diff --git a/README.md b/README.md
index 248b9cd..dc9d3ee 100644
--- a/README.md
+++ b/README.md
@@ -11,6 +11,7 @@
- [Background](#background)
- [Install](#install)
- [Usage](#usage)
+- [Troubleshooting](#troubleshooting)
- [Contributing](#contributing)
- [License](#license)
@@ -93,9 +94,9 @@ The end users in your organization / lab can visit the public pages of you LabCA
-### Troubleshooting
+## Troubleshooting
-Some log files to check in case of issues are:
+After installing sometimes the application is not starting up properly and it can be quite hard to figure out why. Some log files to check in case of issues are:
* /etc/nginx/ssl/acme_tiny.log
* /home/labca/logs/commander.log
* cd /home/labca/boulder; docker-compose logs labca
@@ -103,12 +104,15 @@ Some log files to check in case of issues are:
* /var/log/labca.err
* possibly /var/log/nginx/error.log
-If you get "No valid IP addresses found for " in /etc/nginx/ssl/acme_tiny.log, solve it by entering the hostname in your local DNS. Same for "Could not resolve host: " in /var/log/labca.err.
+### Common error messages
-When issuing a certificate, LabCA/boulder checks for CAA (Certification Authority Authorization) records in DNS, which specify what CAs are allowed to issue certificates for the domain. If you get an error like "SERVFAIL looking up CAA for internal" or "CAA record for ca01.foo.internal prevents issuance", you can try to add something like this to your DNS domain:
+If you get "**No valid IP addresses found for **" in /etc/nginx/ssl/acme_tiny.log, solve it by entering the hostname in your local DNS. Same for "**Could not resolve host: **" in /var/log/labca.err.
+
+When issuing a certificate, LabCA/boulder checks for CAA (Certification Authority Authorization) records in DNS, which specify what CAs are allowed to issue certificates for the domain. If you get an error like "**SERVFAIL looking up CAA for internal**" or "**CAA record for ca01.foo.internal prevents issuance**", you can try to add something like this to your DNS domain:
```
foo.internal. CAA 0 issue "foo.internal"
```
+The value in the issue field should be the domain of your LabCA instance, not the hostname. This value can be found in the issuerDomain property in the /home/labca/boulder_labca/config/va.json file.
See also the [Let's Encrypt™ page on CAA](https://letsencrypt.org/docs/caa/).
### NOTE
diff --git a/install b/install
index 60cc1bd..d66e674 100755
--- a/install
+++ b/install
@@ -24,7 +24,7 @@ dockerComposeVersion="1.28.5"
labcaUrl="https://github.com/hakwerk/labca/"
boulderUrl="https://github.com/letsencrypt/boulder/"
-boulderTag="release-2022-02-14"
+boulderTag="release-2022-03-22"
# Feature flags
flag_skip_redis=true
diff --git a/patches/cert-checker_main.patch b/patches/cert-checker_main.patch
index 070caef..16304b1 100644
--- a/patches/cert-checker_main.patch
+++ b/patches/cert-checker_main.patch
@@ -58,7 +58,7 @@ index cfc72632..de4b01ca 100644
// Validate PA config and set defaults if needed.
cmd.FailOnError(config.PA.CheckChallenges(), "Invalid PA configuration")
-@@ -421,6 +426,7 @@ func main() {
+@@ -420,6 +425,7 @@ func main() {
kp,
config.CertChecker.CheckPeriod.Duration,
acceptableValidityDurations,
diff --git a/patches/config_rocsp-tool.patch b/patches/config_rocsp-tool.patch
index 5dbb5b2..5f2b82f 100644
--- a/patches/config_rocsp-tool.patch
+++ b/patches/config_rocsp-tool.patch
@@ -12,5 +12,5 @@ index 9b0a1d13..eace2cf9 100644
- ".hierarchy/intermediate-cert-rsa-b.pem": 4
+ ".hierarchy/intermediate-cert-rsa-a.pem": 1
}
- }
- }
+ },
+ "syslog": {
diff --git a/patches/config_wfe2.patch b/patches/config_wfe2.patch
index ba850be..929d6ef 100644
--- a/patches/config_wfe2.patch
+++ b/patches/config_wfe2.patch
@@ -2,7 +2,7 @@ diff --git a/test/config/wfe2.json b/test/config/wfe2.json
index c0093044..e8ba4263 100644
--- a/test/config/wfe2.json
+++ b/test/config/wfe2.json
-@@ -43,18 +43,6 @@
+@@ -45,18 +45,6 @@
[
"/hierarchy/intermediate-cert-rsa-a.pem",
"/hierarchy/root-cert-rsa.pem"
diff --git a/patches/docker-compose-redis.patch b/patches/docker-compose-redis.patch
index 24aac52..4c36191 100644
--- a/patches/docker-compose-redis.patch
+++ b/patches/docker-compose-redis.patch
@@ -1,8 +1,8 @@
diff --git a/docker-compose.yml b/docker-compose.yml
-index c1d54f23..2b6de7cb 100644
+index e88f7c19f..d771aa011 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
-@@ -17,8 +17,6 @@ services:
+@@ -26,8 +26,6 @@ services:
ipv4_address: 10.77.77.77
rednet:
ipv4_address: 10.88.88.88
@@ -11,15 +11,15 @@ index c1d54f23..2b6de7cb 100644
# Use sd-test-srv as a backup to Docker's embedded DNS server
# (https://docs.docker.com/config/containers/container-networking/#dns-services).
# If there's a name Docker's DNS server doesn't know about, it will
-@@ -34,7 +32,6 @@ services:
- - 8055:8055 # dns-test-srv updates
+@@ -41,7 +39,6 @@ services:
+ - 4003:4003 # OCSP
depends_on:
- bmysql
- - bredis_clusterer
entrypoint: labca/entrypoint.sh
- working_dir: &boulder_working_dir /go/src/github.com/letsencrypt/boulder
+ working_dir: &boulder_working_dir /boulder
logging:
-@@ -67,78 +64,6 @@ services:
+@@ -74,78 +71,6 @@ services:
max-file: "5"
restart: always
@@ -98,7 +98,7 @@ index c1d54f23..2b6de7cb 100644
labca:
image: *boulder_image
-@@ -179,10 +104,3 @@ networks:
+@@ -186,10 +111,3 @@ networks:
driver: default
config:
- subnet: 10.88.88.0/24
diff --git a/patches/docker-compose.patch b/patches/docker-compose.patch
index 4f75f02..597d3b8 100644
--- a/patches/docker-compose.patch
+++ b/patches/docker-compose.patch
@@ -1,27 +1,31 @@
diff --git a/docker-compose.yml b/docker-compose.yml
-index f515225e4..c1d54f235 100644
+index b0c235a91..d72c08883 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
-@@ -4,10 +4,11 @@ services:
+@@ -8,7 +8,7 @@ services:
image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.17.7_2022-02-10}
environment:
FAKE_DNS: 10.77.77.77
- BOULDER_CONFIG_DIR: test/config
+ BOULDER_CONFIG_DIR: labca/config
GOFLAGS: -mod=vendor
+ # Go 1.18 turns off SHA-1 validation on CSRs (and certs, but that doesn't
+ # affect us). It also turns off TLS 1.0 and TLS 1.1. Temporarily go back
+@@ -17,6 +17,7 @@ services:
+ GODEBUG: x509sha1=1,tls10default=1
volumes:
- - .:/go/src/github.com/letsencrypt/boulder:cached
-+ - /home/labca/boulder_labca:/go/src/github.com/letsencrypt/boulder/labca
+ - .:/boulder:cached
++ - /home/labca/boulder_labca:/boulder/labca
- ./.gocache:/root/.cache/go-build:cached
- ./.hierarchy:/hierarchy/:cached
- ./.softhsm-tokens/:/var/lib/softhsm/tokens/:cached
-@@ -34,11 +35,19 @@ services:
+@@ -41,11 +42,19 @@ services:
depends_on:
- bmysql
- bredis_clusterer
- entrypoint: test/entrypoint.sh
+ entrypoint: labca/entrypoint.sh
- working_dir: &boulder_working_dir /go/src/github.com/letsencrypt/boulder
+ working_dir: &boulder_working_dir /boulder
+ logging:
+ driver: "json-file"
+ options:
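Review bot: The refreshed upstream context around `GODEBUG: x509sha1=1,tls10default=1` means the boulder container that LabCA builds on now runs with SHA-1 certificate-signature checks and TLS 1.0 re-enabled, and this patch carries that setting through without noting it anywhere; the upstream comment just above describes the setting as temporary. Because the same hunk swaps in LabCA's own configuration (`BOULDER_CONFIG_DIR: labca/config`), operators reading this repository will not see the upstream rationale, so a short pointer in the README troubleshooting section or in a preamble above the `diff --git` line of this patch would help, e.g. `# Inherited from upstream docker-compose.yml: GODEBUG re-enables SHA-1 validation on CSRs and TLS 1.0; remove once upstream boulder drops it.` Whether anything LabCA-specific actually depends on this setting is not visible in the hunk, so that should be confirmed before deciding to keep or override it.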
@@ -36,7 +40,7 @@ index f515225e4..c1d54f235 100644
networks:
bluenet:
aliases:
-@@ -52,7 +61,11 @@ services:
+@@ -59,7 +68,11 @@ services:
# small.
command: mysqld --bind-address=0.0.0.0 --slow-query-log --log-output=TABLE --log-queries-not-using-indexes=ON
logging:
@@ -49,7 +53,7 @@ index f515225e4..c1d54f235 100644
bredis_1:
image: redis:latest
-@@ -127,18 +140,31 @@ services:
+@@ -134,18 +147,31 @@ services:
aliases:
- boulder-redis-clusterer
@@ -63,13 +67,12 @@ index f515225e4..c1d54f235 100644
networks:
- bluenet
volumes:
-- - .:/go/src/github.com/letsencrypt/boulder
-- working_dir: *boulder_working_dir
-- entrypoint: test/entrypoint-netaccess.sh
+ - /home/labca/admin:/go/src/labca
+ - ./.gocache:/root/.cache/go-build
+ - /var/www/html:/wwwstatic
-+ - .:/boulder
+ - .:/boulder
+- working_dir: *boulder_working_dir
+- entrypoint: test/entrypoint-netaccess.sh
+ - /home/labca/boulder_labca:/boulder/labca
+ ports:
+ - 3000:3000
diff --git a/patches/expiration-mailer_main.patch b/patches/expiration-mailer_main.patch
index db83d7c..89c580d 100644
--- a/patches/expiration-mailer_main.patch
+++ b/patches/expiration-mailer_main.patch
@@ -19,7 +19,7 @@ index f488b73c..ef2ed34a 100644
)
type regStore interface {
-@@ -409,6 +410,9 @@ type Config struct {
+@@ -407,6 +408,9 @@ type Config struct {
TLS cmd.TLSConfig
SAService *cmd.GRPCClientConfig
@@ -29,7 +29,7 @@ index f488b73c..ef2ed34a 100644
// Path to a file containing a list of trusted root certificates for use
// during the SMTP connection (as opposed to the gRPC connections).
SMTPTrustedRootFile string
-@@ -418,6 +422,12 @@ type Config struct {
+@@ -416,6 +420,12 @@ type Config struct {
Syslog cmd.SyslogConfig
Beeline cmd.BeelineConfig
@@ -42,7 +42,7 @@ index f488b73c..ef2ed34a 100644
}
func initStats(stats prometheus.Registerer) mailerStats {
-@@ -520,6 +530,32 @@ func main() {
+@@ -518,6 +528,32 @@ func main() {
cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA")
sac := sapb.NewStorageAuthorityClient(conn)
@@ -75,7 +75,7 @@ index f488b73c..ef2ed34a 100644
var smtpRoots *x509.CertPool
if c.Mailer.SMTPTrustedRootFile != "" {
pem, err := ioutil.ReadFile(c.Mailer.SMTPTrustedRootFile)
-@@ -555,6 +591,7 @@ func main() {
+@@ -553,6 +589,7 @@ func main() {
c.Mailer.Username,
smtpPassword,
smtpRoots,
diff --git a/patches/ra_ra.patch b/patches/ra_ra.patch
index ac5f31e..bb8de64 100644
--- a/patches/ra_ra.patch
+++ b/patches/ra_ra.patch
@@ -1,8 +1,8 @@
diff --git a/ra/ra.go b/ra/ra.go
-index 1ea20982..937f2859 100644
+index 63d0ce8ef..c33f23180 100644
--- a/ra/ra.go
+++ b/ra/ra.go
-@@ -31,7 +31,6 @@ import (
+@@ -32,7 +32,6 @@ import (
"github.com/letsencrypt/boulder/issuance"
blog "github.com/letsencrypt/boulder/log"
"github.com/letsencrypt/boulder/metrics"
@@ -10,7 +10,7 @@ index 1ea20982..937f2859 100644
"github.com/letsencrypt/boulder/probs"
pubpb "github.com/letsencrypt/boulder/publisher/proto"
rapb "github.com/letsencrypt/boulder/ra/proto"
-@@ -454,7 +453,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(ctx context.Context, conta
+@@ -477,7 +476,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(ctx context.Context, conta
contact,
)
}