Working on my client, really want the test code to be as close as possible to the final code.
So I want to test time based renewal. Is there any way to get the staging server to serve me a certificate with a short time to expiration?
While there is no such option, if you revoke the certificate, ARI for that certificate will say 'renew immediately'.
Essentially: no; all certs are for 90 days.
But...
The client determines what is considered "short".
How soon after issuance would you like it to think it is now "short" [on time] and should renew?
This would be possible if you spin up Boulder or Pebble locally and test against that.
I see lots of people testing against the staging server, and while that is probably fine, I see that as more for once your client is developed and you're testing for completeness.
For development I find it easier to just run the Boulder Docker container.
This brings up an interesting question I have. I know the CA will update ARI for certificates it chooses to revoke, but does it do so if the private key holder revokes the certificate?
I believe so ...
You can test your client against the Google Trust Services ACME service: "Request a certificate using Public CA and an ACME client | Certificate Manager | Google Cloud" - it supports notAfter in the order.
I would have expected that this is exactly what Pebble would be good for, but it looks like being able to configure the lifetime has been an open issue for 4 years‽
I don't believe Pebble even supports ARI yet.
I assume so. I submitted a suggestion to the ARI spec essentially on this topic last week. tl;dr: IMHO if a client encounters a "renew now" payload, it should log it for manual auditing, because it may be due to an unwanted API action, a mass event, or because their configuration/scheduler is broken.
I wasn't really talking about ARI specifically, just configuring certificate duration, so that various time-until-renewal-due scenarios could be tested in a client.
When I wrote ACMEz I tested it using Pebble by making the "renewal window ratio" a constant, and simply changing the ratio to 1 (i.e. renew with 100% of its lifetime left). Then I changed it to 0.99999 (or something; renew after a few seconds, basically), and then I assumed it worked. So I set it to 0.33333 (renew in final 1/3 of lifetime) before releasing.
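The "renewal window ratio" approach from the post above, plus the earlier point that an already-open ARI window should trigger renewal and be logged for auditing, as an added example (not code from ACMEz or any other project; the `ariWindow` shape and the `log` callback are assumptions for illustration):

```go
package main

import (
	"fmt"
	"time"
)

// renewalDue reports whether a certificate valid over [notBefore, notAfter]
// is due for renewal at time now, given the fraction of its lifetime that
// must still remain when renewal is triggered. ratio=1 renews right after
// issuance; ratio=0.99999 renews after roughly a minute of a 90-day cert;
// ratio=1/3 renews in the final third of the lifetime.
func renewalDue(notBefore, notAfter, now time.Time, ratio float64) bool {
	lifetime := notAfter.Sub(notBefore)
	if lifetime <= 0 {
		return true // malformed or already expired: renew
	}
	remaining := notAfter.Sub(now)
	return float64(remaining) <= ratio*float64(lifetime)
}

// ariWindow is an assumed representation of an ARI suggested renewal window.
type ariWindow struct {
	Start, End time.Time
}

// decide combines the time-based check with an optional ARI window. A window
// whose start is already in the past means "renew now"; that case is logged
// so an unexpected immediate-renewal signal can be audited later.
func decide(notBefore, notAfter, now time.Time, ratio float64, ari *ariWindow, log func(string)) bool {
	if ari != nil && !now.Before(ari.Start) {
		log(fmt.Sprintf("ARI window already open (%s..%s): renewing now; check for revocation or scheduler problems",
			ari.Start.Format(time.RFC3339), ari.End.Format(time.RFC3339)))
		return true
	}
	return renewalDue(notBefore, notAfter, now, ratio)
}

func main() {
	// Constructed sample: a 90-day certificate checked 10 days after issuance.
	issued := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	expires := issued.Add(90 * 24 * time.Hour)
	now := issued.Add(10 * 24 * time.Hour)
	for _, r := range []float64{1, 0.99999, 1.0 / 3} {
		fmt.Printf("ratio %.5f, 10 days in: due=%v\n", r, renewalDue(issued, expires, now, r))
	}
	win := &ariWindow{Start: now.Add(-time.Hour), End: now.Add(time.Hour)}
	fmt.Println("with open ARI window:", decide(issued, expires, now, 1.0/3, win, func(s string) { fmt.Println("AUDIT:", s) }))
}
```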