create a replacement self-signed server certificate with 10 years lif… (

#4009)

…espan

This certificate is only used for testing, so 10 years lifespan is
acceptable.

fixes: #3998

<!-- start metadata -->
---

**Checklist**

Complete the checklist (and note appropriate exceptions) before the PR
is marked ready-for-review.

- [x] Changes are compatible[^1]
- [x] Documentation[^2] completed
- [x] Performance impact assessed and acceptable
- Tests added and passing[^3]
    - [x] Unit Tests
    - [ ] Integration Tests
    - [ ] Manual Tests

**Exceptions**

*Note any exceptions here*

**Notes**

[^1]: It may be appropriate to bring upcoming changes to the attention
of other (impacted) groups. Please endeavour to do this before seeking
PR approval. The mechanism for doing this will vary considerably, so use
your judgement as to how and when to do this.
[^2]: Configuration is an important part of many changes. Where
applicable please try to document configuration examples.
[^3]: Tick whichever testing boxes are applicable. If you are adding
Manual Tests, please document the manual testing (extensively) in the
Exceptions.

.changesets/maint_garypen_3998_fix_tls.md

@@ -0,0 +1,5 @@
+### Create a replacement self-signed server certificate: 10 years lifespan ([Issue #3998](https://github.com/apollographql/router/issues/3998))
+
+This certificate is only used for testing, so 10 years lifespan is acceptable.
+
+By [@garypen](https://github.com/garypen) in https://github.com/apollographql/router/pull/4009

apollo-router/src/services/subgraph_service.rs

@@ -2781,7 +2781,18 @@ mod tests {
         server.await.unwrap()
     }
 
-    #[ignore]
+    // Note: This test relies on a checked in certificate with the following validity
+    // characteristics:
+    //         Validity
+    //           Not Before: Oct 10 07:32:39 2023 GMT
+    //           Not After : Oct  7 07:32:39 2033 GMT
+    // If this test fails and it is October 7th 2033, you will need to generate a
+    // new self signed cert. Currently, we use openssl to do this, in the future I
+    // hope we have something better...
+    // In the testdata directory run:
+    // openssl x509 -req -in server_self_signed.csr -signkey server.key -out server_self_signed.crt -extfile server.ext -days 3650
+    // That will give you another 10 years, assuming nothing else in the signing
+    // framework has expired.
     #[tokio::test(flavor = "multi_thread")]
     async fn tls_self_signed() {
         let certificate_pem = include_str!("./testdata/server_self_signed.crt");

apollo-router/src/services/testdata/server_self_signed.crt

@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIFmTCCA4GgAwIBAgIUDJn4No8XZo+1xUEEMqpAqRi1xmUwDQYJKoZIhvcNAQEL
+MIIFmTCCA4GgAwIBAgIUclTyqDAyR3+sL7KvR1kkGIQY+cgwDQYJKoZIhvcNAQEL
 BQAwJjELMAkGA1UEBhMCRlIxFzAVBgNVBAoMDkFwb2xsbyBHcmFwaFFMMB4XDTIz
-MDkwODE1MjM1M1oXDTIzMTAwODE1MjM1M1owJjELMAkGA1UEBhMCRlIxFzAVBgNV
+MTAxMDA3MzIzOVoXDTMzMTAwNzA3MzIzOVowJjELMAkGA1UEBhMCRlIxFzAVBgNV
 BAoMDkFwb2xsbyBHcmFwaFFMMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC
 AgEAsJ8bwoJJ8OLL0U5lrhYUeWpYej+eS5yibX02yWXCpzEgmailiugChwWwJrPE
 laarKQUYPTAlhgmFj342TWjTu8fYVAJO3AoHchJtkaQnyJSipagOB+nZQ936T0E6
@@ -16,17 +16,17 @@ EgRFuJ/D80PFRmPtxKxlPhBvgfD/1U1dWI2XO97Gp3a70RAdJhDkAKIQQesPFHFe
 zb9ExT7BcLJCkmXy21oY4Xf+nudfj0ts50yyZcmmFF0Yig0CAwEAAaOBvjCBuzAd
 BgNVHQ4EFgQUgv2yxjcZxbXqJBASiv1MdiesIo4wYQYDVR0jBFowWIAUgv2yxjcZ
 xbXqJBASiv1MdiesIo6hKqQoMCYxCzAJBgNVBAYTAkZSMRcwFQYDVQQKDA5BcG9s
-bG8gR3JhcGhRTIIUDJn4No8XZo+1xUEEMqpAqRi1xmUwCwYDVR0PBAQDAgL8MBQG
+bG8gR3JhcGhRTIIUclTyqDAyR3+sL7KvR1kkGIQY+cgwCwYDVR0PBAQDAgL8MBQG
 A1UdEQQNMAuCCWxvY2FsaG9zdDAUBgNVHRIEDTALgglsb2NhbGhvc3QwDQYJKoZI
-hvcNAQELBQADggIBACjN3nhmJD2k6i3vSDAmfLtdzuSIbRSHPUXMyv4kRS1XaRw2
-QyRhnZN+7LDoGyzI8IkSNs14xeUtixw5Nl0kFiq9cEuTvptAUNbPi4n/UuI3tSDf
-8VX/0WCoJonD5QlnQ9RPBGqbVmyzn1nDIdLyKsbUpK4igdDkj+DeLva8bO41/MMk
-e4PONDwHO4dyA00OlzyYazxK72tSDAEUomgDNvYtaNAi7uxXWnAYPkuXX77JgGxS
-hTBdMXPIUhcUCLotL5sIKj4UMk1BWUom9egL21W+M6A97M9+uCr72nktM29E8IGc
-euuqgq5bgALRthgaecsUPu/MlnUumLK9v7+osFtIAl6fGYQMvcdX90jII0QWoAdk
-uleVU8Ae18588e527clV5B+TnGjMucbxoPr4AbWR9slvdNVBB5UMHg67UsqF/Kyq
-F1WK5Zr5RD5r3yEwEmVkzQops/TmNRfmm+rFqrOMwRxpb8eW0jR4qfGPcFKfoZu3
-8xif2zKl9w21xQZ6VFVpgir8QJf0uswsHdlMRABAfiBBReP4Pg+jFFbmijajdU/i
-w46qc4whI5dbF+nAGdg3NsC8P+zeBTXQJEoF7E+M+eu35pOxi8xi46NKHsqfNNtG
-hLT0oWvdWPRH009SPHcA1fTZ347pkOeGtz94IJjTPm+HI1sHWv7avHX3U4Pr
+hvcNAQELBQADggIBAAdqg16CpfT/Cpj184D+NJwQlnqDWS+Fkc/gq9+7Dov65wlS
+SCm6hFwIC0XX/lGo54ZvtSGTB0XvO4sUy1pSd6iXAQ/30BZi+CIpBigbf7Hkoa9y
+4O3RiwqwfaZOMyUPyGD9ppQVyLkVKR+8AGqnXrSMvD9wHMVZHVor/n9vsesAAOdW
+nGK7lVxhO3h6VKmp5iHLir/tH8nOyR+eC1Ii/ftCZj+510uZzmBtYuWakl9fS78F
+VHhtzgMO0jF9dYrlTnMwRnkNG6iVoCPs4A7F8NgngAWn9paA6nM3/CoOk+nQ0YYC
+5BlrnZCtnF/z+tPZmOWZHoUn9SmEz/cyJuQP7W8luJwjakgVkWH3EcvbL9ZPA+LF
+nsX7/H1Elo5OgPwIEqaI3Xvb9JmA/01cVncs5Bblo9obYCG9U1dr9cXnaFFjvs6D
+pcxHlqkFfYxQ2y5NFhvJR+hcfHEkATuga3b5cKA6sHsuSsVZZGfUs2jdDRkFg+vy
+SY3RjVj9r6w4Ericoee0+6YbgHBrVTibpwO0RxcqEuLmrcNez3VBzFHffcsbm3t0
+dXtWfOm8PYd5CVO4uMHcLEX9rtyoKqagYLmEsZ2p8yF/uJnHugxl0lZ5BW8jgsb2
+JoR7orr+kk3ekowpCVhy2UGfcbUULxnasVSUW9WnBRGXTPfaZwOIqyg6+G4p
 -----END CERTIFICATE-----