mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 13:51:36 +00:00
feat(M45): ACME certificate profile selection, ARI RFC 9773 renumber, 45-day renewal positioning
Three related ACME ecosystem changes shipped as a single milestone: 1. ACME Certificate Profile Selection: Custom JWS-signed newOrder POST with `profile` field (e.g., `tlsserver`, `shortlived` for 6-day certs) bypassing acme.Client.AuthorizeOrder() since golang.org/x/crypto lacks profile support. ES256 JWS signing with kid mode, nonce management, directory discovery. Empty profile delegates to standard library path (zero behavior change). Configurable via CERTCTL_ACME_PROFILE env var. GUI: profile dropdown on ACME issuer config. 2. ARI RFC 9702 → 9773 Renumber: All 25+ references updated across Go source, docs, README, and examples. Zero remaining occurrences of RFC 9702. 3. 45-Day / Short-Lived Certificate Positioning: 5 domain tests validating renewal thresholds against SC-081v3 validity reduction timeline (200→100→47 days) and Let's Encrypt 45-day/6-day profiles. ARI (RFC 9773) is the expected renewal path for 6-day shortlived certs. New tests: 13 profile + 5 domain threshold + 1 frontend = 19 new tests. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
shankar0123
@@ -2,7 +2,7 @@ package domain
|
||||
|
||||
import "time"
|
||||
|
||||
// RenewalInfo represents ACME Renewal Information (ARI) per RFC 9702.
|
||||
// RenewalInfo represents ACME Renewal Information (ARI) per RFC 9773.
|
||||
// It provides CA-directed renewal timing via a suggested renewal window.
|
||||
type RenewalInfo struct {
|
||||
// SuggestedWindowStart is the beginning of the time window during which the CA suggests renewal.
|
||||
@@ -27,7 +27,7 @@ func (r *RenewalInfo) ShouldRenewNow() bool {
|
||||
}
|
||||
|
||||
// OptimalRenewalTime returns the midpoint of the suggested renewal window,
|
||||
// which is the recommended time to initiate renewal per RFC 9702.
|
||||
// which is the recommended time to initiate renewal per RFC 9773.
|
||||
// This can be used for scheduling if the current time is before the window.
|
||||
func (r *RenewalInfo) OptimalRenewalTime() time.Time {
|
||||
duration := r.SuggestedWindowEnd.Sub(r.SuggestedWindowStart)
|
||||
|
||||
@@ -78,3 +78,129 @@ func TestRenewalPolicy_EffectiveAlertThresholds_Nil(t *testing.T) {
|
||||
t.Errorf("expected %d thresholds, got %d", len(expected), len(result))
|
||||
}
|
||||
}
|
||||
|
||||
// --- 45-Day / Short-Lived Certificate Renewal Threshold Tests ---
|
||||
// These tests validate that certctl's renewal logic works correctly with shorter-lived
|
||||
// certificates as the industry transitions from 90-day to 45-day validity (SC-081v3)
|
||||
// and Let's Encrypt introduces 6-day "shortlived" profiles.
|
||||
|
||||
func TestRenewalThresholds_45DayCert(t *testing.T) {
|
||||
// A 45-day cert with default thresholds [30, 14, 7, 0]:
|
||||
// - 30-day alert fires when cert is 15 days old (45 - 30 = 15 days remaining)
|
||||
// - 14-day alert fires when cert is 31 days old
|
||||
// - 7-day alert fires when cert is 38 days old
|
||||
// - 0-day alert fires at expiry
|
||||
// The 30-day threshold fires at the 1/3 lifetime mark — this is correct
|
||||
// (Let's Encrypt recommends renewal at 2/3 through lifetime, i.e. day 30).
|
||||
thresholds := DefaultAlertThresholds()
|
||||
|
||||
certLifetimeDays := 45
|
||||
for _, threshold := range thresholds {
|
||||
daysCertAge := certLifetimeDays - threshold
|
||||
if daysCertAge < 0 {
|
||||
t.Errorf("threshold %d days exceeds cert lifetime %d days", threshold, certLifetimeDays)
|
||||
}
|
||||
}
|
||||
|
||||
// Verify the first alert (30 days) fires when 15 days remain
|
||||
// This means the cert is 15 days old — at 1/3 of its lifetime
|
||||
firstAlertDaysRemaining := certLifetimeDays - (certLifetimeDays - thresholds[0])
|
||||
if firstAlertDaysRemaining != 30 {
|
||||
t.Errorf("expected first alert at 30 days remaining, got %d", firstAlertDaysRemaining)
|
||||
}
|
||||
|
||||
// The renewal window query (31 days ahead) will find 45-day certs
|
||||
// when they have 31 or fewer days remaining — at day 14 of a 45-day cert.
|
||||
renewalWindowDays := 31
|
||||
certAgeAtRenewalCheck := certLifetimeDays - renewalWindowDays
|
||||
if certAgeAtRenewalCheck != 14 {
|
||||
t.Errorf("expected renewal check to find cert at age %d, got %d", 14, certAgeAtRenewalCheck)
|
||||
}
|
||||
}
|
||||
|
||||
func TestRenewalThresholds_6DayCert(t *testing.T) {
|
||||
// A 6-day "shortlived" cert with default thresholds [30, 14, 7, 0]:
|
||||
// - The 30-day, 14-day, and 7-day thresholds can NEVER fire (cert expires before reaching them)
|
||||
// - Only the 0-day threshold fires at expiry
|
||||
// For 6-day certs, ARI (RFC 9773) is the expected renewal path — the CA directs timing.
|
||||
// Short-lived certs also skip CRL/OCSP (revocation via expiry, per M15b).
|
||||
thresholds := DefaultAlertThresholds()
|
||||
certLifetimeDays := 6
|
||||
|
||||
firingThresholds := 0
|
||||
for _, threshold := range thresholds {
|
||||
if threshold < certLifetimeDays {
|
||||
firingThresholds++
|
||||
}
|
||||
}
|
||||
|
||||
// Only the 0-day threshold can fire (0 < 6).
|
||||
// The 7-day threshold means "alert when 7 days remain" — a 6-day cert
|
||||
// never has 7 days remaining, so it never fires.
|
||||
// For 6-day certs, ARI (RFC 9773) is the expected renewal path.
|
||||
if firingThresholds != 1 {
|
||||
t.Errorf("expected 1 threshold to fire for 6-day cert, got %d", firingThresholds)
|
||||
}
|
||||
|
||||
// The renewal window query (31 days ahead) will find 6-day certs immediately
|
||||
// (they're always within the 31-day window from the moment they're issued).
|
||||
renewalWindowDays := 31
|
||||
if certLifetimeDays < renewalWindowDays {
|
||||
// This is expected — 6-day certs are always in the renewal window.
|
||||
// ARI should override the threshold-based logic for these certs.
|
||||
}
|
||||
}
|
||||
|
||||
func TestRenewalThresholds_47DayCert(t *testing.T) {
|
||||
// SC-081v3 mandates 47-day max validity by March 2029.
|
||||
// Default thresholds [30, 14, 7, 0] should work correctly.
|
||||
thresholds := DefaultAlertThresholds()
|
||||
certLifetimeDays := 47
|
||||
|
||||
for _, threshold := range thresholds {
|
||||
if threshold > certLifetimeDays {
|
||||
t.Errorf("threshold %d exceeds cert lifetime %d", threshold, certLifetimeDays)
|
||||
}
|
||||
}
|
||||
|
||||
// With RenewalWindowDays=30, renewal triggers at day 17 (47-30=17).
|
||||
// That's at the 36% mark of the cert's lifetime — reasonable.
|
||||
renewalWindowDays := 30
|
||||
renewalDay := certLifetimeDays - renewalWindowDays
|
||||
if renewalDay != 17 {
|
||||
t.Errorf("expected renewal at day 17, got %d", renewalDay)
|
||||
}
|
||||
}
|
||||
|
||||
func TestRenewalThresholds_200DayCert(t *testing.T) {
|
||||
// SC-081v3 Phase 1: 200-day max validity (March 2026).
|
||||
// All default thresholds should fire normally.
|
||||
thresholds := DefaultAlertThresholds()
|
||||
certLifetimeDays := 200
|
||||
|
||||
for _, threshold := range thresholds {
|
||||
if threshold > certLifetimeDays {
|
||||
t.Errorf("threshold %d exceeds cert lifetime %d", threshold, certLifetimeDays)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestRenewalThresholds_100DayCert(t *testing.T) {
|
||||
// SC-081v3 Phase 2: 100-day max validity (March 2027).
|
||||
thresholds := DefaultAlertThresholds()
|
||||
certLifetimeDays := 100
|
||||
|
||||
for _, threshold := range thresholds {
|
||||
if threshold > certLifetimeDays {
|
||||
t.Errorf("threshold %d exceeds cert lifetime %d", threshold, certLifetimeDays)
|
||||
}
|
||||
}
|
||||
|
||||
// With default 31-day renewal window, renewal triggers at day 69 — at 69% of lifetime.
|
||||
// This is close to Let's Encrypt's recommended 2/3 mark.
|
||||
renewalWindowDays := 31
|
||||
renewalDay := certLifetimeDays - renewalWindowDays
|
||||
if renewalDay != 69 {
|
||||
t.Errorf("expected renewal at day 69, got %d", renewalDay)
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user