diff --git a/bad-key-revoker_main.patch b/bad-key-revoker_main.patch
new file mode 100644
index 0000000..d6bf11c
--- /dev/null
+++ b/bad-key-revoker_main.patch
@@ -0,0 +1,74 @@ +diff --git a/cmd/bad-key-revoker/main.go b/cmd/bad-key-revoker/main.go +index 563ce678c..1e53d875c 100644 +--- a/cmd/bad-key-revoker/main.go ++++ b/cmd/bad-key-revoker/main.go +@@ -13,6 +13,7 @@ import ( + "strings" + "time" + ++ "github.com/letsencrypt/boulder/bdns" + "github.com/letsencrypt/boulder/cmd" + "github.com/letsencrypt/boulder/core" + corepb "github.com/letsencrypt/boulder/core/proto" +@@ -345,6 +346,9 @@ func main() { + TLS cmd.TLSConfig + RAService *cmd.GRPCClientConfig + ++ DNSTries int ++ DNSResolvers []string ++ + // MaximumRevocations specifies the maximum number of certificates associated with + // a key hash that bad-key-revoker will attempt to revoke. If the number of certificates + // is higher than MaximumRevocations bad-key-revoker will error out and refuse to +@@ -371,6 +375,12 @@ func main() { + } + + Syslog cmd.SyslogConfig ++ ++ Common struct { ++ DNSResolver string ++ DNSTimeout string ++ DNSAllowLoopbackAddresses bool ++ } + } + configPath := flag.String("config", "", "File path to the configuration file for this service") + flag.Parse() +@@ -404,6 +414,30 @@ func main() { + cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to RA") + rac := rapb.NewRegistrationAuthorityClient(conn) + ++ dnsTimeout, err := time.ParseDuration(config.Common.DNSTimeout) ++ cmd.FailOnError(err, "Couldn't parse DNS timeout") ++ dnsTries := config.BadKeyRevoker.DNSTries ++ if dnsTries < 1 { ++ dnsTries = 1 ++ } ++ var resolver bdns.DNSClient ++ if len(config.Common.DNSResolver) != 0 { ++ config.BadKeyRevoker.DNSResolvers = append(config.BadKeyRevoker.DNSResolvers, config.Common.DNSResolver) ++ } ++ if !config.Common.DNSAllowLoopbackAddresses { ++ r := bdns.NewDNSClientImpl( ++ dnsTimeout, ++ config.BadKeyRevoker.DNSResolvers, ++ scope, ++ clk, ++ dnsTries, ++ logger) ++ resolver = r ++ } else { ++ r := bdns.NewTestDNSClientImpl(dnsTimeout, config.BadKeyRevoker.DNSResolvers, scope, clk, dnsTries, logger) ++ resolver 
= r ++ } ++ + var smtpRoots *x509.CertPool + if config.BadKeyRevoker.Mailer.SMTPTrustedRootFile != "" { + pem, err := ioutil.ReadFile(config.BadKeyRevoker.Mailer.SMTPTrustedRootFile) +@@ -425,6 +459,7 @@ func main() { + config.BadKeyRevoker.Mailer.Username, + smtpPassword, + smtpRoots, ++ resolver, + *fromAddress, + logger, + scope, diff --git a/commander b/commander index 2a7c11f..bbff3ff 100755 --- a/commander +++ b/commander @@ -39,13 +39,10 @@ case $txt in cd /home/labca/boulder docker-compose stop &>>$LOGFILE wait_down $PS_MYSQL &>>$LOGFILE - wait_down $PS_BHSM &>>$LOGFILE wait_down $PS_LABCA &>>$LOGFILE wait_down $PS_BOULDER &>>$LOGFILE - docker-compose rm -f bhsm &>>$LOGFILE docker-compose up -d &>>$LOGFILE wait_up $PS_MYSQL &>>$LOGFILE - wait_up $PS_BHSM &>>$LOGFILE wait_up $PS_LABCA &>>$LOGFILE wait_up $PS_BOULDER $PS_BOULDER_COUNT &>>$LOGFILE ;; @@ -134,34 +131,26 @@ case $txt in "boulder-start") cd /home/labca/boulder docker-compose up -d bmysql - docker-compose up -d bhsm docker-compose up -d boulder wait_up $PS_MYSQL &>>$LOGFILE - wait_up $PS_BHSM &>>$LOGFILE wait_up $PS_BOULDER $PS_BOULDER_COUNT &>>$LOGFILE ;; "boulder-stop") cd /home/labca/boulder docker-compose stop boulder - docker-compose stop bhsm docker-compose stop bmysql wait_down $PS_MYSQL &>>$LOGFILE - wait_down $PS_BHSM &>>$LOGFILE wait_down $PS_BOULDER &>>$LOGFILE ;; "boulder-restart") cd /home/labca/boulder docker-compose stop boulder - docker-compose stop bhsm docker-compose stop bmysql wait_down $PS_MYSQL &>>$LOGFILE - wait_down $PS_BHSM &>>$LOGFILE wait_down $PS_BOULDER &>>$LOGFILE docker-compose up -d bmysql - docker-compose up -d bhsm docker-compose up -d boulder wait_up $PS_MYSQL &>>$LOGFILE - wait_up $PS_BHSM &>>$LOGFILE wait_up $PS_BOULDER $PS_BOULDER_COUNT &>>$LOGFILE ;; "labca-restart") diff --git a/config_bad-key-revoker.patch b/config_bad-key-revoker.patch new file mode 100644 index 0000000..9498e06 --- /dev/null +++ b/config_bad-key-revoker.patch 
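Review bot: The `else` branch puts the mailer onto `bdns.NewTestDNSClientImpl` without a word on why a production binary carries a test resolver, and the config patch in this same commit sets `dnsAllowLoopbackAddresses` to true, so the choice deserves a why-comment. Suggest above the `if !config.Common.DNSAllowLoopbackAddresses` line: `// The resolver only looks up the SMTP server (see mail/mailer.go); the test client variant permits loopback/private answers, which a relay on the LabCA host needs.` — this appears to mirror expiration-mailer, so confirm the wording. Separately, `dnsTries` is clamped to a usable default when unset but `config.Common.DNSTimeout` is not, so omitting `common.dnsTimeout` exits the service at startup through `cmd.FailOnError`; if that is not intended, default it before parsing, e.g. `if config.Common.DNSTimeout == "" { config.Common.DNSTimeout = "3s" }` to match the value the config patch uses. `main` starts and ends outside the hunk.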
@@ -0,0 +1,32 @@ +diff --git a/test/config/bad-key-revoker.json b/test/config/bad-key-revoker.json +index 482fd85fc..3e678aa5b 100644 +--- a/test/config/bad-key-revoker.json ++++ b/test/config/bad-key-revoker.json +@@ -3,6 +3,11 @@ + "dbConnectFile": "test/secrets/badkeyrevoker_dburl", + "maxDBConns": 10, + "debugAddr": ":8020", ++ "dnsTries": 3, ++ "dnsResolvers": [ ++ "127.0.0.1:8053", ++ "127.0.0.1:8054" ++ ], + "tls": { + "caCertFile": "test/grpc-creds/minica.pem", + "certFile": "test/grpc-creds/bad-key-revoker.boulder/cert.pem", +@@ -24,10 +29,14 @@ + }, + "maximumRevocations": 15, + "findCertificatesBatchSize": 10, +- "interval": "1s" ++ "interval": "5m" + }, + "syslog": { + "stdoutlevel": 6, + "sysloglevel": 4 ++ }, ++ "common": { ++ "dnsTimeout": "3s", ++ "dnsAllowLoopbackAddresses": true + } + } diff --git a/config_expiration-mailer.patch b/config_expiration-mailer.patch index 1d05693..419dad3 100644 --- a/config_expiration-mailer.patch +++ b/config_expiration-mailer.patch @@ -2,7 +2,7 @@ diff --git a/test/config/expiration-mailer.json b/test/config/expiration-mailer. index 444beae43..e9bd228ef 100644 --- a/test/config/expiration-mailer.json +++ b/test/config/expiration-mailer.json -@@ -12,6 +12,11 @@ +@@ -11,6 +12,11 @@ "nagCheckInterval": "24h", "emailTemplate": "test/example-expiration-template", "debugAddr": ":8008", @@ -14,10 +14,10 @@ index 444beae43..e9bd228ef 100644 "tls": { "caCertFile": "test/grpc-creds/minica.pem", "certFile": "test/grpc-creds/expiration-mailer.boulder/cert.pem", -@@ -28,5 +33,10 @@ +@@ -27,5 +33,10 @@ "syslog": { "stdoutlevel": 6, - "sysloglevel": 4 + "sysloglevel": 6 + }, + + "common": { diff --git a/config_notify-mailer.patch b/config_notify-mailer.patch new file mode 100644 index 0000000..bb75295 --- /dev/null +++ b/config_notify-mailer.patch 
@@ -0,0 +1,25 @@ +diff --git a/test/config/notify-mailer.json b/test/config/notify-mailer.json +index 73864aeb5..93b17c28e 100644 +--- a/test/config/notify-mailer.json ++++ b/test/config/notify-mailer.json +@@ -2,11 +2,20 @@ + "notifyMailer": { + "server": "localhost", + "port": "9380", ++ "hostnamePolicyFile": "test/hostname-policy.yaml", + "username": "cert-manager@example.com", ++ "from": "notify mailer ", + "passwordFile": "test/secrets/smtp_password", + "dbConnectFile": "test/secrets/mailer_dburl", + "maxDBConns": 10 + }, ++ "pa": { ++ "challenges": { ++ "http-01": true, ++ "dns-01": true, ++ "tls-alpn-01": true ++ } ++ }, + "syslog": { + "stdoutLevel": 7, + "syslogLevel": 7 diff --git a/core_interfaces.patch b/core_interfaces.patch new file mode 100644 index 0000000..3366687 --- /dev/null +++ b/core_interfaces.patch @@ -0,0 +1,12 @@ +diff --git a/core/interfaces.go b/core/interfaces.go +index 3e0d3f1ae..ffbbe7d11 100644 +--- a/core/interfaces.go ++++ b/core/interfaces.go +@@ -113,6 +113,7 @@ type PolicyAuthority interface { + WillingToIssueWildcards(identifiers []identifier.ACMEIdentifier) error + ChallengesFor(domain identifier.ACMEIdentifier) ([]Challenge, error) + ChallengeTypeEnabled(t AcmeChallenge) bool ++ ValidEmail(address string) error + } + + // StorageGetter are the Boulder SA's read-only methods diff --git a/docker-compose.patch b/docker-compose.patch index c60c8ce..837ee8d 100644 --- a/docker-compose.patch +++ b/docker-compose.patch @@ -1,27 +1,27 @@ diff --git a/docker-compose.yml b/docker-compose.yml -index e34704a4d..46365bdcf 100644 +index 5f93fe866..b4a0b75e0 100644 --- a/docker-compose.yml 
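Review bot: Adding `ValidEmail(address string) error` to the `PolicyAuthority` interface breaks every other implementer, and this commit only updates `policy/pa.go` (via `policy_pa.patch`) and the RA call site; if Boulder's test mocks or any LabCA code implement `core.PolicyAuthority`, they need the method too or the build fails. Worth confirming with `go build ./... && go vet ./...` before the patch set is wired into `install`. A doc comment on the new method line would also help, since the neighbouring methods carry none here: `// ValidEmail reports an error if address does not parse as an email or its domain fails the PA's domain checks.` — adjust if the PA-level check does more than upstream's package function did.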
+++ b/docker-compose.yml -@@ -6,7 +6,7 @@ services: +@@ -5,7 +5,7 @@ services: + image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.15}:2020-08-12 environment: - FAKE_DNS: 10.77.77.77 - PKCS11_PROXY_SOCKET: tcp://boulder-hsm:5657 -- BOULDER_CONFIG_DIR: test/config -+ BOULDER_CONFIG_DIR: labca/config - GO111MODULE: "on" - GOFLAGS: "-mod=vendor" + - FAKE_DNS=10.77.77.77 +- - BOULDER_CONFIG_DIR=test/config ++ - BOULDER_CONFIG_DIR=labca/config + - GOFLAGS=-mod=vendor # This is required so Python doesn't throw an error when printing -@@ -14,6 +14,7 @@ services: - PYTHONIOENCODING: "utf-8" + # non-ASCII to stdout. +@@ -18,6 +18,7 @@ services: + - RACE volumes: - - .:/go/src/github.com/letsencrypt/boulder + - .:/go/src/github.com/letsencrypt/boulder:cached + - /home/labca/boulder_labca:/go/src/github.com/letsencrypt/boulder/labca - - ./.gocache:/root/.cache/go-build + - ./.gocache:/root/.cache/go-build:cached networks: bluenet: -@@ -54,8 +55,14 @@ services: +@@ -57,10 +58,18 @@ services: + - 8055:8055 # dns-test-srv updates depends_on: - - bhsm - bmysql - entrypoint: test/entrypoint.sh + entrypoint: labca/entrypoint.sh @@ -31,19 +31,6 @@ index e34704a4d..46365bdcf 100644 + options: + max-size: "500k" + max-file: "5" -+ restart: always - bhsm: - # To minimize fetching this should be the same version used above - image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.13.2}:2020-04-08 -@@ -68,8 +75,16 @@ services: - bluenet: - aliases: - - boulder-hsm -+ logging: -+ driver: "json-file" -+ options: -+ max-size: "500k" -+ max-file: "5" + restart: always bmysql: image: mariadb:10.3 @@ -52,7 +39,7 @@ index e34704a4d..46365bdcf 100644 networks: bluenet: aliases: -@@ -83,20 +98,36 @@ services: +@@ -74,20 +83,36 @@ services: # small. command: mysqld --bind-address=0.0.0.0 --slow-query-log --log-output=TABLE --log-queries-not-using-indexes=ON logging: 
@@ -64,7 +51,7 @@ index e34704a4d..46365bdcf 100644 + max-file: "5" + restart: always + labca: - image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.13.2}:2020-04-08 + image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.15}:2020-08-12 - environment: - GO111MODULE: "on" - GOFLAGS: "-mod=vendor" diff --git a/entrypoint.patch b/entrypoint.patch new file mode 100644 index 0000000..0833a76 --- /dev/null +++ b/entrypoint.patch @@ -0,0 +1,17 @@ +diff --git a/test/entrypoint.sh b/test/entrypoint.sh +index 5ca9929..f18e1d8 100755 +--- a/test/entrypoint.sh ++++ b/test/entrypoint.sh +@@ -36,6 +36,12 @@ wait_tcp_port boulder-mysql 3306 + # create the database + MYSQL_CONTAINER=1 $DIR/create_db.sh + ++#softhsm2-util --show-slots ++softhsm2-util --init-token --slot 0 --label "intermediate signing key (rsa)" --pin 1234 --so-pin 5678 | /bin/true ++softhsm2-util --import labca/test-ca.p8 --id 333333 --force --token "intermediate signing key (rsa)" --pin 1234 --so-pin 5678 --label 'intermediate_key' ++softhsm2-util --init-token --slot 1 --label "root signing key (rsa)" --pin 1234 --so-pin 5678 | /bin/true ++softhsm2-util --import labca/test-root.p8 --id 777777 --force --token "root signing key (rsa)" --pin 1234 --so-pin 5678 --label 'root_key' ++ + if [[ $# -eq 0 ]]; then + exec python3 ./start.py + fi diff --git a/gui/apply-boulder b/gui/apply-boulder index 8b92431..97bfeee 100755 --- a/gui/apply-boulder +++ b/gui/apply-boulder 
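Review bot: The SoftHSM token PINs (`--pin 1234 --so-pin 5678`) for both the intermediate and the root signing key are literals in a script under version control, so anyone with the repo or the image can unlock the keys; read them from the environment or a mounted secret instead (the `ca-a.json` Issuers entry references `test-ca.key-pkcs11.json`, which presumably carries the same PIN, so both must change together). The root key is also imported into the same container as the online CA; unless something in this image signs with it, the `test-root.p8` import could be dropped and the root kept offline. Note too that `| /bin/true` is a pipe rather than `||`: it only masks the exit status through the pipeline's last command and hides a genuinely failed `--init-token` just as silently, so write `|| true` as the `install` script already does for `docker-compose stop`. The `--force` on each `--import` re-imports the keys on every container start, which is fine if the `.p8` files are the source of truth, but a comment saying so would help.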
@@ -3,8 +3,13 @@ set -e perl -i -p0e "s/(\"dnsResolvers\": \[\n).*?(\s+\],)/\1 \"$PKI_DNS\"\2/igs" config/va.json +perl -i -p0e "s/(\"dnsResolvers\": \[\n).*?(\s+\],)/\1 \"$PKI_DNS\"\2/igs" config/va-remote-a.json +perl -i -p0e "s/(\"dnsResolvers\": \[\n).*?(\s+\],)/\1 \"$PKI_DNS\"\2/igs" config/va-remote-b.json +perl -i -p0e "s/(\"dnsResolvers\": \[\n).*?(\s+\],)/\1 \"$PKI_DNS\"\2/igs" config/bad-key-revoker.json perl -i -p0e "s/(\"dnsResolvers\": \[\n).*?(\s+\],)/\1 \"$PKI_DNS\"\2/igs" config/expiration-mailer.json sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" config/va.json +sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" config/va-remote-a.json +sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" config/va-remote-b.json sed -i -e "s/\"directoryCAAIdentity\": \".*\"/\"directoryCAAIdentity\": \"$PKI_DOMAIN\"/" config/wfe.json sed -i -e "s/\"directoryCAAIdentity\": \".*\"/\"directoryCAAIdentity\": \"$PKI_DOMAIN\"/" config/wfe2.json 
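Review bot: `$PKI_DNS` is expanded by the shell straight into the Perl replacement text on all five `perl -i -p0e` lines, so a value containing `/`, `@`, `$` or `\` breaks the `s///` or is reinterpreted by Perl. Pass it through the environment instead and let Perl interpolate it, which needs no escaping: `perl -i -p0e 's/("dnsResolvers": \[\n).*?(\s+\],)/$1 "$ENV{PKI_DNS}"$2/igs' config/va.json` (single-quoted, same for the other four files). The regex also collapses the whole `dnsResolvers` list to a single entry, which is fine as long as the GUI only accepts one resolver — worth a one-line comment if so.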
@@ -40,10 +45,18 @@ if [ "$PKI_EXTENDED_TIMEOUT" == "1" ]; then sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/orphan-finder.json fi +sed -i -e "s/\"server\": \".*\"/\"server\": \"$PKI_EMAIL_SERVER\"/" config/bad-key-revoker.json +sed -i -e "s/\"port\": \".*\"/\"port\": \"$PKI_EMAIL_PORT\"/" config/bad-key-revoker.json +sed -i -e "s/\"username\": \".*\"/\"username\": \"$PKI_EMAIL_USER\"/" config/bad-key-revoker.json +sed -i -e "s/\"from\": \".*\"/\"from\": \"$PKI_EMAIL_FROM\"/" config/bad-key-revoker.json sed -i -e "s/\"server\": \".*\"/\"server\": \"$PKI_EMAIL_SERVER\"/" config/expiration-mailer.json sed -i -e "s/\"port\": \".*\"/\"port\": \"$PKI_EMAIL_PORT\"/" config/expiration-mailer.json sed -i -e "s/\"username\": \".*\"/\"username\": \"$PKI_EMAIL_USER\"/" config/expiration-mailer.json sed -i -e "s/\"from\": \".*\"/\"from\": \"$PKI_EMAIL_FROM\"/" config/expiration-mailer.json +sed -i -e "s/\"server\": \".*\"/\"server\": \"$PKI_EMAIL_SERVER\"/" config/notify-mailer.json +sed -i -e "s/\"port\": \".*\"/\"port\": \"$PKI_EMAIL_PORT\"/" config/notify-mailer.json +sed -i -e "s/\"username\": \".*\"/\"username\": \"$PKI_EMAIL_USER\"/" config/notify-mailer.json +sed -i -e "s/\"from\": \".*\"/\"from\": \"$PKI_EMAIL_FROM\"/" config/notify-mailer.json sed -i -e "s/\"purgeInterval\": \".*\"/\"purgeInterval\": \"1s\"/" config/akamai-purger.json if [ "$PKI_EMAIL_PASS" != "" ]; then 
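Review bot: `$PKI_EMAIL_FROM`, `$PKI_EMAIL_USER` and `$PKI_EMAIL_SERVER` are substituted unescaped into `sed s///` commands on all twelve new lines, and the `from` value in particular is free text (display name plus address), so a `/`, `&` or `\` in it corrupts the JSON or injects the matched text. Escape each value once before use, e.g. `esc_from=$(printf '%s' "$PKI_EMAIL_FROM" | sed 's/[\/&\\]/\\&/g')`, and substitute `$esc_from`; a JSON-aware tool such as `jq --arg` would avoid the issue entirely if the image has it. Also note that each `s/\"port\": \".*\"/…/` rewrites every `port` key in the file, not just the mailer's, which is only safe while these configs contain exactly one.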
@@ -54,18 +67,22 @@ rm -f test-ca.key rm -f test-ca.key.der rm -f test-ca.pem rm -f test-ca.der +rm -f test-ca.p8 rm -f test-root.key rm -f test-root.key.der rm -f test-root.pem rm -f test-root.der +rm -f test-root.p8 cp -p $PKI_INT_CERT_BASE.key test-ca.key cp -p $PKI_INT_CERT_BASE.key.der test-ca.key.der cp -p $PKI_INT_CERT_BASE.pem test-ca.pem -openssl rsa -in $PKI_INT_CERT_BASE.key -pubout > test-ca.pubkey.der +openssl rsa -in $PKI_INT_CERT_BASE.key -pubout > test-ca.pubkey.pem +openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in test-ca.key -out test-ca.p8 cp -p $PKI_ROOT_CERT_BASE.key test-root.key cp -p $PKI_ROOT_CERT_BASE.key.der test-root.key.der cp -p $PKI_ROOT_CERT_BASE.pem test-root.pem -openssl rsa -in $PKI_ROOT_CERT_BASE.key -pubout > test-root.pubkey.der +openssl rsa -in $PKI_ROOT_CERT_BASE.key -pubout > test-root.pubkey.pem +openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in test-root.key -out test-root.p8 chown -R `ls -l rate-limit-policies.yml | cut -d" " -f 3,4 | sed 's/ /:/g'` . diff --git a/gui/dashboard.go b/gui/dashboard.go index c47157b..210c3b1 100644 --- a/gui/dashboard.go +++ b/gui/dashboard.go @@ -86,13 +86,13 @@ func _parseLine(line string, loc *time.Location) Activity { message = message[0:strings.Index(message, ",")] } if strings.Index(message, "Validation result") > -1 { - message = message[0:17] + message = message[0:30] } idx = strings.Index(message, " csr=[") if idx > -1 { message = message[0:idx] } - idx = strings.Index(message, " precertificate=[") + idx = strings.Index(message, " certificate=[") if idx > -1 { message = message[0:idx] } diff --git a/gui/main.go b/gui/main.go index bc4487c..f6b1d9f 100644 --- a/gui/main.go +++ b/gui/main.go 
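Review bot: `openssl pkcs8 -topk8 … -nocrypt` writes the intermediate and root private keys as plaintext PKCS#8 (`test-ca.p8`, `test-root.p8`) with whatever the current umask allows, and the trailing `chown -R` fixes ownership but not mode, so set `umask 077` before the two `openssl` lines or `chmod 600 test-ca.p8 test-root.p8` after them. Whether the root key needs to be on this host at all is a separate question: the entrypoint imports it into SoftHSM, but if nothing in the running stack signs with the root, both the copy and the `.p8` export could go. The `.pubkey.der` to `.pubkey.pem` rename is correct since `openssl rsa -pubout` emits PEM by default.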
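Review bot: `message = message[0:30]` panics with a slice-bounds error whenever the matched message is shorter than 30 bytes; the guard `strings.Index(message, "Validation result") > -1` only proves 17 bytes exist, which is why the old `[0:17]` was safe. Use `if len(message) > 30 { message = message[:30] }` (and `strings.Contains` for the guard), and say in a comment which log prefix the 30 bytes are meant to keep, since the number is otherwise opaque. `_parseLine` starts and ends outside the hunk.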
@@ -259,6 +259,10 @@ func checkUpdates(forced bool) ([]string, []string) { if *release.Name == version { newer = false } + if strings.HasPrefix(version, *release.Name + "-") { // git describe format + newer = false + latest = version + } if newer { versions = append(versions, *release.Name) descriptions = append(descriptions, *release.Body) diff --git a/gui/templates/views/manage.tmpl b/gui/templates/views/manage.tmpl index bdfd3d9..03631cb 100644 --- a/gui/templates/views/manage.tmpl +++ b/gui/templates/views/manage.tmpl @@ -44,7 +44,9 @@ {{ end }} {{ if eq $item.Name "LabCA Application" }} -
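Review bot: `strings.HasPrefix(version, *release.Name+"-")` treats any version string starting with `<release>-` as current, which also matches a prerelease-style tag such as `v1.2-rc1` against a later release `v1.2` and would then hide the update; if LabCA ever tags that way, match the full `git describe` shape instead: `descRe := regexp.MustCompile("^" + regexp.QuoteMeta(*release.Name) + "-[0-9]+-g[0-9a-f]+$")` followed by `if descRe.MatchString(version) { newer = false; latest = version }` (needs `regexp` imported). Setting `latest = version` also reports the local dev build as the latest version in the UI; a comment saying that is deliberate would help. `checkUpdates` starts and ends outside the hunk.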
+ +
+

@@ -628,6 +630,7 @@ if (data.Success) { if (data.UpdateAvailable) { $("#version-update").removeClass("hidden"); + $("#version-conditional-break").removeClass("hidden"); var notes = "RELEASE NOTES

"; jQuery.each(data.Versions, function(idx, val) { @@ -647,6 +650,8 @@ }); } else { $("#version-update").addClass("hidden") + $("#version-conditional-break").addClass("hidden"); + BootstrapDialog.show({ title: 'No new version', message: 'There is currently no newer version available.', diff --git a/install b/install index 93c0a1f..c683818 100755 --- a/install +++ b/install @@ -24,7 +24,7 @@ dockerComposeVersion="1.22.0" labcaUrl="https://github.com/hakwerk/labca/" boulderUrl="https://github.com/letsencrypt/boulder/" -boulderTag="release-2020-04-13" +boulderTag="release-2020-09-09" # # Color configuration @@ -480,9 +480,15 @@ config_boulder() { sudo -u labca patch -p1 < $cloneDir/docker-compose.patch &>>$installLog cp docker-compose.yml "$boulderLabCADir/.backup/" + sudo -u labca patch -p1 < $cloneDir/core_interfaces.patch &>>$installLog + cp core/interfaces.go "$boulderLabCADir/.backup/" + sudo -u labca patch -p1 < $cloneDir/policy_pa.patch &>>$installLog cp policy/pa.go "$boulderLabCADir/.backup/" + sudo -u labca patch -p1 < $cloneDir/ra_ra.patch &>>$installLog + cp ra/ra.go "$boulderLabCADir/.backup/" + sudo -u labca patch -p1 < $cloneDir/mail_mailer.patch &>>$installLog cp mail/mailer.go "$boulderLabCADir/.backup/" 
@@ -492,10 +498,19 @@ config_boulder() { sudo -u labca patch -p1 < $cloneDir/notify-mailer_main.patch &>>$installLog cp cmd/notify-mailer/main.go "$boulderLabCADir/.backup/" + sudo -u labca patch -p1 < $cloneDir/bad-key-revoker_main.patch &>>$installLog + cp cmd/bad-key-revoker/main.go "$boulderLabCADir/.backup/" + + sudo -u labca patch -p1 -o "$boulderLabCADir/entrypoint.sh" < $cloneDir/entrypoint.patch &>>$installLog + sudo -u labca patch -p1 -o "$boulderLabCADir/startservers.py" < $cloneDir/startservers.patch &>>$installLog + sudo -u labca patch -p1 < $cloneDir/startservers.patch &>>$installLog + sudo -u labca patch -p1 -o "$boulderLabCADir/config/ca-a.json" < $cloneDir/test_config_ca_a.patch &>>$installLog sudo -u labca patch -p1 -o "$boulderLabCADir/config/ca-b.json" < $cloneDir/test_config_ca_b.patch &>>$installLog sudo -u labca patch -p1 -o "$boulderLabCADir/config/expiration-mailer.json" < $cloneDir/config_expiration-mailer.patch &>>$installLog + sudo -u labca patch -p1 -o "$boulderLabCADir/config/notify-mailer.json" < $cloneDir/config_notify-mailer.patch &>>$installLog + sudo -u labca patch -p1 -o "$boulderLabCADir/config/bad-key-revoker.json" < $cloneDir/config_bad-key-revoker.patch &>>$installLog sed -i -e "s|https://letsencrypt.org/docs/rate-limits/|http://$LABCA_FQDN/rate-limits|" errors/errors.go &>>$installLog cp errors/errors.go "$boulderLabCADir/.backup/" 
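Review bot: `patch -p1 -o "$boulderLabCADir/entrypoint.sh"` writes a fresh output file, and as far as I know GNU patch does not carry the source's executable bit over to `-o` output, yet the docker-compose patch in this commit points `entrypoint:` at `labca/entrypoint.sh`; add `chmod +x "$boulderLabCADir/entrypoint.sh"` after that line (or verify the mode is preserved). `startservers.patch` is applied twice, once with `-o` into the labca dir and once in place on `test/startservers.py`; if both are needed, a one-line comment saying why would save the next reader from deleting one. `config_boulder` starts and ends outside the hunk.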
@@ -513,8 +528,19 @@ config_boulder() { sed -i -e "s/test-ca2.pem/test-ca.pem/" config/ra.json sed -i -e "s/test-ca2.pem/test-ca.pem/" config/wfe.json sed -i -e "s/test-ca2.pem/test-ca.pem/" config/wfe2.json + sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/akamai-purger.json + sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ocsp-responder.json + sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ocsp-updater.json + sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/publisher.json + sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ra.json + sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/wfe.json + sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/wfe2.json sed -i -e "s/5001/443/g" config/va.json sed -i -e "s/5002/80/g" config/va.json + sed -i -e "s/5001/443/g" config/va-remote-a.json + sed -i -e "s/5002/80/g" config/va-remote-a.json + sed -i -e "s/5001/443/g" config/va-remote-b.json + sed -i -e "s/5002/80/g" config/va-remote-b.json sed -i -e "s|http://boulder:4000/terms/v1|http://$LABCA_FQDN/terms/v1|" config/wfe.json sed -i -e "s|https://boulder:4431/terms/v7|https://$LABCA_FQDN/terms/v1|" config/wfe2.json sed -i -e "s|http://boulder:4430/acme/issuer-cert|http://$LABCA_FQDN/acme/issuer-cert|" config/ca-a.json @@ -536,6 +562,8 @@ config_boulder() { sed -i -e "s/ocspURL.Path = encodedReq/ocspURL.Path += encodedReq/" ocsp/helper/helper.go sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/ra.json sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/va.json + sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/va-remote-a.json + sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/va-remote-b.json for file in `find . -type f | grep -v .git`; do sed -i -e "s|test/|labca/|g" $file 
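Review bot: `sed -i -e "s/5001/443/g"` and `"s/5002/80/g"` on the new `va-remote-*.json` lines rewrite every occurrence of those digit strings anywhere in the file, so any other value containing `5001`/`5002` (a gRPC address, a `15001`-style port) is silently altered too. Anchor the replacement to the key, e.g. `s/\"portHTTPS\": 5001/\"portHTTPS\": 443/` and `s/\"portHTTP\": 5002/\"portHTTP\": 80/`, assuming the remote-VA configs use the same key names as upstream's `va.json` — check against the release-2020-09-09 tree. The existing `va.json` lines have the same weakness, and the new copies are the chance to fix all three. `config_boulder` starts and ends outside the hunk.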
@@ -610,10 +638,11 @@ startup() { msg_info "$msg (this will take a while!!)" docker-compose stop &>>$installLog || true + docker stop boulder_bhsm_1 &>>$installLog | /bin/true wait_down $PS_MYSQL &>>$installLog - wait_down $PS_BHSM &>>$installLog wait_down $PS_LABCA &>>$installLog wait_down $PS_BOULDER &>>$installLog + docker rm -f boulder_bhsm_1 &>>$installLog | /bin/true docker-compose up -d &>>$installLog [ -h "/etc/init.d/labca" ] || ln -s "$cloneDir/init_d" /etc/init.d/labca @@ -625,7 +654,6 @@ startup() { wait_up $PS_SERVICE &>>$installLog wait_up $PS_MYSQL &>>$installLog - wait_up $PS_BHSM &>>$installLog wait_up $PS_LABCA &>>$installLog wait_up $PS_BOULDER $PS_BOULDER_COUNT &>>$installLog diff --git a/mail_mailer.patch b/mail_mailer.patch index e3a3aa0..33fcb4c 100644 --- a/mail_mailer.patch +++ b/mail_mailer.patch @@ -63,7 +63,7 @@ index de6b1de20..60c58128b 100644 + addrs, err := di.dnsClient.LookupHost(ctx, di.server) if err != nil { - return nil, err -+ problem := probs.DNS("%v", err) ++ problem := probs.DNS("%v") + return nil, problem } - client, err := smtp.NewClient(conn, di.server) diff --git a/notify-mailer_main.patch b/notify-mailer_main.patch index daff61d..7576a1e 100644 --- a/notify-mailer_main.patch +++ b/notify-mailer_main.patch @@ -1,8 +1,50 @@ diff --git a/cmd/notify-mailer/main.go b/cmd/notify-mailer/main.go -index bb8945236..e278cdc16 100644 +index 0445a04c0..ba2be9e2f 100644 --- a/cmd/notify-mailer/main.go 
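Review bot: `docker stop boulder_bhsm_1 &>>$installLog | /bin/true` (and the `docker rm -f` twin) uses a pipe where `|| true` is meant: stdout and stderr are already redirected, so `/bin/true` reads nothing, and the pipeline only succeeds because `pipefail` is not set; the `docker-compose stop … || true` line just above shows the intended form, so write `docker stop boulder_bhsm_1 &>>$installLog || true`. The literal name `boulder_bhsm_1` also assumes the default compose project name, and since `bhsm` is gone from the yml `docker-compose` cannot resolve it; `docker rm -f $(docker ps -aq --filter name=_bhsm_) &>>$installLog || true` would catch the leftover container regardless of project name. `startup` starts and ends outside the hunk.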
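Review bot: The change from `probs.DNS("%v", err)` to `probs.DNS("%v")` drops the error argument, so the problem detail returned after a failed `di.dnsClient.LookupHost(ctx, di.server)` becomes the literal `%!v(MISSING)` and the actual resolution failure is lost from logs and bounces; `go vet`'s printf check would flag this. Restore `problem := probs.DNS("%v", err)` (or `probs.DNS(err.Error())`). The enclosing function in `mail/mailer.go` starts and ends outside the hunk.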
+++ b/cmd/notify-mailer/main.go -@@ -468,6 +468,7 @@ func main() { +@@ -37,6 +37,7 @@ type mailer struct { + destinations []recipient + targetRange interval + sleepInterval time.Duration ++ pa *policy.AuthorityImpl + } + + // interval defines a range of email addresses to send to, alphabetically. +@@ -146,7 +147,7 @@ func (m *mailer) run() error { + m.log.Debugf("skipping %q: out of target range") + continue + } +- if err := policy.ValidEmail(address); err != nil { ++ if err := m.pa.ValidEmail(address); err != nil { + m.log.Infof("skipping %q: %s", address, err) + continue + } +@@ -410,7 +411,9 @@ func main() { + cmd.PasswordConfig + cmd.SMTPConfig + Features map[string]bool ++ cmd.HostnamePolicyConfig + } ++ PA cmd.PAConfig + Syslog cmd.SyslogConfig + } + configFile := flag.String("config", "", "File containing a JSON config.") +@@ -461,6 +464,14 @@ func main() { + end: *end, + } + ++ // Validate PA config and set defaults if needed ++ cmd.FailOnError(cfg.PA.CheckChallenges(), "Invalid PA configuration") ++ ++ pa, err := policy.New(cfg.PA.Challenges) ++ cmd.FailOnError(err, "Failed to create PA") ++ err = pa.SetHostnamePolicyFile(cfg.NotifyMailer.HostnamePolicyFile) ++ cmd.FailOnError(err, "Failed to load HostnamePolicyFile") ++ + var mailClient bmail.Mailer + if *dryRun { + log.Infof("Doing a dry run.") +@@ -474,6 +485,7 @@ func main() { cfg.NotifyMailer.Username, smtpPassword, nil, @@ -10,3 +52,11 @@ index bb8945236..e278cdc16 100644 *address, log, metrics.NoopRegisterer, +@@ -491,6 +503,7 @@ func main() { + emailTemplate: template, + targetRange: targetRange, + sleepInterval: *sleep, ++ pa: pa, + } + + err = m.run() diff --git a/policy_pa.patch b/policy_pa.patch index d2bbef2..951bf15 100644 --- a/policy_pa.patch +++ b/policy_pa.patch @@ -1,8 +1,8 @@ diff --git a/policy/pa.go b/policy/pa.go -index f6c908363..5de2d9ddc 100644 +index 599dcdb10..084cb3ba8 100644 --- a/policy/pa.go 
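Review bot: Nothing in the new PA setup says why a mail tool needs challenge configuration and a hostname policy file just to check recipient addresses, and `cmd.FailOnError(cfg.PA.CheckChallenges(), …)` makes the `pa` config block mandatory for every deployment. Presumably `policy_pa.patch` makes `ValidEmail` a method so LabCA's lockdown/whitelist applies to contact domains, and the mailer has to load the same policy file to agree with the RA; a comment above `pa, err := policy.New(cfg.PA.Challenges)` such as `// ValidEmail is a PA method (LabCA domain restrictions apply to contact domains), so load the same hostname policy the RA uses.` would record that. `main` starts and ends outside the hunk.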
+++ b/policy/pa.go -@@ -29,6 +29,8 @@ type AuthorityImpl struct { +@@ -30,6 +30,8 @@ type AuthorityImpl struct { blocklist map[string]bool exactBlocklist map[string]bool wildcardExactBlocklist map[string]bool @@ -10,8 +10,8 @@ index f6c908363..5de2d9ddc 100644 + lockdown map[string]bool blocklistMu sync.RWMutex - enabledChallenges map[string]bool -@@ -69,6 +71,9 @@ type blockedNamesPolicy struct { + enabledChallenges map[core.AcmeChallenge]bool +@@ -70,6 +72,9 @@ type blockedNamesPolicy struct { // time above and beyond the high-risk domains. Managing these entries separately // from HighRiskBlockedNames makes it easier to vet changes accurately. AdminBlockedNames []string `yaml:"AdminBlockedNames"` @@ -21,7 +21,7 @@ index f6c908363..5de2d9ddc 100644 } // SetHostnamePolicyFile will load the given policy file, returning error if it -@@ -137,10 +142,20 @@ func (pa *AuthorityImpl) processHostnamePolicy(policy blockedNamesPolicy) error +@@ -138,10 +143,20 @@ func (pa *AuthorityImpl) processHostnamePolicy(policy blockedNamesPolicy) error // wildcardNameMap to block issuance for `*.`+parts[1] wildcardNameMap[parts[1]] = true } @@ -42,7 +42,16 @@ index f6c908363..5de2d9ddc 100644 pa.blocklistMu.Unlock() return nil } -@@ -280,6 +295,14 @@ func (pa *AuthorityImpl) ValidDomain(domain string) error { +@@ -214,7 +229,7 @@ var ( + // * exactly equal to an IANA registered TLD + // + // It does _not_ check that the domain isn't on any PA blocked lists. +-func ValidDomain(domain string) error { ++func (pa *AuthorityImpl) ValidDomain(domain string) error { + if domain == "" { + return errEmptyName + } +@@ -281,6 +296,14 @@ func ValidDomain(domain string) error { } } 
@@ -57,7 +66,30 @@ index f6c908363..5de2d9ddc 100644 // Names must end in an ICANN TLD, but they must not be equal to an ICANN TLD. icannTLD, err := iana.ExtractSuffix(domain) if err != nil { -@@ -322,14 +345,44 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error { +@@ -308,7 +331,7 @@ var forbiddenMailDomains = map[string]bool{ + // ValidEmail returns an error if the input doesn't parse as an email address, + // the domain isn't a valid hostname in Preferred Name Syntax, or its on the + // list of domains forbidden for mail (because they are often used in examples). +-func ValidEmail(address string) error { ++func (pa *AuthorityImpl) ValidEmail(address string) error { + email, err := mail.ParseAddress(address) + if err != nil { + if len(address) > 254 { +@@ -318,7 +341,7 @@ func ValidEmail(address string) error { + } + splitEmail := strings.SplitN(email.Address, "@", -1) + domain := strings.ToLower(splitEmail[len(splitEmail)-1]) +- if err := ValidDomain(domain); err != nil { ++ if err := pa.ValidDomain(domain); err != nil { + return berrors.InvalidEmailError( + "contact email %q has invalid domain : %s", + email.Address, err) +@@ -357,10 +380,14 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error { + } + domain := id.Value + +- if err := ValidDomain(domain); err != nil { ++ if err := pa.ValidDomain(domain); err != nil { return err } @@ -67,10 +99,8 @@ index f6c908363..5de2d9ddc 100644 + // Require no match against hostname block lists if err := pa.checkHostLists(domain); err != nil { -+ fmt.Print("*** oopsie hij komt niet door checkhostlists...\n") return err - } - +@@ -369,6 +396,31 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error { return nil } diff --git a/ra_ra.patch b/ra_ra.patch new file mode 100644 index 0000000..7296023 --- /dev/null +++ b/ra_ra.patch 
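Review bot: `ValidEmail` now routes the contact's domain through `pa.ValidDomain`, and this same patch inserts an eight-line block into `ValidDomain` (hunk `+@@ -281,6 +296,14 @@`, body not visible here) that presumably enforces the LabCA lockdown/whitelist; if so, ACME registrations with a contact address outside the lockdown domain are rejected with `InvalidEmailError`, which may or may not be intended for a CA whose users have ordinary mailboxes. Either confirm that in the `ValidEmail` doc comment (`// Under LabCA lockdown the contact domain must also satisfy the PA's domain restrictions.`) or apply the restriction only in `WillingToIssue` and keep `ValidDomain` syntax-only. `WillingToIssue` continues past the hunk.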
@@ -0,0 +1,21 @@ +diff --git a/ra/ra.go b/ra/ra.go +index a92965189..aeccb9c3c 100644 +--- a/ra/ra.go ++++ b/ra/ra.go +@@ -28,7 +28,6 @@ import ( + "github.com/letsencrypt/boulder/identifier" + blog "github.com/letsencrypt/boulder/log" + "github.com/letsencrypt/boulder/metrics" +- "github.com/letsencrypt/boulder/policy" + "github.com/letsencrypt/boulder/probs" + rapb "github.com/letsencrypt/boulder/ra/proto" + "github.com/letsencrypt/boulder/ratelimit" +@@ -399,7 +398,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(ctx context.Context, conta + contact, + ) + } +- if err := policy.ValidEmail(parsed.Opaque); err != nil { ++ if err := ra.PA.ValidEmail(parsed.Opaque); err != nil { + return err + } + } diff --git a/startservers.patch b/startservers.patch new file mode 100644 index 0000000..332fc8b --- /dev/null +++ b/startservers.patch @@ -0,0 +1,14 @@ +diff --git a/test/startservers.py b/test/startservers.py +index ec8ada190..be5b7a2f2 100644 +--- a/test/startservers.py ++++ b/test/startservers.py +@@ -146,6 +146,9 @@ processes = [] + challSrvProcess = None + + def setupHierarchy(): ++ pass ++ ++def setupHierarchyOriginal(): + e = os.environ.copy() + e.setdefault("GOBIN", "%s/bin" % os.getcwd()) + try: diff --git a/test_config_ca_a.patch b/test_config_ca_a.patch index 7af9aef..1b316d6 100644 --- a/test_config_ca_a.patch +++ b/test_config_ca_a.patch @@ -1,15 +1,17 @@ diff --git a/test/config/ca-a.json b/test/config/ca-a.json -index 355cfae2..c93fa5a3 100644 +index be064a52e..e7ef8fcf6 100644 --- a/test/config/ca-a.json 
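Review bot: `setupHierarchy` is stubbed to `pass` while its original body survives as `setupHierarchyOriginal`, which nothing calls, so the file now carries dead code with no explanation; either delete the renamed function or say why it is kept. If the stub stays, give it the reason instead of a bare `pass`: `# LabCA: keys/certs come from gui/apply-boulder and the SoftHSM tokens are loaded by labca/entrypoint.sh, so there is nothing to generate here.` `setupHierarchyOriginal`'s body continues past the hunk.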
+++ b/test/config/ca-a.json -@@ -29,10 +29,6 @@ +@@ -30,11 +30,7 @@ }, "Issuers": [{ "ConfigFile": "test/test-ca.key-pkcs11.json", -- "CertFile": "test/test-ca2.pem", +- "CertFile": "/tmp/intermediate-cert-rsa-a.pem", - "NumSessions": 2 -- }, { +- },{ - "ConfigFile": "test/test-ca.key-pkcs11.json", - "CertFile": "test/test-ca.pem", +- "CertFile": "/tmp/intermediate-cert-rsa-b.pem", ++ "CertFile": "test/test-ca.pem", "NumSessions": 2 }], + "expiry": "2160h", diff --git a/test_config_ca_b.patch b/test_config_ca_b.patch index 527bd58..04eeaeb 100644 --- a/test_config_ca_b.patch +++ b/test_config_ca_b.patch @@ -1,15 +1,17 @@ diff --git a/test/config/ca-b.json b/test/config/ca-b.json -index 355cfae2..c93fa5a3 100644 +index ed2498f1a..4d24ffa94 100644 --- a/test/config/ca-b.json +++ b/test/config/ca-b.json -@@ -29,10 +29,6 @@ +@@ -30,11 +30,7 @@ }, "Issuers": [{ "ConfigFile": "test/test-ca.key-pkcs11.json", -- "CertFile": "test/test-ca2.pem", +- "CertFile": "/tmp/intermediate-cert-rsa-a.pem", - "NumSessions": 2 -- }, { +- },{ - "ConfigFile": "test/test-ca.key-pkcs11.json", - "CertFile": "test/test-ca.pem", +- "CertFile": "/tmp/intermediate-cert-rsa-b.pem", ++ "CertFile": "test/test-ca.pem", "NumSessions": 2 }], + "expiry": "2160h", diff --git a/utils.sh b/utils.sh index fb760c9..a76938a 100644 --- a/utils.sh +++ b/utils.sh @@ -6,7 +6,6 @@ export PS_LABCA="bin/labca" export PS_BOULDER="bin/boulder" export PS_BOULDER_COUNT=12 export PS_MYSQL="mysqld" -export PS_BHSM="pkcs11" export PS_SERVICE="sudo___tcpserver" LOOPCOUNT=120