From 48494e14a3abaab5dda0c831b7c16f4f13812035 Mon Sep 17 00:00:00 2001 From: Arjan H Date: Fri, 21 Dec 2018 13:29:43 +0100 Subject: [PATCH 1/5] Make golint happy --- gui/certificate.go | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/gui/certificate.go b/gui/certificate.go index cf90b01..6a4f408 100644 --- a/gui/certificate.go +++ b/gui/certificate.go @@ -322,11 +322,8 @@ func (ci *CertificateInfo) Upload(path string, certBase string, tmpKey string, t return reportError(err) } - if err := ioutil.WriteFile(tmpCert, []byte(ci.Certificate), 0644); err != nil { - return err - } - - return nil + err := ioutil.WriteFile(tmpCert, []byte(ci.Certificate), 0644) + return err } // ImportCerts imports both the root and the issuer certificates From e5e3dfc45ae120e705f564669ee29a2c2cce2086 Mon Sep 17 00:00:00 2001 From: Arjan H Date: Fri, 12 Jul 2019 08:24:10 +0200 Subject: [PATCH 2/5] Bump boulder version to release-2018-06-28 --- docker-compose.patch | 25 ++++--- gui/apply-boulder | 12 ++-- gui/templates/base.tmpl | 2 +- install | 5 +- policy_pa.patch | 153 ++++++++++++++++++++-------------------- 5 files changed, 104 insertions(+), 93 deletions(-) diff --git a/docker-compose.patch b/docker-compose.patch index 95f383e..bfe6277 100644 --- a/docker-compose.patch +++ b/docker-compose.patch @@ -1,20 +1,22 @@ diff --git a/docker-compose.yml b/docker-compose.yml -index b0e2c1f1..30426452 100644 +index 87840f02..fc6eae34 100644 --- a/docker-compose.yml +++ b/docker-compose.yml -@@ -6,9 +6,10 @@ services: +@@ -6,11 +6,12 @@ services: environment: - FAKE_DNS: 127.0.0.1 + FAKE_DNS: 10.77.77.77 PKCS11_PROXY_SOCKET: tcp://boulder-hsm:5657 - BOULDER_CONFIG_DIR: test/config + BOULDER_CONFIG_DIR: labca/config + GO111MODULE: "on" + GOFLAGS: "-mod=vendor" volumes: - .:/go/src/github.com/letsencrypt/boulder + - /home/labca/boulder_labca:/go/src/github.com/letsencrypt/boulder/labca - ./.gocache:/root/.cache/go-build networks: bluenet: -@@ -47,8 +48,14 @@ services: +@@ -51,8 +52,14 @@ services: depends_on: - bhsm - bmysql @@ -29,8 +31,8 @@ index b0e2c1f1..30426452 100644 + restart: always bhsm: # To minimize fetching this should be the same version used above - image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.11.2}:2018-11-19 -@@ -61,8 +68,16 @@ services: + image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.12}:2019-04-08 +@@ -65,8 +72,16 @@ services: bluenet: aliases: - boulder-hsm @@ -47,19 +49,22 @@ index b0e2c1f1..30426452 100644 networks: bluenet: aliases: -@@ -72,16 +87,37 @@ services: +@@ -75,20 +90,36 @@ services: + MYSQL_ALLOW_EMPTY_PASSWORD: "yes" command: mysqld --bind-address=0.0.0.0 logging: - driver: none +- driver: none - netaccess: -+ logging: + driver: "json-file" + options: + max-size: "500k" + max-file: "5" + restart: always + labca: - image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.11.2}:2018-11-19 + image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.12}:2019-04-08 +- environment: +- GO111MODULE: "on" +- GOFLAGS: "-mod=vendor" networks: - bluenet volumes: diff --git a/gui/apply-boulder b/gui/apply-boulder index da2358d..a46643b 100755 --- a/gui/apply-boulder +++ b/gui/apply-boulder @@ -2,20 +2,22 @@ set -e -perl -i -p0e "s/(\"dnsResolvers\": \[\n).*?(\s+\],)/\1 \"$PKI_DNS\"\2/igs" config/ra.json perl -i -p0e "s/(\"dnsResolvers\": \[\n).*?(\s+\],)/\1 \"$PKI_DNS\"\2/igs" config/va.json perl -i -p0e "s/(\"dnsResolvers\": \[\n).*?(\s+\],)/\1 \"$PKI_DNS\"\2/igs" config/expiration-mailer.json sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" config/va.json sed -i -e "s/\"directoryCAAIdentity\": \".*\"/\"directoryCAAIdentity\": \"$PKI_DOMAIN\"/" config/wfe.json sed -i -e "s/\"directoryCAAIdentity\": \".*\"/\"directoryCAAIdentity\": \"$PKI_DOMAIN\"/" config/wfe2.json -[ -e ../test/hostname-policy.json ] && cp ../test/hostname-policy.json ./ || true -[ -e ../boulder/test/hostname-policy.json ] && cp ../boulder/test/hostname-policy.json ./ || true +[ -e ../test/hostname-policy.yaml ] && cp ../test/hostname-policy.yaml ./ || true +[ -e ../boulder/test/hostname-policy.yaml ] && cp ../boulder/test/hostname-policy.yaml ./ || true +[ -e hostname-policy.json ] && rm hostname-policy.json || true if [ "$PKI_DOMAIN_MODE" == "lockdown" ]; then - sed -i -e "s/ \]$/ \],\n \"Lockdown\": \[\n \"$PKI_LOCKDOWN_DOMAINS\"\n&/" hostname-policy.json + echo "Lockdown:" >> hostname-policy.yaml + echo " - \"$PKI_LOCKDOWN_DOMAINS\"" >> hostname-policy.yaml fi if [ "$PKI_DOMAIN_MODE" == "whitelist" ]; then - sed -i -e "s/ \]$/ \],\n \"Whitelist\": \[\n \"$PKI_WHITELIST_DOMAINS\"\n&/" hostname-policy.json + echo "Whitelist:" >> hostname-policy.yaml + echo " - \"$PKI_LOCKDOWN_DOMAINS\"" >> hostname-policy.yaml fi sed -i -e "s/\"server\": \".*\"/\"server\": \"$PKI_EMAIL_SERVER\"/" config/expiration-mailer.json diff --git a/gui/templates/base.tmpl b/gui/templates/base.tmpl index 56651f8..8755f3f 100644 --- a/gui/templates/base.tmpl +++ b/gui/templates/base.tmpl @@ -32,7 +32,7 @@ {{ if .Version }}Version {{ .Version }}{{ end }}
- Copyright © 2018 LabCA + Copyright © 2018-2019 LabCA
diff --git a/install b/install index 3ccc6a0..e2a7bbd 100755 --- a/install +++ b/install @@ -24,7 +24,7 @@ dockerComposeVersion="1.22.0" labcaUrl="https://github.com/hakwerk/labca/" boulderUrl="https://github.com/letsencrypt/boulder/" -boulderTag="release-2018-12-10" +boulderTag="release-2019-06-28" # # Color configuration @@ -417,6 +417,8 @@ get_boulder() { cd "$boulderDir" sudo -u labca git reset --hard $boulderTag &>>$installLog + sudo -u labca cp sa/_db-next/migrations/20190221140139_AddAuthz2.sql sa/_db/migrations/ + sudo -u labca cp sa/_db-next/migrations/20190524120239_AddAuthz2ExpiresIndex.sql sa/_db/migrations/ msg_ok "Boulder checkout '$boulderTag'" } @@ -480,6 +482,7 @@ config_boulder() { sed -i -e "s/test-ca2.pem/test-ca.pem/" config/ocsp-responder.json sed -i -e "s/test-ca2.pem/test-ca.pem/" config/ocsp-updater.json sed -i -e "s/test-ca2.pem/test-ca.pem/" config/publisher.json + sed -i -e "s/test-ca2.pem/test-ca.pem/" config/ra.json sed -i -e "s/test-ca2.pem/test-ca.pem/" config/wfe.json sed -i -e "s/test-ca2.pem/test-ca.pem/" config/wfe2.json sed -i -e "s/5001/443/g" config/va.json diff --git a/policy_pa.patch b/policy_pa.patch index b39237b..65776ff 100644 --- a/policy_pa.patch +++ b/policy_pa.patch @@ -1,90 +1,91 @@ diff --git a/policy/pa.go b/policy/pa.go -index a8337bf7..83150102 100644 +index 3d097365..ce3c32e3 100644 --- a/policy/pa.go +++ b/policy/pa.go -@@ -29,6 +29,8 @@ type AuthorityImpl struct { - blacklist map[string]bool - exactBlacklist map[string]bool - wildcardExactBlacklist map[string]bool -+ whitelist map[string]bool -+ lockdown map[string]bool - blacklistMu sync.RWMutex - - enabledChallenges map[string]bool -@@ -53,6 +55,8 @@ func New(challengeTypes map[string]bool) (*AuthorityImpl, error) { - type blacklistJSON struct { - Blacklist []string - ExactBlacklist []string -+ Whitelist []string -+ Lockdown []string +@@ -30,6 +30,8 @@ type AuthorityImpl struct { + blocklist map[string]bool + exactBlocklist map[string]bool + wildcardExactBlocklist map[string]bool ++ whitelist map[string]bool ++ lockdown map[string]bool + blocklistMu sync.RWMutex + + enabledChallenges map[string]bool +@@ -70,6 +72,9 @@ type blockedNamesPolicy struct { + // time above and beyond the high-risk domains. Managing these entries separately + // from HighRiskBlockedNames makes it easier to vet changes accurately. + AdminBlockedNames []string `yaml:"AdminBlockedNames"` ++ ++ Whitelist []string `yaml:"Whitelist"` ++ Lockdown []string `yaml:"Lockdown"` } - + // SetHostnamePolicyFile will load the given policy file, returning error if it -@@ -103,10 +107,20 @@ func (pa *AuthorityImpl) loadHostnamePolicy(b []byte) error { - // wildcardNameMap to block issuance for `*.`+parts[1] - wildcardNameMap[parts[1]] = true - } -+ whiteMap := make(map[string]bool) -+ for _, v := range bl.Whitelist { -+ whiteMap[v] = true -+ } -+ lockMap := make(map[string]bool) -+ for _, v := range bl.Lockdown { -+ lockMap[v] = true -+ } - pa.blacklistMu.Lock() - pa.blacklist = nameMap - pa.exactBlacklist = exactNameMap - pa.wildcardExactBlacklist = wildcardNameMap -+ pa.whitelist = whiteMap -+ pa.lockdown = lockMap - pa.blacklistMu.Unlock() - return nil +@@ -138,10 +143,20 @@ func (pa *AuthorityImpl) processHostnamePolicy(policy blockedNamesPolicy) error + // wildcardNameMap to block issuance for `*.`+parts[1] + wildcardNameMap[parts[1]] = true + } ++ whiteMap := make(map[string]bool) ++ for _, v := range policy.Whitelist { ++ whiteMap[v] = true ++ } ++ lockMap := make(map[string]bool) ++ for _, v := range policy.Lockdown { ++ lockMap[v] = true ++ } + pa.blocklistMu.Lock() + pa.blocklist = nameMap + pa.exactBlocklist = exactNameMap + pa.wildcardExactBlocklist = wildcardNameMap ++ pa.whitelist = whiteMap ++ pa.lockdown = lockMap + pa.blocklistMu.Unlock() + return nil } -@@ -288,6 +302,14 @@ func (pa *AuthorityImpl) WillingToIssue(id core.AcmeIdentifier) error { - } - } - -+ ok, err := pa.checkWhitelist(domain) -+ if err != nil { -+ return err -+ } -+ if ok { -+ return nil -+ } +@@ -287,6 +302,14 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error { + } + } + ++ ok, err := pa.checkWhitelist(domain) ++ if err != nil { ++ return err ++ } ++ if ok { ++ return nil ++ } + - // Names must end in an ICANN TLD, but they must not be equal to an ICANN TLD. - icannTLD, err := extractDomainIANASuffix(domain) - if err != nil { -@@ -413,6 +435,31 @@ func (pa *AuthorityImpl) checkHostLists(domain string) error { - return nil + // Names must end in an ICANN TLD, but they must not be equal to an ICANN TLD. + icannTLD, err := iana.ExtractSuffix(domain) + if err != nil { +@@ -304,6 +327,31 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error { + return nil } - + +func (pa *AuthorityImpl) checkWhitelist(domain string) (bool,error) { -+ pa.blacklistMu.RLock() -+ defer pa.blacklistMu.RUnlock() ++ pa.blocklistMu.RLock() ++ defer pa.blocklistMu.RUnlock() + -+ if (pa.whitelist == nil) || (pa.lockdown == nil) { -+ return false, fmt.Errorf("Hostname policy not yet loaded.") -+ } ++ if (pa.whitelist == nil) || (pa.lockdown == nil) { ++ return false, fmt.Errorf("Hostname policy not yet loaded.") ++ } + -+ labels := strings.Split(domain, ".") -+ for i := range labels { -+ joined := strings.Join(labels[i:], ".") -+ if pa.whitelist[joined] || pa.lockdown[joined] { -+ return true, nil -+ } -+ } ++ labels := strings.Split(domain, ".") ++ for i := range labels { ++ joined := strings.Join(labels[i:], ".") ++ if pa.whitelist[joined] || pa.lockdown[joined] { ++ return true, nil ++ } ++ } + -+ if len(pa.lockdown) > 0 { -+ // In Lockdown mode, the domain MUST be in the list, so return an error if not found -+ return false, errBlacklisted -+ } else { -+ // In Whitelist mode, if the domain is not in the list, continue with the other checks -+ return false, nil -+ } ++ if len(pa.lockdown) > 0 { ++ // In Lockdown mode, the domain MUST be in the list, so return an error if not found ++ return false, errPolicyForbidden ++ } else { ++ // In Whitelist mode, if the domain is not in the list, continue with the other checks ++ return false, nil ++ } +} + - // ChallengesFor makes a decision of what challenges, and combinations, are - // acceptable for the given identifier. If the TLSSNIRevalidation feature flag - // is set, create TLS-SNI-01 challenges for revalidation requests even if + // WillingToIssueWildcards is an extension of WillingToIssue that accepts DNS + // identifiers for well formed wildcard domains in addition to regular + // identifiers. From f8a7bebff6fb013f65050f9b0cf433c20d8b1d7a Mon Sep 17 00:00:00 2001 From: Arjan H Date: Fri, 12 Jul 2019 11:45:36 +0200 Subject: [PATCH 3/5] Optionally use different branch than master --- install | 54 ++++++++++++++++++++++++++++++++++++++++-------------- 1 file changed, 40 insertions(+), 14 deletions(-) diff --git a/install b/install index e2a7bbd..6d1e5d9 100755 --- a/install +++ b/install @@ -49,6 +49,9 @@ wait_up() { dn=$(dirname $0) source "$dn/utils.sh" &>/dev/null || true +cmdlineFqdn="" +cmdlineBranch="" + # # Helper functions for informing the user and logging to file # @@ -136,14 +139,22 @@ labca_user() { clone_repo() { local dir="$1" local url="$2" + local branch="$3" local msg="Clone $url to $dir" msg_info "$msg" sudo -u labca git clone -q "$url" "$dir" &>>$installLog && msg_ok "$msg" || msg_fatal "Could not clone git repository" + + if [ "$branch" != "" ]; then + cd "$dir" + sudo -u labca git checkout $branch + cd - + fi } pull_repo() { local dir="$1" + local branch="$2" cd "$dir" &>>$installLog || msg_fatal "Could not switch to directory '$dir'" @@ -152,11 +163,18 @@ pull_repo() { sudo -u labca git stash --all --quiet &>>$installLog || true sudo -u labca git clean --quiet --force -d &>>$installLog || true sudo -u labca git pull --quiet &>>$installLog && msg_ok "$msg" || msg_fatal "Could not update local repository" + + if [ "$branch" != "" ]; then + cd "$dir" + sudo -u labca git checkout $branch + cd - + fi } clone_or_pull() { local dir="$1" local url="$2" + local branch="$3" local parentdir=$(dirname "$dir") local dirbase=$(basename "$dir") @@ -168,12 +186,12 @@ clone_or_pull() { if [ $rc -gt 0 ]; then cd "$parentdir" mv "$dirbase" "${dirbase}_${runId}" && msg_ok "Backup existing non-git directory '$dir'" - clone_repo "$dir" "$url" + clone_repo "$dir" "$url" "$branch" else - pull_repo "$dir" + pull_repo "$dir" "$branch" fi else - clone_repo "$dir" "$url" + clone_repo "$dir" "$url" "$branch" fi } @@ -209,22 +227,20 @@ prompt_and_export() { fi } -# Determine the remote address of this machine from (in order): commandline parameter, -# existing configuration or full hostname. -get_fqdn() { - local cfgFile="$adminDir/data/config.json" - local cfgFqdn=$(grep fqdn $cfgFile 2>/dev/null | grep -v LABCA_FQDN | cut -d ":" -f 2- | tr -d " \",") - LABCA_FQDN=${cfgFqdn:-$(hostname -f)} - - local parsed=$(getopt --options=n: --longoptions=name:,fqdn: --name "$0" -- "$@" 2>>$installLog) || msg_fatal "Could not process commandline parameters" +# Parse the command line options, if any +parse_cmdline() { + local parsed=$(getopt --options=n:,b: --longoptions=name:,fqdn:,branch: --name "$0" -- "$@" 2>>$installLog) || msg_fatal "Could not process commandline parameters" eval set -- "$parsed" - local cmdlineFqdn while true; do case "$1" in -n|--name|--fqdn) cmdlineFqdn="$2" shift 2 ;; + -b|--branch) + cmdlineBranch="$2" + shift 2 + ;; --) shift break @@ -234,6 +250,14 @@ get_fqdn() { ;; esac done +} + +# Determine the remote address of this machine from (in order): commandline parameter, +# existing configuration or full hostname. +get_fqdn() { + local cfgFile="$adminDir/data/config.json" + local cfgFqdn=$(grep fqdn $cfgFile 2>/dev/null | grep -v LABCA_FQDN | cut -d ":" -f 2- | tr -d " \",") + LABCA_FQDN=${cfgFqdn:-$(hostname -f)} if [ "$cfgFqdn" == "" ]; then if [ "$cmdlineFqdn" != "" ]; then @@ -640,10 +664,12 @@ main() { [ -e $this ] || this="$curdir/$0" local checksum=$(md5sum $this 2>/dev/null | cut -d' ' -f1) [ ! -e "$cloneDir/cron_d" ] || chown labca:labca "$cloneDir/cron_d" - clone_or_pull "$cloneDir" "$labcaUrl" + + parse_cmdline "$@" + clone_or_pull "$cloneDir" "$labcaUrl" "$cmdlineBranch" restart_if_updated "$checksum" - get_fqdn "$@" + get_fqdn copy_admin update_upgrade From 5a546115bfae8519fa63e44bb04c77e390903042 Mon Sep 17 00:00:00 2001 From: Arjan H Date: Fri, 12 Jul 2019 17:42:22 +0200 Subject: [PATCH 4/5] Optional extension of timeout values --- gui/apply-boulder | 16 ++++++++++++++++ gui/main.go | 14 ++++++++++++++ gui/templates/views/manage.tmpl | 6 ++++++ 3 files changed, 36 insertions(+) diff --git a/gui/apply-boulder b/gui/apply-boulder index a46643b..8e2bcba 100755 --- a/gui/apply-boulder +++ b/gui/apply-boulder @@ -20,6 +20,22 @@ if [ "$PKI_DOMAIN_MODE" == "whitelist" ]; then echo " - \"$PKI_LOCKDOWN_DOMAINS\"" >> hostname-policy.yaml fi +if [ "$PKI_EXTENDED_TIMEOUT" == "1" ]; then + sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/ca-a.json + sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/ca-b.json + sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/admin-revoker.json + sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/wfe.json + sed -i -e "s/\"timeout\": \"20s\"/\"timeout\": \"40s\"/" config/wfe.json + sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/wfe2.json + sed -i -e "s/\"timeout\": \"20s\"/\"timeout\": \"40s\"/" config/wfe2.json + sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/ca.json + sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/expiration-mailer.json + sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/ra.json + sed -i -e "s/\"timeout\": \"20s\"/\"timeout\": \"40s\"/" config/ra.json + sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/ocsp-updater.json + sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/orphan-finder.json +fi + sed -i -e "s/\"server\": \".*\"/\"server\": \"$PKI_EMAIL_SERVER\"/" config/expiration-mailer.json sed -i -e "s/\"port\": \".*\"/\"port\": \"$PKI_EMAIL_PORT\"/" config/expiration-mailer.json sed -i -e "s/\"username\": \".*\"/\"username\": \"$PKI_EMAIL_USER\"/" config/expiration-mailer.json diff --git a/gui/main.go b/gui/main.go index 59fae3f..c5be64f 100644 --- a/gui/main.go +++ b/gui/main.go @@ -150,6 +150,7 @@ type SetupConfig struct { DomainMode string LockdownDomains string WhitelistDomains string + ExtendedTimeout bool RequestBase string Errors map[string]string } @@ -428,6 +429,7 @@ func _configUpdateHandler(w http.ResponseWriter, r *http.Request) { DomainMode: r.Form.Get("domain_mode"), LockdownDomains: r.Form.Get("lockdown_domains"), WhitelistDomains: r.Form.Get("whitelist_domains"), + ExtendedTimeout: (r.Form.Get("extended_timeout") == "true"), } res := struct { @@ -477,6 +479,12 @@ func _configUpdateHandler(w http.ResponseWriter, r *http.Request) { } } + extendedTimeout := cfg.ExtendedTimeout + if extendedTimeout != viper.GetBool("labca.extended_timeout") { + delta = true + viper.Set("labca.extended_timeout", cfg.ExtendedTimeout) + } + if delta { viper.WriteConfig() @@ -994,6 +1002,7 @@ func _manageGet(w http.ResponseWriter, r *http.Request) { if domainMode == "whitelist" { manageData["WhitelistDomains"] = viper.GetString("labca.whitelist") } + manageData["ExtendedTimeout"] = viper.GetBool("labca.extended_timeout") manageData["DoEmail"] = viper.GetBool("labca.email.enable") manageData["Server"] = viper.GetString("labca.email.server") @@ -1437,6 +1446,11 @@ func _applyConfig() error { os.Setenv("PKI_DOMAIN_MODE", viper.GetString("labca.domain_mode")) os.Setenv("PKI_LOCKDOWN_DOMAINS", viper.GetString("labca.lockdown")) os.Setenv("PKI_WHITELIST_DOMAINS", viper.GetString("labca.whitelist")) + if viper.GetBool("labca.extended_timeout") { + os.Setenv("PKI_EXTENDED_TIMEOUT", "1") + } else { + os.Setenv("PKI_EXTENDED_TIMEOUT", "0") + } if viper.GetBool("labca.email.enable") { os.Setenv("PKI_EMAIL_SERVER", viper.GetString("labca.email.server")) os.Setenv("PKI_EMAIL_PORT", viper.GetString("labca.email.port")) diff --git a/gui/templates/views/manage.tmpl b/gui/templates/views/manage.tmpl index 6cc9187..afb8478 100644 --- a/gui/templates/views/manage.tmpl +++ b/gui/templates/views/manage.tmpl @@ -163,6 +163,11 @@ Standard - any official domains
+
+
+ +  If you see timeout related errors on the Dashboard / Audit Log, try checking this box. +
@@ -489,6 +494,7 @@ domain_mode: ($("#standard").prop('checked') ? 'standard' : ($("#whitelist").prop('checked') ? 'whitelist' : 'lockdown')), lockdown_domains: $("#lockdown_domains").val(), whitelist_domains: $("#whitelist_domains").val(), + extended_timeout: $("#extended_timeout").prop("checked"), }, }) .done(function(data) { From 1efae0ee33fd3a509c5b64aef31807c0df3ad382 Mon Sep 17 00:00:00 2001 From: Arjan H Date: Sat, 13 Jul 2019 08:33:48 +0200 Subject: [PATCH 5/5] Fix logging; fix patch file --- install | 8 +-- policy_pa.patch | 138 ++++++++++++++++++++++++------------------------ 2 files changed, 73 insertions(+), 73 deletions(-) diff --git a/install b/install index 6d1e5d9..a372f36 100755 --- a/install +++ b/install @@ -147,8 +147,8 @@ clone_repo() { if [ "$branch" != "" ]; then cd "$dir" - sudo -u labca git checkout $branch - cd - + sudo -u labca git checkout $branch &>>$installLog + cd - >/dev/null fi } @@ -166,8 +166,8 @@ pull_repo() { if [ "$branch" != "" ]; then cd "$dir" - sudo -u labca git checkout $branch - cd - + sudo -u labca git checkout $branch &>>$installLog + cd - >/dev/null fi } diff --git a/policy_pa.patch b/policy_pa.patch index 65776ff..a9d0fb7 100644 --- a/policy_pa.patch +++ b/policy_pa.patch @@ -1,89 +1,89 @@ diff --git a/policy/pa.go b/policy/pa.go -index 3d097365..ce3c32e3 100644 +index 3d097365..53cf6020 100644 --- a/policy/pa.go +++ b/policy/pa.go @@ -30,6 +30,8 @@ type AuthorityImpl struct { - blocklist map[string]bool - exactBlocklist map[string]bool - wildcardExactBlocklist map[string]bool -+ whitelist map[string]bool -+ lockdown map[string]bool - blocklistMu sync.RWMutex - - enabledChallenges map[string]bool + blocklist map[string]bool + exactBlocklist map[string]bool + wildcardExactBlocklist map[string]bool ++ whitelist map[string]bool ++ lockdown map[string]bool + blocklistMu sync.RWMutex + + enabledChallenges map[string]bool @@ -70,6 +72,9 @@ type blockedNamesPolicy struct { - // time above and beyond the high-risk domains. Managing these entries separately - // from HighRiskBlockedNames makes it easier to vet changes accurately. - AdminBlockedNames []string `yaml:"AdminBlockedNames"` + // time above and beyond the high-risk domains. Managing these entries separately + // from HighRiskBlockedNames makes it easier to vet changes accurately. + AdminBlockedNames []string `yaml:"AdminBlockedNames"` + -+ Whitelist []string `yaml:"Whitelist"` -+ Lockdown []string `yaml:"Lockdown"` ++ Whitelist []string `yaml:"Whitelist"` ++ Lockdown []string `yaml:"Lockdown"` } - + // SetHostnamePolicyFile will load the given policy file, returning error if it @@ -138,10 +143,20 @@ func (pa *AuthorityImpl) processHostnamePolicy(policy blockedNamesPolicy) error - // wildcardNameMap to block issuance for `*.`+parts[1] - wildcardNameMap[parts[1]] = true - } -+ whiteMap := make(map[string]bool) -+ for _, v := range policy.Whitelist { -+ whiteMap[v] = true -+ } -+ lockMap := make(map[string]bool) -+ for _, v := range policy.Lockdown { -+ lockMap[v] = true -+ } - pa.blocklistMu.Lock() - pa.blocklist = nameMap - pa.exactBlocklist = exactNameMap - pa.wildcardExactBlocklist = wildcardNameMap -+ pa.whitelist = whiteMap -+ pa.lockdown = lockMap - pa.blocklistMu.Unlock() - return nil + // wildcardNameMap to block issuance for `*.`+parts[1] + wildcardNameMap[parts[1]] = true + } ++ whiteMap := make(map[string]bool) ++ for _, v := range policy.Whitelist { ++ whiteMap[v] = true ++ } ++ lockMap := make(map[string]bool) ++ for _, v := range policy.Lockdown { ++ lockMap[v] = true ++ } + pa.blocklistMu.Lock() + pa.blocklist = nameMap + pa.exactBlocklist = exactNameMap + pa.wildcardExactBlocklist = wildcardNameMap ++ pa.whitelist = whiteMap ++ pa.lockdown = lockMap + pa.blocklistMu.Unlock() + return nil } @@ -287,6 +302,14 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error { - } - } - -+ ok, err := pa.checkWhitelist(domain) -+ if err != nil { -+ return err -+ } -+ if ok { -+ return nil -+ } + } + } + ++ ok, err := pa.checkWhitelist(domain) ++ if err != nil { ++ return err ++ } ++ if ok { ++ return nil ++ } + - // Names must end in an ICANN TLD, but they must not be equal to an ICANN TLD. - icannTLD, err := iana.ExtractSuffix(domain) - if err != nil { + // Names must end in an ICANN TLD, but they must not be equal to an ICANN TLD. + icannTLD, err := iana.ExtractSuffix(domain) + if err != nil { @@ -304,6 +327,31 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error { - return nil + return nil } - -+func (pa *AuthorityImpl) checkWhitelist(domain string) (bool,error) { -+ pa.blocklistMu.RLock() -+ defer pa.blocklistMu.RUnlock() + ++func (pa *AuthorityImpl) checkWhitelist(domain string) (bool, error) { ++ pa.blocklistMu.RLock() ++ defer pa.blocklistMu.RUnlock() + -+ if (pa.whitelist == nil) || (pa.lockdown == nil) { -+ return false, fmt.Errorf("Hostname policy not yet loaded.") -+ } ++ if (pa.whitelist == nil) || (pa.lockdown == nil) { ++ return false, fmt.Errorf("Hostname policy not yet loaded.") ++ } + -+ labels := strings.Split(domain, ".") -+ for i := range labels { -+ joined := strings.Join(labels[i:], ".") -+ if pa.whitelist[joined] || pa.lockdown[joined] { -+ return true, nil -+ } -+ } ++ labels := strings.Split(domain, ".") ++ for i := range labels { ++ joined := strings.Join(labels[i:], ".") ++ if pa.whitelist[joined] || pa.lockdown[joined] { ++ return true, nil ++ } ++ } + -+ if len(pa.lockdown) > 0 { -+ // In Lockdown mode, the domain MUST be in the list, so return an error if not found -+ return false, errPolicyForbidden -+ } else { -+ // In Whitelist mode, if the domain is not in the list, continue with the other checks -+ return false, nil -+ } ++ if len(pa.lockdown) > 0 { ++ // In Lockdown mode, the domain MUST be in the list, so return an error if not found ++ return false, errPolicyForbidden ++ } else { ++ // In Whitelist mode, if the domain is not in the list, continue with the other checks ++ return false, nil ++ } +} + // WillingToIssueWildcards is an extension of WillingToIssue that accepts DNS