diff --git a/gui/apply-boulder b/gui/apply-boulder
index dc43038..7609e7a 100755
--- a/gui/apply-boulder
+++ b/gui/apply-boulder
@@ -53,11 +53,11 @@ else
 fi
-perl -i -p0e "s/(\"dnsResolvers\": \[\n).*?(\s+\],)/\1 \"$PKI_DNS\"\2/igs" config/va.json
-perl -i -p0e "s/(\"dnsResolvers\": \[\n).*?(\s+\],)/\1 \"$PKI_DNS\"\2/igs" config/va-remote-a.json
-perl -i -p0e "s/(\"dnsResolvers\": \[\n).*?(\s+\],)/\1 \"$PKI_DNS\"\2/igs" config/va-remote-b.json
-perl -i -p0e "s/(\"dnsResolvers\": \[\n).*?(\s+\],)/\1 \"$PKI_DNS\"\2/igs" config/bad-key-revoker.json
-perl -i -p0e "s/(\"dnsResolvers\": \[\n).*?(\s+\],)/\1 \"$PKI_DNS\"\2/igs" config/expiration-mailer.json
+perl -i -p0e "s/(\"dnsResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/va.json
+perl -i -p0e "s/(\"dnsResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/va-remote-a.json
+perl -i -p0e "s/(\"dnsResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/va-remote-b.json
+perl -i -p0e "s/(\"dnsResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/bad-key-revoker.json
+perl -i -p0e "s/(\"dnsResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/expiration-mailer.json
 for fl in $(grep -Rl maxConnectionAge config/); do
 perl -i -p0e "s/(\s+\"maxConnectionAge\":[^\n]+)//igs" $fl
 done
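Review bot: The rewritten replacement lines still splice `$PKI_DNS` directly into the replacement side of a double-quoted perl `s///`, so a value containing `/`, `\`, `$` or `@` changes the expression instead of ending up inside the JSON string; the `$d` values appended to `LABCA_DOMAINS` in the hunk at line 109 reach `config/va*.json` through the same path. Because perl interpolates the replacement anyway, the value can be handed over through the environment rather than the shell, e.g. `export PKI_DNS` once and `$ENV{PKI_DNS}` inside a single-quoted perl expression, which keeps shell quoting and perl syntax apart. The five invocations differ only in the target file and could iterate over that list; the same holds for the three `labcaDomains` lines in the later hunk and in `patch-cfg.sh`.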
@@ -109,18 +109,31 @@ if [ "$PKI_DOMAIN_MODE" == "lockdown" ] || [ "$PKI_DOMAIN_MODE" == "whitelist" ]
 sed -i -e "s/\(\"n_subject_common_name_included\"\).*\]/\1,\"e_dnsname_not_valid_tld\"\]/" config/ca.json
 REPLACEMENT=""
+ LABCA_DOMAINS=""
 if [ "$PKI_DOMAIN_MODE" == "lockdown" ] && [ "$PKI_LOCKDOWN_DOMAINS" != "" ]; then
 for d in $(echo $PKI_LOCKDOWN_DOMAINS | sed -e "s/\\\r/ /g" | sed -e "s/\\\n/ /g" | tr '\r' ' '); do
 REPLACEMENT+=" $d: 10000\r"
+ if [ "$LABCA_DOMAINS" != "" ]; then
+ LABCA_DOMAINS+=",\n"
+ fi
+ LABCA_DOMAINS+="\t\t\t\"$d\""
 done
 fi
 if [ "$PKI_DOMAIN_MODE" == "whitelist" ] && [ "$PKI_WHITELIST_DOMAINS" != "" ]; then
 for d in $(echo $PKI_WHITELIST_DOMAINS | sed -e "s/\\\r/ /g" | sed -e "s/\\\n/ /g" | tr '\r' ' '); do
 REPLACEMENT+=" $d: 10000\r"
+ if [ "$LABCA_DOMAINS" != "" ]; then
+ LABCA_DOMAINS+=",\n"
+ fi
+ LABCA_DOMAINS+="\t\t\t\"$d\""
 done
 fi
 cat rate-limit-policies.yml | tr '\n' '\r' | sed -e "s/\(must-staple.le.wtf: 10000\).*\( registrationOverrides:\)/\1\n$REPLACEMENT\2/" | tr '\r' '\n' > rate-limit-policies.yml.bak && mv rate-limit-policies.yml.bak rate-limit-policies.yml
 cat rate-limit-policies.yml | tr '\n' '\r' | sed -e "s|\(certificatesPerFQDNSet:.*must-staple.le.wtf: 10000\).*\(certificatesPerFQDNSetFast:.*\)|\1\n${REPLACEMENT}rateLimitsURL: http://$PKI_FQDN/rate-limits\n\2|" | tr '\r' '\n' > rate-limit-policies.yml.bak && mv rate-limit-policies.yml.bak rate-limit-policies.yml
+
+ perl -i -p0e "s/(\"labcaDomains\": \[\n).*?(\])/\1$LABCA_DOMAINS\n\t\t\2/igs" config/va.json
+ perl -i -p0e "s/(\"labcaDomains\": \[\n).*?(\])/\1$LABCA_DOMAINS\n\t\t\2/igs" config/va-remote-a.json
+ perl -i -p0e "s/(\"labcaDomains\": \[\n).*?(\])/\1$LABCA_DOMAINS\n\t\t\2/igs" config/va-remote-b.json
 fi
 CRLINT=24h
diff --git a/patch-cfg.sh b/patch-cfg.sh
index 9a47be5..1682726 100755
--- a/patch-cfg.sh
+++ b/patch-cfg.sh
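Review bot: The `LABCA_DOMAINS+=",\n"` and `LABCA_DOMAINS+="\t\t\t\"$d\""` lines only work because bash leaves `\n` and `\t` literal inside double quotes and perl later expands them when it interpolates `$LABCA_DOMAINS` into the `s///` replacement; nothing in the script says so, and a reader who "fixes" them to `$'\n'` would break the JSON layout. A comment above the first append, `# \t and \n stay literal here; perl expands them when $LABCA_DOMAINS is interpolated into the replacement below`, would pin that down. The four-line append block is duplicated verbatim in the lockdown and whitelist loops; a small function taking `$d` (or a single loop over the selected variable) would keep the two in step. The enclosing `if` on PKI_DOMAIN_MODE starts outside the hunk.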
@@ -32,6 +32,9 @@ cp test/config/va*.json "$boulderLabCADir/config/"
 perl -i -p0e "s/\"dnsProvider\": \{.*?\t\t},/\"dnsResolvers\": [\n\t\t\t\"127.0.0.1:8053\",\n\t\t\t\"127.0.0.1:8054\"\n\t\t],/igs" $boulderLabCADir/config/va.json
 perl -i -p0e "s/\"dnsProvider\": \{.*?\t\t},/\"dnsResolvers\": [\n\t\t\t\"127.0.0.1:8053\",\n\t\t\t\"127.0.0.1:8054\"\n\t\t],/igs" $boulderLabCADir/config/va-remote-a.json
 perl -i -p0e "s/\"dnsProvider\": \{.*?\t\t},/\"dnsResolvers\": [\n\t\t\t\"127.0.0.1:8053\",\n\t\t\t\"127.0.0.1:8054\"\n\t\t],/igs" $boulderLabCADir/config/va-remote-b.json
+perl -i -p0e "s/(\"accountURIPrefixes\": \[\n.*?\s+\])/\1,\n\t\t\"labcaDomains\": [\n\t\t]/igs" $boulderLabCADir/config/va.json
+perl -i -p0e "s/(\"accountURIPrefixes\": \[\n.*?\s+\])/\1,\n\t\t\"labcaDomains\": [\n\t\t]/igs" $boulderLabCADir/config/va-remote-a.json
+perl -i -p0e "s/(\"accountURIPrefixes\": \[\n.*?\s+\])/\1,\n\t\t\"labcaDomains\": [\n\t\t]/igs" $boulderLabCADir/config/va-remote-b.json
 if [ "$flag_skip_redis" == true ]; then
 perl -i -p0e "s/\n \"redis\": \{\n.*? \},//igs" $boulderLabCADir/config/ocsp-responder.json
diff --git a/patch.sh b/patch.sh
index 99affe4..1fb1d07 100755
--- a/patch.sh
+++ b/patch.sh
@@ -53,6 +53,8 @@ $SUDO patch -p1 < $cloneDir/patches/storer_storer.patch
 $SUDO patch -p1 < $cloneDir/patches/test_health-checker_main.patch
 $SUDO patch -p1 < $cloneDir/patches/updater_updater.patch
 $SUDO patch -p1 < $cloneDir/patches/updater_continuous.patch
+$SUDO patch -p1 < $cloneDir/patches/va_http.patch
+$SUDO patch -p1 < $cloneDir/patches/va_va.patch
 $SUDO patch -p1 < $cloneDir/patches/wfe2_main.patch
 sed -i -e "s|./test|./labca|" start.py
diff --git a/patches/boulder-va_main.patch b/patches/boulder-va_main.patch
index e568406..f8e8b07 100644
--- a/patches/boulder-va_main.patch
+++ b/patches/boulder-va_main.patch
@@ -1,5 +1,5 @@
 diff --git a/cmd/boulder-va/main.go b/cmd/boulder-va/main.go
-index b28ec1134..78f5a7879 100644
+index 495acf823..7dfc2ae89 100644
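Review bot: The three added `perl` lines insert an empty `"labcaDomains": [ ]` array into the va configs, but nothing says that the array is a placeholder which `gui/apply-boulder` fills later from the lockdown/whitelist domains; a comment above them, `# empty placeholder; gui/apply-boulder populates it when PKI_DOMAIN_MODE is lockdown or whitelist`, would tie the two scripts together. The pattern `(\"accountURIPrefixes\": \[\n.*?\s+\])` stops at the first whitespace-then-`]` after the key, which is the array's own closing bracket as long as its entries are plain strings — true for the upstream file copied on the hunk's context line, but worth stating in the comment since the `.*?` would match into a following array otherwise.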
--- a/cmd/boulder-va/main.go
 +++ b/cmd/boulder-va/main.go
 @@ -27,7 +27,8 @@ type Config struct {
@@ -12,7 +12,15 @@ index b28ec1134..78f5a7879 100644
 DNSTimeout config.Duration `validate:"required"`
 DNSAllowLoopbackAddresses bool
-@@ -79,7 +80,7 @@ func main() {
+@@ -37,6 +38,7 @@ type Config struct {
+ Features features.Config
+
+ AccountURIPrefixes []string `validate:"min=1,dive,required,url"`
++ LabCADomains []string
+ }
+
+ Syslog cmd.SyslogConfig
+@@ -79,7 +81,7 @@ func main() {
 }
 clk := cmd.Clock()
@@ -21,7 +29,7 @@ index b28ec1134..78f5a7879 100644
 cmd.Fail("Must specify dnsProvider")
 }
-@@ -88,8 +89,13 @@ func main() {
+@@ -88,8 +90,13 @@ func main() {
 if features.Get().DOH {
 proto = "tcp"
 }
@@ -37,3 +45,13 @@ index b28ec1134..78f5a7879 100644
 defer servers.Stop()
 tlsConfig, err := c.VA.TLS.Load(scope)
+@@ -144,7 +151,8 @@ func main() {
+ scope,
+ clk,
+ logger,
+- c.VA.AccountURIPrefixes)
++ c.VA.AccountURIPrefixes,
++ c.VA.LabCADomains)
+ cmd.FailOnError(err, "Unable to create VA server")
+
+ start, err := bgrpc.NewServer(c.VA.GRPC, logger).Add(
diff --git a/patches/va_http.patch b/patches/va_http.patch
new file mode 100644
index 0000000..c863656
--- /dev/null
+++ b/patches/va_http.patch
@@ -0,0 +1,22 @@
+diff --git a/va/http.go b/va/http.go
+index 8700b2a03..6583710fe 100644
+--- a/va/http.go
++++ b/va/http.go
+@@ -333,7 +333,16 @@ func (va *ValidationAuthorityImpl) extractRequestTarget(req *http.Request) (stri
+ }
+
+ if _, err := iana.ExtractSuffix(reqHost); err != nil {
+- return "", 0, berrors.ConnectionFailureError("Invalid hostname in redirect target, must end in IANA registered TLD")
++ isLabca := false
++ for _, domain := range va.labcaDomains {
++ if strings.HasSuffix(reqHost, "."+domain) {
++ isLabca = true
++ }
++ }
++
++ if !isLabca {
++ return "", 0, berrors.ConnectionFailureError("Invalid hostname in redirect target, must end in IANA registered TLD")
++ }
+ }
+
+ return reqHost, reqPort, nil
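Review bot: `LabCADomains []string` is added to the VA config without a `validate` tag, although the sibling `AccountURIPrefixes` on the line above carries `validate:"min=1,dive,required,url"`; an empty-string entry would make the suffix check in `va/http.go` compare against `"."`, so each entry should at least be required: add the tag `validate:"dive,required"` to `LabCADomains` (a hostname-style tag as well if the validator in use offers one, which the hunk does not show). `min=1` must not be copied, because the list is legitimately empty when no lockdown or whitelist domains are configured. A field comment such as `// LabCADomains lists private domain suffixes without an IANA TLD that the VA may follow redirects to.` would document why the field exists.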
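Review bot: `strings.HasSuffix(reqHost, "."+domain)` accepts names under a configured domain but rejects the configured domain itself, so a redirect to a bare lockdown/whitelist domain still fails with the IANA-TLD error although it is listed in `labcaDomains`; if the apex is meant to be allowed the test should read `if reqHost == domain || strings.HasSuffix(reqHost, "."+domain) {` with `isLabca = true` followed by `break`, which also stops the loop at the first match. Whether `reqHost` has already been lower-cased and stripped of a trailing dot at this point is not visible, so the case-sensitivity of the comparison should be confirmed against the earlier part of `extractRequestTarget`, which starts outside the hunk. Since this branch deliberately widens the redirect-target policy that the upstream IANA check enforces, a one-line comment above it, `// LabCA: accept redirect targets under the configured private domains, which have no IANA TLD`, would record the intent for the next rebase. The patch relies on `strings` already being imported in va/http.go, which the hunk does not show.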
diff --git a/patches/va_va.patch b/patches/va_va.patch
new file mode 100644
index 0000000..dc2858a
--- /dev/null
+++ b/patches/va_va.patch
@@ -0,0 +1,28 @@
+diff --git a/va/va.go b/va/va.go
+index 103896574..2e120ab52 100644
+--- a/va/va.go
++++ b/va/va.go
+@@ -264,6 +264,7 @@ type ValidationAuthorityImpl struct {
+ maxRemoteFailures int
+ accountURIPrefixes []string
+ singleDialTimeout time.Duration
++ labcaDomains []string
+
+ metrics *vaMetrics
+ }
+@@ -279,6 +280,7 @@ func NewValidationAuthorityImpl(
+ clk clock.Clock,
+ logger blog.Logger,
+ accountURIPrefixes []string,
++ labcaDomains []string,
+ ) (*ValidationAuthorityImpl, error) {
+
+ if len(accountURIPrefixes) == 0 {
+@@ -305,6 +307,7 @@ func NewValidationAuthorityImpl(
+ // used for the DialContext operations that take place during an
+ // HTTP-01 challenge validation.
+ singleDialTimeout: 10 * time.Second,
++ labcaDomains: labcaDomains,
+ }
+
+ return va, nil
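Review bot: `labcaDomains: labcaDomains` stores the configured slice exactly as given, while its only consumer in `va/http.go` compares with a byte-wise `strings.HasSuffix`, so an entry with upper-case letters or a trailing dot may never match depending on how `reqHost` is normalised upstream; normalising each entry once in the constructor (lower-case, trailing `.` trimmed) would make the config robust, assuming `strings` is in scope in va.go, which the hunk does not show. The new field and parameter carry no comment, unlike `singleDialTimeout` two lines above; suggest `// labcaDomains lists private domain suffixes for which redirect targets are accepted although they have no IANA TLD.` on the struct field. The constructor also keeps the caller's backing array rather than a copy; nothing visible mutates it, but a `slices.Clone` at assignment would detach it from the config object.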