diff --git a/certbot-ci/certbot_integration_tests/assets/boulder-rate-limit-policies.yml b/certbot-ci/certbot_integration_tests/assets/boulder-rate-limit-policies.yml
new file mode 100644
index 000000000..289de7021
--- /dev/null
+++ b/certbot-ci/certbot_integration_tests/assets/boulder-rate-limit-policies.yml
@@ -0,0 +1,55 @@
+# See https://github.com/letsencrypt/boulder/blob/main/cmd/shell.go for
+# definitions of these rate limits.
+certificatesPerName:
+ window: 2160h
+ threshold: 99
+ overrides:
+ ratelimit.me: 1
+ lim.it: 0
+ # Hostnames used by the letsencrypt client integration test.
+ le.wtf: 9999
+ le1.wtf: 9999
+ le2.wtf: 9999
+ le3.wtf: 9999
+ le4.wtf: 9999
+ nginx.wtf: 9999
+ good-caa-reserved.com: 9999
+ bad-caa-reserved.com: 9999
+ ecdsa.le.wtf: 9999
+ must-staple.le.wtf: 9999
+ registrationOverrides:
+ 101: 1000
+registrationsPerIP:
+ window: 168h # 1 week
+ threshold: 9999
+ overrides:
+ 127.0.0.1: 999990
+registrationsPerIPRange:
+ window: 168h # 1 week
+ threshold: 99999
+ overrides:
+ 127.0.0.1: 1000000
+pendingAuthorizationsPerAccount:
+ window: 168h # 1 week, should match pending authorization lifetime.
+ threshold: 999
+newOrdersPerAccount:
+ window: 3h
+ threshold: 9999
+certificatesPerFQDNSet:
+ window: 168h
+ threshold: 99999
+ overrides:
+ le.wtf: 9999
+ le1.wtf: 9999
+ le2.wtf: 9999
+ le3.wtf: 9999
+ le.wtf,le1.wtf: 9999
+ good-caa-reserved.com: 9999
+ nginx.wtf: 9999
+ ecdsa.le.wtf: 9999
+ must-staple.le.wtf: 9999
+certificatesPerFQDNSetFast:
+ window: 2h
+ threshold: 20
+ overrides:
+ le.wtf: 9
diff --git a/certbot-ci/certbot_integration_tests/utils/acme_server.py b/certbot-ci/certbot_integration_tests/utils/acme_server.py
index b75c412d5..78fb628f1 100755
--- a/certbot-ci/certbot_integration_tests/utils/acme_server.py
+++ b/certbot-ci/certbot_integration_tests/utils/acme_server.py
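Review bot: Nothing in the new file records which Boulder revision its schema was taken from, and the header link targets `blob/main/cmd/shell.go`, a moving branch, so when Boulder renames or adds a limit this frozen copy will break the integration run with no pointer to what drifted. The companion hunk in acme_server.py drops the rename of Boulder's own `test/rate-limit-policies-b.yml`, so this file is presumably a snapshot of that one; I'd say so in the header, e.g. `# Snapshot of boulder's test/rate-limit-policies-b.yml; re-sync whenever the Boulder revision pinned by acme_server.py changes.`, and point the link at a tagged commit rather than `main`. The permissive thresholds and the `127.0.0.1` overrides are fine for a test-only CA.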
@@ -29,6 +29,11 @@ from certbot_integration_tests.utils import pebble_artifacts
 from certbot_integration_tests.utils import proxy
 from certbot_integration_tests.utils.constants import *
 
+if sys.version_info >= (3, 9): # pragma: no cover
+ import importlib.resources as importlib_resources
+else: # pragma: no cover
+ import importlib_resources
+
 
 class ACMEServer:
 """
@@ -185,8 +190,10 @@ class ACMEServer:
 process.wait(MAX_SUBPROCESS_WAIT)
 
 # Allow Boulder to ignore usual limit rate policies, useful for tests.
- os.rename(join(instance_path, 'test/rate-limit-policies-b.yml'),
- join(instance_path, 'test/rate-limit-policies.yml'))
+ ref = importlib_resources.files("certbot_integration_tests")
+ ref = ref / "assets" / "boulder-rate-limit-policies.yml"
+ with importlib_resources.as_file(ref) as path:
+ shutil.copyfile(path, join(instance_path, 'test/rate-limit-policies.yml'))
 
 if self._dns_server:
 # Change Boulder config to use the provided DNS server
@@ -215,7 +222,7 @@ class ACMEServer:
 # Wait for the ACME CA server to be up.
 print('=> Waiting for boulder instance to respond...')
 misc.check_until_timeout(
- self.acme_xdist['directory_url'], attempts=300)
+ self.acme_xdist['directory_url'], attempts=480)
 
 if not self._dns_server:
 # Configure challtestsrv to answer any A record request with ip of the docker host.
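Review bot: The `else` branch pulls in the third-party `importlib_resources` backport on Python < 3.9, and the `files()`/`as_file()` API the later hunk relies on only exists in that backport from 1.3 onward; the packaging metadata is not in this diff, so confirm certbot-ci's install requirements declare `importlib_resources>=1.3.1; python_version < "3.9"`, otherwise the 3.7/3.8 jobs fail at import time. `sys` is used here without an import in the hunk, which is presumably already at the top of the file. A one-line comment would make the split self-explanatory: `# importlib.resources.files() is stdlib from 3.9; the backport offers the same API on older interpreters`.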
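Review bot: `shutil.copyfile` is a new name for this block and the import is not in the hunk; the removed code only needed `os`, so confirm `shutil` is already imported at the top of `acme_server.py` before merging. There is also a quiet behaviour change worth documenting: the old `os.rename` failed loudly if the pinned Boulder stopped shipping `test/rate-limit-policies-b.yml`, whereas `copyfile` now silently overwrites `test/rate-limit-policies.yml` with a copy frozen in this repo, so schema drift will surface only as Boulder failing to start much later. I'd replace the existing comment with `# Overwrite Boulder's shipped policy with our permissive copy; update assets/boulder-rate-limit-policies.yml when the pinned Boulder changes its rate-limit config format.` The enclosing method starts and ends outside the hunk.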
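Review bot: `attempts=480` replaces `300` as a bare magic number with nothing saying why the startup wait grew, presumably because Boulder takes longer to build and come up on a cold CI runner. The file already takes `MAX_SUBPROCESS_WAIT` from `constants` via the star import, so either name this one the same way (`BOULDER_STARTUP_ATTEMPTS = 480` there and `attempts=BOULDER_STARTUP_ATTEMPTS` here) or at least add `# Boulder is compiled on first start; allow several minutes before giving up` next to the call. The enclosing method starts and ends outside the hunk.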