Separate TLS-ALPN-01 and HTTPS HTTP-01 in challtestsrv #3962
Labels
Comments
This was referenced Nov 30, 2018
cpu
pushed a commit
to letsencrypt/challtestsrv
that referenced
this issue
Dec 5, 2018
Boulder has a nice handy [`challtestsrv` package and command](https://github.com/letsencrypt/boulder/tree/9e39680e3f78c410e2d780a7badfe200a31698eb/test/challtestsrv) used for integration tests. Its small and useful enough to live in its own repo. This will make it easy for Boulder's load-generator to use the common package and for Pebble's pebble-challtestsrv command to use it as well. The `challtestsrv` package is ported over from Boulder mostly-as is with a few small improvements. Notably: * The TLS-ALPN-01 and HTTPS HTTP-01 features were split into two separate binds. This helps us preserve strict TLS-ALPN-01 challenge responses while also supporting HTTP-01 -> HTTPS HTTP-01 redirects. (See letsencrypt/boulder#3962) * The "FAKE_DNS" env var is removed. Now there is a default IPv4 and a default IPv6 address that can be set via the management API. These default addresses are used for A/AAAA query responses when there is not a more specific mock. * Hardcoded Boulder specific mock DNS data is removed. In its place are new management API functions for adding/removing mock A, AAAA, and CAA records * The output is less noisy now. The DNS server no longer prints a line per reply.
jsha
added a commit
to letsencrypt/challtestsrv
that referenced
this issue
Dec 6, 2018
Boulder has a nice handy [`challtestsrv` package and command][1] used for integration tests. It's small, stand-alone, and useful enough to live in its own repo. This will make it easy for Boulder's load-generator to use the common package and for Pebble's pebble-challtestsrv command to use it as well. The `challtestsrv` package is ported over from Boulder mostly-as is with a few small improvements. Notably: * The TLS-ALPN-01 and HTTPS HTTP-01 features were split into two separate binds. This helps us preserve strict TLS-ALPN-01 challenge responses while also supporting HTTP-01 -> HTTPS HTTP-01 redirects. (See letsencrypt/boulder#3962) * The "FAKE_DNS" env var is removed. Now there is a default IPv4 and a default IPv6 address that can be set via the management API. These default addresses are used for A/AAAA query responses when there is not a more specific mock. * Hardcoded Boulder specific mock DNS data is removed. In its place are new management API functions for adding/removing mock A, AAAA, and CAA records * The output is less noisy now. The DNS server no longer prints a line per reply. [1]: https://github.com/letsencrypt/boulder/tree/9e39680e3f78c410e2d780a7badfe200a31698eb/test/challtestsrv
cpu
added a commit
that referenced
this issue
Dec 12, 2018
Now that Pebble has a `pebble-challtestsrv` we can remove the `challtestrv` package and associated command from Boulder. I switched CI to use `pebble-challtestsrv`. Notably this means that we have to add our expected mock data using the HTTP management interface. The Boulder-tools images are regenerated to include the `pebble-challtestsrv` command. Using this approach also allows separating the TLS-ALPN-01 and HTTPS HTTP-01 challenges by binding each challenge type in the `pebble-challtestsrv` to different interfaces both using the same VA HTTPS port. Mock DNS directs the VA to the correct interface. The load-generator command that was previously using the `challtestsrv` package from Boulder is updated to use a vendored copy of the new `github.org/letsencrypt/challtestsrv` package. Vendored dependencies change in two ways: 1) Gomock is updated to the latest release (matching what the Bouldertools image provides) 2) A couple of new subpackages in `golang.org/x/net/` are added by way of transitive dependency through the challtestsrv package. Unit tests are confirmed to pass for `gomock`: ``` ~/go/src/github.com/golang/mock/gomock$ git log --pretty=format:'%h' -n 1 51421b9 ~/go/src/github.com/golang/mock/gomock$ go test ./... ok github.com/golang/mock/gomock 0.002s ? github.com/golang/mock/gomock/internal/mock_matcher [no test files] ``` For `/x/net` all tests pass except two `/x/net/icmp` `TestDiag.go` test cases that we have agreed are OK to ignore. Resolves #3962 and #3951
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In #3960 I implemented the HTTPS HTTP-01 support using the TLS-ALPN-01 server so that we could have one binary bound to the VA's HTTPS port. A side-effect of this was removing an error that would be returned if the VA ever created a TLS-ALPN-01 request with an incorrect
SupportedProtosvalue in the TLS client hello.Discussing this with the other boulderdevs the best path forward seems to be creating another bind interface for HTTPS HTTP-01, removing the self-signed cert code from the TLS-ALPN-01 server (restoring the error), and starting the challtestsrv with HTTPS HTTP-01 bound to :443 on one interface and TLS-ALPN-01 bound to :443 on another. We'll use fake DNS entries to direct challenge integration tests to the correct interface based on the hostname being tested.
Since this is a little bit involved we plan to merge #3960 knowing it slightly reduces our TLS-ALPN-01 test confidence and this issue can be tackled as a follow-up to restore that confidence while maintaining the other new integration tests & bugfixes.
The text was updated successfully, but these errors were encountered: