mattjackson220 opened a new pull request #4625: updated to store Lets Encrypt user account information
URL: https://github.com/apache/trafficcontrol/pull/4625

## What does this PR (Pull Request) do?

- [x] This PR is not related to any Issue

This PR updates the Let's Encrypt integration to store user account information in order to use it later and avoid LE's rate limits.

## Which Traffic Control components are affected by this PR?

- Documentation
- Traffic Ops

## What is the best way to verify this PR?

Run this version of TO in an environment that is publicly accessible.

Ensure that an email address has been provided for Let's Encrypt and that it is pointed to the LE staging environment in the cdn.conf file like so:

```
"lets_encrypt" : {
    "user_email" : "youremail",
    "send_expiration_email": false,
    "convert_self_signed": false,
    "renew_days_before_expiration": 30,
    "environment": "staging"
}
```

Go to an https enabled delivery service and generate new certs using Let's Encrypt. Verify that it works and that the account information is now stored in the lets_encrypt_account table.

Re-generate new certificates and verify that it

1) successfully gets new certs
2) does NOT store anything in the dnschallenges table (when using a user account for a domain for which you've already proven ownership this is not necessary)
3) a debug level alert was logged in TO saying "Found existing account with Let's Encrypt"

Then regenerate new certs over 50 times. In staging the rate limit is 50 new accounts per 3 hours from a single IP address, so if it goes over 50 successfully then it has successfully used your account to bypass the rate limit.

Note: 50 sounds really high, but in their prod environment it's 10, so that is why this is important.

## If this is a bug fix, what versions of Traffic Control are affected?

## The following criteria are ALL met by this PR

This PR does not require test or CHANGELOG updates as it is an upgrade / bug fix for existing code

- [x] I have explained why tests are unnecessary
- [x] This PR includes documentation
- [x] This PR does not require an update to CHANGELOG.md
- [x] This PR includes any and all required license headers
- [x] This PR does not include a database migration
- [x] This PR **DOES NOT FIX A SERIOUS SECURITY VULNERABILITY** (see [the Apache Software Foundation's security guidelines](https://www.apache.org/security/) for details)

## Additional Information

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at: [email protected]

With regards,
Apache Git Services
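
The register-versus-reuse behaviour that the verification steps above exercise, as an added Go example that is not part of the PR or of Traffic Ops. `fakeCA`, `acctKey`, `accountStore`, `issue` and `successfulRuns` are hypothetical names; the in-memory map stands in for the lets_encrypt_account table, and keying it by environment as well as email is an assumption.

```go
package main

import "fmt"

// fakeCA is a constructed stand-in for the CA: it enforces only the new-accounts-per-IP limit.
type fakeCA struct{ limit, registered int }

func (ca *fakeCA) register() (string, error) {
	if ca.registered >= ca.limit {
		return "", fmt.Errorf("too many new accounts from this IP")
	}
	ca.registered++
	return fmt.Sprintf("acct-%d", ca.registered), nil
}

// acctKey includes the environment (assumption): staging and production accounts are separate.
type acctKey struct{ email, env string }

// accountStore is a hypothetical in-memory stand-in for the lets_encrypt_account table.
type accountStore map[acctKey]string

// issue models one certificate generation; a nil store models registering on every run.
func issue(ca *fakeCA, store accountStore, k acctKey) error {
	if _, ok := store[k]; ok {
		return nil // existing account found, no new registration is counted
	}
	id, err := ca.register()
	if err != nil {
		return err
	}
	if store != nil {
		store[k] = id // persist so the next run reuses this account
	}
	return nil
}

// successfulRuns reports how many of n runs succeed before the CA refuses a registration.
func successfulRuns(n, limit int, store accountStore) int {
	ca := &fakeCA{limit: limit}
	for i := 0; i < n; i++ {
		if issue(ca, store, acctKey{"youremail", "staging"}) != nil {
			return i
		}
	}
	return n
}

func main() {
	fmt.Println(successfulRuns(60, 50, nil), successfulRuns(60, 50, accountStore{}))
}
```
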
