From a59839808e91e2cb4122adc353be62db45aa9767 Mon Sep 17 00:00:00 2001 From: Arjan H Date: Mon, 28 Feb 2022 22:54:46 +0100 Subject: [PATCH 1/3] Clarify troubleshooting tips a bit --- README.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 248b9cd..19d8a1c 100644 --- a/README.md +++ b/README.md @@ -11,6 +11,7 @@ - [Background](#background) - [Install](#install) - [Usage](#usage) +- [Troubleshooting](#troubleshooting) - [Contributing](#contributing) - [License](#license) @@ -93,9 +94,9 @@ The end users in your organization / lab can visit the public pages of you LabCA -### Troubleshooting +## Troubleshooting -Some log files to check in case of issues are: +After installing sometimes the application is not starting up properly and it can be quite hard to figure out why. Some log files to check in case of issues are: * /etc/nginx/ssl/acme_tiny.log * /home/labca/logs/commander.log * cd /home/labca/boulder; docker-compose logs labca 
@@ -103,9 +104,11 @@ Some log files to check in case of issues are: * /var/log/labca.err * possibly /var/log/nginx/error.log -If you get "No valid IP addresses found for " in /etc/nginx/ssl/acme_tiny.log, solve it by entering the hostname in your local DNS. Same for "Could not resolve host: " in /var/log/labca.err. +### Common error messages -When issuing a certificate, LabCA/boulder checks for CAA (Certification Authority Authorization) records in DNS, which specify what CAs are allowed to issue certificates for the domain. If you get an error like "SERVFAIL looking up CAA for internal" or "CAA record for ca01.foo.internal prevents issuance", you can try to add something like this to your DNS domain: +If you get "**No valid IP addresses found for **" in /etc/nginx/ssl/acme_tiny.log, solve it by entering the hostname in your local DNS. Same for "**Could not resolve host: **" in /var/log/labca.err. + +When issuing a certificate, LabCA/boulder checks for CAA (Certification Authority Authorization) records in DNS, which specify what CAs are allowed to issue certificates for the domain. If you get an error like "**SERVFAIL looking up CAA for internal**" or "**CAA record for ca01.foo.internal prevents issuance**", you can try to add something like this to your DNS domain: ``` foo.internal. CAA 0 issue "foo.internal" ``` From c14468af6a2ac60ed2cb5d297b4b266d364e0dc5 Mon Sep 17 00:00:00 2001 From: Arjan H Date: Thu, 24 Mar 2022 13:41:37 +0100 Subject: [PATCH 2/3] Clarify troubleshooting tips a bit more --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 19d8a1c..dc9d3ee 100644 --- a/README.md +++ b/README.md 
@@ -112,6 +112,7 @@ When issuing a certificate, LabCA/boulder checks for CAA (Certification Authorit ``` foo.internal. CAA 0 issue "foo.internal" ``` +The value in the issue field should be the domain of your LabCA instance, not the hostname. This value can be found in the issuerDomain property in the /home/labca/boulder_labca/config/va.json file. See also the [Let's Encrypt™ page on CAA](https://letsencrypt.org/docs/caa/). ### NOTE From ba9feed4f43648e0f6e27d48d78a5cbe0d941aab Mon Sep 17 00:00:00 2001 From: Arjan H Date: Thu, 24 Mar 2022 18:06:57 +0100 Subject: [PATCH 3/3] Bump boulder version to release-2022-03-22 --- install | 2 +- patches/cert-checker_main.patch | 2 +- patches/config_rocsp-tool.patch | 4 ++-- patches/config_wfe2.patch | 2 +- patches/docker-compose-redis.patch | 14 +++++++------- patches/docker-compose.patch | 27 +++++++++++++++------------ patches/expiration-mailer_main.patch | 8 ++++---- patches/ra_ra.patch | 6 +++--- 8 files changed, 34 insertions(+), 31 deletions(-) diff --git a/install b/install index 60cc1bd..d66e674 100755 --- a/install +++ b/install @@ -24,7 +24,7 @@ dockerComposeVersion="1.28.5" labcaUrl="https://github.com/hakwerk/labca/" boulderUrl="https://github.com/letsencrypt/boulder/" -boulderTag="release-2022-02-14" +boulderTag="release-2022-03-22" # Feature flags flag_skip_redis=true diff --git a/patches/cert-checker_main.patch b/patches/cert-checker_main.patch index 070caef..16304b1 100644 --- a/patches/cert-checker_main.patch +++ b/patches/cert-checker_main.patch @@ -58,7 +58,7 @@ index cfc72632..de4b01ca 100644 // Validate PA config and set defaults if needed. cmd.FailOnError(config.PA.CheckChallenges(), "Invalid PA configuration") -@@ -421,6 +426,7 @@ func main() { +@@ -420,6 +425,7 @@ func main() { kp, config.CertChecker.CheckPeriod.Duration, acceptableValidityDurations, diff --git a/patches/config_rocsp-tool.patch b/patches/config_rocsp-tool.patch index 5dbb5b2..5f2b82f 100644 --- a/patches/config_rocsp-tool.patch 
+++ b/patches/config_rocsp-tool.patch @@ -12,5 +12,5 @@ index 9b0a1d13..eace2cf9 100644 - ".hierarchy/intermediate-cert-rsa-b.pem": 4 + ".hierarchy/intermediate-cert-rsa-a.pem": 1 } - } - } + }, + "syslog": { diff --git a/patches/config_wfe2.patch b/patches/config_wfe2.patch index ba850be..929d6ef 100644 --- a/patches/config_wfe2.patch +++ b/patches/config_wfe2.patch @@ -2,7 +2,7 @@ diff --git a/test/config/wfe2.json b/test/config/wfe2.json index c0093044..e8ba4263 100644 --- a/test/config/wfe2.json +++ b/test/config/wfe2.json -@@ -43,18 +43,6 @@ +@@ -45,18 +45,6 @@ [ "/hierarchy/intermediate-cert-rsa-a.pem", "/hierarchy/root-cert-rsa.pem" diff --git a/patches/docker-compose-redis.patch b/patches/docker-compose-redis.patch index 24aac52..4c36191 100644 --- a/patches/docker-compose-redis.patch +++ b/patches/docker-compose-redis.patch @@ -1,8 +1,8 @@ diff --git a/docker-compose.yml b/docker-compose.yml -index c1d54f23..2b6de7cb 100644 +index e88f7c19f..d771aa011 100644 --- a/docker-compose.yml +++ b/docker-compose.yml -@@ -17,8 +17,6 @@ services: +@@ -26,8 +26,6 @@ services: ipv4_address: 10.77.77.77 rednet: ipv4_address: 10.88.88.88 @@ -11,15 +11,15 @@ index c1d54f23..2b6de7cb 100644 # Use sd-test-srv as a backup to Docker's embedded DNS server # (https://docs.docker.com/config/containers/container-networking/#dns-services). # If there's a name Docker's DNS server doesn't know about, it will -@@ -34,7 +32,6 @@ services: - - 8055:8055 # dns-test-srv updates +@@ -41,7 +39,6 @@ services: + - 4003:4003 # OCSP depends_on: - bmysql - - bredis_clusterer entrypoint: labca/entrypoint.sh - working_dir: &boulder_working_dir /go/src/github.com/letsencrypt/boulder + working_dir: &boulder_working_dir /boulder logging: -@@ -67,78 +64,6 @@ services: +@@ -74,78 +71,6 @@ services: max-file: "5" restart: always 
@@ -98,7 +98,7 @@ index c1d54f23..2b6de7cb 100644 labca: image: *boulder_image -@@ -179,10 +104,3 @@ networks: +@@ -186,10 +111,3 @@ networks: driver: default config: - subnet: 10.88.88.0/24 diff --git a/patches/docker-compose.patch b/patches/docker-compose.patch index 4f75f02..597d3b8 100644 --- a/patches/docker-compose.patch +++ b/patches/docker-compose.patch @@ -1,27 +1,31 @@ diff --git a/docker-compose.yml b/docker-compose.yml -index f515225e4..c1d54f235 100644 +index b0c235a91..d72c08883 100644 --- a/docker-compose.yml +++ b/docker-compose.yml -@@ -4,10 +4,11 @@ services: +@@ -8,7 +8,7 @@ services: image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.17.7_2022-02-10} environment: FAKE_DNS: 10.77.77.77 - BOULDER_CONFIG_DIR: test/config + BOULDER_CONFIG_DIR: labca/config GOFLAGS: -mod=vendor + # Go 1.18 turns off SHA-1 validation on CSRs (and certs, but that doesn't + # affect us). It also turns off TLS 1.0 and TLS 1.1. Temporarily go back +@@ -17,6 +17,7 @@ services: + GODEBUG: x509sha1=1,tls10default=1 volumes: - - .:/go/src/github.com/letsencrypt/boulder:cached -+ - /home/labca/boulder_labca:/go/src/github.com/letsencrypt/boulder/labca + - .:/boulder:cached ++ - /home/labca/boulder_labca:/boulder/labca - ./.gocache:/root/.cache/go-build:cached - ./.hierarchy:/hierarchy/:cached - ./.softhsm-tokens/:/var/lib/softhsm/tokens/:cached -@@ -34,11 +35,19 @@ services: +@@ -41,11 +42,19 @@ services: depends_on: - bmysql - bredis_clusterer - entrypoint: test/entrypoint.sh + entrypoint: labca/entrypoint.sh - working_dir: &boulder_working_dir /go/src/github.com/letsencrypt/boulder + working_dir: &boulder_working_dir /boulder + logging: + driver: "json-file" + options: @@ -36,7 +40,7 @@ index f515225e4..c1d54f235 100644 networks: bluenet: aliases: -@@ -52,7 +61,11 @@ services: +@@ -59,7 +68,11 @@ services: # small. command: mysqld --bind-address=0.0.0.0 --slow-query-log --log-output=TABLE --log-queries-not-using-indexes=ON logging: 
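Review bot: The refreshed context at the end of the first docker-compose.patch hunk shows the upstream base now sets `GODEBUG: x509sha1=1,tls10default=1` on the boulder service, and the LabCA patch carries it through unchanged, so the CA container will again accept SHA-1-signed CSRs and fall back to TLS 1.0/1.1 once the image moves to Go 1.18 (with the visible `go1.17.7` tools tag it appears to be a no-op for now). Upstream's own comment calls this a temporary step back, and a self-hosted CA has little reason to inherit it, so consider having the patch drop that line, i.e. turn the `+ GODEBUG: x509sha1=1,tls10default=1` context line into a removal `- GODEBUG: x509sha1=1,tls10default=1`, or at least annotate it with `# NOTE: inherited from upstream; re-enables SHA-1 CSR checks and TLS 1.0/1.1 — remove once boulder drops it` so operators know the weakening is there. Whether anything in LabCA's own code path actually depends on SHA-1 or old TLS is not visible from this hunk, so verify before removing.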
@@ -49,7 +53,7 @@ index f515225e4..c1d54f235 100644 bredis_1: image: redis:latest -@@ -127,18 +140,31 @@ services: +@@ -134,18 +147,31 @@ services: aliases: - boulder-redis-clusterer @@ -63,13 +67,12 @@ index f515225e4..c1d54f235 100644 networks: - bluenet volumes: -- - .:/go/src/github.com/letsencrypt/boulder -- working_dir: *boulder_working_dir -- entrypoint: test/entrypoint-netaccess.sh + - /home/labca/admin:/go/src/labca + - ./.gocache:/root/.cache/go-build + - /var/www/html:/wwwstatic -+ - .:/boulder + - .:/boulder +- working_dir: *boulder_working_dir +- entrypoint: test/entrypoint-netaccess.sh + - /home/labca/boulder_labca:/boulder/labca + ports: + - 3000:3000 diff --git a/patches/expiration-mailer_main.patch b/patches/expiration-mailer_main.patch index db83d7c..89c580d 100644 --- a/patches/expiration-mailer_main.patch +++ b/patches/expiration-mailer_main.patch @@ -19,7 +19,7 @@ index f488b73c..ef2ed34a 100644 ) type regStore interface { -@@ -409,6 +410,9 @@ type Config struct { +@@ -407,6 +408,9 @@ type Config struct { TLS cmd.TLSConfig SAService *cmd.GRPCClientConfig @@ -29,7 +29,7 @@ index f488b73c..ef2ed34a 100644 // Path to a file containing a list of trusted root certificates for use // during the SMTP connection (as opposed to the gRPC connections). SMTPTrustedRootFile string -@@ -418,6 +422,12 @@ type Config struct { +@@ -416,6 +420,12 @@ type Config struct { Syslog cmd.SyslogConfig Beeline cmd.BeelineConfig @@ -42,7 +42,7 @@ index f488b73c..ef2ed34a 100644 } func initStats(stats prometheus.Registerer) mailerStats { -@@ -520,6 +530,32 @@ func main() { +@@ -518,6 +528,32 @@ func main() { cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA") sac := sapb.NewStorageAuthorityClient(conn) 
@@ -75,7 +75,7 @@ index f488b73c..ef2ed34a 100644 var smtpRoots *x509.CertPool if c.Mailer.SMTPTrustedRootFile != "" { pem, err := ioutil.ReadFile(c.Mailer.SMTPTrustedRootFile) -@@ -555,6 +591,7 @@ func main() { +@@ -553,6 +589,7 @@ func main() { c.Mailer.Username, smtpPassword, smtpRoots, diff --git a/patches/ra_ra.patch b/patches/ra_ra.patch index ac5f31e..bb8de64 100644 --- a/patches/ra_ra.patch +++ b/patches/ra_ra.patch @@ -1,8 +1,8 @@ diff --git a/ra/ra.go b/ra/ra.go -index 1ea20982..937f2859 100644 +index 63d0ce8ef..c33f23180 100644 --- a/ra/ra.go +++ b/ra/ra.go -@@ -31,7 +31,6 @@ import ( +@@ -32,7 +32,6 @@ import ( "github.com/letsencrypt/boulder/issuance" blog "github.com/letsencrypt/boulder/log" "github.com/letsencrypt/boulder/metrics" @@ -10,7 +10,7 @@ index 1ea20982..937f2859 100644 "github.com/letsencrypt/boulder/probs" pubpb "github.com/letsencrypt/boulder/publisher/proto" rapb "github.com/letsencrypt/boulder/ra/proto" -@@ -454,7 +453,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(ctx context.Context, conta +@@ -477,7 +476,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(ctx context.Context, conta contact, ) }