diff --git a/config_bad-key-revoker.patch b/config_bad-key-revoker.patch index 4defc20..227278f 100644 --- a/config_bad-key-revoker.patch +++ b/config_bad-key-revoker.patch @@ -2,9 +2,9 @@ diff --git a/test/config/bad-key-revoker.json b/test/config/bad-key-revoker.json index 482fd85fc..3e678aa5b 100644 --- a/test/config/bad-key-revoker.json +++ b/test/config/bad-key-revoker.json -@@ -3,6 +3,11 @@ - "dbConnectFile": "test/secrets/badkeyrevoker_dburl", - "maxOpenConns": 10, +@@ -5,6 +5,11 @@ + "maxOpenConns": 10 + }, "debugAddr": ":8020", + "dnsTries": 3, + "dnsResolvers": [ @@ -14,7 +14,7 @@ index 482fd85fc..3e678aa5b 100644 "tls": { "caCertFile": "test/grpc-creds/minica.pem", "certFile": "test/grpc-creds/bad-key-revoker.boulder/cert.pem", -@@ -24,10 +29,14 @@ +@@ -26,10 +31,14 @@ }, "maximumRevocations": 15, "findCertificatesBatchSize": 10, diff --git a/config_expiration-mailer.patch b/config_expiration-mailer.patch index 419dad3..50f59f6 100644 --- a/config_expiration-mailer.patch +++ b/config_expiration-mailer.patch @@ -1,8 +1,8 @@ diff --git a/test/config/expiration-mailer.json b/test/config/expiration-mailer.json -index 444beae43..e9bd228ef 100644 +index 566585628..09ff81a2c 100644 --- a/test/config/expiration-mailer.json +++ b/test/config/expiration-mailer.json -@@ -11,6 +12,11 @@ +@@ -13,6 +13,11 @@ "nagCheckInterval": "24h", "emailTemplate": "test/example-expiration-template", "debugAddr": ":8008", @@ -14,7 +14,7 @@ index 444beae43..e9bd228ef 100644 "tls": { "caCertFile": "test/grpc-creds/minica.pem", "certFile": "test/grpc-creds/expiration-mailer.boulder/cert.pem", -@@ -27,5 +33,10 @@ +@@ -29,5 +34,10 @@ "syslog": { "stdoutlevel": 6, "sysloglevel": 6 diff --git a/config_notify-mailer.patch b/config_notify-mailer.patch index 39e0492..2fd540e 100644 --- a/config_notify-mailer.patch +++ b/config_notify-mailer.patch @@ -1,8 +1,8 @@ 
diff --git a/test/config/notify-mailer.json b/test/config/notify-mailer.json -index 1d17012..0d061b5 100644 +index 261b689e4..15b2be0b8 100644 --- a/test/config/notify-mailer.json +++ b/test/config/notify-mailer.json -@@ -2,11 +2,20 @@ +@@ -2,13 +2,22 @@ "notifyMailer": { "server": "localhost", "port": "9380", @@ -10,8 +10,10 @@ index 1d17012..0d061b5 100644 "username": "cert-manager@example.com", + "from": "notify mailer ", "passwordFile": "test/secrets/smtp_password", - "dbConnectFile": "test/secrets/mailer_dburl", - "maxOpenConns": 10 + "db": { + "dbConnectFile": "test/secrets/mailer_dburl", + "maxOpenConns": 10 + } }, + "pa": { + "challenges": { diff --git a/config_ocsp-responder.patch b/config_ocsp-responder.patch new file mode 100644 index 0000000..7d1e9ac --- /dev/null +++ b/config_ocsp-responder.patch @@ -0,0 +1,15 @@ +diff --git a/test/config/ocsp-responder.json b/test/config/ocsp-responder.json +index fd2c4a8..a5e65d2 100644 +--- a/test/config/ocsp-responder.json ++++ b/test/config/ocsp-responder.json +@@ -7,9 +7,7 @@ + "path": "/", + "listenAddress": "0.0.0.0:4002", + "issuerCerts": [ +- "/tmp/intermediate-cert-rsa-a.pem", +- "/tmp/intermediate-cert-rsa-b.pem", +- "/tmp/intermediate-cert-ecdsa-a.pem" ++ "/tmp/intermediate-cert-rsa-a.pem" + ], + "maxAge": "10s", + "timeout": "4.9s", diff --git a/config_publisher.patch b/config_publisher.patch new file mode 100644 index 0000000..f22ae0b --- /dev/null +++ b/config_publisher.patch 
@@ -0,0 +1,23 @@ +diff --git a/test/config/publisher.json b/test/config/publisher.json +index 6c75f71..54fb877 100644 +--- a/test/config/publisher.json ++++ b/test/config/publisher.json +@@ -6,18 +6,6 @@ + [ + "/tmp/intermediate-cert-rsa-a.pem", + "/tmp/root-cert-rsa.pem" +- ], +- [ +- "/tmp/intermediate-cert-rsa-b.pem", +- "/tmp/root-cert-rsa.pem" +- ], +- [ +- "/tmp/intermediate-cert-ecdsa-a.pem", +- "/tmp/root-cert-ecdsa.pem" +- ], +- [ +- "/tmp/intermediate-cert-ecdsa-b.pem", +- "/tmp/root-cert-ecdsa.pem" + ] + ], + "debugAddr": ":8009", diff --git a/core_interfaces.patch b/core_interfaces.patch index 3366687..2c54808 100644 --- a/core_interfaces.patch +++ b/core_interfaces.patch @@ -1,8 +1,8 @@ diff --git a/core/interfaces.go b/core/interfaces.go -index 3e0d3f1ae..ffbbe7d11 100644 +index 06576845c..a854745fd 100644 --- a/core/interfaces.go +++ b/core/interfaces.go -@@ -113,6 +113,7 @@ type PolicyAuthority interface { +@@ -95,6 +95,7 @@ type PolicyAuthority interface { WillingToIssueWildcards(identifiers []identifier.ACMEIdentifier) error ChallengesFor(domain identifier.ACMEIdentifier) ([]Challenge, error) ChallengeTypeEnabled(t AcmeChallenge) bool diff --git a/docker-compose.patch b/docker-compose.patch index 7c26670..5593dc2 100644 --- a/docker-compose.patch +++ b/docker-compose.patch @@ -1,86 +1,85 @@ diff --git a/docker-compose.yml b/docker-compose.yml -index 13cc6a54b..afbfd4bdf 100644 +index c5d84e1c6..8a57bc326 100644 --- a/docker-compose.yml 
+++ b/docker-compose.yml -@@ -5,7 +5,7 @@ services: - image: letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.15.7_2021-02-25} - environment: - - FAKE_DNS=10.77.77.77 -- - BOULDER_CONFIG_DIR=test/config -+ - BOULDER_CONFIG_DIR=labca/config - - GOFLAGS=-mod=vendor - # This is required so Python doesn't throw an error when printing - # non-ASCII to stdout. -@@ -18,6 +18,7 @@ services: - - RACE - volumes: - - .:/go/src/github.com/letsencrypt/boulder:cached -+ - /home/labca/boulder_labca:/go/src/github.com/letsencrypt/boulder/labca - - ./.gocache:/root/.cache/go-build:cached - networks: - bluenet: -@@ -57,10 +58,18 @@ services: - - 8055:8055 # dns-test-srv updates - depends_on: - - bmysql -- entrypoint: test/entrypoint.sh -+ entrypoint: labca/entrypoint.sh - working_dir: /go/src/github.com/letsencrypt/boulder -+ logging: -+ driver: "json-file" -+ options: -+ max-size: "500k" -+ max-file: "5" -+ restart: always - bmysql: - image: mariadb:10.5 -+ volumes: -+ - dbdata:/var/lib/mysql - networks: - bluenet: - aliases: -@@ -74,20 +83,36 @@ services: - # small. 
- command: mysqld --bind-address=0.0.0.0 --slow-query-log --log-output=TABLE --log-queries-not-using-indexes=ON - logging: -- driver: none -- netaccess: -+ driver: "json-file" -+ options: -+ max-size: "500k" -+ max-file: "5" -+ restart: always -+ labca: - image: letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.15.7_2021-02-25} -- environment: -- GO111MODULE: "on" -- GOFLAGS: "-mod=vendor" - networks: - - bluenet - volumes: -- - .:/go/src/github.com/letsencrypt/boulder -- working_dir: /go/src/github.com/letsencrypt/boulder -- entrypoint: test/entrypoint-netaccess.sh -+ - /home/labca/admin:/go/src/labca -+ - ./.gocache:/root/.cache/go-build -+ - /var/www/html:/wwwstatic -+ - .:/boulder -+ - /home/labca/boulder_labca:/boulder/labca -+ ports: -+ - 3000:3000 - depends_on: - - bmysql -+ working_dir: /go/src/labca -+ command: ./setup.sh -+ logging: -+ driver: "json-file" -+ options: -+ max-size: "500k" -+ max-file: "5" -+ restart: always +@@ -4,10 +4,11 @@ services: + image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.15.7_2021-03-26} + environment: + FAKE_DNS: 10.77.77.77 +- BOULDER_CONFIG_DIR: test/config ++ BOULDER_CONFIG_DIR: labca/config + GOFLAGS: -mod=vendor + volumes: + - .:/go/src/github.com/letsencrypt/boulder:cached ++ - /home/labca/boulder_labca:/go/src/github.com/letsencrypt/boulder/labca + - ./.gocache:/root/.cache/go-build:cached + networks: + bluenet: +@@ -47,11 +48,19 @@ services: + - 8055:8055 # dns-test-srv updates + depends_on: + - bmysql +- entrypoint: test/entrypoint.sh ++ entrypoint: labca/entrypoint.sh + working_dir: &boulder_working_dir /go/src/github.com/letsencrypt/boulder ++ logging: ++ driver: "json-file" ++ options: ++ max-size: "500k" ++ max-file: "5" ++ restart: always + + bmysql: + image: mariadb:10.5 ++ volumes: ++ - dbdata:/var/lib/mysql + networks: + bluenet: + aliases: +@@ -65,22 +74,37 @@ services: + # small. 
+ command: mysqld --bind-address=0.0.0.0 --slow-query-log --log-output=TABLE --log-queries-not-using-indexes=ON + logging: +- driver: none ++ driver: "json-file" ++ options: ++ max-size: "500k" ++ max-file: "5" ++ restart: always + +- netaccess: ++ labca: + image: *boulder_image +- environment: +- GO111MODULE: "on" +- GOFLAGS: -mod=vendor +- BOULDER_CONFIG_DIR: test/config + networks: + - bluenet + volumes: +- - .:/go/src/github.com/letsencrypt/boulder +- working_dir: *boulder_working_dir +- entrypoint: test/entrypoint-netaccess.sh ++ - /home/labca/admin:/go/src/labca ++ - ./.gocache:/root/.cache/go-build ++ - /var/www/html:/wwwstatic ++ - .:/boulder ++ - /home/labca/boulder_labca:/boulder/labca ++ ports: ++ - 3000:3000 + depends_on: + - bmysql ++ working_dir: /go/src/labca ++ command: ./setup.sh ++ logging: ++ driver: "json-file" ++ options: ++ max-size: "500k" ++ max-file: "5" ++ restart: always + +volumes: -+ dbdata: ++ dbdata: networks: bluenet: diff --git a/gui/apply-boulder b/gui/apply-boulder index 985b5bf..9af048c 100755 --- a/gui/apply-boulder +++ b/gui/apply-boulder @@ -27,8 +27,8 @@ if [ "$PKI_DOMAIN_MODE" == "whitelist" ] && [ "$PKI_WHITELIST_DOMAINS" != "" ]; echo " - \"$PKI_WHITELIST_DOMAINS\"" >> hostname-policy.yaml fi if [ "$PKI_DOMAIN_MODE" == "lockdown" ] || [ "$PKI_DOMAIN_MODE" == "whitelist" ]; then - sed -i -e "s/^\(.*\)\(\"n_subject_common_name_included\"\)/\1\2,\n\1\"e_dnsname_not_valid_tld\"/" config/ca-a.json - sed -i -e "s/^\(.*\)\(\"n_subject_common_name_included\"\)/\1\2,\n\1\"e_dnsname_not_valid_tld\"/" config/ca-b.json + sed -i -e "s/\(\"n_subject_common_name_included\"\)/\1,\"e_dnsname_not_valid_tld\"/" config/ca-a.json + sed -i -e "s/\(\"n_subject_common_name_included\"\)/\1,\"e_dnsname_not_valid_tld\"/" config/ca-b.json REPLACEMENT="" if [ "$PKI_DOMAIN_MODE" == "lockdown" ] && [ "$PKI_LOCKDOWN_DOMAINS" != "" ]; then diff --git a/install b/install index 9e0b6eb..66773cc 100755 --- a/install +++ b/install 
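Review bot: The `logging:` block (`driver: "json-file"`, `max-size: "500k"`, `max-file: "5"`) plus `restart: always` is pasted three times into the patched docker-compose.yml, once each for the boulder, bmysql and labca services, and the upstream file this patch now targets already uses YAML anchors (`&boulder_image`, `&boulder_working_dir`), so the patch could declare it once as `logging: &labca_logging` on the first service and reuse it with `logging: *labca_logging` on the other two. The `labca` service also publishes `3000:3000` with no host address, which binds the admin GUI on every host interface; if it is only meant to be reached through the local reverse proxy, `127.0.0.1:3000:3000` narrows that, but I cannot tell the intended exposure from this hunk. The patched file continues past the end of the hunk.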
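Review bot: The rewritten `sed` expressions append `,"e_dnsname_not_valid_tld"` after every `"n_subject_common_name_included"` match on each run of this script, so unless config/ca-a.json and config/ca-b.json are restored from a pristine copy before apply-boulder executes (not visible here), repeated runs accumulate duplicate lint names in that list. Guarding the edit makes it idempotent either way: `grep -q '"e_dnsname_not_valid_tld"' config/ca-a.json || sed -i -e "s/\(\"n_subject_common_name_included\"\)/\1,\"e_dnsname_not_valid_tld\"/" config/ca-a.json`, and the same for ca-b.json. Dropping the `^\(.*\)` capture and the `\n` also changes the output from a separate indented line to an inline `,"..."`, which is still valid JSON but worth a quick look against the list's formatting.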
@@ -24,7 +24,7 @@ dockerComposeVersion="1.28.5" labcaUrl="https://github.com/hakwerk/labca/" boulderUrl="https://github.com/letsencrypt/boulder/" -boulderTag="release-2021-03-01" +boulderTag="release-2021-03-29" # # Color configuration @@ -367,6 +367,7 @@ update_upgrade() { msg_info "Making sure all software is up-to-date" apt update &>>$installLog apt upgrade -y &>>$installLog + apt autoremove -y &>>$installLog msg_ok "Software is up-to-date" } @@ -553,6 +554,8 @@ config_boulder() { sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/expiration-mailer.json" < $cloneDir/config_expiration-mailer.patch &>>$installLog sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/notify-mailer.json" < $cloneDir/config_notify-mailer.patch &>>$installLog sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/bad-key-revoker.json" < $cloneDir/config_bad-key-revoker.patch &>>$installLog + sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/ocsp-responder.json" < $cloneDir/config_ocsp-responder.patch &>>$installLog + sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/publisher.json" < $cloneDir/config_publisher.patch &>>$installLog sed -i -e "s|https://letsencrypt.org/docs/rate-limits/|http://$LABCA_FQDN/rate-limits|" errors/errors.go &>>$installLog cp errors/errors.go "$boulderLabCADir/.backup/" 
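Review bot: The two added `patch -p1 -o ...` invocations, like the existing ones above them, send all output to `$installLog` and never test the exit status, so a patch that no longer applies to the upstream ocsp-responder.json or publisher.json (exactly the drift this commit is chasing) leaves a partial output file and the installer keeps going. Unless the script runs under `set -e`, which is not visible in this hunk, each line should carry a failure branch, e.g. `sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/ocsp-responder.json" < $cloneDir/config_ocsp-responder.patch &>>$installLog || exit 1`. `$cloneDir` is unquoted in the redirection; that matches the surrounding lines but breaks on paths with spaces. config_boulder() starts and ends outside the hunk.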
@@ -583,6 +586,10 @@ config_boulder() { sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ra.json sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/wfe.json sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/wfe2.json + sed -i -e "s|/tmp/root-cert-rsa.pem|labca/test-root.pem|" config/publisher.json + sed -i -e "s|/tmp/root-cert-rsa.pem|labca/test-root.pem|" integration-test.py + sed -i -e "s|/tmp/root-cert-rsa.pem|labca/test-root.pem|" helpers.py + sed -i -e "s|/tmp/root-cert-rsa.pem|labca/test-root.pem|" v1_integration.py sed -i -e "s/5001/443/g" config/va.json sed -i -e "s/5002/80/g" config/va.json sed -i -e "s/5001/443/g" config/va-remote-a.json @@ -620,6 +627,7 @@ config_boulder() { sed -i -e "s/names/name\(s\)/" example-expiration-template rm test-ca2.pem + ([ -e mock-vendor.go ] && rm mock-vendor.go) || /bin/true local have_config=$(grep restarted $adminDir/data/config.json | grep true) if [ "$have_config" != "" ]; then @@ -694,11 +702,11 @@ startup() { msg_info "$msg (this will take a while!!)" docker-compose stop &>>$installLog || true - docker stop boulder_bhsm_1 &>>$installLog | /bin/true + [ -z "$(docker ps | grep boulder_bhsm_1)" ] || docker stop boulder_bhsm_1 &>>$installLog wait_down $PS_MYSQL &>>$installLog wait_down $PS_LABCA &>>$installLog wait_down $PS_BOULDER &>>$installLog - docker rm -f boulder_bhsm_1 &>>$installLog | /bin/true + [ -z "$(docker ps | grep boulder_bhsm_1)" ] || docker rm -f boulder_bhsm_1 &>>$installLog docker-compose up -d &>>$installLog [ -h "/etc/init.d/labca" ] || ln -s "$cloneDir/init_d" /etc/init.d/labca @@ -711,6 +719,7 @@ startup() { wait_up $PS_MYSQL &>>$installLog wait_up $PS_LABCA &>>$installLog + docker exec -it boulder_bmysql_1 mysql_upgrade &>>$installLog [ -f "$boulderLabCADir/setup_complete" ] && wait_up $PS_BOULDER $PS_BOULDER_COUNT &>>$installLog || /bin/true msg_ok "$msg" diff --git a/ra_ra.patch b/ra_ra.patch index 7e69753..cd93566 100644 
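Review bot: The new sed lines rewrite only `/tmp/root-cert-rsa.pem`, while config_ocsp-responder.patch and config_publisher.patch in this same commit leave `/tmp/intermediate-cert-rsa-a.pem` in ocsp-responder.json and publisher.json, and the hunk rewrites that intermediate path for ra.json, wfe.json and wfe2.json only. If no line outside this hunk covers those two files, the OCSP responder and publisher would be configured with a certificate path that does not exist in the LabCA tree and could not load their issuer, so `sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ocsp-responder.json` and the same for config/publisher.json belong here unless handled earlier. config_boulder() starts and ends outside the hunk.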
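Review bot: `([ -e mock-vendor.go ] && rm mock-vendor.go) || /bin/true` spawns a subshell and a fallback command to express what `rm -f mock-vendor.go` already does, since `-f` ignores a missing file and exits zero. The shorter form also avoids the `-e` test racing with the removal. config_boulder() continues outside the hunk.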
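Review bot: The guard in front of `docker rm -f boulder_bhsm_1` uses `docker ps`, which lists only running containers; the `docker stop boulder_bhsm_1` a few lines earlier (and the wait_down calls) leave the container stopped but present, so the removal is now skipped and the stale bhsm container survives into `docker-compose up -d`. The removal guard should look at all containers: `[ -z "$(docker ps -a | grep -w boulder_bhsm_1)" ] || docker rm -f boulder_bhsm_1 &>>$installLog`. `grep -w` also keeps both guards from matching a longer name that merely contains `boulder_bhsm_1`. Replacing the old `| /bin/true` pipe with `||` is the right fix for the swallowed exit status. startup() starts and ends outside the hunk.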
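Review bot: `docker exec -it boulder_bmysql_1 mysql_upgrade` requests a TTY, which fails with "the input device is not a TTY" whenever the installer runs without one (piped into bash, from cron, or with output redirected), and because the output goes to `$installLog` the failure is invisible. Drop the flags: `docker exec boulder_bmysql_1 mysql_upgrade &>>$installLog`. The exit status is also not checked, and if the mariadb image requires credentials for mysql_upgrade the call silently does nothing, which is worth confirming. startup() continues outside the hunk.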
--- a/ra_ra.patch +++ b/ra_ra.patch @@ -1,5 +1,5 @@ diff --git a/ra/ra.go b/ra/ra.go -index cefe8ad1..faaeae66 100644 +index 16e277e9d..159f74f29 100644 --- a/ra/ra.go +++ b/ra/ra.go @@ -30,7 +30,6 @@ import ( @@ -8,9 +8,9 @@ index cefe8ad1..faaeae66 100644 "github.com/letsencrypt/boulder/metrics" - "github.com/letsencrypt/boulder/policy" "github.com/letsencrypt/boulder/probs" + pubpb "github.com/letsencrypt/boulder/publisher/proto" rapb "github.com/letsencrypt/boulder/ra/proto" - "github.com/letsencrypt/boulder/ratelimit" -@@ -406,7 +405,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(ctx context.Context, conta +@@ -442,7 +441,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(ctx context.Context, conta contact, ) } diff --git a/test_config_ca_a.patch b/test_config_ca_a.patch index 0fe67c5..52cac89 100644 --- a/test_config_ca_a.patch +++ b/test_config_ca_a.patch @@ -1,17 +1,25 @@ diff --git a/test/config/ca-a.json b/test/config/ca-a.json -index 51f8416..7668fd5 100644 +index 92b32f094..e220d7d4f 100644 --- a/test/config/ca-a.json 
+++ b/test/config/ca-a.json -@@ -122,11 +122,7 @@ - "ecdsaProfile": "ecdsaEE", - "issuers": [{ - "configFile": "test/test-ca.key-pkcs11.json", -- "certFile": "/tmp/intermediate-cert-rsa-a.pem", -- "numSessions": 2 -- },{ -- "configFile": "test/test-ca.key-pkcs11.json", -- "certFile": "/tmp/intermediate-cert-rsa-b.pem", -+ "certFile": "test/test-ca.pem", - "numSessions": 2 - }], - "expiry": "2160h", +@@ -58,19 +58,7 @@ + "crlURL": "http://example.com/crl", + "location": { + "configFile": "test/test-ca.key-pkcs11.json", +- "certFile": "/tmp/intermediate-cert-rsa-a.pem", +- "numSessions": 2 +- } +- }, +- { +- "useForRSALeaves": false, +- "useForECDSALeaves": false, +- "issuerURL": "http://127.0.0.1:4000/acme/issuer-cert", +- "ocspURL": "http://127.0.0.1:4002/", +- "crlURL": "http://example.com/crl", +- "location": { +- "configFile": "test/test-ca.key-pkcs11.json", +- "certFile": "/tmp/intermediate-cert-rsa-b.pem", ++ "certFile": "test/test-ca.pem", + "numSessions": 2 + } + } diff --git a/test_config_ca_b.patch b/test_config_ca_b.patch index 078ea9d..0e59588 100644 --- a/test_config_ca_b.patch +++ b/test_config_ca_b.patch @@ -1,17 +1,25 @@ diff --git a/test/config/ca-b.json b/test/config/ca-b.json -index 6478be1..6e1e828 100644 +index 6c7d9d272..4e428bc4a 100644 --- a/test/config/ca-b.json 
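Review bot: The surviving issuer's `certFile` becomes `test/test-ca.pem`, whereas the install script in this commit rewrites the same upstream path to `labca/test-ca.pem` for ra.json, wfe.json and wfe2.json; unless a later step maps `test/test-ca.pem` to the labca location or both paths hold the same certificate (neither is visible here), the CA would sign with a certificate different from the one the RA and WFE treat as issuer, breaking chain validation and OCSP issuer matching. Worth confirming that every component ends up on one file. Removing the second issuer block also drops its `useForRSALeaves`/`useForECDSALeaves` entries, so the single remaining issuer must be the one flagged for RSA leaves in the lines above the hunk. test_config_ca_b.patch carries the identical change and the same question.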
+++ b/test/config/ca-b.json -@@ -122,11 +122,7 @@ - "ecdsaProfile": "ecdsaEE", - "issuers": [{ - "configFile": "test/test-ca.key-pkcs11.json", -- "certFile": "/tmp/intermediate-cert-rsa-a.pem", -- "numSessions": 2 -- },{ -- "configFile": "test/test-ca.key-pkcs11.json", -- "certFile": "/tmp/intermediate-cert-rsa-b.pem", -+ "certFile": "test/test-ca.pem", - "numSessions": 2 - }], - "expiry": "2160h", +@@ -58,19 +58,7 @@ + "crlURL": "http://example.com/crl", + "location": { + "configFile": "test/test-ca.key-pkcs11.json", +- "certFile": "/tmp/intermediate-cert-rsa-a.pem", +- "numSessions": 2 +- } +- }, +- { +- "useForRSALeaves": false, +- "useForECDSALeaves": false, +- "issuerURL": "http://127.0.0.1:4000/acme/issuer-cert", +- "ocspURL": "http://127.0.0.1:4002/", +- "crlURL": "http://example.com/crl", +- "location": { +- "configFile": "test/test-ca.key-pkcs11.json", +- "certFile": "/tmp/intermediate-cert-rsa-b.pem", ++ "certFile": "test/test-ca.pem", + "numSessions": 2 + } + }