Merge branch 'release/21.12'

* release/21.12: Bump boulder version to release-2021-12-06 Downgrade some errors to warnings on dashboard Fix cert-checker for whitelist/lockdown domains Make initial setup process a bit more clear Add comment to hostname-policy.yaml for whitelist/lockdown section Disable redis containers (#29) Enable more than one local domain to issue certificates for (#24) Encode freshly generated keys to base64 (#27)
2026-01-27 18:19:33 +00:00 · 2021-12-08 20:35:01 +01:00
parent 1569b03698 3773878058
commit 3719f6abe7
14 changed files with 256 additions and 26 deletions
--- a/4
+++ b/4
@@ -41,6 +41,10 @@ case $txt in
    cp /etc/nginx/ssl/labca_cert.pem /usr/local/share/ca-certificates/labca_cert.crt
    cp ~labca/admin/data/root-ca.pem /usr/local/share/ca-certificates/root-ca.crt
    update-ca-certificates &>>$LOGFILE
+    echo "Waiting for initial startup of the docker containers..." &>>$LOGFILE
+    wait_up $PS_MYSQL &>>$LOGFILE
+    wait_up $PS_LABCA &>>$LOGFILE
+    wait_up $PS_BOULDER $PS_BOULDER_COUNT &>>$LOGFILE
    ;;
 "docker-restart")
    cd /home/labca/boulder
--- a/gui/apply-boulder
+++ b/gui/apply-boulder
@@ -15,21 +15,35 @@ sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" config
 sed -i -e "s/\"directoryCAAIdentity\": \".*\"/\"directoryCAAIdentity\": \"$PKI_DOMAIN\"/" config/wfe.json
 sed -i -e "s/\"directoryCAAIdentity\": \".*\"/\"directoryCAAIdentity\": \"$PKI_DOMAIN\"/" config/wfe2.json

+if ([ "$PKI_DOMAIN_MODE" == "lockdown" ] && [ "$PKI_LOCKDOWN_DOMAINS" != "" ]) || ([ "$PKI_DOMAIN_MODE" == "whitelist" ] && [ "$PKI_WHITELIST_DOMAINS" != "" ]); then
+    perl -i -p0e "s/(\"badResultsOnly\":.*?\n)/\1    \"skipForbiddenDomains\": true,\n/igs" config/cert-checker.json
+    perl -i -p0e "s/(\s+\"ignoredLints\": \[\n)/\1      \"e_dnsname_not_valid_tld\",\n/igs" config/cert-checker.json
+fi
+
 [ -e ../test/hostname-policy.yaml ] && cp ../test/hostname-policy.yaml ./ || true
 [ -e ../boulder/test/hostname-policy.yaml ] && cp ../boulder/test/hostname-policy.yaml ./ || true
 [ -e hostname-policy.json ] && rm hostname-policy.json || true
 [ -e config/ca.json ] && rm config/ca.json || true
 [ -e config/expired-authz-purger2.json ] && rm config/expired-authz-purger2.json || true
 [ -e config/janitor.json ] && rm config/janitor.json || true
-cat hostname-policy.yaml | tr '\n' '\r' | sed -e "s/Lockdown:.*//" | tr '\r' '\n' > hostname-policy.yaml.bak && mv hostname-policy.yaml.bak hostname-policy.yaml
-cat hostname-policy.yaml | tr '\n' '\r' | sed -e "s/Whitelist:.*//" | tr '\r' '\n' > hostname-policy.yaml.bak && mv hostname-policy.yaml.bak hostname-policy.yaml
+cat hostname-policy.yaml | tr '\n' '\r' | sed -e "s/\r# Lockdown.*//" | tr '\r' '\n' > hostname-policy.yaml.bak && mv hostname-policy.yaml.bak hostname-policy.yaml
+cat hostname-policy.yaml | tr '\n' '\r' | sed -e "s/\r# Whitelist.*//" | tr '\r' '\n' > hostname-policy.yaml.bak && mv hostname-policy.yaml.bak hostname-policy.yaml
 if [ "$PKI_DOMAIN_MODE" == "lockdown" ] && [ "$PKI_LOCKDOWN_DOMAINS" != "" ]; then
+    echo >> hostname-policy.yaml
+    echo "# Lockdown are the domains that this LabCA instance can issue certificates for" >> hostname-policy.yaml
    echo "Lockdown:" >> hostname-policy.yaml
-    echo "  - \"$PKI_LOCKDOWN_DOMAINS\"" >> hostname-policy.yaml
+    for d in $(echo $PKI_LOCKDOWN_DOMAINS | sed -e "s/\\\r\\\n/ /g" | tr '\r' ' '); do
+        echo "  - \"$d\"" >> hostname-policy.yaml
+    done
 fi
 if [ "$PKI_DOMAIN_MODE" == "whitelist" ] && [ "$PKI_WHITELIST_DOMAINS" != "" ]; then
+    echo >> hostname-policy.yaml
+    echo "# Whitelist are the domains that this LabCA instance can issue certificates for" >> hostname-policy.yaml
+    echo "in *addition* to all normal public domains" >> hostname-policy.yaml
    echo "Whitelist:" >> hostname-policy.yaml
-    echo "  - \"$PKI_WHITELIST_DOMAINS\"" >> hostname-policy.yaml
+    for d in $(echo $PKI_WHITELIST_DOMAINS | sed -e "s/\\\r\\\n/ /g" | tr '\r' ' '); do
+        echo "  - \"$d\"" >> hostname-policy.yaml
+    done
 fi
 if [ "$PKI_DOMAIN_MODE" == "lockdown" ] || [ "$PKI_DOMAIN_MODE" == "whitelist" ]; then
    sed -i -e "s/\(\"n_subject_common_name_included\"\)/\1,\"e_dnsname_not_valid_tld\"/" config/ca-a.json
@@ -37,10 +51,14 @@ if [ "$PKI_DOMAIN_MODE" == "lockdown" ] || [ "$PKI_DOMAIN_MODE" == "whitelist" ]

    REPLACEMENT=""
    if [ "$PKI_DOMAIN_MODE" == "lockdown" ] && [ "$PKI_LOCKDOWN_DOMAINS" != "" ]; then
-        REPLACEMENT="    $PKI_LOCKDOWN_DOMAINS: 10000\n"
+        for d in $(echo $PKI_LOCKDOWN_DOMAINS | sed -e "s/\\\r\\\n/ /g" | tr '\r' ' '); do
+            REPLACEMENT+="    $d: 10000\n"
+        done
    fi
    if [ "$PKI_DOMAIN_MODE" == "whitelist" ] && [ "$PKI_WHITELIST_DOMAINS" != "" ]; then
-        REPLACEMENT="    $PKI_WHITELIST_DOMAINS: 10000\n"
+        for d in $(echo $PKI_WHITELIST_DOMAINS | sed -e "s/\\\r\\\n/ /g" | tr '\r' ' '); do
+            REPLACEMENT="    $d: 10000\n"
+        done
    fi
    cat rate-limit-policies.yml | tr '\n' '\r' | sed -e "s/\(must-staple.le.wtf: 10000\).*\(  registrationOverrides:\)/\1\n$REPLACEMENT\2/" | tr '\r' '\n' > rate-limit-policies.yml.bak && mv rate-limit-policies.yml.bak rate-limit-policies.yml
    cat rate-limit-policies.yml | tr '\n' '\r' | sed -e "s/\(certificatesPerFQDNSet:.*must-staple.le.wtf: 10000\).*/\1\n$REPLACEMENT/" | tr '\r' '\n' > rate-limit-policies.yml.bak && mv rate-limit-policies.yml.bak rate-limit-policies.yml
--- a/gui/dashboard.go
+++ b/gui/dashboard.go
@@ -106,6 +106,12 @@ func _parseLine(line string, loc *time.Location) Activity {
 			message = message[0:idx]
 		}
 	}
+	if strings.Index(message, "failed to complete security handshake") > -1 {
+		activity.Class = "warning"
+	}
+	if strings.Index(message, "failed to receive the preface from client") > -1 {
+		activity.Class = "warning"
+	}
 	activity.Message = message

 	return activity
--- a/gui/main.go
+++ b/gui/main.go
@@ -2405,7 +2405,7 @@ func init() {
 		if key == nil {
 			panic(fmt.Errorf("fatal error random key"))
 		}
-		viper.Set("keys.auth", key)
+		viper.Set("keys.auth", base64.StdEncoding.EncodeToString(key))
 		viper.WriteConfig()
 	}
 	if viper.Get("keys.enc") == nil {
@@ -2413,7 +2413,7 @@ func init() {
 		if key == nil {
 			panic(fmt.Errorf("fatal error random key"))
 		}
-		viper.Set("keys.enc", key)
+		viper.Set("keys.enc", base64.StdEncoding.EncodeToString(key))
 		viper.WriteConfig()
 	}

--- a/gui/templates/views/cert.tmpl
+++ b/gui/templates/views/cert.tmpl
@@ -2,7 +2,7 @@
 </div>
 <div class="col-md-6 col-sm-12">
 {{with .CertificateInfo}}
-    <h3>{{ if .IsRoot }}Root{{ else }}Issuer (2nd level){{ end }} Certificate</h3>
+    <h3>{{ if .IsRoot }}<b>Root</b>{{ else }}<b>Issuer</b> (2nd level){{ end }} Certificate</h3>

 <ul class="nav nav-tabs">
  <li class="{{ if eq .CreateType "generate" }}active{{ end }}">
@@ -19,7 +19,7 @@
 <div class="tab-content">
  <div class="tab-pane fade {{ if eq .CreateType "generate" }}active in{{ end }}" id="generate">
  <br/>
-<form role="form" action="{{ .RequestBase }}/setup" enctype="multipart/form-data" method="POST">
+<form role="form" class="form-cert" action="{{ .RequestBase }}/setup" enctype="multipart/form-data" method="POST">
  <input type="hidden" name="cert" value="{{ if .IsRoot }}root{{ else }}issuer{{ end }}">
  <input type="hidden" name="createtype" value="generate">
  <div class="form-group">
@@ -73,7 +73,7 @@

  <div class="tab-pane fade {{ if eq .CreateType "import" }}active in{{ end }}" id="import">
  <br/>
-<form role="form" action="{{ .RequestBase }}/setup" enctype="multipart/form-data" method="POST">
+<form role="form" class="form-cert" action="{{ .RequestBase }}/setup" enctype="multipart/form-data" method="POST">
  <input type="hidden" name="cert" value="{{ if .IsRoot }}root{{ else }}issuer{{ end }}">
  <input type="hidden" name="createtype" value="import">
  <p>
@@ -101,7 +101,7 @@

  <div class="tab-pane fade {{ if eq .CreateType "upload" }}active in{{ end }}" id="upload">
  <br/>
-<form role="form" action="{{ .RequestBase }}/setup" enctype="multipart/form-data" method="POST">
+<form role="form" class="form-cert" action="{{ .RequestBase }}/setup" enctype="multipart/form-data" method="POST">
  <input type="hidden" name="cert" value="{{ if .IsRoot }}root{{ else }}issuer{{ end }}">
  <input type="hidden" name="createtype" value="upload">
  <div class="form-group">
@@ -137,6 +137,8 @@
 </form>
  </div>
 </div>
+<p id="processing" class="hidden"><br/>Setting up LabCA and applying configuration. This will take a minute...<br/>
+<img id="restart-spinner" src="static/img/spinner.gif" height="36"></p>
 {{end}}
 {{ template "partials/progress.tmpl" . }}
 {{end}}
@@ -149,6 +151,12 @@
                    $(window).resize();
                }, 250);
            });
+{{ if not .CertificateInfo.IsRoot }}
+
+            $(".form-cert").submit(function() {
+                $("#processing").removeClass("hidden");
+            });
+{{end}}
        });
    </script>
 {{end}}
--- a/gui/templates/views/manage.tmpl
+++ b/gui/templates/views/manage.tmpl
@@ -163,13 +163,13 @@
      <div class="form-group">
        <label>Domain mode:</label><br/>
        <span class="error config-error hidden" id="domainmode-error"></span>
-        <input type="radio" id="lockdown" name="domain_mode" value="lockdown" {{ if eq .DomainMode "lockdown"}}checked{{ end }}/> Lockdown to only this domain:<br/>
-        <input class="form-control non-fluid" type="text" id="lockdown_domains" name="lockdown_domains" value="{{ .LockdownDomains }}"/>
+        <input type="radio" id="lockdown" name="domain_mode" value="lockdown" {{ if eq .DomainMode "lockdown"}}checked{{ end }}/> Lockdown to only these domains (one per line):<br/>
+        <textarea class="form-control non-fluid" rows="3" cols="24" id="lockdown_domains" name="lockdown_domains">{{ .LockdownDomains }}</textarea>
        <span class="error config-error hidden" id="lockdowndomains-error"></span>
        <br/>

-        <input type="radio" id="whitelist" name="domain_mode" value="whitelist" {{ if eq .DomainMode "whitelist"}}checked{{ end }}/> Next to all official domains, also allow this domain (whitelist):<br/>
-        <input class="form-control non-fluid" type="text" id="whitelist_domains" name="whitelist_domains" value="{{ .WhitelistDomains }}"/>
+        <input type="radio" id="whitelist" name="domain_mode" value="whitelist" {{ if eq .DomainMode "whitelist"}}checked{{ end }}/> Next to all official domains, also allow these domains (whitelist; one per line):<br/>
+        <textarea class="form-control non-fluid" rows="3" cols="24" id="whitelist_domains" name="whitelist_domains">{{ .WhitelistDomains }}</textarea>
        <span class="error config-error hidden" id="whitelistdomains-error"></span>
        <br/>

--- a/gui/templates/views/polling.tmpl
+++ b/gui/templates/views/polling.tmpl
@@ -3,7 +3,7 @@
 <div class="col-md-6 col-sm-12">
    <h3>Restart</h3>
    <p id="pre-restart-1">
-      Please install the root certificate in the <b>Trusted Root Certification Authorities</b> store of this machine now.<br/>
+      Please install the root certificate in the <b>Trusted Root Certification Authorities</b> store of your client machine now.<br/>
      <a href="../certs/root-ca.der">Windows (.der) format</a>&nbsp;|&nbsp;<a href="../certs/root-ca.pem">Linux (.pem) format</a>
    </p>
    <p id="pre-restart-2">Then, <a class="button active" id="restart-button" href="javascript:void();">restart LabCA</a></p>
--- a/gui/templates/views/setup.tmpl
+++ b/gui/templates/views/setup.tmpl
@@ -25,14 +25,14 @@
    {{ with .Errors.DomainMode }}
    <span class="error">{{ . }}</span><br/>
    {{ end }}
-    <input type="radio" id="lockdown" name="domain_mode" value="lockdown" {{ if eq .DomainMode "lockdown"}}checked{{ end }}/> Lockdown to only this domain:<br/>
-    <input class="form-control non-fluid" type="text" id="lockdown_domains" name="lockdown_domains" value="{{ .LockdownDomains }}"/><br/>
+    <input type="radio" id="lockdown" name="domain_mode" value="lockdown" {{ if eq .DomainMode "lockdown"}}checked{{ end }}/> Lockdown to only these domains (one per line):<br/>
+    <textarea class="form-control non-fluid" rows="3" cols="24" id="lockdown_domains" name="lockdown_domains">{{ .LockdownDomains }}</textarea><br/>
    {{ with .Errors.LockdownDomains }}
    <span class="error">{{ . }}</span><br/>
    {{ end }}

-    <input type="radio" id="whitelist" name="domain_mode" value="whitelist" {{ if eq .DomainMode "whitelist"}}checked{{ end }}/> Next to all official domains, also allow this domain (whitelist):<br/>
-    <input class="form-control non-fluid" type="text" id="whitelist_domains" name="whitelist_domains" value="{{ .WhitelistDomains }}"/><br/>
+    <input type="radio" id="whitelist" name="domain_mode" value="whitelist" {{ if eq .DomainMode "whitelist"}}checked{{ end }}/> Next to all official domains, also allow these domains (whitelist; one per line):<br/>
+    <textarea class="form-control non-fluid" rows="3" cols="24" id="whitelist_domains" name="whitelist_domains">{{ .WhitelistDomains }}</textarea><br/>
    {{ with .Errors.WhitelistDomains }}
    <span class="error">{{ . }}</span><br/>
    {{ end }}
--- a/gui/templates/views/wrapup.tmpl
+++ b/gui/templates/views/wrapup.tmpl
@@ -2,7 +2,7 @@
 </div>
 <div class="col-md-6 col-sm-12">
    <h3>Restart</h3>
-    <p>Almost there! Now we will request a certificate for this website and restart one more time...<br/>
+    <p>Almost there!<br/>Now we will request a certificate for this website and restart one more time...<br/>
    <img id="wrapup-spinner" src="static/img/spinner.gif" height="36"></p>
 {{ template "partials/progress.tmpl" . }}
 {{end}}
--- a/17
+++ b/17
@@ -24,7 +24,10 @@ dockerComposeVersion="1.28.5"

 labcaUrl="https://github.com/hakwerk/labca/"
 boulderUrl="https://github.com/letsencrypt/boulder/"
-boulderTag="release-2021-11-09"
+boulderTag="release-2021-12-06"
+
+# Feature flags
+flag_skip_redis=true

 #
 # Color configuration
@@ -532,6 +535,9 @@ config_boulder() {

    cd "$boulderDir"
    sudo -u labca -H patch -p1 < $cloneDir/patches/docker-compose.patch &>>$installLog
+    if [ "$flag_skip_redis" == true ]; then
+        sudo -u labca -H patch -p1 < $cloneDir/patches/docker-compose-redis.patch &>>$installLog
+    fi
    cp docker-compose.yml "$boulderLabCADir/.backup/"

    sudo -u labca -H patch -p1 < $cloneDir/patches/cmd_shell.patch &>>$installLog
@@ -564,6 +570,9 @@ config_boulder() {
    sudo -u labca -H patch -p1 < $cloneDir/patches/bad-key-revoker_main.patch &>>$installLog
    cp cmd/bad-key-revoker/main.go "$boulderLabCADir/.backup/"

+    sudo -u labca -H patch -p1 < $cloneDir/patches/cert-checker_main.patch &>>$installLog
+    cp cmd/cert-checker/main.go "$boulderLabCADir/.backup/"
+
    sudo -u labca -H patch -p1 < $cloneDir/patches/log-validator_main.patch &>>$installLog
    cp cmd/log-validator/main.go "$boulderLabCADir/.backup/"

@@ -628,6 +637,8 @@ config_boulder() {
    sed -i -e "s|http://127.0.0.1:4000/acme/issuer-cert|http://$LABCA_FQDN/certs/ca-int.der|" config/ca-b.json
    sed -i -e "s|http://boulder:4430/acme/issuer-cert|http://$LABCA_FQDN/acme/issuer-cert|" config/wfe2.json
    sed -i -e "s|http://127.0.0.1:4000/acme/issuer-cert|https://$LABCA_FQDN/acme/issuer-cert|" config/wfe2.json
+    sed -i -e "s|letsencrypt/boulder|hakwerk/labca|" config/wfe.json
+    sed -i -e "s|letsencrypt/boulder|hakwerk/labca|" config/wfe2.json
    sed -i -e "s|http://127.0.0.1:4002/|http://$LABCA_FQDN/ocsp/|g" config/ca-a.json
    sed -i -e "s|http://127.0.0.1:4002/|http://$LABCA_FQDN/ocsp/|g" config/ca-b.json
    sed -i -e "s|http://example.com/cps|http://$LABCA_FQDN/cps/|g" config/ca-a.json
@@ -644,6 +655,10 @@ config_boulder() {
    sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/va-remote-a.json
    sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/va-remote-b.json

+    if [ "$flag_skip_redis" == true ]; then
+        sed -i -e "s/^\(.*wait-for-it.sh.*4218\)/#\1/" entrypoint.sh
+    fi
+
    for file in `find . -type f | grep -v .git`; do
        sed -i -e "s|test/|labca/|g" $file
    done
--- a/patches/cert-checker_main.patch
+++ b/patches/cert-checker_main.patch
@@ -0,0 +1,68 @@
+diff --git a/cmd/cert-checker/main.go b/cmd/cert-checker/main.go
+index fbdd9bb8..dc7fa4fd 100644
+--- a/cmd/cert-checker/main.go
+++ b/cmd/cert-checker/main.go
+@@ -90,9 +90,10 @@ type certChecker struct {
+ 	issuedReport                report
+ 	checkPeriod                 time.Duration
+ 	acceptableValidityDurations map[time.Duration]bool
+	skipForbiddenDomains        bool
+ }
+ 
+-func newChecker(saDbMap certDB, clk clock.Clock, pa core.PolicyAuthority, period time.Duration, avd map[time.Duration]bool) certChecker {
+func newChecker(saDbMap certDB, clk clock.Clock, pa core.PolicyAuthority, period time.Duration, avd map[time.Duration]bool, sfd bool) certChecker {
+ 	return certChecker{
+ 		pa:                          pa,
+ 		dbMap:                       saDbMap,
+@@ -102,6 +103,7 @@ func newChecker(saDbMap certDB, clk clock.Clock, pa core.PolicyAuthority, period
+ 		issuedReport:                report{Entries: make(map[string]reportEntry)},
+ 		checkPeriod:                 period,
+ 		acceptableValidityDurations: avd,
+		skipForbiddenDomains:        sfd,
+ 	}
+ }
+ 
+@@ -271,7 +273,7 @@ func (c *certChecker) checkCert(cert core.Certificate, ignoredLints map[string]b
+ 			err = c.pa.WillingToIssueWildcards([]identifier.ACMEIdentifier{id})
+ 			if err != nil {
+ 				problems = append(problems, fmt.Sprintf("Policy Authority isn't willing to issue for '%s': %s", name, err))
+-			} else {
+			} else if !c.skipForbiddenDomains {
+ 				// For defense-in-depth, even if the PA was willing to issue for a name
+ 				// we double check it against a list of forbidden domains. This way even
+ 				// if the hostnamePolicyFile malfunctions we will flag the forbidden
+@@ -309,11 +311,12 @@ type config struct {
+ 		DB cmd.DBConfig
+ 		cmd.HostnamePolicyConfig
+ 
+-		Workers             int
+-		ReportDirectoryPath string
+-		UnexpiredOnly       bool
+-		BadResultsOnly      bool
+-		CheckPeriod         cmd.ConfigDuration
+		Workers              int
+		ReportDirectoryPath  string
+		UnexpiredOnly        bool
+		BadResultsOnly       bool
+		SkipForbiddenDomains bool
+		CheckPeriod          cmd.ConfigDuration
+ 
+ 		// AcceptableValidityDurations is a list of durations which are
+ 		// acceptable for certificates we issue.
+@@ -364,6 +367,8 @@ func main() {
+ 		acceptableValidityDurations[ninetyDays] = true
+ 	}
+ 
+	skipForbiddenDomains := config.CertChecker.SkipForbiddenDomains
+
+ 	// Validate PA config and set defaults if needed.
+ 	cmd.FailOnError(config.PA.CheckChallenges(), "Invalid PA configuration")
+ 
+@@ -412,6 +417,7 @@ func main() {
+ 		pa,
+ 		config.CertChecker.CheckPeriod.Duration,
+ 		acceptableValidityDurations,
+		skipForbiddenDomains,
+ 	)
+ 	fmt.Fprintf(os.Stderr, "# Getting certificates issued in the last %s\n", config.CertChecker.CheckPeriod)
+ 
--- a/patches/docker-compose-redis.patch
+++ b/patches/docker-compose-redis.patch
@@ -0,0 +1,111 @@
+diff --git a/docker-compose.yml b/docker-compose.yml
+index c1d54f23..2b6de7cb 100644
+--- a/docker-compose.yml
+++ b/docker-compose.yml
+@@ -17,8 +17,6 @@ services:
+         ipv4_address: 10.77.77.77
+       rednet:
+         ipv4_address: 10.88.88.88
+-      redisnet:
+-        ipv4_address: 10.33.33.33
+     # Use sd-test-srv as a backup to Docker's embedded DNS server
+     # (https://docs.docker.com/config/containers/container-networking/#dns-services).
+     # If there's a name Docker's DNS server doesn't know about, it will
+@@ -36,7 +34,6 @@ services:
+       - 8055:8055 # dns-test-srv updates
+     depends_on:
+       - bmysql
+-      - bredis_clusterer
+     entrypoint: labca/entrypoint.sh
+     working_dir: &boulder_working_dir /go/src/github.com/letsencrypt/boulder
+     logging:
+@@ -69,78 +66,6 @@ services:
+         max-file: "5"
+     restart: always
+ 
+-  bredis_1:
+-    image: redis:latest
+-    volumes:
+-      - ./test/:/test/:cached
+-    command: redis-server /test/redis.config
+-    networks:
+-      redisnet:
+-          ipv4_address: 10.33.33.2
+-
+-  bredis_2:
+-    image: redis:latest
+-    volumes:
+-      - ./test/:/test/:cached
+-    command: redis-server /test/redis.config
+-    networks:
+-      redisnet:
+-          ipv4_address: 10.33.33.3
+-
+-  bredis_3:
+-    image: redis:latest
+-    volumes:
+-      - ./test/:/test/:cached
+-    command: redis-server /test/redis.config
+-    networks:
+-      redisnet:
+-          ipv4_address: 10.33.33.4
+-
+-  bredis_4:
+-    image: redis:latest
+-    volumes:
+-      - ./test/:/test/:cached
+-    command: redis-server /test/redis.config
+-    networks:
+-      redisnet:
+-          ipv4_address: 10.33.33.5
+-
+-  bredis_5:
+-    image: redis:latest
+-    volumes:
+-      - ./test/:/test/:cached
+-    command: redis-server /test/redis.config
+-    networks:
+-      redisnet:
+-          ipv4_address: 10.33.33.6
+-
+-  bredis_6:
+-    image: redis:latest
+-    volumes:
+-      - ./test/:/test/:cached
+-    command: redis-server /test/redis.config
+-    networks:
+-      redisnet:
+-          ipv4_address: 10.33.33.7
+-
+-  bredis_clusterer:
+-    image: redis:latest
+-    volumes:
+-      - ./test/:/test/:cached
+-      - ./cluster/:/cluster/:cached
+-    command: /test/wait-for-it.sh 10.33.33.2 4218 /test/redis-create.sh
+-    depends_on:
+-      - bredis_1
+-      - bredis_2
+-      - bredis_3
+-      - bredis_4
+-      - bredis_5
+-      - bredis_6
+-    networks:
+-        redisnet:
+-          ipv4_address: 10.33.33.10
+-          aliases:
+-            - boulder-redis-clusterer
+ 
+   labca:
+     image: *boulder_image
+@@ -181,10 +106,3 @@ networks:
+       driver: default
+       config:
+         - subnet: 10.88.88.0/24
+-
+-  redisnet:
+-    driver: bridge
+-    ipam:
+-      driver: default
+-      config:
+-        - subnet: 10.33.33.0/24
--- a/patches/expiration-mailer_main.patch
+++ b/patches/expiration-mailer_main.patch
@@ -42,7 +42,7 @@ index 862ed2fe7..e8b0aac3d 100644
 }
 
 func initStats(stats prometheus.Registerer) mailerStats {
-@@ -534,6 +544,32 @@ func main() {
+@@ -535,6 +545,32 @@ func main() {
 	cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA")
 	sac := sapb.NewStorageAuthorityClient(conn)
 
@@ -75,7 +75,7 @@ index 862ed2fe7..e8b0aac3d 100644
 	var smtpRoots *x509.CertPool
 	if c.Mailer.SMTPTrustedRootFile != "" {
 		pem, err := ioutil.ReadFile(c.Mailer.SMTPTrustedRootFile)
-@@ -569,6 +605,7 @@ func main() {
+@@ -570,6 +606,7 @@ func main() {
 		c.Mailer.Username,
 		smtpPassword,
 		smtpRoots,
--- a/patches/ra_ra.patch
+++ b/patches/ra_ra.patch
@@ -10,7 +10,7 @@ index 275e64a95..873d5c943 100644
 	"github.com/letsencrypt/boulder/probs"
 	pubpb "github.com/letsencrypt/boulder/publisher/proto"
 	rapb "github.com/letsencrypt/boulder/ra/proto"
-@@ -444,7 +443,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(ctx context.Context, conta
+@@ -448,7 +447,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(ctx context.Context, conta
 				contact,
 			)
 		}