From af69bd5ff405de66ba19e6f77d1c78745a87a710 Mon Sep 17 00:00:00 2001
From: Arjan H
Date: Mon, 29 Nov 2021 19:51:06 +0100
Subject: [PATCH 1/8] Encode freshly generated keys to base64 (#27)

On the very first run, the authorization and encryption keys are generated as []byte but they should be stored base64 encoded so they match the value as loaded in consecutive runs
---
 gui/main.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gui/main.go b/gui/main.go
index 646dfd2..dbd9b88 100644
--- a/gui/main.go
+++ b/gui/main.go
@@ -2405,7 +2405,7 @@ func init() {
 if key == nil {
 panic(fmt.Errorf("fatal error random key"))
 }
- viper.Set("keys.auth", key)
+ viper.Set("keys.auth", base64.StdEncoding.EncodeToString(key))
 viper.WriteConfig()
 }
 if viper.Get("keys.enc") == nil {
@@ -2413,7 +2413,7 @@ func init() {
 if key == nil {
 panic(fmt.Errorf("fatal error random key"))
 }
- viper.Set("keys.enc", key)
+ viper.Set("keys.enc", base64.StdEncoding.EncodeToString(key))
 viper.WriteConfig()
 }

From 503d1e51ef3cb1ce4cf2e3a771d18c1258b533cd Mon Sep 17 00:00:00 2001
From: Arjan H
Date: Fri, 3 Dec 2021 20:31:55 +0100
Subject: [PATCH 2/8] Enable more than one local domain to issue certificates for (#24)

---
 gui/apply-boulder | 16 ++++++++++++----
 gui/templates/views/manage.tmpl | 8 ++++----
 gui/templates/views/setup.tmpl | 8 ++++----
 3 files changed, 20 insertions(+), 12 deletions(-)

diff --git a/gui/apply-boulder b/gui/apply-boulder
index a2e20d5..b59ab01 100755
--- a/gui/apply-boulder
+++ b/gui/apply-boulder
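Review bot: The error from `viper.WriteConfig()` on the line after each changed `viper.Set` is still discarded, so a failed write leaves the freshly generated auth/encryption key only in memory and the next start generates a different one, silently invalidating whatever was signed or encrypted with it. The surrounding code already panics when key generation fails, so persisting should be just as strict: `if err := viper.WriteConfig(); err != nil { panic(fmt.Errorf("fatal error writing keys: %w", err)) }` in both places. The config file now carries both secrets in base64 form and viper writes it with its default file mode unless `viper.SetConfigPermissions` has been called (not visible here), so it is worth confirming the file is not world-readable. Both hunks sit inside `init()`, whose body begins and ends outside them.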
@@ -25,11 +25,15 @@ cat hostname-policy.yaml | tr '\n' '\r' | sed -e "s/Lockdown:.*//" | tr '\r' '\n
 cat hostname-policy.yaml | tr '\n' '\r' | sed -e "s/Whitelist:.*//" | tr '\r' '\n' > hostname-policy.yaml.bak && mv hostname-policy.yaml.bak hostname-policy.yaml
 if [ "$PKI_DOMAIN_MODE" == "lockdown" ] && [ "$PKI_LOCKDOWN_DOMAINS" != "" ]; then
 echo "Lockdown:" >> hostname-policy.yaml
- echo " - \"$PKI_LOCKDOWN_DOMAINS\"" >> hostname-policy.yaml
+ for d in $(echo $PKI_LOCKDOWN_DOMAINS | sed -e "s/\\\r\\\n/ /g" | tr '\r' ' '); do
+ echo " - \"$d\"" >> hostname-policy.yaml
+ done
 fi
 if [ "$PKI_DOMAIN_MODE" == "whitelist" ] && [ "$PKI_WHITELIST_DOMAINS" != "" ]; then
 echo "Whitelist:" >> hostname-policy.yaml
- echo " - \"$PKI_WHITELIST_DOMAINS\"" >> hostname-policy.yaml
+ for d in $(echo $PKI_WHITELIST_DOMAINS | sed -e "s/\\\r\\\n/ /g" | tr '\r' ' '); do
+ echo " - \"$d\"" >> hostname-policy.yaml
+ done
 fi
 if [ "$PKI_DOMAIN_MODE" == "lockdown" ] || [ "$PKI_DOMAIN_MODE" == "whitelist" ]; then
 sed -i -e "s/\(\"n_subject_common_name_included\"\)/\1,\"e_dnsname_not_valid_tld\"/" config/ca-a.json
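Review bot: Each entry of `$PKI_LOCKDOWN_DOMAINS` (and `$PKI_WHITELIST_DOMAINS` in the second loop) is expanded unquoted in `for d in $(echo ... )`, so besides word-splitting the shell performs pathname expansion on it: an entry containing `*`, `?` or `[` would be replaced by matching file names from the working directory, and an entry containing `"` would break the YAML written by `echo " - \"$d\""`. The values come from a free-text GUI field and whether the Go handler restricts them to valid hostnames is not visible here, so the script should reject anything unexpected before emitting it, e.g. as the first line of each loop body `case "$d" in *[!A-Za-z0-9.-]*|"") echo "invalid domain: $d" >&2; exit 1;; esac` (or this script's usual error path), and bracket the expansions with `set -f`/`set +f` to turn globbing off. The same check would protect the rate-limit loops further down in this file, which interpolate the same entries into `sed` expressions.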
@@ -37,10 +41,14 @@ if [ "$PKI_DOMAIN_MODE" == "lockdown" ] || [ "$PKI_DOMAIN_MODE" == "whitelist" ]
 REPLACEMENT=""
 if [ "$PKI_DOMAIN_MODE" == "lockdown" ] && [ "$PKI_LOCKDOWN_DOMAINS" != "" ]; then
- REPLACEMENT=" $PKI_LOCKDOWN_DOMAINS: 10000\n"
+ for d in $(echo $PKI_LOCKDOWN_DOMAINS | sed -e "s/\\\r\\\n/ /g" | tr '\r' ' '); do
+ REPLACEMENT+=" $d: 10000\n"
+ done
 fi
 if [ "$PKI_DOMAIN_MODE" == "whitelist" ] && [ "$PKI_WHITELIST_DOMAINS" != "" ]; then
- REPLACEMENT=" $PKI_WHITELIST_DOMAINS: 10000\n"
+ for d in $(echo $PKI_WHITELIST_DOMAINS | sed -e "s/\\\r\\\n/ /g" | tr '\r' ' '); do
+ REPLACEMENT=" $d: 10000\n"
+ done
 fi
 cat rate-limit-policies.yml | tr '\n' '\r' | sed -e "s/\(must-staple.le.wtf: 10000\).*\( registrationOverrides:\)/\1\n$REPLACEMENT\2/" | tr '\r' '\n' > rate-limit-policies.yml.bak && mv rate-limit-policies.yml.bak rate-limit-policies.yml
 cat rate-limit-policies.yml | tr '\n' '\r' | sed -e "s/\(certificatesPerFQDNSet:.*must-staple.le.wtf: 10000\).*/\1\n$REPLACEMENT/" | tr '\r' '\n' > rate-limit-policies.yml.bak && mv rate-limit-policies.yml.bak rate-limit-policies.yml
diff --git a/gui/templates/views/manage.tmpl b/gui/templates/views/manage.tmpl
index d2c6794..b3f10f4 100644
--- a/gui/templates/views/manage.tmpl
+++ b/gui/templates/views/manage.tmpl
@@ -163,13 +163,13 @@
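Review bot: The whitelist loop uses plain assignment, `REPLACEMENT=" $d: 10000\n"`, where the lockdown loop directly above uses `+=`, so with more than one whitelist domain only the last entry receives the 10000 rate-limit override in rate-limit-policies.yml and the others silently fall back to the defaults; it should read `REPLACEMENT+=" $d: 10000\n"`. `$REPLACEMENT` is then substituted unescaped into the replacement side of the two `sed` expressions on the `cat rate-limit-policies.yml` lines, where a `/`, `&` or `\` in a domain entry would terminate the expression early or corrupt the policy file, so the entries need to be validated (or those characters escaped) before they reach `sed`. The entries are also emitted here without the quoting used in hostname-policy.yaml, which is fine for plain hostnames but one more reason to validate them once, up front.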

- Lockdown to only this domain:
- + Lockdown to only these domains (one per line):
+
- Next to all official domains, also allow this domain (whitelist):
- + Next to all official domains, also allow these domains (whitelist; one per line):
+
diff --git a/gui/templates/views/setup.tmpl b/gui/templates/views/setup.tmpl index f4537d0..44b5064 100644 --- a/gui/templates/views/setup.tmpl +++ b/gui/templates/views/setup.tmpl @@ -25,14 +25,14 @@ {{ with .Errors.DomainMode }} {{ . }}
{{ end }} - Lockdown to only this domain:
-
+ Lockdown to only these domains (one per line):
+
{{ with .Errors.LockdownDomains }} {{ . }}
{{ end }} - Next to all official domains, also allow this domain (whitelist):
-
+ Next to all official domains, also allow these domains (whitelist; one per line):
+
{{ with .Errors.WhitelistDomains }} {{ . }}
{{ end }}
From 74571033edb2e825aafd4e1de73bcfb10e501861 Mon Sep 17 00:00:00 2001
From: Arjan H
Date: Sat, 4 Dec 2021 13:38:19 +0100
Subject: [PATCH 3/8] Disable redis containers (#29)

The boulder team have recently introduced a redis cluster for OCSP. As these are taking up quite a bit of resources and it appears we don't need it for LabCA, we disable it for now.
---
 install | 10 +++
 patches/docker-compose-redis.patch | 111 +++++++++++++++++++++++++++++
 2 files changed, 121 insertions(+)
 create mode 100644 patches/docker-compose-redis.patch

diff --git a/install b/install
index 747a0ec..2875c3e 100755
--- a/install
+++ b/install
@@ -26,6 +26,9 @@
 labcaUrl="https://github.com/hakwerk/labca/"
 boulderUrl="https://github.com/letsencrypt/boulder/"
 boulderTag="release-2021-11-09"
+# Feature flags
+flag_skip_redis=true
+
 #
 # Color configuration
 #
@@ -532,6 +535,9 @@ config_boulder() {
 cd "$boulderDir"
 sudo -u labca -H patch -p1 < $cloneDir/patches/docker-compose.patch &>>$installLog
+ if [ "$flag_skip_redis" == true ]; then
+ sudo -u labca -H patch -p1 < $cloneDir/patches/docker-compose-redis.patch &>>$installLog
+ fi
 cp docker-compose.yml "$boulderLabCADir/.backup/"
 sudo -u labca -H patch -p1 < $cloneDir/patches/cmd_shell.patch &>>$installLog
@@ -644,6 +650,10 @@ config_boulder() {
 sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/va-remote-a.json
 sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/va-remote-b.json
+ if [ "$flag_skip_redis" == true ]; then
+ sed -i -e "s/^\(.*wait-for-it.sh.*4218\)/#\1/" entrypoint.sh
+ fi
+
 for file in `find . -type f | grep -v .git`; do
 sed -i -e "s|test/|labca/|g" $file
 done
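Review bot: The new `patch -p1 < $cloneDir/patches/docker-compose-redis.patch` in config_boulder() sends its output to `$installLog` and its exit status is never checked, so a patch that fails to apply (for instance once `boulderTag` is bumped to a release with a different docker-compose.yml) leaves the redis services in place while the `sed` in the later hunk still comments out the `wait-for-it.sh ... 4218` line in entrypoint.sh, and the install carries on as if both steps had succeeded. Since the two changes only make sense together, the patch step should fail loudly: `sudo -u labca -H patch -p1 < $cloneDir/patches/docker-compose-redis.patch &>>$installLog || { echo "docker-compose-redis.patch did not apply" >&2; exit 1; }` (or whatever error path this installer already uses). A one-line comment next to `flag_skip_redis=true` should also state that the compose patch and the entrypoint change must track each other, and that the flag must stay off if any boulder config in use still points at the 10.33.33.0/24 redis cluster, which this change does not check. config_boulder() begins and ends outside these hunks.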
@@ -0,0 +1,111 @@
+diff --git a/docker-compose.yml b/docker-compose.yml
+index c1d54f23..2b6de7cb 100644
+--- a/docker-compose.yml
++++ b/docker-compose.yml
+@@ -17,8 +17,6 @@ services:
+ ipv4_address: 10.77.77.77
+ rednet:
+ ipv4_address: 10.88.88.88
+- redisnet:
+- ipv4_address: 10.33.33.33
+ # Use sd-test-srv as a backup to Docker's embedded DNS server
+ # (https://docs.docker.com/config/containers/container-networking/#dns-services).
+ # If there's a name Docker's DNS server doesn't know about, it will
+@@ -36,7 +34,6 @@ services:
+ - 8055:8055 # dns-test-srv updates
+ depends_on:
+ - bmysql
+- - bredis_clusterer
+ entrypoint: labca/entrypoint.sh
+ working_dir: &boulder_working_dir /go/src/github.com/letsencrypt/boulder
+ logging:
+@@ -69,78 +66,6 @@ services:
+ max-file: "5"
+ restart: always
+
+- bredis_1:
+- image: redis:latest
+- volumes:
+- - ./test/:/test/:cached
+- command: redis-server /test/redis.config
+- networks:
+- redisnet:
+- ipv4_address: 10.33.33.2
+-
+- bredis_2:
+- image: redis:latest
+- volumes:
+- - ./test/:/test/:cached
+- command: redis-server /test/redis.config
+- networks:
+- redisnet:
+- ipv4_address: 10.33.33.3
+-
+- bredis_3:
+- image: redis:latest
+- volumes:
+- - ./test/:/test/:cached
+- command: redis-server /test/redis.config
+- networks:
+- redisnet:
+- ipv4_address: 10.33.33.4
+-
+- bredis_4:
+- image: redis:latest
+- volumes:
+- - ./test/:/test/:cached
+- command: redis-server /test/redis.config
+- networks:
+- redisnet:
+- ipv4_address: 10.33.33.5
+-
+- bredis_5:
+- image: redis:latest
+- volumes:
+- - ./test/:/test/:cached
+- command: redis-server /test/redis.config
+- networks:
+- redisnet:
+- ipv4_address: 10.33.33.6
+-
+- bredis_6:
+- image: redis:latest
+- volumes:
+- - ./test/:/test/:cached
+- command: redis-server /test/redis.config
+- networks:
+- redisnet:
+- ipv4_address: 10.33.33.7
+-
+- bredis_clusterer:
+- image: redis:latest
+- volumes:
+- - ./test/:/test/:cached
+- - ./cluster/:/cluster/:cached
+- command: 
/test/wait-for-it.sh 10.33.33.2 4218 /test/redis-create.sh
+- depends_on:
+- - bredis_1
+- - bredis_2
+- - bredis_3
+- - bredis_4
+- - bredis_5
+- - bredis_6
+- networks:
+- redisnet:
+- ipv4_address: 10.33.33.10
+- aliases:
+- - boulder-redis-clusterer
+
+ labca:
+ image: *boulder_image
+@@ -181,10 +106,3 @@ networks:
+ driver: default
+ config:
+ - subnet: 10.88.88.0/24
+-
+- redisnet:
+- driver: bridge
+- ipam:
+- driver: default
+- config:
+- - subnet: 10.33.33.0/24
From fcab9f6b2d27876598befcacf14c830a77f48930 Mon Sep 17 00:00:00 2001
From: Arjan H
Date: Sat, 4 Dec 2021 13:40:49 +0100
Subject: [PATCH 4/8] Add comment to hostname-policy.yaml for whitelist/lockdown section

---
 gui/apply-boulder | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/gui/apply-boulder b/gui/apply-boulder
index b59ab01..7914b81 100755
--- a/gui/apply-boulder
+++ b/gui/apply-boulder
@@ -21,15 +21,20 @@ sed -i -e "s/\"directoryCAAIdentity\": \".*\"/\"directoryCAAIdentity\": \"$PKI_D
 [ -e config/ca.json ] && rm config/ca.json || true
 [ -e config/expired-authz-purger2.json ] && rm config/expired-authz-purger2.json || true
 [ -e config/janitor.json ] && rm config/janitor.json || true
-cat hostname-policy.yaml | tr '\n' '\r' | sed -e "s/Lockdown:.*//" | tr '\r' '\n' > hostname-policy.yaml.bak && mv hostname-policy.yaml.bak hostname-policy.yaml
-cat hostname-policy.yaml | tr '\n' '\r' | sed -e "s/Whitelist:.*//" | tr '\r' '\n' > hostname-policy.yaml.bak && mv hostname-policy.yaml.bak hostname-policy.yaml
+cat hostname-policy.yaml | tr '\n' '\r' | sed -e "s/\r# Lockdown.*//" | tr '\r' '\n' > hostname-policy.yaml.bak && mv hostname-policy.yaml.bak hostname-policy.yaml
+cat hostname-policy.yaml | tr '\n' '\r' | sed -e "s/\r# Whitelist.*//" | tr '\r' '\n' > hostname-policy.yaml.bak && mv hostname-policy.yaml.bak hostname-policy.yaml
 if [ "$PKI_DOMAIN_MODE" == "lockdown" ] && [ "$PKI_LOCKDOWN_DOMAINS" != "" ]; then
+ echo >> hostname-policy.yaml
+ echo "# Lockdown are the domains that this LabCA instance can issue certificates for" >> hostname-policy.yaml
 echo "Lockdown:" >> hostname-policy.yaml
 for d in $(echo $PKI_LOCKDOWN_DOMAINS | sed -e "s/\\\r\\\n/ /g" | tr '\r' ' '); do
 echo " - \"$d\"" >> hostname-policy.yaml
 done
 fi
 if [ "$PKI_DOMAIN_MODE" == "whitelist" ] && [ "$PKI_WHITELIST_DOMAINS" != "" ]; then
+ echo >> hostname-policy.yaml
+ echo "# Whitelist are the domains that this LabCA instance can issue certificates for" >> hostname-policy.yaml
+ echo "in *addition* to all normal public domains" >> hostname-policy.yaml
 echo "Whitelist:" >> hostname-policy.yaml
 for d in $(echo $PKI_WHITELIST_DOMAINS | sed -e "s/\\\r\\\n/ /g" | tr '\r' ' '); do
 echo " - \"$d\"" >> hostname-policy.yaml
From d7c1cbe118062fcd289b16f7ec5b01cbecb7bd61 Mon Sep 17 00:00:00 2001
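Review bot: The second comment line added for the whitelist section, `echo "in *addition* to all normal public domains" >> hostname-policy.yaml`, is missing the leading `# `, so a bare line `in *addition* to all normal public domains` lands in hostname-policy.yaml directly before `Whitelist:`; that is not a valid YAML document and boulder's policy loader will almost certainly reject the file, taking issuance down for exactly the whitelist mode this commit is documenting. It should be `echo "# in *addition* to all normal public domains" >> hostname-policy.yaml`. Note also that the cleanup on the two changed `cat hostname-policy.yaml` lines now keys on the `# Lockdown`/`# Whitelist` comments rather than on `Lockdown:`/`Whitelist:`, so a policy file generated by the previous version of this script is no longer stripped and the next apply appends a second `Lockdown:` or `Whitelist:` key; matching both forms in the `sed` (or a one-time migration) avoids that.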
From: Arjan H
Date: Sat, 4 Dec 2021 15:29:34 +0100
Subject: [PATCH 5/8] Make initial setup process a bit more clear

---
 commander | 4 ++++
 gui/templates/views/cert.tmpl | 16 ++++++++++++----
 gui/templates/views/polling.tmpl | 2 +-
 gui/templates/views/wrapup.tmpl | 2 +-
 install | 2 ++
 5 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/commander b/commander
index 3c9b6eb..8102763 100755
--- a/commander
+++ b/commander
@@ -41,6 +41,10 @@ case $txt in
 cp /etc/nginx/ssl/labca_cert.pem /usr/local/share/ca-certificates/labca_cert.crt
 cp ~labca/admin/data/root-ca.pem /usr/local/share/ca-certificates/root-ca.crt
 update-ca-certificates &>>$LOGFILE
+ echo "Waiting for initial startup of the docker containers..." &>>$LOGFILE
+ wait_up $PS_MYSQL &>>$LOGFILE
+ wait_up $PS_LABCA &>>$LOGFILE
+ wait_up $PS_BOULDER $PS_BOULDER_COUNT &>>$LOGFILE
 ;;
 "docker-restart")
 cd /home/labca/boulder
diff --git a/gui/templates/views/cert.tmpl b/gui/templates/views/cert.tmpl
index 8dda835..e5ccf9f 100644
--- a/gui/templates/views/cert.tmpl
+++ b/gui/templates/views/cert.tmpl
@@ -2,7 +2,7 @@
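Review bot: The three new `wait_up` calls only redirect their output to `$LOGFILE`; their exit status is discarded, so if `wait_up` gives up after its timeout the case branch still completes normally and the caller is told the initial startup succeeded. If `wait_up` reports a timeout with a non-zero status (its definition and the `PS_*` variables are outside this hunk, so I cannot confirm), propagate it, e.g. `wait_up $PS_MYSQL &>>$LOGFILE || exit 1` for each of the three calls, or record the failure and report it before `;;`. The enclosing `case $txt in` begins and ends outside the hunk.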
{{with .CertificateInfo}} -

{{ if .IsRoot }}Root{{ else }}Issuer (2nd level){{ end }} Certificate

+

{{ if .IsRoot }}Root{{ else }}Issuer (2nd level){{ end }} Certificate