github.com/letsencrypt/boulder@v0.20251208.0/test/integration/ratelimit_test.go (about)

     1  //go:build integration
     2  
     3  package integration
     4  
     5  import (
     6  	"crypto/rand"
     7  	"encoding/hex"
     8  	"fmt"
     9  	"testing"
    10  
    11  	"github.com/eggsampler/acme/v3"
    12  
    13  	"github.com/letsencrypt/boulder/test"
    14  )
    15  
// TestDuplicateFQDNRateLimit verifies that issuance for one exact set of
// identifiers is refused once two certificates for that same set have already
// been issued.
func TestDuplicateFQDNRateLimit(t *testing.T) {
	t.Parallel()

	const profile = "shortlived"

	// One random DNS name plus a fixed IP address; the same set is submitted
	// on every attempt below.
	names := []acme.Identifier{
		{Type: "dns", Value: random_domain()},
		{Type: "ip", Value: "64.112.117.122"},
	}

	// The global limit on duplicate certificates is 2 per 3 hours, so the
	// first two orders must go through.
	for _, failMsg := range []string{
		"Failed to issue first certificate",
		"Failed to issue second certificate",
	} {
		_, err := authAndIssue(nil, nil, names, true, profile)
		test.AssertNotError(t, err, failMsg)
	}

	// The third identical order has to be rejected by the rate limiter.
	_, err := authAndIssue(nil, nil, names, true, profile)
	test.AssertError(t, err, "Somehow managed to issue third certificate")

	// NOTE(review): err.Error() is only safe here if test.AssertError stops
	// the test on a nil error; confirm against the test helper package.
	test.AssertContains(t, err.Error(), "too many certificates (2) already issued for this exact set of identifiers in the last 3h0m0s")
}
    35  
// TestCertificatesPerDomain verifies that a third certificate under one
// registered domain is refused after two have been issued, and that re-issuing
// for an already-certified name is still allowed as a renewal.
func TestCertificatesPerDomain(t *testing.T) {
	t.Parallel()

	baseDomain := random_domain()

	// dnsIdent wraps a single hostname in the identifier list authAndIssue takes.
	dnsIdent := func(name string) []acme.Identifier {
		return []acme.Identifier{{Type: "dns", Value: name}}
	}

	// newSubDomain returns a name under baseDomain whose leftmost label is
	// three random bytes, hex-encoded to six characters.
	newSubDomain := func() string {
		var label [3]byte
		// The error from rand.Read is discarded. NOTE(review): on Go
		// toolchains older than 1.24 a failed read would leave the label
		// zeroed, so every call would return the same name; confirm the
		// module's minimum Go version.
		rand.Read(label[:])
		return hex.EncodeToString(label[:]) + "." + baseDomain
	}

	renewalName := newSubDomain()
	_, err := authAndIssue(nil, nil, dnsIdent(renewalName), true, "")
	test.AssertNotError(t, err, "Failed to issue first certificate")

	_, err = authAndIssue(nil, nil, dnsIdent(newSubDomain()), true, "")
	test.AssertNotError(t, err, "Failed to issue second certificate")

	// A third distinct name under the same domain must hit the limit of
	// 2 certificates per 2160h (90 days).
	_, err = authAndIssue(nil, nil, dnsIdent(newSubDomain()), true, "")
	test.AssertError(t, err, "Somehow managed to issue third certificate")

	wantMsg := fmt.Sprintf("too many certificates (2) already issued for %q in the last 2160h0m0s", baseDomain)
	test.AssertContains(t, err.Error(), wantMsg)

	// Ordering again for the first subdomain should succeed because it counts
	// as a renewal.
	_, err = authAndIssue(nil, nil, dnsIdent(renewalName), true, "")
	test.AssertNotError(t, err, "Failed to issue renewal certificate")
}