The link is pointing to the file ./le3.wtf/fullchain.pem
+Certificate for le1.wtf was not renewed.
+Certificate for le2.wtf was not renewed.
+Certificate for le3.wtf was renewed.

test/tests/certs_validity/run.sh

@@ -0,0 +1,93 @@
+#!/bin/bash
+
+## Test for the LETSENCRYPT_MIN_VALIDITY environment variable.
+
+if [[ -z $TRAVIS_CI ]]; then
+  le_container_name="$(basename ${0%/*})_$(date "+%Y-%m-%d_%H.%M.%S")"
+else
+  le_container_name="$(basename ${0%/*})"
+fi
+run_le_container ${1:?} "$le_container_name"
+
+# Create the $domains array from comma separated domains in TEST_DOMAINS.
+IFS=',' read -r -a domains <<< "$TEST_DOMAINS"
+
+# Cleanup function with EXIT trap
+function cleanup {
+  # Remove any remaining Nginx container(s) silently.
+  for domain in "${domains[@]}"; do
+    docker rm --force "$domain" > /dev/null 2>&1
+  done
+  # Cleanup the files created by this run of the test to avoid foiling following test(s).
+  docker exec "$le_container_name" bash -c 'rm -rf /etc/nginx/certs/le?.wtf*'
+  # Stop the LE container
+  docker stop "$le_container_name" > /dev/null
+}
+trap cleanup EXIT
+
+# Run a separate nginx container for each domain in the $domains array.
+# Default validity
+docker run --rm -d \
+  --name "${domains[0]}" \
+  -e "VIRTUAL_HOST=${domains[0]}" \
+  -e "LETSENCRYPT_HOST=${domains[0]}" \
+  --network boulder_bluenet \
+  nginx:alpine > /dev/null && echo "Started test web server for ${domains[0]}"
+# Manual validity (same as default)
+docker run --rm -d \
+  --name "${domains[1]}" \
+  -e "VIRTUAL_HOST=${domains[1]}" \
+  -e "LETSENCRYPT_HOST=${domains[1]}" \
+  -e "LETSENCRYPT_MIN_VALIDITY=2592000" \
+  --network boulder_bluenet \
+  nginx:alpine > /dev/null && echo "Started test web server for ${domains[1]}"
+# Manual validity (few seconds shy of MIN_VALIDITY_CAP=7603200)
+docker run --rm -d \
+  --name "${domains[2]}" \
+  -e "VIRTUAL_HOST=${domains[2]}" \
+  -e "LETSENCRYPT_HOST=${domains[2]}" \
+  -e "LETSENCRYPT_MIN_VALIDITY=7603190" \
+  --network boulder_bluenet \
+  nginx:alpine > /dev/null && echo "Started test web server for ${domains[2]}"
+
+# Wait for a symlinks
+wait_for_symlink "${domains[0]}" "$le_container_name"
+wait_for_symlink "${domains[1]}" "$le_container_name"
+wait_for_symlink "${domains[2]}" "$le_container_name"
+# Grab the expiration times of the certificates
+first_cert_expire_1="$(get_cert_expiration_epoch "${domains[0]}" "$le_container_name")"
+first_cert_expire_2="$(get_cert_expiration_epoch "${domains[1]}" "$le_container_name")"
+first_cert_expire_3="$(get_cert_expiration_epoch "${domains[2]}" "$le_container_name")"
+
+# Wait for ${domains[2]} set certificate validity to expire
+sleep 10
+
+# Manually trigger letsencrypt_service
+docker exec "$le_container_name" /bin/bash -c "source /app/letsencrypt_service --source-only; update_certs" > /dev/null 2>&1
+
+# Grab the new expiration times of the certificates
+second_cert_expire_1="$(get_cert_expiration_epoch "${domains[0]}" "$le_container_name")"
+second_cert_expire_2="$(get_cert_expiration_epoch "${domains[1]}" "$le_container_name")"
+second_cert_expire_3="$(get_cert_expiration_epoch "${domains[2]}" "$le_container_name")"
+
+if [[ $second_cert_expire_1 -eq $first_cert_expire_1 ]]; then
+  echo "Certificate for ${domains[0]} was not renewed."
+else
+  echo "Certificate for ${domains[0]} was incorrectly renewed."
+  echo "First certificate expiration epoch : $first_cert_expire_1."
+  echo "Second certificate expiration epoch : $second_cert_expire_1."
+fi
+if [[ $second_cert_expire_2 -eq $first_cert_expire_2 ]]; then
+  echo "Certificate for ${domains[1]} was not renewed."
+else
+  echo "Certificate for ${domains[1]} was incorrectly renewed."
+  echo "First certificate expiration epoch : $first_cert_expire_2."
+  echo "Second certificate expiration epoch : $second_cert_expire_2."
+fi
+if [[ $second_cert_expire_3 -gt $first_cert_expire_3 ]]; then
+  echo "Certificate for ${domains[2]} was renewed."
+else
+  echo "Certificate for ${domains[2]} was not renewed."
+  echo "First certificate expiration epoch : $first_cert_expire_3."
+  echo "Second certificate expiration epoch : $second_cert_expire_3."
+fi