diff --git a/gui/apply-boulder b/gui/apply-boulder
index 9af048c..a2e20d5 100755
--- a/gui/apply-boulder
+++ b/gui/apply-boulder
@@ -7,6 +7,8 @@ perl -i -p0e "s/(\"dnsResolvers\": \[\n).*?(\s+\],)/\1 \"$PKI_DNS\"\2/igs"
 perl -i -p0e "s/(\"dnsResolvers\": \[\n).*?(\s+\],)/\1 \"$PKI_DNS\"\2/igs" config/va-remote-b.json
 perl -i -p0e "s/(\"dnsResolvers\": \[\n).*?(\s+\],)/\1 \"$PKI_DNS\"\2/igs" config/bad-key-revoker.json
 perl -i -p0e "s/(\"dnsResolvers\": \[\n).*?(\s+\],)/\1 \"$PKI_DNS\"\2/igs" config/expiration-mailer.json
+perl -i -p0e "s/(\s+\"maxConnectionAge\":[^\n]+)//igs" config/ca-a.json
+perl -i -p0e "s/(\s+\"maxConnectionAge\":[^\n]+)//igs" config/ca-b.json
 sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" config/va.json
 sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" config/va-remote-a.json
 sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" config/va-remote-b.json
@@ -16,6 +18,9 @@ sed -i -e "s/\"directoryCAAIdentity\": \".*\"/\"directoryCAAIdentity\": \"$PKI_D
 [ -e ../test/hostname-policy.yaml ] && cp ../test/hostname-policy.yaml ./ || true
 [ -e ../boulder/test/hostname-policy.yaml ] && cp ../boulder/test/hostname-policy.yaml ./ || true
 [ -e hostname-policy.json ] && rm hostname-policy.json || true
+[ -e config/ca.json ] && rm config/ca.json || true
+[ -e config/expired-authz-purger2.json ] && rm config/expired-authz-purger2.json || true
+[ -e config/janitor.json ] && rm config/janitor.json || true
 cat hostname-policy.yaml | tr '\n' '\r' | sed -e "s/Lockdown:.*//" | tr '\r' '\n' > hostname-policy.yaml.bak && mv hostname-policy.yaml.bak hostname-policy.yaml
 cat hostname-policy.yaml | tr '\n' '\r' | sed -e "s/Whitelist:.*//" | tr '\r' '\n' > hostname-policy.yaml.bak && mv hostname-policy.yaml.bak hostname-policy.yaml
 if [ "$PKI_DOMAIN_MODE" == "lockdown" ] && [ "$PKI_LOCKDOWN_DOMAINS" != "" ]; then
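Review bot: The two added perl calls delete whatever line carries `"maxConnectionAge"` in config/ca-a.json and config/ca-b.json, and, like every other edit in this script, the result is never checked to still be JSON; if that key happens to be the last member of its object, dropping the line leaves the previous member's trailing comma and the CA only fails when it parses its config at start-up, not here. Following the edits with a fail-fast parse using whatever the host has, e.g. `python3 -c 'import json,sys; [json.load(open(f)) for f in sys.argv[1:]]' config/ca-a.json config/ca-b.json || exit 1` (or `jq . >/dev/null`), turns a silent mis-edit into an install error. The `i` flag on a literal key name is unnecessary and would also match a differently-cased key if one ever appeared; `/gs` is enough.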
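Review bot: The three new removals use the `[ -e f ] && rm f || true` form, whose `|| true` also masks a real `rm` failure such as a permission error, so a stale config/ca.json can survive without anyone noticing. `rm -f config/ca.json config/expired-authz-purger2.json config/janitor.json` says "remove if present" directly and still exits non-zero on a genuine failure. Since the extended-timeout block later in this file no longer edits config/ca.json, a leftover copy would go unmaintained, which is a reason to prefer the loud form.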
@@ -49,12 +54,12 @@ if [ "$PKI_EXTENDED_TIMEOUT" == "1" ]; then
 sed -i -e "s/\"timeout\": \"20s\"/\"timeout\": \"40s\"/" config/wfe.json
 sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/wfe2.json
 sed -i -e "s/\"timeout\": \"20s\"/\"timeout\": \"40s\"/" config/wfe2.json
- sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/ca.json
 sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/expiration-mailer.json
 sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/ra.json
 sed -i -e "s/\"timeout\": \"20s\"/\"timeout\": \"40s\"/" config/ra.json
 sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/ocsp-updater.json
 sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/orphan-finder.json
+ sed -i -e "s/\"timeout\": \"1s\"/\"timeout\": \"5s\"/" config/health-checker.json
 fi
 sed -i -e "s/\"server\": \".*\"/\"server\": \"$PKI_EMAIL_SERVER\"/" config/bad-key-revoker.json
diff --git a/install b/install
index 9f494a3..747a0ec 100755
--- a/install
+++ b/install
@@ -24,7 +24,7 @@ dockerComposeVersion="1.28.5"
 labcaUrl="https://github.com/hakwerk/labca/"
 boulderUrl="https://github.com/letsencrypt/boulder/"
-boulderTag="release-2021-08-31"
+boulderTag="release-2021-11-09"
 #
 # Color configuration
@@ -52,6 +52,7 @@ source "$dn/utils.sh" &>/dev/null || true
 cmdlineFqdn=""
 cmdlineBranch=""
 fullCmdline=""
+keepLocal=0
 #
 # Helper functions for informing the user and logging to file
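Review bot: Dropping the config/ca.json line removes the CA's timeout extension without carrying it to config/ca-a.json and config/ca-b.json, which this script now edits elsewhere (the maxConnectionAge removal), so in extended-timeout mode every service except the CA keeps the short gRPC timeouts; if that is unintended, add `sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/ca-a.json` and the same for ca-b.json, assuming those files carry the same literal value. The new health-checker line shares the fragility of the rest of the block: it matches a literal `"1s"` and silently does nothing if the upstream default changes, so a `grep -q '"timeout": "1s"' config/health-checker.json || msg_info "health-checker timeout not found"` style check would make drift visible. The `if` block closes inside the hunk, but the code that exports PKI_EXTENDED_TIMEOUT lives in a different file.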
@@ -241,17 +242,24 @@ prompt_and_export() { # Parse the command line options, if any parse_cmdline() { fullCmdline="$@" - local parsed=$(getopt --options=n:,b: --longoptions=name:,fqdn:,branch: --name "$0" -- "$@" 2>>$installLog) || msg_fatal "Could not process commandline parameters" + local parsed=$(getopt --options=n:,b:,k --longoptions=name:,fqdn:,branch:,keep --name "$0" -- "$@" 2>>$installLog) || msg_fatal "Could not process commandline parameters" eval set -- "$parsed" while true; do case "$1" in -n|--name|--fqdn) cmdlineFqdn="$2" shift 2 + msg_ok "option: using FQDN name '$cmdlineFqdn'" ;; -b|--branch) cmdlineBranch="$2" shift 2 + msg_ok "option: using branch '$cmdlineBranch'" + ;; + -k|--keep) + keepLocal=1 + shift 1 + msg_ok "option: keeping local version as is" ;; --) shift @@ -428,6 +436,7 @@ static_web() { mkdir -p .well-known/acme-challenge mkdir -p crl + [ -e cert ] || ln -s certs cert cp -rp $cloneDir/www/* . sed -i -e "s|\[LABCA_CPS_LOCATION\]|http://$LABCA_FQDN/cps/|g" cps/index.html sed -i -e "s|\[LABCA_CERTS_LOCATION\]|http://$LABCA_FQDN/certs/|g" cps/index.html @@ -515,6 +524,8 @@ config_boulder() { [ ! -e "$boulderLabCADir/secrets/smtp_password_PRESERVE" ] || mv "$boulderLabCADir/secrets/smtp_password_PRESERVE" "$boulderLabCADir/secrets/smtp_password" chown -R labca:labca "$boulderLabCADir" + rm -rf authz-filler challtestsrv gsb-test-srv + msg_ok "$msg" msg="Configure the boulder application" msg_info "$msg" @@ -577,6 +588,7 @@ config_boulder() { mkdir -p "cmd/mail-tester" cp $cloneDir/mail-tester.go cmd/mail-tester/main.go + perl -i -p0e "s/(\n\t\"github.com\/letsencrypt\/boulder\/cmd\")/\t_ \"github.com\/letsencrypt\/boulder\/cmd\/mail-tester\"\n\t\1/igs" cmd/boulder/main.go &>>$installLog sudo -u labca -H patch -p1 < $cloneDir/patches/db_migrations.patch &>>$installLog cp sa/_db/migrations/20210223140000_CombinedSchema.sql "$boulderLabCADir/.backup/" 
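Review bot: `rm -rf authz-filler challtestsrv gsb-test-srv` uses bare relative paths while the neighbouring lines address everything through `$boulderLabCADir` and `$cloneDir`; the `cd` that is supposed to put the installer inside the boulder checkout is outside this hunk, so I cannot confirm it, and if it ever fails or moves, this deletes three directories from wherever the installer happens to be and `-f` hides the mistake. Anchoring the paths to the absolute checkout directory the function already knows, or preceding the line with a sanity check such as `[ -d cmd/boulder ] || msg_fatal "not inside the boulder checkout"`, makes the precondition explicit. config_boulder starts and ends outside the hunk.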
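Review bot: The perl edit of cmd/boulder/main.go is not idempotent: it inserts `_ "github.com/letsencrypt/boulder/cmd/mail-tester"` every time the `boulder/cmd` import matches, so a second run over an already-patched checkout (whether the installer can meet one is not visible here) produces a duplicate import and the boulder binary stops compiling. Guarding it with `grep -q 'cmd/mail-tester"' cmd/boulder/main.go || perl -i -p0e '...' cmd/boulder/main.go` makes the step safe to repeat. The replacement also puts the new import on the same line as whatever precedes the captured newline, because the string starts with `\t_` and only then emits `\1`; writing it as `\1\n\t_ \"github.com\/letsencrypt\/boulder\/cmd\/mail-tester\"` keeps the import block gofmt-clean. Its exit status is swallowed into the log as well, so a failed edit only surfaces when the build breaks; config_boulder continues beyond the hunk.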
@@ -591,17 +603,17 @@ config_boulder() {
 sed -i -e "s/test-ca2.pem/test-ca.pem/" config/ra.json
 sed -i -e "s/test-ca2.pem/test-ca.pem/" config/wfe.json
 sed -i -e "s/test-ca2.pem/test-ca.pem/" config/wfe2.json
- sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/akamai-purger.json
- sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ocsp-responder.json
- sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ocsp-updater.json
- sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/publisher.json
- sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ra.json
- sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/wfe.json
- sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/wfe2.json
- sed -i -e "s|/tmp/root-cert-rsa.pem|labca/test-root.pem|" config/publisher.json
- sed -i -e "s|/tmp/root-cert-rsa.pem|labca/test-root.pem|" integration-test.py
- sed -i -e "s|/tmp/root-cert-rsa.pem|labca/test-root.pem|" helpers.py
- sed -i -e "s|/tmp/root-cert-rsa.pem|labca/test-root.pem|" v1_integration.py
+ sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/akamai-purger.json
+ sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ocsp-responder.json
+ sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ocsp-updater.json
+ sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/publisher.json
+ sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ra.json
+ sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/wfe.json
+ sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/wfe2.json
+ sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" config/publisher.json
+ sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" integration-test.py
+ sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" helpers.py
+ sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" v1_integration.py
 sed -i -e "s/5001/443/g" config/va.json
 sed -i -e "s/5002/80/g" config/va.json
 sed -i -e "s/5001/443/g" config/va-remote-a.json
@@ -610,10 +622,10 @@ config_boulder() {
 sed -i -e "s/5002/80/g" config/va-remote-b.json
 sed -i -e "s|http://boulder:4000/terms/v1|http://$LABCA_FQDN/terms/v1|" config/wfe.json
 sed -i -e "s|https://boulder:4431/terms/v7|https://$LABCA_FQDN/terms/v1|" config/wfe2.json
- sed -i -e "s|http://boulder:4430/acme/issuer-cert|http://$LABCA_FQDN/acme/issuer-cert|" config/ca-a.json
- sed -i -e "s|http://boulder:4430/acme/issuer-cert|http://$LABCA_FQDN/acme/issuer-cert|" config/ca-b.json
- sed -i -e "s|http://127.0.0.1:4000/acme/issuer-cert|http://$LABCA_FQDN/acme/issuer-cert|" config/ca-a.json
- sed -i -e "s|http://127.0.0.1:4000/acme/issuer-cert|http://$LABCA_FQDN/acme/issuer-cert|" config/ca-b.json
+ sed -i -e "s|http://boulder:4430/acme/issuer-cert|http://$LABCA_FQDN/certs/ca-int.der|" config/ca-a.json
+ sed -i -e "s|http://boulder:4430/acme/issuer-cert|http://$LABCA_FQDN/certs/ca-int.der|" config/ca-b.json
+ sed -i -e "s|http://127.0.0.1:4000/acme/issuer-cert|http://$LABCA_FQDN/certs/ca-int.der|" config/ca-a.json
+ sed -i -e "s|http://127.0.0.1:4000/acme/issuer-cert|http://$LABCA_FQDN/certs/ca-int.der|" config/ca-b.json
 sed -i -e "s|http://boulder:4430/acme/issuer-cert|http://$LABCA_FQDN/acme/issuer-cert|" config/wfe2.json
 sed -i -e "s|http://127.0.0.1:4000/acme/issuer-cert|https://$LABCA_FQDN/acme/issuer-cert|" config/wfe2.json
 sed -i -e "s|http://127.0.0.1:4002/|http://$LABCA_FQDN/ocsp/|g" config/ca-a.json
@@ -622,8 +634,8 @@ config_boulder() { sed -i -e "s|http://example.com/cps|http://$LABCA_FQDN/cps/|g" config/ca-b.json sed -i -e "s|1.2.3.4|1.3.6.1.4.1.44947.1.1.1|g" config/ca-a.json sed -i -e "s|1.2.3.4|1.3.6.1.4.1.44947.1.1.1|g" config/ca-b.json - sed -i -e 's| "crl_url": "http://example.com/crl",||g' config/ca-a.json - sed -i -e 's| "crl_url": "http://example.com/crl",||g' config/ca-b.json + perl -i -p0e "s/(\s+\"crlURL\":[^\n]*)//igs" config/ca-a.json + perl -i -p0e "s/(\s+\"crlURL\":[^\n]*)//igs" config/ca-b.json sed -i -e "s/Do What Thou Wilt/This PKI is only meant for internal (lab) usage; do NOT use this on the open internet\!/g" config/ca-a.json sed -i -e "s/Do What Thou Wilt/This PKI is only meant for internal (lab) usage; do NOT use this on the open internet\!/g" config/ca-b.json sed -i -e "s/ocspURL.Path = encodedReq/ocspURL.Path += encodedReq/" ocsp/helper/helper.go @@ -665,6 +677,11 @@ config_boulder() { export PKI_EMAIL_FROM="Expiry bot " fi + local extended_timeout=$(grep extended_timeout $adminDir/data/config.json | grep true) + if [ "$extended_timeout" != "" ]; then + export PKI_EXTENDED_TIMEOUT=1 + fi + $adminDir/apply-boulder &>>$installLog else chown -R labca:labca "$boulderLabCADir" 
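Review bot: The perl regex removes the entire `"crlURL"` line including its trailing comma, which is only valid JSON when another member follows; that holds for the test config patched in this same diff (patches/test_config_ca_a.patch shows `"crlURL"` immediately before `"location"`), but an upstream reorder would leave a dangling comma that is only noticed when the CA rejects its config. Since nothing validates the result, following the two lines with `python3 -c 'import json;json.load(open("config/ca-a.json"));json.load(open("config/ca-b.json"))'` (or `jq`) lets the installer fail here instead. Removing crlURL also means issued certificates carry no CRL distribution point, so revocation checking relies solely on the OCSP URL rewritten a few lines above; that is acceptable for a lab CA but deserves a one-line comment such as `# lab CA publishes no CRL; revocation is OCSP-only` next to the edit.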
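Review bot: `grep extended_timeout $adminDir/data/config.json | grep true` is a substring test rather than a JSON lookup: it succeeds for any line containing both words, for instance `"extended_timeout": false, "other": true` if the file is ever written compactly, and `$adminDir` is unquoted. A tighter, still tool-free form is `grep -Eq '"extended_timeout"[[:space:]]*:[[:space:]]*true' "$adminDir/data/config.json" && export PKI_EXTENDED_TIMEOUT=1`; `jq -e '.extended_timeout == true'` would be exact if jq is present on the host, which is not visible here. The surrounding if/else begins and ends outside the hunk.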
@@ -715,11 +732,15 @@ startup() {
 msg_info "$msg (this will take a while!!)"
 docker-compose stop &>>$installLog || true
- [ -z "$(docker ps | grep boulder_bhsm_1)" ] || docker stop boulder_bhsm_1 &>>$installLog
+ for ct in boulder_bhsm_1 boulder_bredis_1 boulder_bredis_2 boulder_bredis_3 boulder_bredis_4 boulder_bredis_5 boulder_bredis_6; do
+ [ -z "$(docker ps | grep $ct)" ] || docker stop $ct &>>$installLog
+ done
 wait_down $PS_MYSQL &>>$installLog
 wait_down $PS_LABCA &>>$installLog
 wait_down $PS_BOULDER &>>$installLog
- [ -z "$(docker ps | grep boulder_bhsm_1)" ] || docker rm -f boulder_bhsm_1 &>>$installLog
+ for ct in boulder_bhsm_1 boulder_bredis_1 boulder_bredis_2 boulder_bredis_3 boulder_bredis_4 boulder_bredis_5 boulder_bredis_6; do
+ [ -z "$(docker ps -a | grep -e "$ct\$")" ] || docker rm -f $ct &>>$installLog
+ done
 docker-compose up -d &>>$installLog
 [ -h "/etc/init.d/labca" ] || ln -s "$cloneDir/init_d" /etc/init.d/labca
@@ -777,9 +798,11 @@ main() {
 [ ! -e "$cloneDir/cron_d" ] || chown labca:labca "$cloneDir/cron_d"
 parse_cmdline "$@"
- clone_or_pull "$cloneDir" "$labcaUrl" "$cmdlineBranch"
- checkout_release "$cmdlineBranch"
- restart_if_updated "$checksum"
+ if [ $keepLocal -eq 0 ]; then
+ clone_or_pull "$cloneDir" "$labcaUrl" "$cmdlineBranch"
+ checkout_release "$cmdlineBranch"
+ restart_if_updated "$checksum"
+ fi
 get_fqdn
 copy_admin
diff --git a/mail-tester.go b/mail-tester.go
index 3658f21..7e23c18 100644
--- a/mail-tester.go
+++ b/mail-tester.go
@@ -1,4 +1,4 @@
-package main
+package notmain
 import (
 "flag"
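Review bot: The stop loop detects a container with an unanchored `docker ps | grep $ct`, which also matches any other column (image, command, another container's name with the same prefix), while the rm loop right below anchors on `$ct\$`; the two should agree and neither needs to scrape the table. `[ -z "$(docker ps --format '{{.Names}}' | grep -x "$ct")" ] || docker stop "$ct" &>>$installLog` and the same with `docker ps -a --format '{{.Names}}'` for the rm loop give an exact whole-name match. The seven container names are also duplicated across the two loops; hoisting them into one `local extra_containers="boulder_bhsm_1 boulder_bredis_1 ... boulder_bredis_6"` keeps the lists from drifting when the next service is added. startup() continues outside the hunk.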
@@ -25,19 +25,38 @@ args:
 type config struct {
 Mailer struct {
 cmd.ServiceConfig
- cmd.DBConfig
+ DB cmd.DBConfig
 cmd.SMTPConfig
 From string
 Subject string
+ CertLimit int
+ NagTimes []string
+ // How much earlier (than configured nag intervals) to
+ // send reminders, to account for the expected delay
+ // before the next expiration-mailer invocation.
+ NagCheckInterval string
+ // Path to a text/template email template
+ EmailTemplate string
+
+ Frequency cmd.ConfigDuration
+
+ TLS cmd.TLSConfig
+ SAService *cmd.GRPCClientConfig
+ DNSTries int
 DNSResolvers []string
+ // Path to a file containing a list of trusted root certificates for use
+ // during the SMTP connection (as opposed to the gRPC connections).
+ SMTPTrustedRootFile string
+
 Features map[string]bool
 }
 Syslog cmd.SyslogConfig
+ Beeline cmd.BeelineConfig
 Common struct {
 DNSResolver string
@@ -54,13 +73,13 @@ func main() {
 configFile := flag.String("config", "", "File path to the configuration file for this service")
 flag.Parse()
- args := flag.Args()
- recipient := args[0]
-
 if len(os.Args) <= 3 || *configFile == "" {
 usage()
 }
+ args := flag.Args()
+ recipient := args[0]
+
 var c config
 err := cmd.ReadConfigFile(*configFile, &c)
 cmd.FailOnError(err, "Reading JSON config file into config structure")
@@ -126,3 +145,7 @@ func main() {
 err = mailClient.SendMail(recipients, "Test Email from LabCA", "Test sending email from the LabCA server")
 cmd.FailOnError(err, "mail-tester has failed")
 }
+
+func init() {
+ cmd.RegisterCommand("mail-tester", main)
+}
diff --git a/patches/cmd_shell.patch b/patches/cmd_shell.patch
index e082fac..ec343b0 100644
--- a/patches/cmd_shell.patch
+++ b/patches/cmd_shell.patch
@@ -2,7 +2,7 @@ diff --git a/cmd/shell.go b/cmd/shell.go
 index 38f1edaf4..795815483 100644
 --- a/cmd/shell.go
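Review bot: Moving `recipient := args[0]` below the `usage()` call fixes the index panic, but the guard still counts raw `os.Args` (`len(os.Args) <= 3`) instead of what flag actually parsed; now that main is registered via `cmd.RegisterCommand` and may be reached through the boulder multi-command binary, the argv length depends on how that dispatcher rewrites os.Args (not visible here), and an invocation padded with an extra flag but no recipient still panics. Checking the parsed result is both simpler and invocation-independent: `args := flag.Args(); if *configFile == "" || len(args) < 1 { usage() }; recipient := args[0]`. The struct hunk adds fields (CertLimit, NagTimes, Frequency, TLS, SAService, Beeline…) that this tester never reads, presumably so the expiration-mailer JSON decodes unchanged; a comment above `Mailer struct {` saying `// mirrors cmd/expiration-mailer's config so the same JSON file can be reused; only the SMTP, DNS and DB fields are used here` would save the next reader from hunting for their use. main's body extends beyond the second hunk.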
+++ b/cmd/shell.go -@@ -163,7 +163,7 @@ func NewLogger(logConf SyslogConfig) blog.Logger { +@@ -165,7 +165,7 @@ func NewLogger(logConf SyslogConfig) blog.Logger { // Boulder's conception of time. go func() { for { diff --git a/patches/config_expiration-mailer.patch b/patches/config_expiration-mailer.patch index fe02054..474a431 100644 --- a/patches/config_expiration-mailer.patch +++ b/patches/config_expiration-mailer.patch @@ -2,7 +2,7 @@ diff --git a/test/config/expiration-mailer.json b/test/config/expiration-mailer. index 4519fe4d..f52a408c 100644 --- a/test/config/expiration-mailer.json +++ b/test/config/expiration-mailer.json -@@ -13,6 +13,11 @@ +@@ -14,6 +14,11 @@ "nagCheckInterval": "24h", "emailTemplate": "test/example-expiration-template", "debugAddr": ":8008", @@ -14,7 +14,7 @@ index 4519fe4d..f52a408c 100644 "tls": { "caCertFile": "test/grpc-creds/minica.pem", "certFile": "test/grpc-creds/expiration-mailer.boulder/cert.pem", -@@ -33,5 +38,9 @@ +@@ -34,5 +39,9 @@ "beeline": { "mute": true, "dataset": "Test" diff --git a/patches/config_ocsp-responder.patch b/patches/config_ocsp-responder.patch index 7d1e9ac..971d05c 100644 --- a/patches/config_ocsp-responder.patch +++ b/patches/config_ocsp-responder.patch @@ -1,15 +1,15 @@ diff --git a/test/config/ocsp-responder.json b/test/config/ocsp-responder.json -index fd2c4a8..a5e65d2 100644 +index ed874d3..a1a78f3 100644 --- a/test/config/ocsp-responder.json +++ b/test/config/ocsp-responder.json @@ -7,9 +7,7 @@ "path": "/", "listenAddress": "0.0.0.0:4002", "issuerCerts": [ -- "/tmp/intermediate-cert-rsa-a.pem", -- "/tmp/intermediate-cert-rsa-b.pem", -- "/tmp/intermediate-cert-ecdsa-a.pem" -+ "/tmp/intermediate-cert-rsa-a.pem" +- "/hierarchy/intermediate-cert-rsa-a.pem", +- "/hierarchy/intermediate-cert-rsa-b.pem", +- "/hierarchy/intermediate-cert-ecdsa-a.pem" ++ "/hierarchy/intermediate-cert-rsa-a.pem" ], "maxAge": "10s", "timeout": "4.9s", 
diff --git a/patches/config_publisher.patch b/patches/config_publisher.patch index f22ae0b..28d9fc8 100644 --- a/patches/config_publisher.patch +++ b/patches/config_publisher.patch @@ -1,23 +1,23 @@ diff --git a/test/config/publisher.json b/test/config/publisher.json -index 6c75f71..54fb877 100644 +index 6e0337c..1e5ed7b 100644 --- a/test/config/publisher.json +++ b/test/config/publisher.json @@ -6,18 +6,6 @@ [ - "/tmp/intermediate-cert-rsa-a.pem", - "/tmp/root-cert-rsa.pem" + "/hierarchy/intermediate-cert-rsa-a.pem", + "/hierarchy/root-cert-rsa.pem" - ], - [ -- "/tmp/intermediate-cert-rsa-b.pem", -- "/tmp/root-cert-rsa.pem" +- "/hierarchy/intermediate-cert-rsa-b.pem", +- "/hierarchy/root-cert-rsa.pem" - ], - [ -- "/tmp/intermediate-cert-ecdsa-a.pem", -- "/tmp/root-cert-ecdsa.pem" +- "/hierarchy/intermediate-cert-ecdsa-a.pem", +- "/hierarchy/root-cert-ecdsa.pem" - ], - [ -- "/tmp/intermediate-cert-ecdsa-b.pem", -- "/tmp/root-cert-ecdsa.pem" +- "/hierarchy/intermediate-cert-ecdsa-b.pem", +- "/hierarchy/root-cert-ecdsa.pem" ] ], "debugAddr": ":8009", diff --git a/patches/core_interfaces.patch b/patches/core_interfaces.patch index 8a7fa56..da24fea 100644 --- a/patches/core_interfaces.patch +++ b/patches/core_interfaces.patch @@ -2,11 +2,9 @@ diff --git a/core/interfaces.go b/core/interfaces.go index d19eb4fb8..3ae50d737 100644 --- a/core/interfaces.go +++ b/core/interfaces.go -@@ -91,6 +91,7 @@ type PolicyAuthority interface { +@@ -50,4 +50,5 @@ type PolicyAuthority interface { WillingToIssueWildcards(identifiers []identifier.ACMEIdentifier) error ChallengesFor(domain identifier.ACMEIdentifier) ([]Challenge, error) ChallengeTypeEnabled(t AcmeChallenge) bool + ValidEmail(address string) error } - - // StorageGetter are the Boulder SA's read-only methods diff --git a/patches/docker-compose.patch b/patches/docker-compose.patch index 2bd7a87..b2b7314 100644 --- a/patches/docker-compose.patch +++ b/patches/docker-compose.patch @@ -1,9 +1,9 @@ 
diff --git a/docker-compose.yml b/docker-compose.yml -index 713667d60..0a384c8ab 100644 +index f515225e4..c1d54f235 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -4,10 +4,11 @@ services: - image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.16.6_2021-07-12} + image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.17_2021-10-22} environment: FAKE_DNS: 10.77.77.77 - BOULDER_CONFIG_DIR: test/config @@ -13,12 +13,12 @@ index 713667d60..0a384c8ab 100644 - .:/go/src/github.com/letsencrypt/boulder:cached + - /home/labca/boulder_labca:/go/src/github.com/letsencrypt/boulder/labca - ./.gocache:/root/.cache/go-build:cached - networks: - bluenet: -@@ -49,11 +50,19 @@ services: - - 8055:8055 # dns-test-srv updates + - ./.hierarchy:/hierarchy/:cached + - ./.softhsm-tokens/:/var/lib/softhsm/tokens/:cached +@@ -36,11 +37,19 @@ services: depends_on: - bmysql + - bredis_clusterer - entrypoint: test/entrypoint.sh + entrypoint: labca/entrypoint.sh working_dir: &boulder_working_dir /go/src/github.com/letsencrypt/boulder @@ -36,7 +36,7 @@ index 713667d60..0a384c8ab 100644 networks: bluenet: aliases: -@@ -67,22 +76,37 @@ services: +@@ -54,7 +63,11 @@ services: # small. command: mysqld --bind-address=0.0.0.0 --slow-query-log --log-output=TABLE --log-queries-not-using-indexes=ON logging: @@ -47,6 +47,12 @@ index 713667d60..0a384c8ab 100644 + max-file: "5" + restart: always + bredis_1: + image: redis:latest +@@ -129,18 +142,31 @@ services: + aliases: + - boulder-redis-clusterer + - netaccess: + labca: image: *boulder_image @@ -67,8 +73,8 @@ index 713667d60..0a384c8ab 100644 + - /home/labca/boulder_labca:/boulder/labca + ports: + - 3000:3000 - depends_on: - - bmysql ++ depends_on: ++ - bmysql + working_dir: /go/src/labca + command: ./setup.sh + logging: diff --git a/patches/entrypoint.patch b/patches/entrypoint.patch index aca8e21..2c1f59b 100644 --- a/patches/entrypoint.patch +++ b/patches/entrypoint.patch @@ -2,7 +2,7 @@ 
diff --git a/test/entrypoint.sh b/test/entrypoint.sh index 5ca9929..f18e1d8 100755 --- a/test/entrypoint.sh +++ b/test/entrypoint.sh -@@ -36,6 +36,18 @@ wait_tcp_port boulder-mysql 3306 +@@ -17,6 +17,18 @@ wait_tcp_port boulder-mysql 3306 # create the database MYSQL_CONTAINER=1 $DIR/create_db.sh diff --git a/patches/expiration-mailer_main.patch b/patches/expiration-mailer_main.patch index 06f172d..3b87d03 100644 --- a/patches/expiration-mailer_main.patch +++ b/patches/expiration-mailer_main.patch @@ -1,16 +1,16 @@ diff --git a/cmd/expiration-mailer/main.go b/cmd/expiration-mailer/main.go -index f6b02976e..0b00b794d 100644 +index 862ed2fe7..e8b0aac3d 100644 --- a/cmd/expiration-mailer/main.go +++ b/cmd/expiration-mailer/main.go -@@ -20,6 +20,7 @@ import ( - "github.com/honeycombio/beeline-go" +@@ -22,6 +22,7 @@ import ( "github.com/jmhodges/clock" + "google.golang.org/grpc" + "github.com/letsencrypt/boulder/bdns" "github.com/letsencrypt/boulder/cmd" "github.com/letsencrypt/boulder/core" corepb "github.com/letsencrypt/boulder/core/proto" -@@ -36,7 +37,7 @@ import ( +@@ -38,7 +39,7 @@ import ( const ( defaultNagCheckInterval = 24 * time.Hour @@ -19,7 +19,7 @@ index f6b02976e..0b00b794d 100644 ) type regStore interface { -@@ -385,6 +386,9 @@ type config struct { +@@ -408,6 +409,9 @@ type config struct { TLS cmd.TLSConfig SAService *cmd.GRPCClientConfig @@ -29,7 +29,7 @@ index f6b02976e..0b00b794d 100644 // Path to a file containing a list of trusted root certificates for use // during the SMTP connection (as opposed to the gRPC connections). SMTPTrustedRootFile string -@@ -394,6 +398,12 @@ type config struct { +@@ -417,6 +421,12 @@ type config struct { Syslog cmd.SyslogConfig Beeline cmd.BeelineConfig 
@@ -42,9 +42,9 @@ index f6b02976e..0b00b794d 100644 } func initStats(stats prometheus.Registerer) mailerStats { -@@ -511,6 +521,32 @@ func main() { +@@ -534,6 +544,32 @@ func main() { cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA") - sac := bgrpc.NewStorageAuthorityClient(sapb.NewStorageAuthorityClient(conn)) + sac := sapb.NewStorageAuthorityClient(conn) + dnsTimeout, err := time.ParseDuration(c.Common.DNSTimeout) + cmd.FailOnError(err, "Couldn't parse DNS timeout") @@ -75,7 +75,7 @@ index f6b02976e..0b00b794d 100644 var smtpRoots *x509.CertPool if c.Mailer.SMTPTrustedRootFile != "" { pem, err := ioutil.ReadFile(c.Mailer.SMTPTrustedRootFile) -@@ -546,6 +582,7 @@ func main() { +@@ -569,6 +605,7 @@ func main() { c.Mailer.Username, smtpPassword, smtpRoots, diff --git a/patches/log-validator_main.patch b/patches/log-validator_main.patch index dc811d5..818786a 100644 --- a/patches/log-validator_main.patch +++ b/patches/log-validator_main.patch @@ -1,8 +1,8 @@ diff --git a/cmd/log-validator/main.go b/cmd/log-validator/main.go -index fdab2ac6..bb136880 100644 +index 24df67e90..565de0c3c 100644 --- a/cmd/log-validator/main.go +++ b/cmd/log-validator/main.go -@@ -52,8 +52,8 @@ func lineValid(text string) error { +@@ -65,8 +65,8 @@ func lineValid(text string) error { if strings.Contains(text, errorPrefix) { return nil } diff --git a/patches/policy_pa.patch b/patches/policy_pa.patch index a86fbdd..736bd06 100644 --- a/patches/policy_pa.patch +++ b/patches/policy_pa.patch @@ -1,5 +1,5 @@ diff --git a/policy/pa.go b/policy/pa.go -index 7950970f4..03cfb937e 100644 +index 7dd9c37cd..43410e3f9 100644 --- a/policy/pa.go +++ b/policy/pa.go @@ -31,6 +31,8 @@ type AuthorityImpl struct { @@ -42,7 +42,7 @@ index 7950970f4..03cfb937e 100644 pa.blocklistMu.Unlock() return nil } -@@ -215,7 +230,7 @@ var ( +@@ -213,7 +228,7 @@ var ( // * exactly equal to an IANA registered TLD // // It does _not_ check that the domain isn't on any PA blocked lists. 
@@ -51,7 +51,7 @@ index 7950970f4..03cfb937e 100644 if domain == "" { return errEmptyName } -@@ -282,6 +297,14 @@ func ValidDomain(domain string) error { +@@ -289,6 +304,14 @@ func ValidDomain(domain string) error { } } @@ -66,7 +66,7 @@ index 7950970f4..03cfb937e 100644 // Names must end in an ICANN TLD, but they must not be equal to an ICANN TLD. icannTLD, err := iana.ExtractSuffix(domain) if err != nil { -@@ -309,7 +332,7 @@ var forbiddenMailDomains = map[string]bool{ +@@ -316,7 +339,7 @@ var forbiddenMailDomains = map[string]bool{ // ValidEmail returns an error if the input doesn't parse as an email address, // the domain isn't a valid hostname in Preferred Name Syntax, or its on the // list of domains forbidden for mail (because they are often used in examples). @@ -75,7 +75,7 @@ index 7950970f4..03cfb937e 100644 email, err := mail.ParseAddress(address) if err != nil { if len(address) > 254 { -@@ -319,7 +342,7 @@ func ValidEmail(address string) error { +@@ -326,7 +349,7 @@ func ValidEmail(address string) error { } splitEmail := strings.SplitN(email.Address, "@", -1) domain := strings.ToLower(splitEmail[len(splitEmail)-1]) @@ -84,7 +84,7 @@ index 7950970f4..03cfb937e 100644 return berrors.InvalidEmailError( "contact email %q has invalid domain : %s", email.Address, err) -@@ -358,10 +381,14 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error { +@@ -365,10 +388,14 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error { } domain := id.Value @@ -100,7 +100,7 @@ index 7950970f4..03cfb937e 100644 // Require no match against hostname block lists if err := pa.checkHostLists(domain); err != nil { return err -@@ -370,6 +397,31 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error { +@@ -377,6 +404,31 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error { return nil } diff --git a/patches/ra_ra.patch b/patches/ra_ra.patch index 18541c8..8a5f7ff 100644 
--- a/patches/ra_ra.patch +++ b/patches/ra_ra.patch @@ -1,5 +1,5 @@ diff --git a/ra/ra.go b/ra/ra.go -index 1023d0232..3f8d86d87 100644 +index 275e64a95..873d5c943 100644 --- a/ra/ra.go +++ b/ra/ra.go @@ -31,7 +31,6 @@ import ( @@ -10,7 +10,7 @@ index 1023d0232..3f8d86d87 100644 "github.com/letsencrypt/boulder/probs" pubpb "github.com/letsencrypt/boulder/publisher/proto" rapb "github.com/letsencrypt/boulder/ra/proto" -@@ -435,7 +434,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(ctx context.Context, conta +@@ -444,7 +443,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(ctx context.Context, conta contact, ) } diff --git a/patches/startservers.patch b/patches/startservers.patch index 332fc8b..1ee694c 100644 --- a/patches/startservers.patch +++ b/patches/startservers.patch @@ -1,5 +1,5 @@ diff --git a/test/startservers.py b/test/startservers.py -index ec8ada190..be5b7a2f2 100644 +index 0df56a4..14aa548 100644 --- a/test/startservers.py +++ b/test/startservers.py @@ -146,6 +146,9 @@ processes = [] @@ -9,6 +9,6 @@ index ec8ada190..be5b7a2f2 100644 + pass + +def setupHierarchyOriginal(): + """Set up the issuance hierarchy. Must have called install() before this.""" e = os.environ.copy() e.setdefault("GOBIN", "%s/bin" % os.getcwd()) - try: diff --git a/patches/test_config_ca_a.patch b/patches/test_config_ca_a.patch index 1e54b15..0bb1249 100644 --- a/patches/test_config_ca_a.patch +++ b/patches/test_config_ca_a.patch @@ -1,12 +1,12 @@ diff --git a/test/config/ca-a.json b/test/config/ca-a.json -index 92b32f094..e220d7d4f 100644 +index 0be07e4..cd5de49 100644 --- a/test/config/ca-a.json +++ b/test/config/ca-a.json @@ -60,19 +60,7 @@ "crlURL": "http://example.com/crl", "location": { "configFile": "test/test-ca.key-pkcs11.json", -- "certFile": "/tmp/intermediate-cert-rsa-a.pem", +- "certFile": "/hierarchy/intermediate-cert-rsa-a.pem", - "numSessions": 2 - } - }, 
@@ -18,7 +18,7 @@ index 92b32f094..e220d7d4f 100644 - "crlURL": "http://example.com/crl", - "location": { - "configFile": "test/test-ca.key-pkcs11.json", -- "certFile": "/tmp/intermediate-cert-rsa-b.pem", +- "certFile": "/hierarchy/intermediate-cert-rsa-b.pem", + "certFile": "test/test-ca.pem", "numSessions": 2 } diff --git a/patches/test_config_ca_b.patch b/patches/test_config_ca_b.patch index beb0a85..1ba90a2 100644 --- a/patches/test_config_ca_b.patch +++ b/patches/test_config_ca_b.patch @@ -1,12 +1,12 @@ diff --git a/test/config/ca-b.json b/test/config/ca-b.json -index 6c7d9d272..4e428bc4a 100644 +index baf5483..0aa6fd4 100644 --- a/test/config/ca-b.json +++ b/test/config/ca-b.json @@ -60,19 +60,7 @@ "crlURL": "http://example.com/crl", "location": { "configFile": "test/test-ca.key-pkcs11.json", -- "certFile": "/tmp/intermediate-cert-rsa-a.pem", +- "certFile": "/hierarchy/intermediate-cert-rsa-a.pem", - "numSessions": 2 - } - }, @@ -18,7 +18,7 @@ index 6c7d9d272..4e428bc4a 100644 - "crlURL": "http://example.com/crl", - "location": { - "configFile": "test/test-ca.key-pkcs11.json", -- "certFile": "/tmp/intermediate-cert-rsa-b.pem", +- "certFile": "/hierarchy/intermediate-cert-rsa-b.pem", + "certFile": "test/test-ca.pem", "numSessions": 2 }