github-personal/labca
1
0
Fork 0
mirror of https://github.com/outbackdingo/labca.git synced 2026-01-27 10:19:34 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'release/20.09'

Browse Source 
* release/20.09:
  Bump boulder version to release-2020-09-09
  Bump boulder version to release-2020-08-18
  Bump boulder version to release-2020-07-13
  Bump boulder version to release-2020-06-08
  Bump boulder version to release-2020-06-08
  Bump boulder version to release-2020-05-18
  Bump boulder version to release-2020-04-27
  Cosmetic: fix audit log truncation issue
  Cosmetic: nicer spacing between buttons; debug versions are newer so do not report them as older
This commit is contained in:
Arjan H
2020-09-12 09:28:16 +02:00
parent cc766c5bd5 c3da7d6d44
commit 2fc5ab55a2
21 changed files with 383 additions and 75 deletions
Download Patch File Download Diff File Expand all files Collapse all files

74
bad-key-revoker_main.patch Normal file
View File

@@ -0,0 +1,74 @@
diff --git a/cmd/bad-key-revoker/main.go b/cmd/bad-key-revoker/main.go
index 563ce678c..1e53d875c 100644
--- a/cmd/bad-key-revoker/main.go
+++ b/cmd/bad-key-revoker/main.go
@@ -13,6 +13,7 @@ import (
"strings"
"time"
+ "github.com/letsencrypt/boulder/bdns"
"github.com/letsencrypt/boulder/cmd"
"github.com/letsencrypt/boulder/core"
corepb "github.com/letsencrypt/boulder/core/proto"
@@ -345,6 +346,9 @@ func main() {
TLS cmd.TLSConfig
RAService *cmd.GRPCClientConfig
+ DNSTries int
+ DNSResolvers []string
+
// MaximumRevocations specifies the maximum number of certificates associated with
// a key hash that bad-key-revoker will attempt to revoke. If the number of certificates
// is higher than MaximumRevocations bad-key-revoker will error out and refuse to
@@ -371,6 +375,12 @@ func main() {
}
Syslog cmd.SyslogConfig
+
+ Common struct {
+ DNSResolver string
+ DNSTimeout string
+ DNSAllowLoopbackAddresses bool
+ }
}
configPath := flag.String("config", "", "File path to the configuration file for this service")
flag.Parse()
@@ -404,6 +414,30 @@ func main() {
cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to RA")
rac := rapb.NewRegistrationAuthorityClient(conn)
+ dnsTimeout, err := time.ParseDuration(config.Common.DNSTimeout)
+ cmd.FailOnError(err, "Couldn't parse DNS timeout")
+ dnsTries := config.BadKeyRevoker.DNSTries
+ if dnsTries < 1 {
+ dnsTries = 1
+ }
+ var resolver bdns.DNSClient
+ if len(config.Common.DNSResolver) != 0 {
+ config.BadKeyRevoker.DNSResolvers = append(config.BadKeyRevoker.DNSResolvers, config.Common.DNSResolver)
+ }
+ if !config.Common.DNSAllowLoopbackAddresses {
+ r := bdns.NewDNSClientImpl(
+ dnsTimeout,
+ config.BadKeyRevoker.DNSResolvers,
+ scope,
+ clk,
+ dnsTries,
+ logger)
+ resolver = r
+ } else {
+ r := bdns.NewTestDNSClientImpl(dnsTimeout, config.BadKeyRevoker.DNSResolvers, scope, clk, dnsTries, logger)
+ resolver = r
+ }
+
var smtpRoots *x509.CertPool
if config.BadKeyRevoker.Mailer.SMTPTrustedRootFile != "" {
pem, err := ioutil.ReadFile(config.BadKeyRevoker.Mailer.SMTPTrustedRootFile)
@@ -425,6 +459,7 @@ func main() {
config.BadKeyRevoker.Mailer.Username,
smtpPassword,
smtpRoots,
+ resolver,
*fromAddress,
logger,
scope,

11
commander
View File

@@ -39,13 +39,10 @@ case $txt in
cd /home/labca/boulder
docker-compose stop &>>$LOGFILE
wait_down $PS_MYSQL &>>$LOGFILE
wait_down $PS_BHSM &>>$LOGFILE
wait_down $PS_LABCA &>>$LOGFILE
wait_down $PS_BOULDER &>>$LOGFILE
docker-compose rm -f bhsm &>>$LOGFILE
docker-compose up -d &>>$LOGFILE
wait_up $PS_MYSQL &>>$LOGFILE
wait_up $PS_BHSM &>>$LOGFILE
wait_up $PS_LABCA &>>$LOGFILE
wait_up $PS_BOULDER $PS_BOULDER_COUNT &>>$LOGFILE
;;
@@ -134,34 +131,26 @@ case $txt in
"boulder-start")
cd /home/labca/boulder
docker-compose up -d bmysql
docker-compose up -d bhsm
docker-compose up -d boulder
wait_up $PS_MYSQL &>>$LOGFILE
wait_up $PS_BHSM &>>$LOGFILE
wait_up $PS_BOULDER $PS_BOULDER_COUNT &>>$LOGFILE
;;
"boulder-stop")
cd /home/labca/boulder
docker-compose stop boulder
docker-compose stop bhsm
docker-compose stop bmysql
wait_down $PS_MYSQL &>>$LOGFILE
wait_down $PS_BHSM &>>$LOGFILE
wait_down $PS_BOULDER &>>$LOGFILE
;;
"boulder-restart")
cd /home/labca/boulder
docker-compose stop boulder
docker-compose stop bhsm
docker-compose stop bmysql
wait_down $PS_MYSQL &>>$LOGFILE
wait_down $PS_BHSM &>>$LOGFILE
wait_down $PS_BOULDER &>>$LOGFILE
docker-compose up -d bmysql
docker-compose up -d bhsm
docker-compose up -d boulder
wait_up $PS_MYSQL &>>$LOGFILE
wait_up $PS_BHSM &>>$LOGFILE
wait_up $PS_BOULDER $PS_BOULDER_COUNT &>>$LOGFILE
;;
"labca-restart")

32
config_bad-key-revoker.patch Normal file
View File

@@ -0,0 +1,32 @@
diff --git a/test/config/bad-key-revoker.json b/test/config/bad-key-revoker.json
index 482fd85fc..3e678aa5b 100644
--- a/test/config/bad-key-revoker.json
+++ b/test/config/bad-key-revoker.json
@@ -3,6 +3,11 @@
"dbConnectFile": "test/secrets/badkeyrevoker_dburl",
"maxDBConns": 10,
"debugAddr": ":8020",
+ "dnsTries": 3,
+ "dnsResolvers": [
+ "127.0.0.1:8053",
+ "127.0.0.1:8054"
+ ],
"tls": {
"caCertFile": "test/grpc-creds/minica.pem",
"certFile": "test/grpc-creds/bad-key-revoker.boulder/cert.pem",
@@ -24,10 +29,14 @@
},
"maximumRevocations": 15,
"findCertificatesBatchSize": 10,
- "interval": "1s"
+ "interval": "5m"
},
"syslog": {
"stdoutlevel": 6,
"sysloglevel": 4
+ },
+ "common": {
+ "dnsTimeout": "3s",
+ "dnsAllowLoopbackAddresses": true
}
}

6
config_expiration-mailer.patch
View File

@@ -2,7 +2,7 @@ diff --git a/test/config/expiration-mailer.json b/test/config/expiration-mailer.
index 444beae43..e9bd228ef 100644
--- a/test/config/expiration-mailer.json
+++ b/test/config/expiration-mailer.json
@@ -12,6 +12,11 @@
@@ -11,6 +12,11 @@
"nagCheckInterval": "24h",
"emailTemplate": "test/example-expiration-template",
"debugAddr": ":8008",
@@ -14,10 +14,10 @@ index 444beae43..e9bd228ef 100644
"tls": {
"caCertFile": "test/grpc-creds/minica.pem",
"certFile": "test/grpc-creds/expiration-mailer.boulder/cert.pem",
@@ -28,5 +33,10 @@
@@ -27,5 +33,10 @@
"syslog": {
"stdoutlevel": 6,
"sysloglevel": 4
"sysloglevel": 6
+ },
+
+ "common": {

25
config_notify-mailer.patch Normal file
View File

@@ -0,0 +1,25 @@
diff --git a/test/config/notify-mailer.json b/test/config/notify-mailer.json
index 73864aeb5..93b17c28e 100644
--- a/test/config/notify-mailer.json
+++ b/test/config/notify-mailer.json
@@ -2,11 +2,20 @@
"notifyMailer": {
"server": "localhost",
"port": "9380",
+ "hostnamePolicyFile": "test/hostname-policy.yaml",
"username": "cert-manager@example.com",
+ "from": "notify mailer <test@example.com>",
"passwordFile": "test/secrets/smtp_password",
"dbConnectFile": "test/secrets/mailer_dburl",
"maxDBConns": 10
},
+ "pa": {
+ "challenges": {
+ "http-01": true,
+ "dns-01": true,
+ "tls-alpn-01": true
+ }
+ },
"syslog": {
"stdoutLevel": 7,
"syslogLevel": 7

12
core_interfaces.patch Normal file
View File

@@ -0,0 +1,12 @@
diff --git a/core/interfaces.go b/core/interfaces.go
index 3e0d3f1ae..ffbbe7d11 100644
--- a/core/interfaces.go
+++ b/core/interfaces.go
@@ -113,6 +113,7 @@ type PolicyAuthority interface {
WillingToIssueWildcards(identifiers []identifier.ACMEIdentifier) error
ChallengesFor(domain identifier.ACMEIdentifier) ([]Challenge, error)
ChallengeTypeEnabled(t AcmeChallenge) bool
+ ValidEmail(address string) error
}
// StorageGetter are the Boulder SA's read-only methods

45
docker-compose.patch
View File

@@ -1,27 +1,27 @@
diff --git a/docker-compose.yml b/docker-compose.yml
index e34704a4d..46365bdcf 100644
index 5f93fe866..b4a0b75e0 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -6,7 +6,7 @@ services:
@@ -5,7 +5,7 @@ services:
image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.15}:2020-08-12
environment:
FAKE_DNS: 10.77.77.77
PKCS11_PROXY_SOCKET: tcp://boulder-hsm:5657
- BOULDER_CONFIG_DIR: test/config
+ BOULDER_CONFIG_DIR: labca/config
GO111MODULE: "on"
GOFLAGS: "-mod=vendor"
- FAKE_DNS=10.77.77.77
- - BOULDER_CONFIG_DIR=test/config
+ - BOULDER_CONFIG_DIR=labca/config
- GOFLAGS=-mod=vendor
# This is required so Python doesn't throw an error when printing
@@ -14,6 +14,7 @@ services:
PYTHONIOENCODING: "utf-8"
# non-ASCII to stdout.
@@ -18,6 +18,7 @@ services:
- RACE
volumes:
- .:/go/src/github.com/letsencrypt/boulder
- .:/go/src/github.com/letsencrypt/boulder:cached
+ - /home/labca/boulder_labca:/go/src/github.com/letsencrypt/boulder/labca
- ./.gocache:/root/.cache/go-build
- ./.gocache:/root/.cache/go-build:cached
networks:
bluenet:
@@ -54,8 +55,14 @@ services:
@@ -57,10 +58,18 @@ services:
- 8055:8055 # dns-test-srv updates
depends_on:
- bhsm
- bmysql
- entrypoint: test/entrypoint.sh
+ entrypoint: labca/entrypoint.sh
@@ -31,19 +31,6 @@ index e34704a4d..46365bdcf 100644
+ options:
+ max-size: "500k"
+ max-file: "5"
+ restart: always
bhsm:
# To minimize fetching this should be the same version used above
image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.13.2}:2020-04-08
@@ -68,8 +75,16 @@ services:
bluenet:
aliases:
- boulder-hsm
+ logging:
+ driver: "json-file"
+ options:
+ max-size: "500k"
+ max-file: "5"
+ restart: always
bmysql:
image: mariadb:10.3
@@ -52,7 +39,7 @@ index e34704a4d..46365bdcf 100644
networks:
bluenet:
aliases:
@@ -83,20 +98,36 @@ services:
@@ -74,20 +83,36 @@ services:
# small.
command: mysqld --bind-address=0.0.0.0 --slow-query-log --log-output=TABLE --log-queries-not-using-indexes=ON
logging:
@@ -64,7 +51,7 @@ index e34704a4d..46365bdcf 100644
+ max-file: "5"
+ restart: always
+ labca:
image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.13.2}:2020-04-08
image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.15}:2020-08-12
- environment:
- GO111MODULE: "on"
- GOFLAGS: "-mod=vendor"

17
entrypoint.patch Normal file
View File

@@ -0,0 +1,17 @@
diff --git a/test/entrypoint.sh b/test/entrypoint.sh
index 5ca9929..f18e1d8 100755
--- a/test/entrypoint.sh
+++ b/test/entrypoint.sh
@@ -36,6 +36,12 @@ wait_tcp_port boulder-mysql 3306
# create the database
MYSQL_CONTAINER=1 $DIR/create_db.sh
+#softhsm2-util --show-slots
+softhsm2-util --init-token --slot 0 --label "intermediate signing key (rsa)" --pin 1234 --so-pin 5678 | /bin/true
+softhsm2-util --import labca/test-ca.p8 --id 333333 --force --token "intermediate signing key (rsa)" --pin 1234 --so-pin 5678 --label 'intermediate_key'
+softhsm2-util --init-token --slot 1 --label "root signing key (rsa)" --pin 1234 --so-pin 5678 | /bin/true
+softhsm2-util --import labca/test-root.p8 --id 777777 --force --token "root signing key (rsa)" --pin 1234 --so-pin 5678 --label 'root_key'
+
if [[ $# -eq 0 ]]; then
exec python3 ./start.py
fi

21
gui/apply-boulder
View File

@@ -3,8 +3,13 @@
set -e
perl -i -p0e "s/(\"dnsResolvers\": \[\n).*?(\s+\],)/\1 \"$PKI_DNS\"\2/igs" config/va.json
perl -i -p0e "s/(\"dnsResolvers\": \[\n).*?(\s+\],)/\1 \"$PKI_DNS\"\2/igs" config/va-remote-a.json
perl -i -p0e "s/(\"dnsResolvers\": \[\n).*?(\s+\],)/\1 \"$PKI_DNS\"\2/igs" config/va-remote-b.json
perl -i -p0e "s/(\"dnsResolvers\": \[\n).*?(\s+\],)/\1 \"$PKI_DNS\"\2/igs" config/bad-key-revoker.json
perl -i -p0e "s/(\"dnsResolvers\": \[\n).*?(\s+\],)/\1 \"$PKI_DNS\"\2/igs" config/expiration-mailer.json
sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" config/va.json
sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" config/va-remote-a.json
sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" config/va-remote-b.json
sed -i -e "s/\"directoryCAAIdentity\": \".*\"/\"directoryCAAIdentity\": \"$PKI_DOMAIN\"/" config/wfe.json
sed -i -e "s/\"directoryCAAIdentity\": \".*\"/\"directoryCAAIdentity\": \"$PKI_DOMAIN\"/" config/wfe2.json
@@ -40,10 +45,18 @@ if [ "$PKI_EXTENDED_TIMEOUT" == "1" ]; then
sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/orphan-finder.json
fi
sed -i -e "s/\"server\": \".*\"/\"server\": \"$PKI_EMAIL_SERVER\"/" config/bad-key-revoker.json
sed -i -e "s/\"port\": \".*\"/\"port\": \"$PKI_EMAIL_PORT\"/" config/bad-key-revoker.json
sed -i -e "s/\"username\": \".*\"/\"username\": \"$PKI_EMAIL_USER\"/" config/bad-key-revoker.json
sed -i -e "s/\"from\": \".*\"/\"from\": \"$PKI_EMAIL_FROM\"/" config/bad-key-revoker.json
sed -i -e "s/\"server\": \".*\"/\"server\": \"$PKI_EMAIL_SERVER\"/" config/expiration-mailer.json
sed -i -e "s/\"port\": \".*\"/\"port\": \"$PKI_EMAIL_PORT\"/" config/expiration-mailer.json
sed -i -e "s/\"username\": \".*\"/\"username\": \"$PKI_EMAIL_USER\"/" config/expiration-mailer.json
sed -i -e "s/\"from\": \".*\"/\"from\": \"$PKI_EMAIL_FROM\"/" config/expiration-mailer.json
sed -i -e "s/\"server\": \".*\"/\"server\": \"$PKI_EMAIL_SERVER\"/" config/notify-mailer.json
sed -i -e "s/\"port\": \".*\"/\"port\": \"$PKI_EMAIL_PORT\"/" config/notify-mailer.json
sed -i -e "s/\"username\": \".*\"/\"username\": \"$PKI_EMAIL_USER\"/" config/notify-mailer.json
sed -i -e "s/\"from\": \".*\"/\"from\": \"$PKI_EMAIL_FROM\"/" config/notify-mailer.json
sed -i -e "s/\"purgeInterval\": \".*\"/\"purgeInterval\": \"1s\"/" config/akamai-purger.json
if [ "$PKI_EMAIL_PASS" != "" ]; then
@@ -54,18 +67,22 @@ rm -f test-ca.key
rm -f test-ca.key.der
rm -f test-ca.pem
rm -f test-ca.der
rm -f test-ca.p8
rm -f test-root.key
rm -f test-root.key.der
rm -f test-root.pem
rm -f test-root.der
rm -f test-root.p8
cp -p $PKI_INT_CERT_BASE.key test-ca.key
cp -p $PKI_INT_CERT_BASE.key.der test-ca.key.der
cp -p $PKI_INT_CERT_BASE.pem test-ca.pem
openssl rsa -in $PKI_INT_CERT_BASE.key -pubout > test-ca.pubkey.der
openssl rsa -in $PKI_INT_CERT_BASE.key -pubout > test-ca.pubkey.pem
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in test-ca.key -out test-ca.p8
cp -p $PKI_ROOT_CERT_BASE.key test-root.key
cp -p $PKI_ROOT_CERT_BASE.key.der test-root.key.der
cp -p $PKI_ROOT_CERT_BASE.pem test-root.pem
openssl rsa -in $PKI_ROOT_CERT_BASE.key -pubout > test-root.pubkey.der
openssl rsa -in $PKI_ROOT_CERT_BASE.key -pubout > test-root.pubkey.pem
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in test-root.key -out test-root.p8
chown -R `ls -l rate-limit-policies.yml | cut -d" " -f 3,4 | sed 's/ /:/g'` .

4
gui/dashboard.go
View File

@@ -86,13 +86,13 @@ func _parseLine(line string, loc *time.Location) Activity {
message = message[0:strings.Index(message, ",")]
}
if strings.Index(message, "Validation result") > -1 {
message = message[0:17]
message = message[0:30]
}
idx = strings.Index(message, " csr=[")
if idx > -1 {
message = message[0:idx]
}
idx = strings.Index(message, " precertificate=[")
idx = strings.Index(message, " certificate=[")
if idx > -1 {
message = message[0:idx]
}

4
gui/main.go
View File

@@ -259,6 +259,10 @@ func checkUpdates(forced bool) ([]string, []string) {
if *release.Name == version {
newer = false
}
if strings.HasPrefix(version, *release.Name + "-") { // git describe format
newer = false
latest = version
}
if newer {
versions = append(versions, *release.Name)
descriptions = append(descriptions, *release.Body)

7
gui/templates/views/manage.tmpl
View File

@@ -44,7 +44,9 @@
<button class="btn btn-outline btn-reg {{ $btn.Class }}" type="button" id="{{ $btn.Id }}" title="{{ $btn.Title }}">{{ $btn.Label }}</button>
{{ end }}
{{ if eq $item.Name "LabCA Application" }}
<br/>
<span id="version-conditional-break" class="{{ if not $.UpdateAvailable }}hidden{{ end }}"/>
<br/>
</span>
<button class="btn btn-outline btn-wide btn-warning mt5 {{ if not $.UpdateAvailable }}hidden{{ end }}" type="button" id="version-update" title="Update to latest version">Update LabCA</button>
<br/>
<button class="btn btn-outline btn-wide btn-success mt5" type="button" id="version-check" title="Check if there is a newer version available">Check for updates</button>
@@ -628,6 +630,7 @@
if (data.Success) {
if (data.UpdateAvailable) {
$("#version-update").removeClass("hidden");
$("#version-conditional-break").removeClass("hidden");
var notes = "<span class=\"rel-notes-title\">RELEASE NOTES</span><br/><br/>";
jQuery.each(data.Versions, function(idx, val) {
@@ -647,6 +650,8 @@
});
} else {
$("#version-update").addClass("hidden")
$("#version-conditional-break").addClass("hidden");
BootstrapDialog.show({
title: 'No new version',
message: 'There is currently no newer version available.',

34
install
View File

@@ -24,7 +24,7 @@ dockerComposeVersion="1.22.0"
labcaUrl="https://github.com/hakwerk/labca/"
boulderUrl="https://github.com/letsencrypt/boulder/"
boulderTag="release-2020-04-13"
boulderTag="release-2020-09-09"
#
# Color configuration
@@ -480,9 +480,15 @@ config_boulder() {
sudo -u labca patch -p1 < $cloneDir/docker-compose.patch &>>$installLog
cp docker-compose.yml "$boulderLabCADir/.backup/"
sudo -u labca patch -p1 < $cloneDir/core_interfaces.patch &>>$installLog
cp core/interfaces.go "$boulderLabCADir/.backup/"
sudo -u labca patch -p1 < $cloneDir/policy_pa.patch &>>$installLog
cp policy/pa.go "$boulderLabCADir/.backup/"
sudo -u labca patch -p1 < $cloneDir/ra_ra.patch &>>$installLog
cp ra/ra.go "$boulderLabCADir/.backup/"
sudo -u labca patch -p1 < $cloneDir/mail_mailer.patch &>>$installLog
cp mail/mailer.go "$boulderLabCADir/.backup/"
@@ -492,10 +498,19 @@ config_boulder() {
sudo -u labca patch -p1 < $cloneDir/notify-mailer_main.patch &>>$installLog
cp cmd/notify-mailer/main.go "$boulderLabCADir/.backup/"
sudo -u labca patch -p1 < $cloneDir/bad-key-revoker_main.patch &>>$installLog
cp cmd/bad-key-revoker/main.go "$boulderLabCADir/.backup/"
sudo -u labca patch -p1 -o "$boulderLabCADir/entrypoint.sh" < $cloneDir/entrypoint.patch &>>$installLog
sudo -u labca patch -p1 -o "$boulderLabCADir/startservers.py" < $cloneDir/startservers.patch &>>$installLog
sudo -u labca patch -p1 < $cloneDir/startservers.patch &>>$installLog
sudo -u labca patch -p1 -o "$boulderLabCADir/config/ca-a.json" < $cloneDir/test_config_ca_a.patch &>>$installLog
sudo -u labca patch -p1 -o "$boulderLabCADir/config/ca-b.json" < $cloneDir/test_config_ca_b.patch &>>$installLog
sudo -u labca patch -p1 -o "$boulderLabCADir/config/expiration-mailer.json" < $cloneDir/config_expiration-mailer.patch &>>$installLog
sudo -u labca patch -p1 -o "$boulderLabCADir/config/notify-mailer.json" < $cloneDir/config_notify-mailer.patch &>>$installLog
sudo -u labca patch -p1 -o "$boulderLabCADir/config/bad-key-revoker.json" < $cloneDir/config_bad-key-revoker.patch &>>$installLog
sed -i -e "s|https://letsencrypt.org/docs/rate-limits/|http://$LABCA_FQDN/rate-limits|" errors/errors.go &>>$installLog
cp errors/errors.go "$boulderLabCADir/.backup/"
@@ -513,8 +528,19 @@ config_boulder() {
sed -i -e "s/test-ca2.pem/test-ca.pem/" config/ra.json
sed -i -e "s/test-ca2.pem/test-ca.pem/" config/wfe.json
sed -i -e "s/test-ca2.pem/test-ca.pem/" config/wfe2.json
sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/akamai-purger.json
sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ocsp-responder.json
sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ocsp-updater.json
sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/publisher.json
sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ra.json
sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/wfe.json
sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/wfe2.json
sed -i -e "s/5001/443/g" config/va.json
sed -i -e "s/5002/80/g" config/va.json
sed -i -e "s/5001/443/g" config/va-remote-a.json
sed -i -e "s/5002/80/g" config/va-remote-a.json
sed -i -e "s/5001/443/g" config/va-remote-b.json
sed -i -e "s/5002/80/g" config/va-remote-b.json
sed -i -e "s|http://boulder:4000/terms/v1|http://$LABCA_FQDN/terms/v1|" config/wfe.json
sed -i -e "s|https://boulder:4431/terms/v7|https://$LABCA_FQDN/terms/v1|" config/wfe2.json
sed -i -e "s|http://boulder:4430/acme/issuer-cert|http://$LABCA_FQDN/acme/issuer-cert|" config/ca-a.json
@@ -536,6 +562,8 @@ config_boulder() {
sed -i -e "s/ocspURL.Path = encodedReq/ocspURL.Path += encodedReq/" ocsp/helper/helper.go
sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/ra.json
sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/va.json
sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/va-remote-a.json
sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/va-remote-b.json
for file in `find . -type f | grep -v .git`; do
sed -i -e "s|test/|labca/|g" $file
@@ -610,10 +638,11 @@ startup() {
msg_info "$msg (this will take a while!!)"
docker-compose stop &>>$installLog || true
docker stop boulder_bhsm_1 &>>$installLog | /bin/true
wait_down $PS_MYSQL &>>$installLog
wait_down $PS_BHSM &>>$installLog
wait_down $PS_LABCA &>>$installLog
wait_down $PS_BOULDER &>>$installLog
docker rm -f boulder_bhsm_1 &>>$installLog | /bin/true
docker-compose up -d &>>$installLog
[ -h "/etc/init.d/labca" ] || ln -s "$cloneDir/init_d" /etc/init.d/labca
@@ -625,7 +654,6 @@ startup() {
wait_up $PS_SERVICE &>>$installLog
wait_up $PS_MYSQL &>>$installLog
wait_up $PS_BHSM &>>$installLog
wait_up $PS_LABCA &>>$installLog
wait_up $PS_BOULDER $PS_BOULDER_COUNT &>>$installLog

2
mail_mailer.patch
View File

@@ -63,7 +63,7 @@ index de6b1de20..60c58128b 100644
+ addrs, err := di.dnsClient.LookupHost(ctx, di.server)
if err != nil {
- return nil, err
+ problem := probs.DNS("%v", err)
+ problem := probs.DNS("%v")
+ return nil, problem
}
- client, err := smtp.NewClient(conn, di.server)

54
notify-mailer_main.patch
View File

@@ -1,8 +1,50 @@
diff --git a/cmd/notify-mailer/main.go b/cmd/notify-mailer/main.go
index bb8945236..e278cdc16 100644
index 0445a04c0..ba2be9e2f 100644
--- a/cmd/notify-mailer/main.go
+++ b/cmd/notify-mailer/main.go
@@ -468,6 +468,7 @@ func main() {
@@ -37,6 +37,7 @@ type mailer struct {
destinations []recipient
targetRange interval
sleepInterval time.Duration
+ pa *policy.AuthorityImpl
}
// interval defines a range of email addresses to send to, alphabetically.
@@ -146,7 +147,7 @@ func (m *mailer) run() error {
m.log.Debugf("skipping %q: out of target range")
continue
}
- if err := policy.ValidEmail(address); err != nil {
+ if err := m.pa.ValidEmail(address); err != nil {
m.log.Infof("skipping %q: %s", address, err)
continue
}
@@ -410,7 +411,9 @@ func main() {
cmd.PasswordConfig
cmd.SMTPConfig
Features map[string]bool
+ cmd.HostnamePolicyConfig
}
+ PA cmd.PAConfig
Syslog cmd.SyslogConfig
}
configFile := flag.String("config", "", "File containing a JSON config.")
@@ -461,6 +464,14 @@ func main() {
end: *end,
}
+ // Validate PA config and set defaults if needed
+ cmd.FailOnError(cfg.PA.CheckChallenges(), "Invalid PA configuration")
+
+ pa, err := policy.New(cfg.PA.Challenges)
+ cmd.FailOnError(err, "Failed to create PA")
+ err = pa.SetHostnamePolicyFile(cfg.NotifyMailer.HostnamePolicyFile)
+ cmd.FailOnError(err, "Failed to load HostnamePolicyFile")
+
var mailClient bmail.Mailer
if *dryRun {
log.Infof("Doing a dry run.")
@@ -474,6 +485,7 @@ func main() {
cfg.NotifyMailer.Username,
smtpPassword,
nil,
@@ -10,3 +52,11 @@ index bb8945236..e278cdc16 100644
*address,
log,
metrics.NoopRegisterer,
@@ -491,6 +503,7 @@ func main() {
emailTemplate: template,
targetRange: targetRange,
sleepInterval: *sleep,
+ pa: pa,
}
err = m.run()

50
policy_pa.patch
View File

@@ -1,8 +1,8 @@
diff --git a/policy/pa.go b/policy/pa.go
index f6c908363..5de2d9ddc 100644
index 599dcdb10..084cb3ba8 100644
--- a/policy/pa.go
+++ b/policy/pa.go
@@ -29,6 +29,8 @@ type AuthorityImpl struct {
@@ -30,6 +30,8 @@ type AuthorityImpl struct {
blocklist map[string]bool
exactBlocklist map[string]bool
wildcardExactBlocklist map[string]bool
@@ -10,8 +10,8 @@ index f6c908363..5de2d9ddc 100644
+ lockdown map[string]bool
blocklistMu sync.RWMutex
enabledChallenges map[string]bool
@@ -69,6 +71,9 @@ type blockedNamesPolicy struct {
enabledChallenges map[core.AcmeChallenge]bool
@@ -70,6 +72,9 @@ type blockedNamesPolicy struct {
// time above and beyond the high-risk domains. Managing these entries separately
// from HighRiskBlockedNames makes it easier to vet changes accurately.
AdminBlockedNames []string `yaml:"AdminBlockedNames"`
@@ -21,7 +21,7 @@ index f6c908363..5de2d9ddc 100644
}
// SetHostnamePolicyFile will load the given policy file, returning error if it
@@ -137,10 +142,20 @@ func (pa *AuthorityImpl) processHostnamePolicy(policy blockedNamesPolicy) error
@@ -138,10 +143,20 @@ func (pa *AuthorityImpl) processHostnamePolicy(policy blockedNamesPolicy) error
// wildcardNameMap to block issuance for `*.`+parts[1]
wildcardNameMap[parts[1]] = true
}
@@ -42,7 +42,16 @@ index f6c908363..5de2d9ddc 100644
pa.blocklistMu.Unlock()
return nil
}
@@ -280,6 +295,14 @@ func (pa *AuthorityImpl) ValidDomain(domain string) error {
@@ -214,7 +229,7 @@ var (
// * exactly equal to an IANA registered TLD
//
// It does _not_ check that the domain isn't on any PA blocked lists.
-func ValidDomain(domain string) error {
+func (pa *AuthorityImpl) ValidDomain(domain string) error {
if domain == "" {
return errEmptyName
}
@@ -281,6 +296,14 @@ func ValidDomain(domain string) error {
}
}
@@ -57,7 +66,30 @@ index f6c908363..5de2d9ddc 100644
// Names must end in an ICANN TLD, but they must not be equal to an ICANN TLD.
icannTLD, err := iana.ExtractSuffix(domain)
if err != nil {
@@ -322,14 +345,44 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error {
@@ -308,7 +331,7 @@ var forbiddenMailDomains = map[string]bool{
// ValidEmail returns an error if the input doesn't parse as an email address,
// the domain isn't a valid hostname in Preferred Name Syntax, or its on the
// list of domains forbidden for mail (because they are often used in examples).
-func ValidEmail(address string) error {
+func (pa *AuthorityImpl) ValidEmail(address string) error {
email, err := mail.ParseAddress(address)
if err != nil {
if len(address) > 254 {
@@ -318,7 +341,7 @@ func ValidEmail(address string) error {
}
splitEmail := strings.SplitN(email.Address, "@", -1)
domain := strings.ToLower(splitEmail[len(splitEmail)-1])
- if err := ValidDomain(domain); err != nil {
+ if err := pa.ValidDomain(domain); err != nil {
return berrors.InvalidEmailError(
"contact email %q has invalid domain : %s",
email.Address, err)
@@ -357,10 +380,14 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error {
}
domain := id.Value
- if err := ValidDomain(domain); err != nil {
+ if err := pa.ValidDomain(domain); err != nil {
return err
}
@@ -67,10 +99,8 @@ index f6c908363..5de2d9ddc 100644
+
// Require no match against hostname block lists
if err := pa.checkHostLists(domain); err != nil {
+ fmt.Print("*** oopsie hij komt niet door checkhostlists...\n")
return err
}
@@ -369,6 +396,31 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error {
return nil
}

21
ra_ra.patch Normal file
View File

@@ -0,0 +1,21 @@
diff --git a/ra/ra.go b/ra/ra.go
index a92965189..aeccb9c3c 100644
--- a/ra/ra.go
+++ b/ra/ra.go
@@ -28,7 +28,6 @@ import (
"github.com/letsencrypt/boulder/identifier"
blog "github.com/letsencrypt/boulder/log"
"github.com/letsencrypt/boulder/metrics"
- "github.com/letsencrypt/boulder/policy"
"github.com/letsencrypt/boulder/probs"
rapb "github.com/letsencrypt/boulder/ra/proto"
"github.com/letsencrypt/boulder/ratelimit"
@@ -399,7 +398,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(ctx context.Context, conta
contact,
)
}
- if err := policy.ValidEmail(parsed.Opaque); err != nil {
+ if err := ra.PA.ValidEmail(parsed.Opaque); err != nil {
return err
}
}

14
startservers.patch Normal file
View File

@@ -0,0 +1,14 @@
diff --git a/test/startservers.py b/test/startservers.py
index ec8ada190..be5b7a2f2 100644
--- a/test/startservers.py
+++ b/test/startservers.py
@@ -146,6 +146,9 @@ processes = []
challSrvProcess = None
def setupHierarchy():
+ pass
+
+def setupHierarchyOriginal():
e = os.environ.copy()
e.setdefault("GOBIN", "%s/bin" % os.getcwd())
try:

12
test_config_ca_a.patch
View File

@@ -1,15 +1,17 @@
diff --git a/test/config/ca-a.json b/test/config/ca-a.json
index 355cfae2..c93fa5a3 100644
index be064a52e..e7ef8fcf6 100644
--- a/test/config/ca-a.json
+++ b/test/config/ca-a.json
@@ -29,10 +29,6 @@
@@ -30,11 +30,7 @@
},
"Issuers": [{
"ConfigFile": "test/test-ca.key-pkcs11.json",
- "CertFile": "test/test-ca2.pem",
- "CertFile": "/tmp/intermediate-cert-rsa-a.pem",
- "NumSessions": 2
- }, {
- },{
- "ConfigFile": "test/test-ca.key-pkcs11.json",
"CertFile": "test/test-ca.pem",
- "CertFile": "/tmp/intermediate-cert-rsa-b.pem",
+ "CertFile": "test/test-ca.pem",
"NumSessions": 2
}],
"expiry": "2160h",

12
test_config_ca_b.patch
View File

@@ -1,15 +1,17 @@
diff --git a/test/config/ca-b.json b/test/config/ca-b.json
index 355cfae2..c93fa5a3 100644
index ed2498f1a..4d24ffa94 100644
--- a/test/config/ca-b.json
+++ b/test/config/ca-b.json
@@ -29,10 +29,6 @@
@@ -30,11 +30,7 @@
},
"Issuers": [{
"ConfigFile": "test/test-ca.key-pkcs11.json",
- "CertFile": "test/test-ca2.pem",
- "CertFile": "/tmp/intermediate-cert-rsa-a.pem",
- "NumSessions": 2
- }, {
- },{
- "ConfigFile": "test/test-ca.key-pkcs11.json",
"CertFile": "test/test-ca.pem",
- "CertFile": "/tmp/intermediate-cert-rsa-b.pem",
+ "CertFile": "test/test-ca.pem",
"NumSessions": 2
}],
"expiry": "2160h",

1
utils.sh
View File

@@ -6,7 +6,6 @@ export PS_LABCA="bin/labca"
export PS_BOULDER="bin/boulder"
export PS_BOULDER_COUNT=12
export PS_MYSQL="mysqld"
export PS_BHSM="pkcs11"
export PS_SERVICE="sudo___tcpserver"
LOOPCOUNT=120