I am using LE Boulder system in test environment to generate a leaf certificate for our use.
The root CA that boulder is using for signing seems to be expiring tomorrow.
openssl x509 -noout -text -in test/test-root.pem |grep Not
Not Before: Oct 21 20:11:52 2015 GMT
Not After : Oct 19 20:11:52 2020 GMT
The system by default seems to be using test/test-root.pem as root CA and test/test-ca2.pem as intermediate CA.
May i know when the root CA will be rotated? Or do i have to make any changes in any boulder configuration to point it to use some other CA?
You're using a local boulder instance, right? In that case you probably could just replace the root cert yourself: the private key is included, so you wouldn't even have to replace the intermediates if you'd generate a root with the same contents and the same keypair, but just set the "Not After" date in the far future.
Also, I'm not sure how your local root would be updated if it is updated in the Boulder source. How do you update Boulder anyway?
@jsha Could you perhaps shed some light on this? Should I open an issue for the upcoming expiry of test-root.pem? Or is that irrelevant due to the updates I mentioned above?
Yes, i am using a local boulder instance. Ok, i will try replacing the root CA cert by generating one using the "test-root.key".
For updating, i am just pulling the updated source code from git and restarting my instance.
(Note: I still haven't tried with the updated git source, i just compared the test-root.pem with updated source and it seems to be same)
@Osiris is on the money, #4832 changed things so that when you run Boulder via docker-compose, it generates everything using the certificate ceremony tool, the configuration for which you can find here.
So if you intend to use the older release of Boulder, you will have to replace the static root CA and intermediates yourself.
@_az But @shobhit doesn't run a docker instance, at least I think that's not the case, as he/she's pulling the code directly from git. Does that change anything?
I think it's quite likely that OP is running Boulder via the docker-compose setup that comes with the repo. I can't imagine that anybody outside of the Let's Encrypt team has the slightest clue how to run it otherwise, there's an incredible number of moving parts.
Something like below:
docker-compose run --use-aliases -e FAKE_DNS=127.0.0.1 --service-ports boulder ./start.py
I will try updating the root CA/Intermediate CA (locally generated one), and keep using the older Boulder release (starting it via docker-compose).
We will plan to update the boulder release later.
Well spotted, @Osiris! You're correct, test-root.pem isn't used in our integration tests (or docker-compose up) anymore. It's still used in some unittests but we'd like to clean that up.