Merge branch 'release/22.03'

* release/22.03:
  Bump boulder version to release-2022-03-22
  Clarify troubleshooting tips a bit more
  Clarify troubleshooting tips a bit

README.md

@@ -11,6 +11,7 @@
 - [Background](#background)
 - [Install](#install)
 - [Usage](#usage)
+- [Troubleshooting](#troubleshooting)
 - [Contributing](#contributing)
 - [License](#license)
 
@@ -93,9 +94,9 @@ The end users in your organization / lab can visit the public pages of you LabCA
 
 <img src="https://user-images.githubusercontent.com/44847421/48658731-f727ef80-ea46-11e8-985c-1ea64f340220.jpg" width="300"> <img src="https://user-images.githubusercontent.com/44847421/48658733-fa22e000-ea46-11e8-9fb1-901fddc9ee12.jpg" width="300">
 
-### Troubleshooting
+## Troubleshooting
 
-Some log files to check in case of issues are:
+After installing sometimes the application is not starting up properly and it can be quite hard to figure out why. Some log files to check in case of issues are:
 * /etc/nginx/ssl/acme_tiny.log
 * /home/labca/logs/commander.log
 * cd /home/labca/boulder; docker-compose logs labca
@@ -103,12 +104,15 @@ Some log files to check in case of issues are:
 * /var/log/labca.err
 * possibly /var/log/nginx/error.log
 
-If you get "No valid IP addresses found for <hostname>" in /etc/nginx/ssl/acme_tiny.log, solve it by entering the hostname in your local DNS. Same for "Could not resolve host: <hostname>" in /var/log/labca.err.
+### Common error messages
 
-When issuing a certificate, LabCA/boulder checks for CAA (Certification Authority Authorization) records in DNS, which specify what CAs are allowed to issue certificates for the domain. If you get an error like "SERVFAIL looking up CAA for internal" or "CAA record for ca01.foo.internal prevents issuance", you can try to add something like this to your DNS domain:
+If you get "**No valid IP addresses found for <hostname>**" in /etc/nginx/ssl/acme_tiny.log, solve it by entering the hostname in your local DNS. Same for "**Could not resolve host: <hostname>**" in /var/log/labca.err.
+
+When issuing a certificate, LabCA/boulder checks for CAA (Certification Authority Authorization) records in DNS, which specify what CAs are allowed to issue certificates for the domain. If you get an error like "**SERVFAIL looking up CAA for internal**" or "**CAA record for ca01.foo.internal prevents issuance**", you can try to add something like this to your DNS domain:
 ```
 foo.internal. CAA 0 issue "foo.internal"
 ```
+The value in the issue field should be the domain of your LabCA instance, not the hostname. This value can be found in the issuerDomain property in the /home/labca/boulder_labca/config/va.json file.
 See also the [Let's Encrypt&trade; page on CAA](https://letsencrypt.org/docs/caa/).
 
 ### NOTE

install

@@ -24,7 +24,7 @@ dockerComposeVersion="1.28.5"
 
 labcaUrl="https://github.com/hakwerk/labca/"
 boulderUrl="https://github.com/letsencrypt/boulder/"
-boulderTag="release-2022-02-14"
+boulderTag="release-2022-03-22"
 
 # Feature flags
 flag_skip_redis=true

patches/cert-checker_main.patch

@@ -58,7 +58,7 @@ index cfc72632..de4b01ca 100644
  	// Validate PA config and set defaults if needed.
  	cmd.FailOnError(config.PA.CheckChallenges(), "Invalid PA configuration")
  
-@@ -421,6 +426,7 @@ func main() {
+@@ -420,6 +425,7 @@ func main() {
  		kp,
  		config.CertChecker.CheckPeriod.Duration,
  		acceptableValidityDurations,

patches/config_rocsp-tool.patch

@@ -12,5 +12,5 @@ index 9b0a1d13..eace2cf9 100644
 -      ".hierarchy/intermediate-cert-rsa-b.pem": 4
 +      ".hierarchy/intermediate-cert-rsa-a.pem": 1
      }
-   }
- }
+   },
+   "syslog": {

patches/config_wfe2.patch

@@ -2,7 +2,7 @@ diff --git a/test/config/wfe2.json b/test/config/wfe2.json
 index c0093044..e8ba4263 100644
 --- a/test/config/wfe2.json
 +++ b/test/config/wfe2.json
-@@ -43,18 +43,6 @@
+@@ -45,18 +45,6 @@
        [
          "/hierarchy/intermediate-cert-rsa-a.pem",
          "/hierarchy/root-cert-rsa.pem"

patches/docker-compose-redis.patch

@@ -1,8 +1,8 @@
 diff --git a/docker-compose.yml b/docker-compose.yml
-index c1d54f23..2b6de7cb 100644
+index e88f7c19f..d771aa011 100644
 --- a/docker-compose.yml
 +++ b/docker-compose.yml
-@@ -17,8 +17,6 @@ services:
+@@ -26,8 +26,6 @@ services:
          ipv4_address: 10.77.77.77
        rednet:
          ipv4_address: 10.88.88.88
@@ -11,15 +11,15 @@ index c1d54f23..2b6de7cb 100644
      # Use sd-test-srv as a backup to Docker's embedded DNS server
      # (https://docs.docker.com/config/containers/container-networking/#dns-services).
      # If there's a name Docker's DNS server doesn't know about, it will
-@@ -34,7 +32,6 @@ services:
-       - 8055:8055 # dns-test-srv updates
+@@ -41,7 +39,6 @@ services:
+       - 4003:4003 # OCSP
      depends_on:
        - bmysql
 -      - bredis_clusterer
      entrypoint: labca/entrypoint.sh
-     working_dir: &boulder_working_dir /go/src/github.com/letsencrypt/boulder
+     working_dir: &boulder_working_dir /boulder
      logging:
-@@ -67,78 +64,6 @@ services:
+@@ -74,78 +71,6 @@ services:
          max-file: "5"
      restart: always
  
@@ -98,7 +98,7 @@ index c1d54f23..2b6de7cb 100644
  
    labca:
      image: *boulder_image
-@@ -179,10 +104,3 @@ networks:
+@@ -186,10 +111,3 @@ networks:
        driver: default
        config:
          - subnet: 10.88.88.0/24

patches/docker-compose.patch

@@ -1,27 +1,31 @@
 diff --git a/docker-compose.yml b/docker-compose.yml
-index f515225e4..c1d54f235 100644
+index b0c235a91..d72c08883 100644
 --- a/docker-compose.yml
 +++ b/docker-compose.yml
-@@ -4,10 +4,11 @@ services:
+@@ -8,7 +8,7 @@ services:
      image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.17.7_2022-02-10}
      environment:
        FAKE_DNS: 10.77.77.77
 -      BOULDER_CONFIG_DIR: test/config
 +      BOULDER_CONFIG_DIR: labca/config
        GOFLAGS: -mod=vendor
+       # Go 1.18 turns off SHA-1 validation on CSRs (and certs, but that doesn't
+       # affect us). It also turns off TLS 1.0 and TLS 1.1. Temporarily go back
+@@ -17,6 +17,7 @@ services:
+       GODEBUG: x509sha1=1,tls10default=1
      volumes:
-       - .:/go/src/github.com/letsencrypt/boulder:cached
-+      - /home/labca/boulder_labca:/go/src/github.com/letsencrypt/boulder/labca
+       - .:/boulder:cached
++      - /home/labca/boulder_labca:/boulder/labca
        - ./.gocache:/root/.cache/go-build:cached
        - ./.hierarchy:/hierarchy/:cached
        - ./.softhsm-tokens/:/var/lib/softhsm/tokens/:cached
-@@ -34,11 +35,19 @@ services:
+@@ -41,11 +42,19 @@ services:
      depends_on:
        - bmysql
        - bredis_clusterer
 -    entrypoint: test/entrypoint.sh
 +    entrypoint: labca/entrypoint.sh
-     working_dir: &boulder_working_dir /go/src/github.com/letsencrypt/boulder
+     working_dir: &boulder_working_dir /boulder
 +    logging:
 +      driver: "json-file"
 +      options:
@@ -36,7 +40,7 @@ index f515225e4..c1d54f235 100644
      networks:
        bluenet:
          aliases:
-@@ -52,7 +61,11 @@ services:
+@@ -59,7 +68,11 @@ services:
      # small.
      command: mysqld --bind-address=0.0.0.0 --slow-query-log --log-output=TABLE --log-queries-not-using-indexes=ON
      logging:
@@ -49,7 +53,7 @@ index f515225e4..c1d54f235 100644
  
    bredis_1:
      image: redis:latest
-@@ -127,18 +140,31 @@ services:
+@@ -134,18 +147,31 @@ services:
            aliases:
              - boulder-redis-clusterer
  
@@ -63,13 +67,12 @@ index f515225e4..c1d54f235 100644
      networks:
        - bluenet
      volumes:
--      - .:/go/src/github.com/letsencrypt/boulder
--    working_dir: *boulder_working_dir
--    entrypoint: test/entrypoint-netaccess.sh
 +      - /home/labca/admin:/go/src/labca
 +      - ./.gocache:/root/.cache/go-build
 +      - /var/www/html:/wwwstatic
-+      - .:/boulder
+       - .:/boulder
+-    working_dir: *boulder_working_dir
+-    entrypoint: test/entrypoint-netaccess.sh
 +      - /home/labca/boulder_labca:/boulder/labca
 +    ports:
 +      - 3000:3000

patches/expiration-mailer_main.patch

@@ -19,7 +19,7 @@ index f488b73c..ef2ed34a 100644
  )
  
  type regStore interface {
-@@ -409,6 +410,9 @@ type Config struct {
+@@ -407,6 +408,9 @@ type Config struct {
  		TLS       cmd.TLSConfig
  		SAService *cmd.GRPCClientConfig
  
@@ -29,7 +29,7 @@ index f488b73c..ef2ed34a 100644
  		// Path to a file containing a list of trusted root certificates for use
  		// during the SMTP connection (as opposed to the gRPC connections).
  		SMTPTrustedRootFile string
-@@ -418,6 +422,12 @@ type Config struct {
+@@ -416,6 +420,12 @@ type Config struct {
  
  	Syslog  cmd.SyslogConfig
  	Beeline cmd.BeelineConfig
@@ -42,7 +42,7 @@ index f488b73c..ef2ed34a 100644
  }
  
  func initStats(stats prometheus.Registerer) mailerStats {
-@@ -520,6 +530,32 @@ func main() {
+@@ -518,6 +528,32 @@ func main() {
  	cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA")
  	sac := sapb.NewStorageAuthorityClient(conn)
  
@@ -75,7 +75,7 @@ index f488b73c..ef2ed34a 100644
  	var smtpRoots *x509.CertPool
  	if c.Mailer.SMTPTrustedRootFile != "" {
  		pem, err := ioutil.ReadFile(c.Mailer.SMTPTrustedRootFile)
-@@ -555,6 +591,7 @@ func main() {
+@@ -553,6 +589,7 @@ func main() {
  		c.Mailer.Username,
  		smtpPassword,
  		smtpRoots,

patches/ra_ra.patch

@@ -1,8 +1,8 @@
 diff --git a/ra/ra.go b/ra/ra.go
-index 1ea20982..937f2859 100644
+index 63d0ce8ef..c33f23180 100644
 --- a/ra/ra.go
 +++ b/ra/ra.go
-@@ -31,7 +31,6 @@ import (
+@@ -32,7 +32,6 @@ import (
  	"github.com/letsencrypt/boulder/issuance"
  	blog "github.com/letsencrypt/boulder/log"
  	"github.com/letsencrypt/boulder/metrics"
@@ -10,7 +10,7 @@ index 1ea20982..937f2859 100644
  	"github.com/letsencrypt/boulder/probs"
  	pubpb "github.com/letsencrypt/boulder/publisher/proto"
  	rapb "github.com/letsencrypt/boulder/ra/proto"
-@@ -454,7 +453,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(ctx context.Context, conta
+@@ -477,7 +476,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(ctx context.Context, conta
  				contact,
  			)
  		}