Suppress 'must end in IANA registered TLD' error on renewal (#114)

When using whitelist/lockdown domains, also accept them in va.extractRequestTarget().
Apparently that method only gets used on renewal but not during the original request?

gui/apply-boulder

@@ -53,11 +53,11 @@ else
 fi
 
 
-perl -i -p0e "s/(\"dnsResolvers\": \[\n).*?(\s+\],)/\1      \"$PKI_DNS\"\2/igs" config/va.json
-perl -i -p0e "s/(\"dnsResolvers\": \[\n).*?(\s+\],)/\1      \"$PKI_DNS\"\2/igs" config/va-remote-a.json
-perl -i -p0e "s/(\"dnsResolvers\": \[\n).*?(\s+\],)/\1      \"$PKI_DNS\"\2/igs" config/va-remote-b.json
-perl -i -p0e "s/(\"dnsResolvers\": \[\n).*?(\s+\],)/\1      \"$PKI_DNS\"\2/igs" config/bad-key-revoker.json
-perl -i -p0e "s/(\"dnsResolvers\": \[\n).*?(\s+\],)/\1      \"$PKI_DNS\"\2/igs" config/expiration-mailer.json
+perl -i -p0e "s/(\"dnsResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/va.json
+perl -i -p0e "s/(\"dnsResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/va-remote-a.json
+perl -i -p0e "s/(\"dnsResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/va-remote-b.json
+perl -i -p0e "s/(\"dnsResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/bad-key-revoker.json
+perl -i -p0e "s/(\"dnsResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/expiration-mailer.json
 for fl in $(grep -Rl maxConnectionAge config/); do
     perl -i -p0e "s/(\s+\"maxConnectionAge\":[^\n]+)//igs" $fl
 done
@@ -109,18 +109,31 @@ if [ "$PKI_DOMAIN_MODE" == "lockdown" ] || [ "$PKI_DOMAIN_MODE" == "whitelist" ]
     sed -i -e "s/\(\"n_subject_common_name_included\"\).*\]/\1,\"e_dnsname_not_valid_tld\"\]/" config/ca.json
 
     REPLACEMENT=""
+    LABCA_DOMAINS=""
     if [ "$PKI_DOMAIN_MODE" == "lockdown" ] && [ "$PKI_LOCKDOWN_DOMAINS" != "" ]; then
         for d in $(echo $PKI_LOCKDOWN_DOMAINS | sed -e "s/\\\r/ /g" | sed -e "s/\\\n/ /g" | tr '\r' ' '); do
             REPLACEMENT+="    $d: 10000\r"
+            if [ "$LABCA_DOMAINS" != "" ]; then
+                LABCA_DOMAINS+=",\n"
+            fi
+            LABCA_DOMAINS+="\t\t\t\"$d\""
         done
     fi
     if [ "$PKI_DOMAIN_MODE" == "whitelist" ] && [ "$PKI_WHITELIST_DOMAINS" != "" ]; then
         for d in $(echo $PKI_WHITELIST_DOMAINS | sed -e "s/\\\r/ /g" | sed -e "s/\\\n/ /g" | tr '\r' ' '); do
             REPLACEMENT+="    $d: 10000\r"
+            if [ "$LABCA_DOMAINS" != "" ]; then
+                LABCA_DOMAINS+=",\n"
+            fi
+            LABCA_DOMAINS+="\t\t\t\"$d\""
         done
     fi
     cat rate-limit-policies.yml | tr '\n' '\r' | sed -e "s/\(must-staple.le.wtf: 10000\).*\(  registrationOverrides:\)/\1\n$REPLACEMENT\2/" | tr '\r' '\n' > rate-limit-policies.yml.bak && mv rate-limit-policies.yml.bak rate-limit-policies.yml
     cat rate-limit-policies.yml | tr '\n' '\r' | sed -e "s|\(certificatesPerFQDNSet:.*must-staple.le.wtf: 10000\).*\(certificatesPerFQDNSetFast:.*\)|\1\n${REPLACEMENT}rateLimitsURL: http://$PKI_FQDN/rate-limits\n\2|" | tr '\r' '\n' > rate-limit-policies.yml.bak && mv rate-limit-policies.yml.bak rate-limit-policies.yml
+
+    perl -i -p0e "s/(\"labcaDomains\": \[\n).*?(\])/\1$LABCA_DOMAINS\n\t\t\2/igs" config/va.json
+    perl -i -p0e "s/(\"labcaDomains\": \[\n).*?(\])/\1$LABCA_DOMAINS\n\t\t\2/igs" config/va-remote-a.json
+    perl -i -p0e "s/(\"labcaDomains\": \[\n).*?(\])/\1$LABCA_DOMAINS\n\t\t\2/igs" config/va-remote-b.json
 fi
 
 CRLINT=24h

patch-cfg.sh

@@ -32,6 +32,9 @@ cp test/config/va*.json "$boulderLabCADir/config/"
 perl -i -p0e "s/\"dnsProvider\": \{.*?\t\t},/\"dnsResolvers\": [\n\t\t\t\"127.0.0.1:8053\",\n\t\t\t\"127.0.0.1:8054\"\n\t\t],/igs" $boulderLabCADir/config/va.json
 perl -i -p0e "s/\"dnsProvider\": \{.*?\t\t},/\"dnsResolvers\": [\n\t\t\t\"127.0.0.1:8053\",\n\t\t\t\"127.0.0.1:8054\"\n\t\t],/igs" $boulderLabCADir/config/va-remote-a.json
 perl -i -p0e "s/\"dnsProvider\": \{.*?\t\t},/\"dnsResolvers\": [\n\t\t\t\"127.0.0.1:8053\",\n\t\t\t\"127.0.0.1:8054\"\n\t\t],/igs" $boulderLabCADir/config/va-remote-b.json
+perl -i -p0e "s/(\"accountURIPrefixes\": \[\n.*?\s+\])/\1,\n\t\t\"labcaDomains\": [\n\t\t]/igs" $boulderLabCADir/config/va.json
+perl -i -p0e "s/(\"accountURIPrefixes\": \[\n.*?\s+\])/\1,\n\t\t\"labcaDomains\": [\n\t\t]/igs" $boulderLabCADir/config/va-remote-a.json
+perl -i -p0e "s/(\"accountURIPrefixes\": \[\n.*?\s+\])/\1,\n\t\t\"labcaDomains\": [\n\t\t]/igs" $boulderLabCADir/config/va-remote-b.json
 
 if [ "$flag_skip_redis" == true ]; then
     perl -i -p0e "s/\n    \"redis\": \{\n.*?    \},//igs" $boulderLabCADir/config/ocsp-responder.json

patch.sh

@@ -53,6 +53,8 @@ $SUDO patch -p1 < $cloneDir/patches/storer_storer.patch
 $SUDO patch -p1 < $cloneDir/patches/test_health-checker_main.patch
 $SUDO patch -p1 < $cloneDir/patches/updater_updater.patch
 $SUDO patch -p1 < $cloneDir/patches/updater_continuous.patch
+$SUDO patch -p1 < $cloneDir/patches/va_http.patch
+$SUDO patch -p1 < $cloneDir/patches/va_va.patch
 $SUDO patch -p1 < $cloneDir/patches/wfe2_main.patch
 
 sed -i -e "s|./test|./labca|" start.py

patches/boulder-va_main.patch

@@ -1,5 +1,5 @@
 diff --git a/cmd/boulder-va/main.go b/cmd/boulder-va/main.go
-index b28ec1134..78f5a7879 100644
+index 495acf823..7dfc2ae89 100644
 --- a/cmd/boulder-va/main.go
 +++ b/cmd/boulder-va/main.go
 @@ -27,7 +27,8 @@ type Config struct {
@@ -12,7 +12,15 @@ index b28ec1134..78f5a7879 100644
  		DNSTimeout                config.Duration  `validate:"required"`
  		DNSAllowLoopbackAddresses bool
  
-@@ -79,7 +80,7 @@ func main() {
+@@ -37,6 +38,7 @@ type Config struct {
+ 		Features features.Config
+ 
+ 		AccountURIPrefixes []string `validate:"min=1,dive,required,url"`
++		LabCADomains       []string
+ 	}
+ 
+ 	Syslog        cmd.SyslogConfig
+@@ -79,7 +81,7 @@ func main() {
  	}
  	clk := cmd.Clock()
  
@@ -21,7 +29,7 @@ index b28ec1134..78f5a7879 100644
  		cmd.Fail("Must specify dnsProvider")
  	}
  
-@@ -88,8 +89,13 @@ func main() {
+@@ -88,8 +90,13 @@ func main() {
  	if features.Get().DOH {
  		proto = "tcp"
  	}
@@ -37,3 +45,13 @@ index b28ec1134..78f5a7879 100644
  	defer servers.Stop()
  
  	tlsConfig, err := c.VA.TLS.Load(scope)
+@@ -144,7 +151,8 @@ func main() {
+ 		scope,
+ 		clk,
+ 		logger,
+-		c.VA.AccountURIPrefixes)
++		c.VA.AccountURIPrefixes,
++		c.VA.LabCADomains)
+ 	cmd.FailOnError(err, "Unable to create VA server")
+ 
+ 	start, err := bgrpc.NewServer(c.VA.GRPC, logger).Add(

patches/va_http.patch

@@ -0,0 +1,22 @@
+diff --git a/va/http.go b/va/http.go
+index 8700b2a03..6583710fe 100644
+--- a/va/http.go
++++ b/va/http.go
+@@ -333,7 +333,16 @@ func (va *ValidationAuthorityImpl) extractRequestTarget(req *http.Request) (stri
+ 	}
+ 
+ 	if _, err := iana.ExtractSuffix(reqHost); err != nil {
+-		return "", 0, berrors.ConnectionFailureError("Invalid hostname in redirect target, must end in IANA registered TLD")
++		isLabca := false
++		for _, domain := range va.labcaDomains {
++			if strings.HasSuffix(reqHost, "."+domain) {
++				isLabca = true
++			}
++		}
++
++		if !isLabca {
++			return "", 0, berrors.ConnectionFailureError("Invalid hostname in redirect target, must end in IANA registered TLD")
++		}
+ 	}
+ 
+ 	return reqHost, reqPort, nil

patches/va_va.patch

@@ -0,0 +1,28 @@
+diff --git a/va/va.go b/va/va.go
+index 103896574..2e120ab52 100644
+--- a/va/va.go
++++ b/va/va.go
+@@ -264,6 +264,7 @@ type ValidationAuthorityImpl struct {
+ 	maxRemoteFailures  int
+ 	accountURIPrefixes []string
+ 	singleDialTimeout  time.Duration
++	labcaDomains       []string
+ 
+ 	metrics *vaMetrics
+ }
+@@ -279,6 +280,7 @@ func NewValidationAuthorityImpl(
+ 	clk clock.Clock,
+ 	logger blog.Logger,
+ 	accountURIPrefixes []string,
++	labcaDomains []string,
+ ) (*ValidationAuthorityImpl, error) {
+ 
+ 	if len(accountURIPrefixes) == 0 {
+@@ -305,6 +307,7 @@ func NewValidationAuthorityImpl(
+ 		// used for the DialContext operations that take place during an
+ 		// HTTP-01 challenge validation.
+ 		singleDialTimeout: 10 * time.Second,
++		labcaDomains:      labcaDomains,
+ 	}
+ 
+ 	return va, nil