use our own boulder rate limit file (#9889)

* use our own rate limit file * clarify path
2026-01-26 07:41:33 +03:00 · 2024-02-07 17:33:07 -08:00
parent b7ef536ec3
commit 8b5a017b05
2 changed files with 65 additions and 3 deletions
--- a/certbot-ci/certbot_integration_tests/assets/boulder-rate-limit-policies.yml
+++ b/certbot-ci/certbot_integration_tests/assets/boulder-rate-limit-policies.yml
@@ -0,0 +1,55 @@
+# See https://github.com/letsencrypt/boulder/blob/main/cmd/shell.go for
+# definitions of these rate limits.
+certificatesPerName:
+  window: 2160h
+  threshold: 99
+  overrides:
+    ratelimit.me: 1
+    lim.it: 0
+    # Hostnames used by the letsencrypt client integration test.
+    le.wtf: 9999
+    le1.wtf: 9999
+    le2.wtf: 9999
+    le3.wtf: 9999
+    le4.wtf: 9999
+    nginx.wtf: 9999
+    good-caa-reserved.com: 9999
+    bad-caa-reserved.com: 9999
+    ecdsa.le.wtf: 9999
+    must-staple.le.wtf: 9999
+  registrationOverrides:
+    101: 1000
+registrationsPerIP:
+  window: 168h # 1 week
+  threshold: 9999
+  overrides:
+    127.0.0.1: 999990
+registrationsPerIPRange:
+  window: 168h # 1 week
+  threshold: 99999
+  overrides:
+    127.0.0.1: 1000000
+pendingAuthorizationsPerAccount:
+  window: 168h # 1 week, should match pending authorization lifetime.
+  threshold: 999
+newOrdersPerAccount:
+  window: 3h
+  threshold: 9999
+certificatesPerFQDNSet:
+  window: 168h
+  threshold: 99999
+  overrides:
+    le.wtf: 9999
+    le1.wtf: 9999
+    le2.wtf: 9999
+    le3.wtf: 9999
+    le.wtf,le1.wtf: 9999
+    good-caa-reserved.com: 9999
+    nginx.wtf: 9999
+    ecdsa.le.wtf: 9999
+    must-staple.le.wtf: 9999
+certificatesPerFQDNSetFast:
+  window: 2h
+  threshold: 20
+  overrides:
+    le.wtf: 9
--- a/certbot-ci/certbot_integration_tests/utils/acme_server.py
+++ b/certbot-ci/certbot_integration_tests/utils/acme_server.py
@@ -29,6 +29,11 @@ from certbot_integration_tests.utils import pebble_artifacts
 from certbot_integration_tests.utils import proxy
 from certbot_integration_tests.utils.constants import *

+if sys.version_info >= (3, 9):  # pragma: no cover
+    import importlib.resources as importlib_resources
+else:  # pragma: no cover
+    import importlib_resources
+

 class ACMEServer:
    """
@@ -185,8 +190,10 @@ class ACMEServer:
        process.wait(MAX_SUBPROCESS_WAIT)

        # Allow Boulder to ignore usual limit rate policies, useful for tests.
-        os.rename(join(instance_path, 'test/rate-limit-policies-b.yml'),
-                  join(instance_path, 'test/rate-limit-policies.yml'))
+        ref = importlib_resources.files("certbot_integration_tests")
+        ref = ref / "assets" / "boulder-rate-limit-policies.yml"
+        with importlib_resources.as_file(ref) as path:
+            shutil.copyfile(path, join(instance_path, 'test/rate-limit-policies.yml'))

        if self._dns_server:
            # Change Boulder config to use the provided DNS server
@@ -215,7 +222,7 @@ class ACMEServer:
            # Wait for the ACME CA server to be up.
            print('=> Waiting for boulder instance to respond...')
            misc.check_until_timeout(
-                self.acme_xdist['directory_url'], attempts=300)
+                self.acme_xdist['directory_url'], attempts=480)

            if not self._dns_server:
                # Configure challtestsrv to answer any A record request with ip of the docker host.