Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dynamically generate grpc-creds at integration test startup #7477

Merged
merged 14 commits into from
May 15, 2024
Merged

Dynamically generate grpc-creds at integration test startup #7477

merged 14 commits into from
May 15, 2024

Conversation

aarongable
Copy link
Contributor

@aarongable aarongable commented May 7, 2024
edited
Loading

The summary here is:

  • Move test/cert-ceremonies to test/certs
  • Move .hierarchy (generated by the above) to test/certs/webpki
  • Remove our mapping of .hierarchy to /hierarchy inside docker
  • Move test/grpc-creds to test/certs/ipki
  • Unify the generation of both test/certs/webpki and test/certs/ipki into a single script at test/certs/generate.sh
  • Make that script the entrypoint of a new docker compose service
  • Have t.sh and tn.sh invoke that service to ensure keys and certs are created before tests run

No production changes are necessary, the config changes here are just for testing purposes.

Part of #7476

@aarongable aarongable force-pushed the dynamic-test-keys branch from 83758cd to 894cd71 Compare May 9, 2024 02:27
@aarongable aarongable force-pushed the dynamic-test-keys branch from 894cd71 to 15fa729 Compare May 9, 2024 02:30
pgporada
pgporada reviewed May 9, 2024
View reviewed changes
docker-compose.yml Outdated Show resolved Hide resolved
t.sh Show resolved Hide resolved
test/certs/webpki.go Outdated Show resolved Hide resolved
tn.sh Show resolved Hide resolved
@aarongable aarongable force-pushed the dynamic-test-keys branch from af467b9 to b1b3ec8 Compare May 10, 2024 00:31
@aarongable
Copy link
Contributor Author

The unit tests pass, huzzah! Now I just need to figure out why the integration tests start, but the WFE believes it has no gRPC backends to talk to...

@pgporada
Copy link
Member

The WFE does have backends, but helpers.py needs to be changed to fix some OCSP verification checks.

Traceback (most recent call last):
  File "test/integration-test.py", line 146, in <module>
    main()
  File "test/integration-test.py", line 83, in main
    setup_twenty_days_ago()
  File "/boulder/test/helpers.py", line 170, in setup_twenty_days_ago
    f()
  File "/boulder/test/v2_integration.py", line 1696, in ocsp_resigning_setup
    ocsp_response, reason = get_ocsp_response_and_reason(
  File "/boulder/test/v2_integration.py", line 1673, in get_ocsp_response_and_reason
    output = verify_ocsp(cert_file, issuer_glob, url, None)
  File "/boulder/test/helpers.py", line 111, in verify_ocsp
    raise(lastException)
  File "/boulder/test/helpers.py", line 106, in verify_ocsp
    output = try_verify_ocsp(cert_file, issuer_file, url, status, reason)
  File "/boulder/test/helpers.py", line 126, in try_verify_ocsp
    verify_output = ocsp_verify(cert_file, issuer_file, resp)
  File "/boulder/test/helpers.py", line 84, in ocsp_verify
    output = subprocess.check_output([
  File "/usr/lib/python3.8/subprocess.py", line 415, in check_output
    return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
  File "/usr/lib/python3.8/subprocess.py", line 516, in run
    raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '['openssl', 'ocsp', '-no_nonce', '-issuer', 'test/certs/webpki/int-rsa-a.cert.pem', '-cert', '/tmp/tmpizzvdzrw/tmpeg6wmwjs.ocsp_resigning_setup.pem', '-verify_other', 'test/certs/webpki/int-rsa-a.cert.pem', '-CAfile', '/hierarchy/root-rsa.cert.pem', '-respin', '/tmp/tmpizzvdzrw/tmpmm9tej9u']' returned non-zero exit status 1.

The fix to apply is

diff --git a/test/helpers.py b/test/helpers.py
index b0ad43146..3a7e38615 100644
--- a/test/helpers.py
+++ b/test/helpers.py
@@ -86,7 +86,7 @@ def ocsp_verify(cert_file, issuer_file, ocsp_response):
             '-issuer', issuer_file,
             '-cert', cert_file,
             '-verify_other', issuer_file,
-            '-CAfile', '/hierarchy/root-rsa.cert.pem',
+            '-CAfile', 'test/certs/webpki/root-rsa.cert.pem',

When that's done you'll progress to other cert path issues like

--- FAIL: TestAkamaiPurgerDrainQueueFails (0.00s)
    akamai_purger_drain_queue_test.go:76: reading CA cert from "test/grpc-creds/minica.pem": open test/grpc-creds/minica.pem: no such file or directory
--- FAIL: TestAkamaiPurgerDrainQueueSucceeds (0.00s)
    akamai_purger_drain_queue_test.go:108: reading CA cert from "test/grpc-creds/minica.pem": open test/grpc-creds/minica.pem: no such file or directory
FAIL
FAIL    github.com/letsencrypt/boulder/test/integration 28.859s
FAIL
Traceback (most recent call last):
  File "test/integration-test.py", line 146, in <module>
    main()
  File "test/integration-test.py", line 93, in main
    run_go_tests(args.test_case_filter)
  File "test/integration-test.py", line 47, in run_go_tests
    subprocess.check_call(cmdLine, stderr=subprocess.STDOUT)
  File "/usr/lib/python3.8/subprocess.py", line 364, in check_call
    raise CalledProcessError(retcode, cmd)

Hope that helps 👋🏼

@aarongable aarongable marked this pull request as ready for review May 13, 2024 22:16
@aarongable aarongable requested a review from a team as a code owner May 13, 2024 22:16
@aarongable aarongable requested a review from pgporada May 13, 2024 22:16
@github-actions GitHub Actions
Copy link
Contributor

@aarongable, this PR appears to contain configuration and/or SQL schema changes. Please ensure that a corresponding deployment ticket has been filed with the new values.

pgporada
pgporada reviewed May 14, 2024
View reviewed changes
Copy link
Member

@pgporada pgporada left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. I have a few minor things. Feel free to ignore them.

cmd/config_test.go Outdated Show resolved Hide resolved
test/certs/README.md Outdated Show resolved Hide resolved
test/certs/generate.sh Outdated Show resolved Hide resolved
@aarongable
Remove unnecessary test keys (#7486)
ab7e912 
Delete a variety of unused or lightly-used private keys, along with any
dangling references to them.

Part of #7476
@beautifulentropy beautifulentropy merged commit 6ae6aa8 into main May 15, 2024
12 checks passed
@beautifulentropy beautifulentropy deleted the dynamic-test-keys branch May 15, 2024 15:31
vbaranovskiy-plesk pushed a commit to plesk/boulder that referenced this pull request May 30, 2024
@aarongable
Dynamically generate grpc-creds at integration test startup (letsencr…
324ef96 
…ypt#7477)

The summary here is:
- Move test/cert-ceremonies to test/certs
- Move .hierarchy (generated by the above) to test/certs/webpki
- Remove our mapping of .hierarchy to /hierarchy inside docker
- Move test/grpc-creds to test/certs/ipki
- Unify the generation of both test/certs/webpki and test/certs/ipki
into a single script at test/certs/generate.sh
- Make that script the entrypoint of a new docker compose service
- Have t.sh and tn.sh invoke that service to ensure keys and certs are
created before tests run

No production changes are necessary, the config changes here are just
for testing purposes.

Part of letsencrypt#7476
vbaranovskiy-plesk pushed a commit to plesk/boulder that referenced this pull request May 30, 2024
@aarongable
Dynamically generate grpc-creds at integration test startup (letsencr…
c3eb068 
…ypt#7477)

The summary here is:
- Move test/cert-ceremonies to test/certs
- Move .hierarchy (generated by the above) to test/certs/webpki
- Remove our mapping of .hierarchy to /hierarchy inside docker
- Move test/grpc-creds to test/certs/ipki
- Unify the generation of both test/certs/webpki and test/certs/ipki
into a single script at test/certs/generate.sh
- Make that script the entrypoint of a new docker compose service
- Have t.sh and tn.sh invoke that service to ensure keys and certs are
created before tests run

No production changes are necessary, the config changes here are just
for testing purposes.

Part of letsencrypt#7476
vbaranovskiy-plesk pushed a commit to plesk/boulder that referenced this pull request May 31, 2024
@aarongable
Dynamically generate grpc-creds at integration test startup (letsencr…
b3081b8 
…ypt#7477)

The summary here is:
- Move test/cert-ceremonies to test/certs
- Move .hierarchy (generated by the above) to test/certs/webpki
- Remove our mapping of .hierarchy to /hierarchy inside docker
- Move test/grpc-creds to test/certs/ipki
- Unify the generation of both test/certs/webpki and test/certs/ipki
into a single script at test/certs/generate.sh
- Make that script the entrypoint of a new docker compose service
- Have t.sh and tn.sh invoke that service to ensure keys and certs are
created before tests run

No production changes are necessary, the config changes here are just
for testing purposes.

Part of letsencrypt#7476
vbaranovskiy-plesk pushed a commit to plesk/boulder that referenced this pull request May 31, 2024
@aarongable
Dynamically generate grpc-creds at integration test startup (letsencr…
4305106 
…ypt#7477)

The summary here is:
- Move test/cert-ceremonies to test/certs
- Move .hierarchy (generated by the above) to test/certs/webpki
- Remove our mapping of .hierarchy to /hierarchy inside docker
- Move test/grpc-creds to test/certs/ipki
- Unify the generation of both test/certs/webpki and test/certs/ipki
into a single script at test/certs/generate.sh
- Make that script the entrypoint of a new docker compose service
- Have t.sh and tn.sh invoke that service to ensure keys and certs are
created before tests run

No production changes are necessary, the config changes here are just
for testing purposes.

Part of letsencrypt#7476
AlinaADmi pushed a commit to plesk/boulder that referenced this pull request Jul 29, 2024
@aarongable
Dynamically generate grpc-creds at integration test startup (letsencr…
2a660e1 
…ypt#7477)

The summary here is:
- Move test/cert-ceremonies to test/certs
- Move .hierarchy (generated by the above) to test/certs/webpki
- Remove our mapping of .hierarchy to /hierarchy inside docker
- Move test/grpc-creds to test/certs/ipki
- Unify the generation of both test/certs/webpki and test/certs/ipki
into a single script at test/certs/generate.sh
- Make that script the entrypoint of a new docker compose service
- Have t.sh and tn.sh invoke that service to ensure keys and certs are
created before tests run

No production changes are necessary, the config changes here are just
for testing purposes.

Part of letsencrypt#7476
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@beautifulentropy beautifulentropy beautifulentropy approved these changes

@pgporada pgporada pgporada approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@aarongable @pgporada @beautifulentropy