
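#!/bin/bash
# Generates the test-only PKI fixtures used by the test suite:
#   ipki/   - internal PKI, minica-issued certs for Boulder's own services
#   webpki/ - produced by webpki.go, which drives the ceremony tool
# Each tree is only generated when its directory does not exist yet.
set -e

# Run from the directory containing this script, whatever the caller's cwd is.
# Both command substitutions are quoted so a path containing spaces survives.
cd "$(realpath -- "$(dirname -- "$0")")"

# Check that `minica` is installed
command -v minica >/dev/null 2>&1 || {
  printf '%s\n' "No 'minica' command available." >&2
  printf '%s\n' "Check your GOPATH and run: 'go install github.com/jsha/minica@latest'." >&2
  exit 1
}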
    12  
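#######################################
# Generate the internal PKI under ./ipki using minica.
# Runs in a subshell: the cd below does not leak into the parent script.
# Arguments: none
# Outputs:   minica key/cert files under ./ipki
# Returns:   non-zero if any minica invocation (including background ones)
#            fails; set -e then aborts the caller
#######################################
ipki() (
  # Minica generates everything in-place, so we need to cd into the subdirectory.
  # This function executes in a subshell, so this cd does not affect the parent
  # script.
  mkdir ipki
  cd ipki

  # Create a generic cert which can be used by our test-only services that
  # aren't sophisticated enough to present a different name. This first
  # invocation also creates the issuer key, so the loops below can run in the
  # background without racing to create it.
  minica -domains localhost --ip-addresses 127.0.0.1

  # Used by challtestsrv to negotiate DoH handshakes. Even though we think of
  # challtestsrv as being external to our infrastructure (because it hosts the
  # DNS records that the tests validate), it *also* takes the place of our
  # recursive resolvers, so the DoH certificate that it presents to the VAs is
  # part of our internal PKI.
  minica -ip-addresses 10.77.77.77,10.88.88.88

  # Presented by the WFE's TLS server, when configured. Normally the WFE lives
  # behind another TLS-terminating server like nginx or apache, so the cert that
  # it presents to that layer is also part of the internal PKI.
  minica -domains "boulder"

  # Presented by the test redis cluster. Contains IP addresses because Boulder
  # components find individual redis servers via SRV records.
  minica -domains redis -ip-addresses 10.77.77.4,10.77.77.5

  # The per-service certs are generated in parallel. `set -e` does not notice a
  # failing background job and a bare `wait` always returns 0, so each PID is
  # recorded and waited for individually; a failed job then aborts this
  # subshell instead of leaving a partial ipki/ that later runs would reuse.
  local -a pids=()
  local service pid

  # Used by Boulder gRPC services as both server and client mTLS certificates.
  for service in admin consul wfe bad-key-revoker \
    crl-updater crl-storer health-checker sfe email-exporter; do
    minica -domains "${service}.boulder" &
    pids+=("$!")
  done

  # Same as above, for services that we run multiple copies of.
  for service in publisher nonce ra ca sa va rva; do
    minica -domains "${service}.boulder,${service}1.boulder,${service}2.boulder" &
    pids+=("$!")
  done

  for pid in "${pids[@]}"; do
    wait "$pid"
  done

  # minica sets restrictive directory permissions, but we don't want that for
  # these test-only fixtures.
  chmod -R go+rX .
)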
    58  
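#######################################
# Generate the web PKI under ./test/certs/webpki by running webpki.go.
# Runs in a subshell: the cd below does not leak into the parent script.
# Arguments: none
# Outputs:   files written by webpki.go under ./test/certs/webpki
# Returns:   non-zero if the build or the generator fails
#######################################
webpki() (
  # Because it invokes the ceremony tool, webpki.go expects to be invoked with
  # the root of the boulder repo as the current working directory.
  # This function executes in a subshell, so this cd does not affect the parent
  # script.
  cd ../..
  make build

  # The top-level script only regenerates webpki/ when the directory is absent,
  # so a half-written directory left behind by a failed run would be silently
  # reused next time. Remove it if generation fails; `mkdir` has just created
  # it, so nothing pre-existing is touched.
  local out_dir="./test/certs/webpki"
  mkdir -- "$out_dir"
  if ! go run ./test/certs/webpki.go; then
    rm -rf -- "${out_dir:?}"
    exit 1
  fi
)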
    69  
# Each PKI tree is generated only when its directory is missing; delete the
# directory to force regeneration.
if [[ ! -d ipki ]]; then
  printf '%s\n' "Generating ipki/..."
  ipki
fi

if [[ ! -d webpki ]]; then
  printf '%s\n' "Generating webpki/..."
  webpki
fi