diff --git a/bad-key-revoker_main.patch b/bad-key-revoker_main.patch
new file mode 100644
index 0000000..b4d448c
--- /dev/null
+++ b/bad-key-revoker_main.patch
@@ -0,0 +1,74 @@ +diff --git a/cmd/bad-key-revoker/main.go b/cmd/bad-key-revoker/main.go +index 33ad8cdfb..3aaa489c9 100644 +--- a/cmd/bad-key-revoker/main.go ++++ b/cmd/bad-key-revoker/main.go +@@ -13,6 +13,7 @@ import ( + "strings" + "time" + ++ "github.com/letsencrypt/boulder/bdns" + "github.com/letsencrypt/boulder/cmd" + "github.com/letsencrypt/boulder/core" + corepb "github.com/letsencrypt/boulder/core/proto" +@@ -348,6 +349,9 @@ func main() { + TLS cmd.TLSConfig + RAService *cmd.GRPCClientConfig + ++ DNSTries int ++ DNSResolvers []string ++ + // MaximumRevocations specifies the maximum number of certificates associated with + // a key hash that bad-key-revoker will attempt to revoke. If the number of certificates + // is higher than MaximumRevocations bad-key-revoker will error out and refuse to +@@ -374,6 +378,12 @@ func main() { + } + + Syslog cmd.SyslogConfig ++ ++ Common struct { ++ DNSResolver string ++ DNSTimeout string ++ DNSAllowLoopbackAddresses bool ++ } + } + configPath := flag.String("config", "", "File path to the configuration file for this service") + flag.Parse() +@@ -407,6 +417,30 @@ func main() { + cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to RA") + rac := rapb.NewRegistrationAuthorityClient(conn) + ++ dnsTimeout, err := time.ParseDuration(config.Common.DNSTimeout) ++ cmd.FailOnError(err, "Couldn't parse DNS timeout") ++ dnsTries := config.BadKeyRevoker.DNSTries ++ if dnsTries < 1 { ++ dnsTries = 1 ++ } ++ var resolver bdns.DNSClient ++ if len(config.Common.DNSResolver) != 0 { ++ config.BadKeyRevoker.DNSResolvers = append(config.BadKeyRevoker.DNSResolvers, config.Common.DNSResolver) ++ } ++ if !config.Common.DNSAllowLoopbackAddresses { ++ r := bdns.NewDNSClientImpl( ++ dnsTimeout, ++ config.BadKeyRevoker.DNSResolvers, ++ scope, ++ clk, ++ dnsTries, ++ logger) ++ resolver = r ++ } else { ++ r := bdns.NewTestDNSClientImpl(dnsTimeout, config.BadKeyRevoker.DNSResolvers, scope, clk, dnsTries, logger) ++ resolver 
= r ++ } ++ + var smtpRoots *x509.CertPool + if config.BadKeyRevoker.Mailer.SMTPTrustedRootFile != "" { + pem, err := ioutil.ReadFile(config.BadKeyRevoker.Mailer.SMTPTrustedRootFile) +@@ -428,6 +462,7 @@ func main() { + config.BadKeyRevoker.Mailer.Username, + smtpPassword, + smtpRoots, ++ resolver, + *fromAddress, + logger, + scope, diff --git a/config_bad-key-revoker.patch b/config_bad-key-revoker.patch new file mode 100644 index 0000000..9ad58fd --- /dev/null +++ b/config_bad-key-revoker.patch @@ -0,0 +1,32 @@ +diff --git a/test/config/bad-key-revoker.json b/test/config/bad-key-revoker.json +index 7d1b704..1bead8d 100644 +--- a/test/config/bad-key-revoker.json ++++ b/test/config/bad-key-revoker.json +@@ -3,6 +3,10 @@ + "dbConnectFile": "labca/secrets/badkeyrevoker_dburl", + "maxDBConns": 10, + "debugAddr": ":8020", ++ "dnsTries": 3, ++ "dnsResolvers": [ ++ "127.0.0.1:8053", ++ "127.0.0.1:8054" ++ ], + "tls": { + "caCertFile": "labca/grpc-creds/minica.pem", + "certFile": "labca/grpc-creds/bad-key-revoker.boulder/cert.pem", +@@ -24,10 +28,14 @@ + }, + "maximumRevocations": 15, + "findCertificatesBatchSize": 10, +- "interval": "1s" ++ "interval": "1h" + }, + "syslog": { + "stdoutlevel": 6, + "sysloglevel": 4 ++ }, ++ "common": { ++ "dnsTimeout": "3s", ++ "dnsAllowLoopbackAddresses": true + } + } diff --git a/config_expiration-mailer.patch b/config_expiration-mailer.patch index 1d05693..771c885 100644 --- a/config_expiration-mailer.patch +++ b/config_expiration-mailer.patch @@ -17,7 +17,7 @@ index 444beae43..e9bd228ef 100644 @@ -28,5 +33,10 @@ "syslog": { "stdoutlevel": 6, - "sysloglevel": 4 + "sysloglevel": 6 + }, + + "common": { diff --git a/docker-compose.patch b/docker-compose.patch index c60c8ce..761a14c 100644 --- a/docker-compose.patch +++ b/docker-compose.patch @@ -1,5 +1,5 @@ diff --git a/docker-compose.yml b/docker-compose.yml -index e34704a4d..46365bdcf 100644 +index e67d892a6..9b097c8b6 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
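Review bot: The resolver list is never validated before `bdns.NewDNSClientImpl`/`bdns.NewTestDNSClientImpl` are called in the block added after the RA client setup, so a config with an empty `dnsResolvers` and no `common.dnsResolver` starts cleanly and only fails on the first SMTP host lookup. I would fail fast next to the other startup checks, e.g. `if len(config.BadKeyRevoker.DNSResolvers) == 0 { cmd.Fail("no DNS resolvers configured for bad-key-revoker") }` (or the equivalent `cmd.FailOnError` call if `cmd.Fail` is not available in this Boulder tag). The `dnsAllowLoopbackAddresses` branch also deserves a comment, because by name `bdns.NewTestDNSClientImpl` appears to be Boulder's test-only client and presumably the one that does not reject loopback/private answers; something like `// LabCA's SMTP relay is usually on a private or loopback address, which the production DNS client rejects; the test client is selected deliberately.` — confirm that is really how the two constructors differ before stating it. Note that `time.ParseDuration(config.Common.DNSTimeout)` runs unconditionally, so a config file without `common.dnsTimeout` exits with "Couldn't parse DNS timeout" instead of a clear missing-field message; `main` extends beyond the inner hunks shown in this patch.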
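Review bot: `dnsResolvers` set to 127.0.0.1:8053 and 127.0.0.1:8054 together with `dnsAllowLoopbackAddresses: true` looks like Boulder's test-environment resolver setup rather than something a real LabCA deployment can use; unless the LabCA stack actually runs a resolver on those ports, SMTP host lookups in bad-key-revoker will fail once this config is applied. Confirm what listens there, or point the entries at the host's resolver. The `interval` change from `1s` to `1h` also means that a key added to the blocked-keys table can keep its certificates unrevoked for up to an hour; that may be the intended load trade-off, but it is security-relevant and should be stated in the LabCA docs since JSON gives no room for a comment. Note that the `install` script in this same change adds the line that applies this patch commented out, so it is unclear whether these values ever reach a running instance.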
@@ -6,7 +6,7 @@ services: @@ -19,13 +19,19 @@ index e34704a4d..46365bdcf 100644 - ./.gocache:/root/.cache/go-build networks: bluenet: -@@ -54,8 +55,14 @@ services: +@@ -54,7 +55,7 @@ services: depends_on: - bhsm - bmysql - entrypoint: test/entrypoint.sh + entrypoint: labca/entrypoint.sh working_dir: /go/src/github.com/letsencrypt/boulder + # This works around a kernel bug that is tickled by Go 1.14: + # https://github.com/golang/go/issues/37436 +@@ -63,6 +64,12 @@ services: + memlock: + soft: -1 + hard: -1 + logging: + driver: "json-file" + options: @@ -34,8 +40,8 @@ index e34704a4d..46365bdcf 100644 + restart: always bhsm: # To minimize fetching this should be the same version used above - image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.13.2}:2020-04-08 -@@ -68,8 +75,16 @@ services: + image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.14.1}:2020-04-23 +@@ -75,8 +82,16 @@ services: bluenet: aliases: - boulder-hsm @@ -52,7 +58,7 @@ index e34704a4d..46365bdcf 100644 networks: bluenet: aliases: -@@ -83,20 +98,36 @@ services: +@@ -90,20 +105,36 @@ services: # small. command: mysqld --bind-address=0.0.0.0 --slow-query-log --log-output=TABLE --log-queries-not-using-indexes=ON logging: @@ -64,7 +70,7 @@ index e34704a4d..46365bdcf 100644 + max-file: "5" + restart: always + labca: - image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.13.2}:2020-04-08 + image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.14.1}:2020-04-23 - environment: - GO111MODULE: "on" - GOFLAGS: "-mod=vendor" diff --git a/install b/install index 93c0a1f..874daa9 100755 --- a/install +++ b/install @@ -24,7 +24,7 @@ dockerComposeVersion="1.22.0" labcaUrl="https://github.com/hakwerk/labca/" boulderUrl="https://github.com/letsencrypt/boulder/" -boulderTag="release-2020-04-13" +boulderTag="release-2020-04-27" # # Color configuration 
@@ -492,10 +492,14 @@ config_boulder() { sudo -u labca patch -p1 < $cloneDir/notify-mailer_main.patch &>>$installLog cp cmd/notify-mailer/main.go "$boulderLabCADir/.backup/" + sudo -u labca patch -p1 < $cloneDir/bad-key-revoker_main.patch &>>$installLog + cp cmd/bad-key-revoker/main.go "$boulderLabCADir/.backup/" + sudo -u labca patch -p1 -o "$boulderLabCADir/config/ca-a.json" < $cloneDir/test_config_ca_a.patch &>>$installLog sudo -u labca patch -p1 -o "$boulderLabCADir/config/ca-b.json" < $cloneDir/test_config_ca_b.patch &>>$installLog sudo -u labca patch -p1 -o "$boulderLabCADir/config/expiration-mailer.json" < $cloneDir/config_expiration-mailer.patch &>>$installLog + #sudo -u labca patch -p1 -o "$boulderLabCADir/config/bad-key-revoker.json" < $cloneDir/config_bad-key-revoker.patch &>>$installLog sed -i -e "s|https://letsencrypt.org/docs/rate-limits/|http://$LABCA_FQDN/rate-limits|" errors/errors.go &>>$installLog cp errors/errors.go "$boulderLabCADir/.backup/" diff --git a/mail_mailer.patch b/mail_mailer.patch index e3a3aa0..33fcb4c 100644 --- a/mail_mailer.patch +++ b/mail_mailer.patch @@ -63,7 +63,7 @@ index de6b1de20..60c58128b 100644 + addrs, err := di.dnsClient.LookupHost(ctx, di.server) if err != nil { - return nil, err -+ problem := probs.DNS("%v", err) ++ problem := probs.DNS("%v") + return nil, problem } - client, err := smtp.NewClient(conn, di.server)
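Review bot: The new `bad-key-revoker_main.patch` is applied unconditionally, but the line that applies `config_bad-key-revoker.patch` is added commented out, so the patched binary will read `config.Common.DNSTimeout` from a config that does not define it and `time.ParseDuration("")` fails at startup with "Couldn't parse DNS timeout" — unless the LabCA setup writes that `common` section somewhere else. Either enable the line, `sudo -u labca patch -p1 -o "$boulderLabCADir/config/bad-key-revoker.json" < $cloneDir/config_bad-key-revoker.patch &>>$installLog`, or add a comment saying why it is disabled and where the `common` section is expected to come from. The `patch` invocations also send both output and exit status into `$installLog` with no check, so a rejected hunk in the new patch would go unnoticed; that pattern predates this change, but the new lines repeat it. `config_boulder()` starts and ends outside the hunk.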
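Review bot: Dropping `err` from `probs.DNS("%v", err)` leaves `probs.DNS("%v")`, so the problem detail becomes the literal format string (rendered by Go as `%!v(MISSING)` if the function still formats) and the reason the SMTP host lookup failed disappears from the returned error and the logs. If this was done because `probs.DNS` in the new Boulder tag now takes a single `detail string`, pass the rendered error instead: `problem := probs.DNS(err.Error())`, or `probs.DNS(fmt.Sprintf("%v", err))` if `fmt` is already imported in mail/mailer.go. The enclosing function starts and ends outside the hunk.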