diff --git a/gui/apply-boulder b/gui/apply-boulder
index 645c658..a261057 100755
--- a/gui/apply-boulder
+++ b/gui/apply-boulder
@@ -175,9 +175,10 @@
 rm -f config/ca-a.json
 rm -f config/ca-b.json
 INT_BASE_NAME=$(basename $PKI_INT_CERT_BASE.pem)
+INT_CRL_BASE_NAME=${INT_BASE_NAME/-cert/-crl}
 sed -i -e "s|\"issuerURL\": \".*\"|\"issuerURL\": \"http://$PKI_FQDN/certs/$INT_BASE_NAME\"|" config/ca.json
 sed -i -e "s|\"ocspURL\": \".*\"|\"ocspURL\": \"http://$PKI_FQDN/ocsp/\"|" config/ca.json
-sed -i -e "s|\"crlURLBase\": \".*\"|\"crlURLBase\": \"http://$PKI_FQDN/crl/\"|" config/ca.json
+sed -i -e "s|\"crlURLBase\": \".*\"|\"crlURLBase\": \"http://$PKI_FQDN/crl/$INT_CRL_BASE_NAME\"|" config/ca.json
 
 if [ "$PKI_EXTENDED_TIMEOUT" == "1" ]; then
 sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/ca.json
diff --git a/gui/certificate.go b/gui/certificate.go
index 8a373b7..e3794e2 100644
--- a/gui/certificate.go
+++ b/gui/certificate.go
@@ -325,8 +325,8 @@ func (ci *CertificateInfo) CeremonyIssuer(seqnr, rootseqnr string, use_existing_
 "Country": ci.Country,
 "NotBefore": notbefore.UTC().Format("2006-01-02 15:04:05"),
 "NotAfter": notafter.UTC().Format("2006-01-02 15:04:05"),
- "CrlUrl": fmt.Sprintf("http://%s/crl", fqdn),
- "IssuerUrl": fmt.Sprintf("http://%s/aia/issuer", fqdn), // TODO: fix this
+ "CrlUrl": fmt.Sprintf("http://%s/crl/root-%s-crl.pem", fqdn, rootseqnr),
+ "IssuerUrl": fmt.Sprintf("http://%s/certs/root-%s-cert.pem", fqdn, rootseqnr),
 })
 if err != nil {
 ci.Errors["Generate"] = "error preparing for issuer cert ceremony, see logs for details"
diff --git a/install b/install
index 29fa819..5011dec 100755
--- a/install
+++ b/install
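Review bot: `INT_CRL_BASE_NAME=${INT_BASE_NAME/-cert/-crl}` silently falls back to the unchanged certificate basename when `$INT_BASE_NAME` contains no `-cert`, so the rewritten `crlURLBase` would then point at the issuer certificate rather than a CRL, and that URL is what ends up as the distribution point in every certificate this issuer signs. Guard the derivation so a misnamed base fails loudly instead of producing a wrong revocation URL: `[ "$INT_CRL_BASE_NAME" != "$INT_BASE_NAME" ] || { echo "cannot derive CRL file name from $INT_BASE_NAME" >&2; exit 1; }`. The `${var/pat/rep}` substitution is bash-only; the script's interpreter line is outside the hunk, so confirm it is never run under plain sh. The new value also no longer ends in `/`, which depends on the companion patches/issuance_crl.patch treating a slash-less base as a literal CRL URL.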
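Review bot: `rootseqnr` is interpolated straight into the CrlUrl and IssuerUrl paths with `%s`, so a value containing `/`, `?`, `#` or whitespace would silently change the URLs the ceremony writes into the root certificate's CRL distribution point and AIA fields. Where `rootseqnr` comes from is not visible in the hunk; if it can originate from the GUI form, validate it against the expected sequence-number format or escape it, e.g. `"CrlUrl": fmt.Sprintf("http://%s/crl/root-%s-crl.pem", fqdn, url.PathEscape(rootseqnr)),` and likewise for IssuerUrl (`net/url` would need importing if it is not already). The same consideration applies to `fqdn`, whose origin is also outside the hunk. CeremonyIssuer's body starts and ends outside the hunk.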
@@ -626,7 +626,6 @@ config_boulder() {
 cp cmd/cert-checker/main.go "$boulderLabCADir/.backup/"
 cp cmd/log-validator/main.go "$boulderLabCADir/.backup/"
 cp cmd/boulder/main.go "$boulderLabCADir/.backup/"
-cp ratelimit/rate-limits.go "$boulderLabCADir/.backup/"
 cp errors/errors.go "$boulderLabCADir/.backup/"
 cp log/log.go "$boulderLabCADir/.backup/"
 cp sa/db/boulder_sa/20230419000000_CombinedSchema.sql "$boulderLabCADir/.backup/"
diff --git a/patch.sh b/patch.sh
index c5af52d..77da55f 100755
--- a/patch.sh
+++ b/patch.sh
@@ -38,6 +38,7 @@ $SUDO patch -p1 < $cloneDir/patches/db_migrations4.patch
 $SUDO patch -p1 < $cloneDir/patches/db_migrations5.patch
 $SUDO patch -p1 < $cloneDir/patches/expiration-mailer_main.patch
 $SUDO patch -p1 < $cloneDir/patches/issuance_crl.patch
+$SUDO patch -p1 < $cloneDir/patches/issuance_issuer.patch
 $SUDO patch -p1 < $cloneDir/patches/linter_linter.patch
 $SUDO patch -p1 < $cloneDir/patches/log_prod_prefix.patch
 $SUDO patch -p1 < $cloneDir/patches/log_test_prefix.patch
diff --git a/patches/issuance_crl.patch b/patches/issuance_crl.patch
index e69de29..f5fee98 100644
--- a/patches/issuance_crl.patch
+++ b/patches/issuance_crl.patch
@@ -0,0 +1,25 @@
+diff --git a/issuance/crl.go b/issuance/crl.go
+index 9e2de44a6..5447faf7e 100644
+--- a/issuance/crl.go
++++ b/issuance/crl.go
+@@ -5,6 +5,7 @@ import (
+ "crypto/x509"
+ "fmt"
+ "math/big"
++ "strings"
+ "time"
+ 
+ "github.com/zmap/zlint/v3/lint"
+@@ -61,7 +62,11 @@ type CRLRequest struct {
+ 
+ // crlURL combines the CRL URL base with a shard, and adds a suffix.
+ func (i *Issuer) crlURL(shard int) string {
+- return fmt.Sprintf("%s%d.crl", i.crlURLBase, shard)
++ if strings.HasSuffix(i.crlURLBase, "/") {
++ return fmt.Sprintf("%s%d.crl", i.crlURLBase, shard)
++ }
++
++ return i.crlURLBase
+ }
+ 
+ func (i *Issuer) IssueCRL(prof *CRLProfile, req *CRLRequest) ([]byte, error) {
diff --git a/patches/issuance_issuer.patch b/patches/issuance_issuer.patch
new file mode 100644
index 0000000..62be085
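Review bot: the new `crlURL` returns `i.crlURLBase` verbatim for every shard once the base has no trailing slash, so with more than one CRL shard all shards would advertise a single distribution point and revocations recorded in the other shards would be invisible to a client fetching that URL; nothing in this patch or in patches/issuance_issuer.patch (which drops the trailing-slash check in `newIssuer`) rejects that combination. Either reject a slash-less base together with a shard count above one at config load, or at least make the comment above the function describe the new behavior: `// crlURL combines the CRL URL base with a shard and a ".crl" suffix when the base ends in "/"; otherwise the base is returned unchanged for every shard.` The `shard` argument is ignored on that second path, which is easy to miss from the call sites. The test config in patches/test_config_ca.patch sets a single shard, so the tests will not exercise the multi-shard case.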
--- /dev/null
+++ b/patches/issuance_issuer.patch
@@ -0,0 +1,23 @@
+diff --git a/issuance/issuer.go b/issuance/issuer.go
+index 950ce44ce..b2264e86a 100644
+--- a/issuance/issuer.go
++++ b/issuance/issuer.go
+@@ -162,7 +162,7 @@ type IssuerConfig struct {
+ 
+ IssuerURL string `validate:"required,url"`
+ OCSPURL string `validate:"required,url"`
+- CRLURLBase string `validate:"required,url,startswith=http://,endswith=/"`
++ CRLURLBase string `validate:"required,url,startswith=http://"`
+ 
+ // Number of CRL shards.
+ // This must be nonzero if adding CRLDistributionPoints to certificates
+@@ -252,9 +252,6 @@ func newIssuer(config IssuerConfig, cert *Certificate, signer crypto.Signer, clk
+ if !strings.HasPrefix(config.CRLURLBase, "http://") {
+ return nil, fmt.Errorf("crlURLBase must use HTTP scheme, got %q", config.CRLURLBase)
+ }
+- if !strings.HasSuffix(config.CRLURLBase, "/") {
+- return nil, fmt.Errorf("crlURLBase must end with exactly one forward slash, got %q", config.CRLURLBase)
+- }
+ 
+ // We require that all of our issuers be capable of both issuing certs and
+ // providing revocation information.
diff --git a/patches/test_config_ca.patch b/patches/test_config_ca.patch
index 1800138..085300e 100644
--- a/patches/test_config_ca.patch
+++ b/patches/test_config_ca.patch
@@ -1,31 +1,31 @@
 diff --git a/test/config/ca.json b/test/config/ca.json
-index a61df7e7c..2db5a771d 100644
+index a61df7e7c..9fa88c730 100644
 --- a/test/config/ca.json
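Review bot: the loosened `validate` tag on `CRLURLBase` and the removed suffix check in `newIssuer` leave no statement anywhere in the struct of what a base without a trailing slash now means, even though the companion patches/issuance_crl.patch gives it a distinct meaning (the base is used as the complete CRL URL). Document both accepted forms on the field so operators editing ca.json do not have to read crl.go to learn it: `// CRLURLBase is either a prefix ending in "/" (shard CRLs are served at <base><shard>.crl) or a complete URL that is used verbatim as the single CRL location.` The tag still enforces `url` and `startswith=http://`, so only the suffix rule changed and the removed `fmt.Errorf` message is the last place that rule was stated. The surrounding `IssuerConfig` declaration and the body of `newIssuer` both extend beyond the hunks shown.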
+++ b/test/config/ca.json -@@ -50,7 +50,7 @@ +@@ -50,7 +50,8 @@ "allowMustStaple": true, "maxValidityPeriod": "7776000s", "maxValidityBackdate": "1h5m", - "lintConfig": "test/config-next/zlint.toml", ++ "includeCRLDistributionPoints": true, + "lintConfig": "test/config/zlint.toml", "ignoredLints": [ "w_subject_common_name_included", "w_ext_subject_key_identifier_not_recommended_subscriber" -@@ -64,7 +64,7 @@ +@@ -64,7 +65,8 @@ "omitSKID": true, "maxValidityPeriod": "583200s", "maxValidityBackdate": "1h5m", - "lintConfig": "test/config-next/zlint.toml", ++ "includeCRLDistributionPoints": true, + "lintConfig": "test/config/zlint.toml", "ignoredLints": [ "w_ext_subject_key_identifier_missing_sub_cert" ] -@@ -75,39 +75,6 @@ - "maxBackdate": "1h5m" - }, +@@ -77,39 +79,7 @@ "issuers": [ -- { -- "active": true, + { + "active": true, - "issuerURL": "http://ca.example.org:4502/int-ecdsa-a", - "ocspURL": "http://ca.example.org:4002/", - "crlURLBase": "http://ca.example.org:4501/lets-encrypt-crls/43104258997432926/", @@ -57,10 +57,13 @@ index a61df7e7c..2db5a771d 100644 - "numSessions": 2 - } - }, - { - "active": true, +- { +- "active": true, ++ "crlShards": 1, "issuerURL": "http://ca.example.org:4502/int-rsa-a", -@@ -118,28 +85,6 @@ + "ocspURL": "http://ca.example.org:4002/", + "crlURLBase": "http://ca.example.org:4501/lets-encrypt-crls/29947985078257530/", +@@ -118,28 +88,6 @@ "certFile": "test/certs/webpki/int-rsa-a.cert.pem", "numSessions": 2 }