integration: add test for early renewal from ARI

[jsha]

This depends on a pending Pebble pull request and so will fail integration tests until/unless that lands: letsencrypt/pebble#501

However, I'd appreciate some eyes on this PR in this regard: is the interface we're using in Pebble useful and appropriate? If not, we can adjust the Pebble PR.

Inspired based on conversation on #10307, but note that this just tests the general case; it does not test the "default server differs from lineage server" case yet; when I try adding that I get some bugs that may reflect a problem in #10307 I need to fix (or may reflect that I need to inhibit the --server flag rather than trying to override it late in the command line).

[ohemorange]

As mentioned in the comment, I recommend moving the pebble management code into utils, something like set_immediate_ari_period. But otherwise the api makes sense to me.

[ohemorange]

I would suggest moving this all (# Tell Pebble to make ARI look urgent...assert resp.status_code == 200) into certbot-ci/src/certbot_integration_tests/utils/misc.py; then suppress_x509_verification_warnings can stay in internal, but more importantly it can be used in other cases, and makes it clear what this test is actually testing

[ohemorange]

I have a bunch of style nits. Other than that, does pebble now give a normal ari response by default? If not, we should probably add a test with a future ari period. If it does, I'm having trouble imagining a case where we'd want anything other than "already passed," in which case the api could be even simpler for the caller. Unless there's something you had in mind? Maybe for the other upcoming test?

[jsha]

does pebble now give a normal ari response by default? If not, we should probably add a test with a future ari period. If it does, I'm having trouble imagining a case where we'd want anything other than "already passed," in which case the api could be even simpler for the caller.

Yeah, Pebble already returned a default renewal period of 2/3, even before my changes in v2.8.0.

Two minor reasons I wanted Pebble's hooks to allow setting an arbitrary response:

• It potentially allows clients to test how they handle to a malformed ARI response.
• It potentially allows clients to test handling an explanationURL (which was one of the mentioned interesting cases for the issue filed on Pebble).

I don't have particular plans to add integration tests either of these cases to Certbot but could if you feel they are important!

[ohemorange]

My hesitation comes from the idea that these tests are generally nice and modular (unlike many of our other tests...) and so you don't really have to know what it's doing under the hood to test a specific feature. But I guess you wouldn't really want an ARI response set unless you're testing ARI in particular; otherwise you'd just use --force-renew if you had to. I suspect it feels less uncomfortable to you because you're more familiar with boulder/pebble and therefore setting an esoterically formatted datetime might be something you know off the top of your head. My general feeling for the detail level of these integration tests is "could I figure out how to do this thing without having to explicitly copy code from somewhere else?" But like I said, it probably doesn't really matter either way, we can always change it in either direction should we write more tests (that is, a second test saying "renew now" shouldn't have to explicitly copy the code setting the parameters, imo, but it's 8 lines, it's really not a giant deal either way, I won't block this PR on that).

As for the specific examples, tbh I'd probably just throw that sort of thing in unit tests if anything. I don't know that we need either but if you're excited about them I wouldn't stop you.