Fix CRL shard detection when revoking certs (#158)

Also fix the admin.boulder ipki cert for older installations that still only
have the admin-revoker.boulder ipki cert
Arjan H
2025-03-04 21:45:47 +01:00
parent 99bba73978
commit 8b7f5145a8
3 changed files with 21 additions and 4 deletions


@@ -182,7 +182,7 @@ sed -i -e "s|\"crlURLBase\": \".*\"|\"crlURLBase\": \"http://$PKI_FQDN/crl/$INT_
if [ "$PKI_EXTENDED_TIMEOUT" == "1" ]; then
sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/ca.json
sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/admin-revoker.json
sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/admin.json
sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/wfe2.json
sed -i -e "s/\"timeout\": \"20s\"/\"timeout\": \"40s\"/" config/wfe2.json
sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/expiration-mailer.json


@@ -1,5 +1,5 @@
diff --git a/ra/ra.go b/ra/ra.go
index 82244d216..a247512ed 100644
index 82244d216..10d15a624 100644
--- a/ra/ra.go
+++ b/ra/ra.go
@@ -44,7 +44,6 @@ import (
@@ -19,3 +19,13 @@ index 82244d216..a247512ed 100644
if err != nil {
return err
}
@@ -1933,6 +1932,9 @@ func crlShard(cert *x509.Certificate) (int64, error) {
return 0, fmt.Errorf("malformed CRLDistributionPoint %q", url)
}
shardStr := url[lastIndex+1:]
+ if strings.HasSuffix(shardStr, "-crl.pem") {
+ return 1, nil
+ }
shardIdx, err := strconv.Atoi(shardStr)
if err != nil {
return 0, fmt.Errorf("parsing CRLDistributionPoint: %s", err)
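Review bot: The new guard at `return 1, nil` hard-codes shard 1 for any distribution point whose last path segment ends in `-crl.pem` without saying why, so a reader of crlShard cannot tell whether 1 is a deliberate mapping of an unsharded CRL file onto the first shard or a leftover. A comment above the `if`, such as `// Unsharded CRL ("<name>-crl.pem"): this deployment serves a single CRL, which the shard logic addresses as shard 1.`, would record the intent — adjust the wording if that is not the reason. The check is also suffix-only, so any such name is accepted silently where a non-numeric segment would previously have failed `strconv.Atoi`; if the file name is expected to match the configured CRL base, consider whether a mismatch should be an error rather than a default. The added lines rely on the `strings` import, and the unchanged `@@ -44,7 +44,6 @@ import (` hunk removes an import line that is not visible here, so confirm `strings` is still imported after that hunk. crlShard's signature and the rest of its body lie outside the hunk.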


@@ -1,5 +1,5 @@
diff --git a/test/certs/generate.sh b/test/certs/generate.sh
index 7386e7992..50ec741f3 100755
index 3f0e03d2c..7a57d0b3d 100755
--- a/test/certs/generate.sh
+++ b/test/certs/generate.sh
@@ -63,9 +63,9 @@ webpki() (
@@ -15,10 +15,17 @@ index 7386e7992..50ec741f3 100755
)
if ! [ -d ipki ]; then
@@ -73,6 +73,17 @@ if ! [ -d ipki ]; then
@@ -73,6 +73,24 @@ if ! [ -d ipki ]; then
ipki
fi
+# For updating older LabCA installations...
+if ! [ -d ipki/admin.boulder ]; then
+ cd ipki
+ minica -domains "admin.boulder" &
+ cd -
+fi
+
+end_date=$(openssl x509 -enddate -noout -in ipki/boulder/cert.pem | cut -d= -f2)
+end_date_seconds=$(date -d "$end_date" +%s)
+current_date_seconds=$(date +%s)