github-personal/labca
1
0
Fork 0
mirror of https://github.com/outbackdingo/labca.git synced 2026-01-27 18:19:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'release/21.11.1'

Browse Source 
* release/21.11.1:
  Fix issuer cert link in generated vertificates
  Bump boulder version to release-2021-11-09
  Add flag to install to skip git pull to help in testing
  Remove explicit maxConnectionAge from CA grpc config (#26)
  Fix email tester; include it in main boulder binary
  Bump boulder version to release-2021-11-02
This commit is contained in:
Arjan H
2021-11-10 21:30:06 +01:00
parent 154fb33f9c 1f0c444f77
commit 1569b03698
17 changed files with 143 additions and 88 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
gui/apply-boulder
View File

@@ -7,6 +7,8 @@ perl -i -p0e "s/(\"dnsResolvers\": \[\n).*?(\s+\],)/\1 \"$PKI_DNS\"\2/igs"
perl -i -p0e "s/(\"dnsResolvers\": \[\n).*?(\s+\],)/\1 \"$PKI_DNS\"\2/igs" config/va-remote-b.json
perl -i -p0e "s/(\"dnsResolvers\": \[\n).*?(\s+\],)/\1 \"$PKI_DNS\"\2/igs" config/bad-key-revoker.json
perl -i -p0e "s/(\"dnsResolvers\": \[\n).*?(\s+\],)/\1 \"$PKI_DNS\"\2/igs" config/expiration-mailer.json
perl -i -p0e "s/(\s+\"maxConnectionAge\":[^\n]+)//igs" config/ca-a.json
perl -i -p0e "s/(\s+\"maxConnectionAge\":[^\n]+)//igs" config/ca-b.json
sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" config/va.json
sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" config/va-remote-a.json
sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" config/va-remote-b.json
@@ -16,6 +18,9 @@ sed -i -e "s/\"directoryCAAIdentity\": \".*\"/\"directoryCAAIdentity\": \"$PKI_D
[ -e ../test/hostname-policy.yaml ] && cp ../test/hostname-policy.yaml ./ || true
[ -e ../boulder/test/hostname-policy.yaml ] && cp ../boulder/test/hostname-policy.yaml ./ || true
[ -e hostname-policy.json ] && rm hostname-policy.json || true
[ -e config/ca.json ] && rm config/ca.json || true
[ -e config/expired-authz-purger2.json ] && rm config/expired-authz-purger2.json || true
[ -e config/janitor.json ] && rm config/janitor.json || true
cat hostname-policy.yaml | tr '\n' '\r' | sed -e "s/Lockdown:.*//" | tr '\r' '\n' > hostname-policy.yaml.bak && mv hostname-policy.yaml.bak hostname-policy.yaml
cat hostname-policy.yaml | tr '\n' '\r' | sed -e "s/Whitelist:.*//" | tr '\r' '\n' > hostname-policy.yaml.bak && mv hostname-policy.yaml.bak hostname-policy.yaml
if [ "$PKI_DOMAIN_MODE" == "lockdown" ] && [ "$PKI_LOCKDOWN_DOMAINS" != "" ]; then
@@ -49,12 +54,12 @@ if [ "$PKI_EXTENDED_TIMEOUT" == "1" ]; then
sed -i -e "s/\"timeout\": \"20s\"/\"timeout\": \"40s\"/" config/wfe.json
sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/wfe2.json
sed -i -e "s/\"timeout\": \"20s\"/\"timeout\": \"40s\"/" config/wfe2.json
sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/ca.json
sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/expiration-mailer.json
sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/ra.json
sed -i -e "s/\"timeout\": \"20s\"/\"timeout\": \"40s\"/" config/ra.json
sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/ocsp-updater.json
sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/orphan-finder.json
sed -i -e "s/\"timeout\": \"1s\"/\"timeout\": \"5s\"/" config/health-checker.json
fi
sed -i -e "s/\"server\": \".*\"/\"server\": \"$PKI_EMAIL_SERVER\"/" config/bad-key-revoker.json

71
install
View File

@@ -24,7 +24,7 @@ dockerComposeVersion="1.28.5"
labcaUrl="https://github.com/hakwerk/labca/"
boulderUrl="https://github.com/letsencrypt/boulder/"
boulderTag="release-2021-08-31"
boulderTag="release-2021-11-09"
#
# Color configuration
@@ -52,6 +52,7 @@ source "$dn/utils.sh" &>/dev/null || true
cmdlineFqdn=""
cmdlineBranch=""
fullCmdline=""
keepLocal=0
#
# Helper functions for informing the user and logging to file
@@ -241,17 +242,24 @@ prompt_and_export() {
# Parse the command line options, if any
parse_cmdline() {
fullCmdline="$@"
local parsed=$(getopt --options=n:,b: --longoptions=name:,fqdn:,branch: --name "$0" -- "$@" 2>>$installLog) || msg_fatal "Could not process commandline parameters"
local parsed=$(getopt --options=n:,b:,k --longoptions=name:,fqdn:,branch:,keep --name "$0" -- "$@" 2>>$installLog) || msg_fatal "Could not process commandline parameters"
eval set -- "$parsed"
while true; do
case "$1" in
-n|--name|--fqdn)
cmdlineFqdn="$2"
shift 2
msg_ok "option: using FQDN name '$cmdlineFqdn'"
;;
-b|--branch)
cmdlineBranch="$2"
shift 2
msg_ok "option: using branch '$cmdlineBranch'"
;;
-k|--keep)
keepLocal=1
shift 1
msg_ok "option: keeping local version as is"
;;
--)
shift
@@ -428,6 +436,7 @@ static_web() {
mkdir -p .well-known/acme-challenge
mkdir -p crl
[ -e cert ] || ln -s certs cert
cp -rp $cloneDir/www/* .
sed -i -e "s|\[LABCA_CPS_LOCATION\]|http://$LABCA_FQDN/cps/|g" cps/index.html
sed -i -e "s|\[LABCA_CERTS_LOCATION\]|http://$LABCA_FQDN/certs/|g" cps/index.html
@@ -515,6 +524,8 @@ config_boulder() {
[ ! -e "$boulderLabCADir/secrets/smtp_password_PRESERVE" ] || mv "$boulderLabCADir/secrets/smtp_password_PRESERVE" "$boulderLabCADir/secrets/smtp_password"
chown -R labca:labca "$boulderLabCADir"
rm -rf authz-filler challtestsrv gsb-test-srv
msg_ok "$msg"
msg="Configure the boulder application"
msg_info "$msg"
@@ -577,6 +588,7 @@ config_boulder() {
mkdir -p "cmd/mail-tester"
cp $cloneDir/mail-tester.go cmd/mail-tester/main.go
perl -i -p0e "s/(\n\t\"github.com\/letsencrypt\/boulder\/cmd\")/\t_ \"github.com\/letsencrypt\/boulder\/cmd\/mail-tester\"\n\t\1/igs" cmd/boulder/main.go &>>$installLog
sudo -u labca -H patch -p1 < $cloneDir/patches/db_migrations.patch &>>$installLog
cp sa/_db/migrations/20210223140000_CombinedSchema.sql "$boulderLabCADir/.backup/"
@@ -591,17 +603,17 @@ config_boulder() {
sed -i -e "s/test-ca2.pem/test-ca.pem/" config/ra.json
sed -i -e "s/test-ca2.pem/test-ca.pem/" config/wfe.json
sed -i -e "s/test-ca2.pem/test-ca.pem/" config/wfe2.json
sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/akamai-purger.json
sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ocsp-responder.json
sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ocsp-updater.json
sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/publisher.json
sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ra.json
sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/wfe.json
sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/wfe2.json
sed -i -e "s|/tmp/root-cert-rsa.pem|labca/test-root.pem|" config/publisher.json
sed -i -e "s|/tmp/root-cert-rsa.pem|labca/test-root.pem|" integration-test.py
sed -i -e "s|/tmp/root-cert-rsa.pem|labca/test-root.pem|" helpers.py
sed -i -e "s|/tmp/root-cert-rsa.pem|labca/test-root.pem|" v1_integration.py
sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/akamai-purger.json
sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ocsp-responder.json
sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ocsp-updater.json
sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/publisher.json
sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ra.json
sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/wfe.json
sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/wfe2.json
sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" config/publisher.json
sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" integration-test.py
sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" helpers.py
sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" v1_integration.py
sed -i -e "s/5001/443/g" config/va.json
sed -i -e "s/5002/80/g" config/va.json
sed -i -e "s/5001/443/g" config/va-remote-a.json
@@ -610,10 +622,10 @@ config_boulder() {
sed -i -e "s/5002/80/g" config/va-remote-b.json
sed -i -e "s|http://boulder:4000/terms/v1|http://$LABCA_FQDN/terms/v1|" config/wfe.json
sed -i -e "s|https://boulder:4431/terms/v7|https://$LABCA_FQDN/terms/v1|" config/wfe2.json
sed -i -e "s|http://boulder:4430/acme/issuer-cert|http://$LABCA_FQDN/acme/issuer-cert|" config/ca-a.json
sed -i -e "s|http://boulder:4430/acme/issuer-cert|http://$LABCA_FQDN/acme/issuer-cert|" config/ca-b.json
sed -i -e "s|http://127.0.0.1:4000/acme/issuer-cert|http://$LABCA_FQDN/acme/issuer-cert|" config/ca-a.json
sed -i -e "s|http://127.0.0.1:4000/acme/issuer-cert|http://$LABCA_FQDN/acme/issuer-cert|" config/ca-b.json
sed -i -e "s|http://boulder:4430/acme/issuer-cert|http://$LABCA_FQDN/certs/ca-int.der|" config/ca-a.json
sed -i -e "s|http://boulder:4430/acme/issuer-cert|http://$LABCA_FQDN/certs/ca-int.der|" config/ca-b.json
sed -i -e "s|http://127.0.0.1:4000/acme/issuer-cert|http://$LABCA_FQDN/certs/ca-int.der|" config/ca-a.json
sed -i -e "s|http://127.0.0.1:4000/acme/issuer-cert|http://$LABCA_FQDN/certs/ca-int.der|" config/ca-b.json
sed -i -e "s|http://boulder:4430/acme/issuer-cert|http://$LABCA_FQDN/acme/issuer-cert|" config/wfe2.json
sed -i -e "s|http://127.0.0.1:4000/acme/issuer-cert|https://$LABCA_FQDN/acme/issuer-cert|" config/wfe2.json
sed -i -e "s|http://127.0.0.1:4002/|http://$LABCA_FQDN/ocsp/|g" config/ca-a.json
@@ -622,8 +634,8 @@ config_boulder() {
sed -i -e "s|http://example.com/cps|http://$LABCA_FQDN/cps/|g" config/ca-b.json
sed -i -e "s|1.2.3.4|1.3.6.1.4.1.44947.1.1.1|g" config/ca-a.json
sed -i -e "s|1.2.3.4|1.3.6.1.4.1.44947.1.1.1|g" config/ca-b.json
sed -i -e 's| "crl_url": "http://example.com/crl",||g' config/ca-a.json
sed -i -e 's| "crl_url": "http://example.com/crl",||g' config/ca-b.json
perl -i -p0e "s/(\s+\"crlURL\":[^\n]*)//igs" config/ca-a.json
perl -i -p0e "s/(\s+\"crlURL\":[^\n]*)//igs" config/ca-b.json
sed -i -e "s/Do What Thou Wilt/This PKI is only meant for internal (lab) usage; do NOT use this on the open internet\!/g" config/ca-a.json
sed -i -e "s/Do What Thou Wilt/This PKI is only meant for internal (lab) usage; do NOT use this on the open internet\!/g" config/ca-b.json
sed -i -e "s/ocspURL.Path = encodedReq/ocspURL.Path += encodedReq/" ocsp/helper/helper.go
@@ -665,6 +677,11 @@ config_boulder() {
export PKI_EMAIL_FROM="Expiry bot <test@example.com>"
fi
local extended_timeout=$(grep extended_timeout $adminDir/data/config.json | grep true)
if [ "$extended_timeout" != "" ]; then
export PKI_EXTENDED_TIMEOUT=1
fi
$adminDir/apply-boulder &>>$installLog
else
chown -R labca:labca "$boulderLabCADir"
@@ -715,11 +732,15 @@ startup() {
msg_info "$msg (this will take a while!!)"
docker-compose stop &>>$installLog || true
[ -z "$(docker ps | grep boulder_bhsm_1)" ] || docker stop boulder_bhsm_1 &>>$installLog
for ct in boulder_bhsm_1 boulder_bredis_1 boulder_bredis_2 boulder_bredis_3 boulder_bredis_4 boulder_bredis_5 boulder_bredis_6; do
[ -z "$(docker ps | grep $ct)" ] || docker stop $ct &>>$installLog
done
wait_down $PS_MYSQL &>>$installLog
wait_down $PS_LABCA &>>$installLog
wait_down $PS_BOULDER &>>$installLog
[ -z "$(docker ps | grep boulder_bhsm_1)" ] || docker rm -f boulder_bhsm_1 &>>$installLog
for ct in boulder_bhsm_1 boulder_bredis_1 boulder_bredis_2 boulder_bredis_3 boulder_bredis_4 boulder_bredis_5 boulder_bredis_6; do
[ -z "$(docker ps -a | grep -e "$ct\$")" ] || docker rm -f $ct &>>$installLog
done
docker-compose up -d &>>$installLog
[ -h "/etc/init.d/labca" ] || ln -s "$cloneDir/init_d" /etc/init.d/labca
@@ -777,9 +798,11 @@ main() {
[ ! -e "$cloneDir/cron_d" ] || chown labca:labca "$cloneDir/cron_d"
parse_cmdline "$@"
clone_or_pull "$cloneDir" "$labcaUrl" "$cmdlineBranch"
checkout_release "$cmdlineBranch"
restart_if_updated "$checksum"
if [ $keepLocal -eq 0 ]; then
clone_or_pull "$cloneDir" "$labcaUrl" "$cmdlineBranch"
checkout_release "$cmdlineBranch"
restart_if_updated "$checksum"
fi
get_fqdn
copy_admin

33
mail-tester.go
View File

@@ -1,4 +1,4 @@
package main
package notmain
import (
"flag"
@@ -25,19 +25,38 @@ args:
type config struct {
Mailer struct {
cmd.ServiceConfig
cmd.DBConfig
DB cmd.DBConfig
cmd.SMTPConfig
From string
Subject string
CertLimit int
NagTimes []string
// How much earlier (than configured nag intervals) to
// send reminders, to account for the expected delay
// before the next expiration-mailer invocation.
NagCheckInterval string
// Path to a text/template email template
EmailTemplate string
Frequency cmd.ConfigDuration
TLS cmd.TLSConfig
SAService *cmd.GRPCClientConfig
DNSTries int
DNSResolvers []string
// Path to a file containing a list of trusted root certificates for use
// during the SMTP connection (as opposed to the gRPC connections).
SMTPTrustedRootFile string
Features map[string]bool
}
Syslog cmd.SyslogConfig
Beeline cmd.BeelineConfig
Common struct {
DNSResolver string
@@ -54,13 +73,13 @@ func main() {
configFile := flag.String("config", "", "File path to the configuration file for this service")
flag.Parse()
args := flag.Args()
recipient := args[0]
if len(os.Args) <= 3 || *configFile == "" {
usage()
}
args := flag.Args()
recipient := args[0]
var c config
err := cmd.ReadConfigFile(*configFile, &c)
cmd.FailOnError(err, "Reading JSON config file into config structure")
@@ -126,3 +145,7 @@ func main() {
err = mailClient.SendMail(recipients, "Test Email from LabCA", "Test sending email from the LabCA server")
cmd.FailOnError(err, "mail-tester has failed")
}
func init() {
cmd.RegisterCommand("mail-tester", main)
}

2
patches/cmd_shell.patch
View File

@@ -2,7 +2,7 @@ diff --git a/cmd/shell.go b/cmd/shell.go
index 38f1edaf4..795815483 100644
--- a/cmd/shell.go
+++ b/cmd/shell.go
@@ -163,7 +163,7 @@ func NewLogger(logConf SyslogConfig) blog.Logger {
@@ -165,7 +165,7 @@ func NewLogger(logConf SyslogConfig) blog.Logger {
// Boulder's conception of time.
go func() {
for {

4
patches/config_expiration-mailer.patch
View File

@@ -2,7 +2,7 @@ diff --git a/test/config/expiration-mailer.json b/test/config/expiration-mailer.
index 4519fe4d..f52a408c 100644
--- a/test/config/expiration-mailer.json
+++ b/test/config/expiration-mailer.json
@@ -13,6 +13,11 @@
@@ -14,6 +14,11 @@
"nagCheckInterval": "24h",
"emailTemplate": "test/example-expiration-template",
"debugAddr": ":8008",
@@ -14,7 +14,7 @@ index 4519fe4d..f52a408c 100644
"tls": {
"caCertFile": "test/grpc-creds/minica.pem",
"certFile": "test/grpc-creds/expiration-mailer.boulder/cert.pem",
@@ -33,5 +38,9 @@
@@ -34,5 +39,9 @@
"beeline": {
"mute": true,
"dataset": "Test"

10
patches/config_ocsp-responder.patch
View File

@@ -1,15 +1,15 @@
diff --git a/test/config/ocsp-responder.json b/test/config/ocsp-responder.json
index fd2c4a8..a5e65d2 100644
index ed874d3..a1a78f3 100644
--- a/test/config/ocsp-responder.json
+++ b/test/config/ocsp-responder.json
@@ -7,9 +7,7 @@
"path": "/",
"listenAddress": "0.0.0.0:4002",
"issuerCerts": [
- "/tmp/intermediate-cert-rsa-a.pem",
- "/tmp/intermediate-cert-rsa-b.pem",
- "/tmp/intermediate-cert-ecdsa-a.pem"
+ "/tmp/intermediate-cert-rsa-a.pem"
- "/hierarchy/intermediate-cert-rsa-a.pem",
- "/hierarchy/intermediate-cert-rsa-b.pem",
- "/hierarchy/intermediate-cert-ecdsa-a.pem"
+ "/hierarchy/intermediate-cert-rsa-a.pem"
],
"maxAge": "10s",
"timeout": "4.9s",

18
patches/config_publisher.patch
View File

@@ -1,23 +1,23 @@
diff --git a/test/config/publisher.json b/test/config/publisher.json
index 6c75f71..54fb877 100644
index 6e0337c..1e5ed7b 100644
--- a/test/config/publisher.json
+++ b/test/config/publisher.json
@@ -6,18 +6,6 @@
[
"/tmp/intermediate-cert-rsa-a.pem",
"/tmp/root-cert-rsa.pem"
"/hierarchy/intermediate-cert-rsa-a.pem",
"/hierarchy/root-cert-rsa.pem"
- ],
- [
- "/tmp/intermediate-cert-rsa-b.pem",
- "/tmp/root-cert-rsa.pem"
- "/hierarchy/intermediate-cert-rsa-b.pem",
- "/hierarchy/root-cert-rsa.pem"
- ],
- [
- "/tmp/intermediate-cert-ecdsa-a.pem",
- "/tmp/root-cert-ecdsa.pem"
- "/hierarchy/intermediate-cert-ecdsa-a.pem",
- "/hierarchy/root-cert-ecdsa.pem"
- ],
- [
- "/tmp/intermediate-cert-ecdsa-b.pem",
- "/tmp/root-cert-ecdsa.pem"
- "/hierarchy/intermediate-cert-ecdsa-b.pem",
- "/hierarchy/root-cert-ecdsa.pem"
]
],
"debugAddr": ":8009",

4
patches/core_interfaces.patch
View File

@@ -2,11 +2,9 @@ diff --git a/core/interfaces.go b/core/interfaces.go
index d19eb4fb8..3ae50d737 100644
--- a/core/interfaces.go
+++ b/core/interfaces.go
@@ -91,6 +91,7 @@ type PolicyAuthority interface {
@@ -50,4 +50,5 @@ type PolicyAuthority interface {
WillingToIssueWildcards(identifiers []identifier.ACMEIdentifier) error
ChallengesFor(domain identifier.ACMEIdentifier) ([]Challenge, error)
ChallengeTypeEnabled(t AcmeChallenge) bool
+ ValidEmail(address string) error
}
// StorageGetter are the Boulder SA's read-only methods

24
patches/docker-compose.patch
View File

@@ -1,9 +1,9 @@
diff --git a/docker-compose.yml b/docker-compose.yml
index 713667d60..0a384c8ab 100644
index f515225e4..c1d54f235 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -4,10 +4,11 @@ services:
image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.16.6_2021-07-12}
image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.17_2021-10-22}
environment:
FAKE_DNS: 10.77.77.77
- BOULDER_CONFIG_DIR: test/config
@@ -13,12 +13,12 @@ index 713667d60..0a384c8ab 100644
- .:/go/src/github.com/letsencrypt/boulder:cached
+ - /home/labca/boulder_labca:/go/src/github.com/letsencrypt/boulder/labca
- ./.gocache:/root/.cache/go-build:cached
networks:
bluenet:
@@ -49,11 +50,19 @@ services:
- 8055:8055 # dns-test-srv updates
- ./.hierarchy:/hierarchy/:cached
- ./.softhsm-tokens/:/var/lib/softhsm/tokens/:cached
@@ -36,11 +37,19 @@ services:
depends_on:
- bmysql
- bredis_clusterer
- entrypoint: test/entrypoint.sh
+ entrypoint: labca/entrypoint.sh
working_dir: &boulder_working_dir /go/src/github.com/letsencrypt/boulder
@@ -36,7 +36,7 @@ index 713667d60..0a384c8ab 100644
networks:
bluenet:
aliases:
@@ -67,22 +76,37 @@ services:
@@ -54,7 +63,11 @@ services:
# small.
command: mysqld --bind-address=0.0.0.0 --slow-query-log --log-output=TABLE --log-queries-not-using-indexes=ON
logging:
@@ -47,6 +47,12 @@ index 713667d60..0a384c8ab 100644
+ max-file: "5"
+ restart: always
bredis_1:
image: redis:latest
@@ -129,18 +142,31 @@ services:
aliases:
- boulder-redis-clusterer
- netaccess:
+ labca:
image: *boulder_image
@@ -67,8 +73,8 @@ index 713667d60..0a384c8ab 100644
+ - /home/labca/boulder_labca:/boulder/labca
+ ports:
+ - 3000:3000
depends_on:
- bmysql
+ depends_on:
+ - bmysql
+ working_dir: /go/src/labca
+ command: ./setup.sh
+ logging:

2
patches/entrypoint.patch
View File

@@ -2,7 +2,7 @@ diff --git a/test/entrypoint.sh b/test/entrypoint.sh
index 5ca9929..f18e1d8 100755
--- a/test/entrypoint.sh
+++ b/test/entrypoint.sh
@@ -36,6 +36,18 @@ wait_tcp_port boulder-mysql 3306
@@ -17,6 +17,18 @@ wait_tcp_port boulder-mysql 3306
# create the database
MYSQL_CONTAINER=1 $DIR/create_db.sh

18
patches/expiration-mailer_main.patch
View File

@@ -1,16 +1,16 @@
diff --git a/cmd/expiration-mailer/main.go b/cmd/expiration-mailer/main.go
index f6b02976e..0b00b794d 100644
index 862ed2fe7..e8b0aac3d 100644
--- a/cmd/expiration-mailer/main.go
+++ b/cmd/expiration-mailer/main.go
@@ -20,6 +20,7 @@ import (
"github.com/honeycombio/beeline-go"
@@ -22,6 +22,7 @@ import (
"github.com/jmhodges/clock"
"google.golang.org/grpc"
+ "github.com/letsencrypt/boulder/bdns"
"github.com/letsencrypt/boulder/cmd"
"github.com/letsencrypt/boulder/core"
corepb "github.com/letsencrypt/boulder/core/proto"
@@ -36,7 +37,7 @@ import (
@@ -38,7 +39,7 @@ import (
const (
defaultNagCheckInterval = 24 * time.Hour
@@ -19,7 +19,7 @@ index f6b02976e..0b00b794d 100644
)
type regStore interface {
@@ -385,6 +386,9 @@ type config struct {
@@ -408,6 +409,9 @@ type config struct {
TLS cmd.TLSConfig
SAService *cmd.GRPCClientConfig
@@ -29,7 +29,7 @@ index f6b02976e..0b00b794d 100644
// Path to a file containing a list of trusted root certificates for use
// during the SMTP connection (as opposed to the gRPC connections).
SMTPTrustedRootFile string
@@ -394,6 +398,12 @@ type config struct {
@@ -417,6 +421,12 @@ type config struct {
Syslog cmd.SyslogConfig
Beeline cmd.BeelineConfig
@@ -42,9 +42,9 @@ index f6b02976e..0b00b794d 100644
}
func initStats(stats prometheus.Registerer) mailerStats {
@@ -511,6 +521,32 @@ func main() {
@@ -534,6 +544,32 @@ func main() {
cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA")
sac := bgrpc.NewStorageAuthorityClient(sapb.NewStorageAuthorityClient(conn))
sac := sapb.NewStorageAuthorityClient(conn)
+ dnsTimeout, err := time.ParseDuration(c.Common.DNSTimeout)
+ cmd.FailOnError(err, "Couldn't parse DNS timeout")
@@ -75,7 +75,7 @@ index f6b02976e..0b00b794d 100644
var smtpRoots *x509.CertPool
if c.Mailer.SMTPTrustedRootFile != "" {
pem, err := ioutil.ReadFile(c.Mailer.SMTPTrustedRootFile)
@@ -546,6 +582,7 @@ func main() {
@@ -569,6 +605,7 @@ func main() {
c.Mailer.Username,
smtpPassword,
smtpRoots,

4
patches/log-validator_main.patch
View File

@@ -1,8 +1,8 @@
diff --git a/cmd/log-validator/main.go b/cmd/log-validator/main.go
index fdab2ac6..bb136880 100644
index 24df67e90..565de0c3c 100644
--- a/cmd/log-validator/main.go
+++ b/cmd/log-validator/main.go
@@ -52,8 +52,8 @@ func lineValid(text string) error {
@@ -65,8 +65,8 @@ func lineValid(text string) error {
if strings.Contains(text, errorPrefix) {
return nil
}

14
patches/policy_pa.patch
View File

@@ -1,5 +1,5 @@
diff --git a/policy/pa.go b/policy/pa.go
index 7950970f4..03cfb937e 100644
index 7dd9c37cd..43410e3f9 100644
--- a/policy/pa.go
+++ b/policy/pa.go
@@ -31,6 +31,8 @@ type AuthorityImpl struct {
@@ -42,7 +42,7 @@ index 7950970f4..03cfb937e 100644
pa.blocklistMu.Unlock()
return nil
}
@@ -215,7 +230,7 @@ var (
@@ -213,7 +228,7 @@ var (
// * exactly equal to an IANA registered TLD
//
// It does _not_ check that the domain isn't on any PA blocked lists.
@@ -51,7 +51,7 @@ index 7950970f4..03cfb937e 100644
if domain == "" {
return errEmptyName
}
@@ -282,6 +297,14 @@ func ValidDomain(domain string) error {
@@ -289,6 +304,14 @@ func ValidDomain(domain string) error {
}
}
@@ -66,7 +66,7 @@ index 7950970f4..03cfb937e 100644
// Names must end in an ICANN TLD, but they must not be equal to an ICANN TLD.
icannTLD, err := iana.ExtractSuffix(domain)
if err != nil {
@@ -309,7 +332,7 @@ var forbiddenMailDomains = map[string]bool{
@@ -316,7 +339,7 @@ var forbiddenMailDomains = map[string]bool{
// ValidEmail returns an error if the input doesn't parse as an email address,
// the domain isn't a valid hostname in Preferred Name Syntax, or its on the
// list of domains forbidden for mail (because they are often used in examples).
@@ -75,7 +75,7 @@ index 7950970f4..03cfb937e 100644
email, err := mail.ParseAddress(address)
if err != nil {
if len(address) > 254 {
@@ -319,7 +342,7 @@ func ValidEmail(address string) error {
@@ -326,7 +349,7 @@ func ValidEmail(address string) error {
}
splitEmail := strings.SplitN(email.Address, "@", -1)
domain := strings.ToLower(splitEmail[len(splitEmail)-1])
@@ -84,7 +84,7 @@ index 7950970f4..03cfb937e 100644
return berrors.InvalidEmailError(
"contact email %q has invalid domain : %s",
email.Address, err)
@@ -358,10 +381,14 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error {
@@ -365,10 +388,14 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error {
}
domain := id.Value
@@ -100,7 +100,7 @@ index 7950970f4..03cfb937e 100644
// Require no match against hostname block lists
if err := pa.checkHostLists(domain); err != nil {
return err
@@ -370,6 +397,31 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error {
@@ -377,6 +404,31 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error {
return nil
}

4
patches/ra_ra.patch
View File

@@ -1,5 +1,5 @@
diff --git a/ra/ra.go b/ra/ra.go
index 1023d0232..3f8d86d87 100644
index 275e64a95..873d5c943 100644
--- a/ra/ra.go
+++ b/ra/ra.go
@@ -31,7 +31,6 @@ import (
@@ -10,7 +10,7 @@ index 1023d0232..3f8d86d87 100644
"github.com/letsencrypt/boulder/probs"
pubpb "github.com/letsencrypt/boulder/publisher/proto"
rapb "github.com/letsencrypt/boulder/ra/proto"
@@ -435,7 +434,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(ctx context.Context, conta
@@ -444,7 +443,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(ctx context.Context, conta
contact,
)
}

4
patches/startservers.patch
View File

@@ -1,5 +1,5 @@
diff --git a/test/startservers.py b/test/startservers.py
index ec8ada190..be5b7a2f2 100644
index 0df56a4..14aa548 100644
--- a/test/startservers.py
+++ b/test/startservers.py
@@ -146,6 +146,9 @@ processes = []
@@ -9,6 +9,6 @@ index ec8ada190..be5b7a2f2 100644
+ pass
+
+def setupHierarchyOriginal():
"""Set up the issuance hierarchy. Must have called install() before this."""
e = os.environ.copy()
e.setdefault("GOBIN", "%s/bin" % os.getcwd())
try:

6
patches/test_config_ca_a.patch
View File

@@ -1,12 +1,12 @@
diff --git a/test/config/ca-a.json b/test/config/ca-a.json
index 92b32f094..e220d7d4f 100644
index 0be07e4..cd5de49 100644
--- a/test/config/ca-a.json
+++ b/test/config/ca-a.json
@@ -60,19 +60,7 @@
"crlURL": "http://example.com/crl",
"location": {
"configFile": "test/test-ca.key-pkcs11.json",
- "certFile": "/tmp/intermediate-cert-rsa-a.pem",
- "certFile": "/hierarchy/intermediate-cert-rsa-a.pem",
- "numSessions": 2
- }
- },
@@ -18,7 +18,7 @@ index 92b32f094..e220d7d4f 100644
- "crlURL": "http://example.com/crl",
- "location": {
- "configFile": "test/test-ca.key-pkcs11.json",
- "certFile": "/tmp/intermediate-cert-rsa-b.pem",
- "certFile": "/hierarchy/intermediate-cert-rsa-b.pem",
+ "certFile": "test/test-ca.pem",
"numSessions": 2
}

6
patches/test_config_ca_b.patch
View File

@@ -1,12 +1,12 @@
diff --git a/test/config/ca-b.json b/test/config/ca-b.json
index 6c7d9d272..4e428bc4a 100644
index baf5483..0aa6fd4 100644
--- a/test/config/ca-b.json
+++ b/test/config/ca-b.json
@@ -60,19 +60,7 @@
"crlURL": "http://example.com/crl",
"location": {
"configFile": "test/test-ca.key-pkcs11.json",
- "certFile": "/tmp/intermediate-cert-rsa-a.pem",
- "certFile": "/hierarchy/intermediate-cert-rsa-a.pem",
- "numSessions": 2
- }
- },
@@ -18,7 +18,7 @@ index 6c7d9d272..4e428bc4a 100644
- "crlURL": "http://example.com/crl",
- "location": {
- "configFile": "test/test-ca.key-pkcs11.json",
- "certFile": "/tmp/intermediate-cert-rsa-b.pem",
- "certFile": "/hierarchy/intermediate-cert-rsa-b.pem",
+ "certFile": "test/test-ca.pem",
"numSessions": 2
}