Renewals and getting "Short time" certificate

Working on my client, really want the test code to be as close as possible to the final code.
So I want to test time based renewal. Is there any way to get the staging server to serve me a certificate with a short time to expiration?

While there is no such option, if you revoke the certificate, ARI for that certificate will say 'renew immediately'.

5 Likes

Essentially: no; all certs are for 90 days.
But...
The client determines what is considered "short".

How soon after issuance would you like it to think it is now "short" [on time] and should renew?

6 Likes

This would be possible if you spin up boulder or pebble locally and test against that.

I see lots of people testing against the staging server, and while probably fine, I see that as more once your client is developed and testing for completeness.

For development I find it easier to just run the boulder docker container.

2 Likes

This brings up an interesting question I have. I know the CA will update ARI for certificates it chooses to revoke, but does it do so if the private key holder revokes the certificate?

2 Likes

I believe so ...

3 Likes

You can test your client against the Google Trust services acme service: Request a certificate using Public CA and an ACME client  |  Certificate Manager  |  Google Cloud - it supports notAfter in the order.

5 Likes

I would have expected that this is exactly what Pebble would be good for, but it looks like being able to configure the lifetime has been an open issue for 4 years.

5 Likes

I don't believe Pebble even supports ARI yet.

4 Likes

I assume so. I submitted a suggestion to the ARI spec essentially on this topic last week. tl;dr: IMHO if a client encounters a "renew now" payload, they should log it for manual auditing, because it may be due to an unwanted API action, a mass event, or their configuration/scheduler being broken.

3 Likes

I wasn't really talking about ARI specifically, just configuring certificate duration, so that various time-until-renewal-due scenarios could be tested in a client.

4 Likes

When I wrote ACMEz I tested it using Pebble by making the "renewal window ratio" a constant, and simply changing the ratio to 1 (i.e. renew with 100% of its lifetime left). Then I changed it to 0.99999 (or something; renew after a few seconds, basically), and then I assumed it worked :sweat_smile: So I set it to .33333 (renew in final 1/3 of lifetime) before releasing.

1 Like
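The "renewal window ratio" approach from the post above, written out as an added example (this is illustrative code, not ACMEz's own implementation; the `RenewalPolicy` type and its method names are assumptions). The certificate lifetime is a constructed 90-day window, and the ratio alone decides when renewal is due, which is what lets a client be tested against Pebble without any server-side lifetime option:

```go
package main

import (
	"fmt"
	"time"
)

// RenewalPolicy holds the fraction of a certificate's lifetime that must remain
// before renewal is considered due. 1.0 means "renew as soon as issued", a
// value just under 1.0 means "renew a few seconds after issuance" (both useful
// for testing), and 1.0/3.0 means "renew in the final third" for production.
type RenewalPolicy struct {
	RenewalWindowRatio float64
}

// NeedsRenewal reports whether a certificate valid from notBefore to notAfter
// should be renewed at time now. Lifetime is measured from notBefore, so a
// 90-day certificate with ratio 1/3 becomes due 60 days after issuance.
// An expired or malformed validity period is always reported as due.
func (p RenewalPolicy) NeedsRenewal(notBefore, notAfter, now time.Time) bool {
	lifetime := notAfter.Sub(notBefore)
	if lifetime <= 0 || !now.Before(notAfter) {
		return true
	}
	remaining := notAfter.Sub(now)
	return float64(remaining) <= p.RenewalWindowRatio*float64(lifetime)
}

// RenewAt returns the earliest instant at which NeedsRenewal becomes true,
// handy for logging the scheduled renewal time rather than polling.
func (p RenewalPolicy) RenewAt(notBefore, notAfter time.Time) time.Time {
	lifetime := notAfter.Sub(notBefore)
	window := time.Duration(p.RenewalWindowRatio * float64(lifetime))
	return notAfter.Add(-window)
}

func main() {
	// Constructed 90-day certificate, the lifetime the thread discusses.
	notBefore := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	notAfter := notBefore.Add(90 * 24 * time.Hour)
	for _, ratio := range []float64{1, 0.99999, 1.0 / 3.0} {
		p := RenewalPolicy{RenewalWindowRatio: ratio}
		fmt.Printf("ratio %.5f: renewal due at %s\n",
			ratio, p.RenewAt(notBefore, notAfter).Format(time.RFC3339))
	}
}
```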
