diff --git a/gui/certificate.go b/gui/certificate.go
index b8d86ed..01fc855 100644
--- a/gui/certificate.go
+++ b/gui/certificate.go
@@ -324,8 +324,19 @@ func (ci *CertificateInfo) Upload(path string, certBase string, tmpKey string, t
 return reportError(err)
 }
- err := ioutil.WriteFile(tmpCert, []byte(ci.Certificate), 0644)
- return err
+ if err := ioutil.WriteFile(tmpCert, []byte(ci.Certificate), 0644); err != nil {
+ return err
+ }
+
+ if _, err := exeCmd("openssl x509 -in " + tmpCert + " -out " + tmpCert + "-out"); err != nil {
+ return reportError(err)
+ }
+
+ if _, err := exeCmd("mv " + tmpCert + "-out " + tmpCert); err != nil {
+ return reportError(err)
+ }
+
+ return nil
 }
 // ImportCerts imports both the root and the issuer certificates
diff --git a/gui/templates/base.tmpl b/gui/templates/base.tmpl
index 24d51b6..a2c07fb 100644
--- a/gui/templates/base.tmpl
+++ b/gui/templates/base.tmpl
@@ -32,7 +32,7 @@ {{ if .Version }}{{ .Version }}{{ end }}
diff --git a/install b/install
index cc96a60..d7f29ba 100755
--- a/install
+++ b/install
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 # LabCA: a private Certificate Authority for internal lab usage
-# (c) 2018-2021 Arjan Hakkesteegt
+# (c) 2018-2022 Arjan Hakkesteegt
 #
 # Install with this command from a Linux machine (only tested with Debian 9):
 # curl -sSL https://raw.githubusercontent.com/hakwerk/labca/master/install | bash
@@ -24,7 +24,7 @@
 dockerComposeVersion="1.28.5"
 labcaUrl="https://github.com/hakwerk/labca/"
 boulderUrl="https://github.com/letsencrypt/boulder/"
-boulderTag="release-2021-12-06"
+boulderTag="release-2022-02-01"
 # Feature flags
 flag_skip_redis=true
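Review bot: The two new exeCmd calls in Upload build their command lines by concatenating tmpCert into a string, so a path with spaces or shell metacharacters either breaks the command or, if exeCmd hands the string to a shell (its implementation is not visible here), is interpreted as extra arguments; the uploaded ci.Certificate only reaches openssl through the file, but the whole normalisation step can be done in-process without a subprocess. Parsing the upload with encoding/pem and crypto/x509, rejecting anything that is not a CERTIFICATE block, and writing the re-encoded block straight to tmpCert also removes the `tmpCert-out` file that is left behind when the mv step fails, and lets the first error path use reportError like the other two instead of a bare `return err`. This needs `encoding/pem`, `crypto/x509` and `errors` in the import block if they are not there already, and one difference to confirm is that x509.ParseCertificate is stricter than `openssl x509` for some malformed certificates. Upload's body starts before this hunk.
```go
	// … unchanged: key handling above …
	block, _ := pem.Decode([]byte(ci.Certificate))
	if block == nil || block.Type != "CERTIFICATE" {
		return reportError(errors.New("uploaded data is not a PEM-encoded certificate"))
	}
	if _, err := x509.ParseCertificate(block.Bytes); err != nil {
		return reportError(err)
	}
	normalized := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: block.Bytes})
	if err := ioutil.WriteFile(tmpCert, normalized, 0644); err != nil {
		return reportError(err)
	}
	return nil
```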
@@ -588,6 +588,9 @@ config_boulder() {
 sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/bad-key-revoker.json" < $cloneDir/patches/config_bad-key-revoker.patch &>>$installLog
 sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/ocsp-responder.json" < $cloneDir/patches/config_ocsp-responder.patch &>>$installLog
 sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/publisher.json" < $cloneDir/patches/config_publisher.patch &>>$installLog
+ sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/wfe2.json" < $cloneDir/patches/config_wfe2.patch &>>$installLog
+ sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/rocsp-tool.json" < $cloneDir/patches/config_rocsp-tool.patch &>>$installLog
+ sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/orphan-finder.json" < $cloneDir/patches/config_orphan-finder.patch &>>$installLog
 sed -i -e "s|https://letsencrypt.org/docs/rate-limits/|http://$LABCA_FQDN/rate-limits|" errors/errors.go &>>$installLog
 cp errors/errors.go "$boulderLabCADir/.backup/"
@@ -619,7 +622,15 @@ config_boulder() {
 sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ra.json
 sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/wfe.json
 sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/wfe2.json
+ sed -i -e "s|.hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/rocsp-tool.json
+ sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/orphan-finder.json
+ sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" issuer-ocsp-responder.json
+ sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" cert-ceremonies/intermediate-ocsp-rsa.yaml
+ sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" cert-ceremonies/root-ceremony-rsa.yaml
+ sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" cert-ceremonies/intermediate-ocsp-rsa.yaml
+ sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" cert-ceremonies/intermediate-ceremony-rsa.yaml
 sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" config/publisher.json
+ sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" config/wfe2.json
 sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" integration-test.py
 sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" helpers.py
 sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" v1_integration.py
@@ -746,6 +757,7 @@ startup() {
 fi
 msg_info "$msg (this will take a while!!)"
+ docker-compose pull -q &>>$installLog
 docker-compose stop &>>$installLog || true
 for ct in boulder_bhsm_1 boulder_bredis_1 boulder_bredis_2 boulder_bredis_3 boulder_bredis_4 boulder_bredis_5 boulder_bredis_6; do
 [ -z "$(docker ps | grep $ct)" ] || docker stop $ct &>>$installLog
diff --git a/patches/bad-key-revoker_main.patch b/patches/bad-key-revoker_main.patch
index 72f6fc8..db100b1 100644
--- a/patches/bad-key-revoker_main.patch
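Review bot: The added `docker-compose pull -q &>>$installLog` in startup() has no handling for a failed pull, unlike the `docker-compose stop ... || true` right below it: with all output sent to the log, a registry or network error is invisible to the user, and the script then either aborts on that line (if it runs under `set -e`, which is not visible here) or silently carries on and starts whatever images happen to be cached locally. Either outcome should at least be reported; something like `docker-compose pull -q &>>$installLog || msg_info "image pull failed, continuing with locally cached images (see $installLog)"`, using whichever warning helper the script provides, makes the stale-image case visible. Since the pull runs on every install, it is also worth a comment noting which of the images are pinned by tag and which float, so a refreshed upstream image is a conscious choice rather than a side effect. startup() begins before this hunk.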
+++ b/patches/bad-key-revoker_main.patch @@ -1,5 +1,5 @@ diff --git a/cmd/bad-key-revoker/main.go b/cmd/bad-key-revoker/main.go -index 3f3a953d3..c02b4dfc1 100644 +index 8ae11c24..ce24a792 100644 --- a/cmd/bad-key-revoker/main.go +++ b/cmd/bad-key-revoker/main.go @@ -15,6 +15,7 @@ import ( @@ -10,30 +10,30 @@ index 3f3a953d3..c02b4dfc1 100644 "github.com/letsencrypt/boulder/cmd" "github.com/letsencrypt/boulder/core" "github.com/letsencrypt/boulder/db" -@@ -352,6 +353,9 @@ func main() { - TLS cmd.TLSConfig - RAService *cmd.GRPCClientConfig +@@ -351,6 +352,9 @@ type Config struct { + TLS cmd.TLSConfig + RAService *cmd.GRPCClientConfig -+ DNSTries int -+ DNSResolvers []string ++ DNSTries int ++ DNSResolvers []string + - // MaximumRevocations specifies the maximum number of certificates associated with - // a key hash that bad-key-revoker will attempt to revoke. If the number of certificates - // is higher than MaximumRevocations bad-key-revoker will error out and refuse to -@@ -385,6 +389,12 @@ func main() { + // MaximumRevocations specifies the maximum number of certificates associated with + // a key hash that bad-key-revoker will attempt to revoke. If the number of certificates + // is higher than MaximumRevocations bad-key-revoker will error out and refuse to +@@ -384,6 +388,12 @@ type Config struct { - Syslog cmd.SyslogConfig - Beeline cmd.BeelineConfig + Syslog cmd.SyslogConfig + Beeline cmd.BeelineConfig + -+ Common struct { -+ DNSResolver string -+ DNSTimeout string -+ DNSAllowLoopbackAddresses bool -+ } - } - configPath := flag.String("config", "", "File path to the configuration file for this service") - flag.Parse() -@@ -434,6 +444,32 @@ func main() { ++ Common struct { ++ DNSResolver string ++ DNSTimeout string ++ DNSAllowLoopbackAddresses bool ++ } + } + + func main() { +@@ -421,6 +431,32 @@ func main() { cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to RA") rac := rapb.NewRegistrationAuthorityClient(conn) 
@@ -66,7 +66,7 @@ index 3f3a953d3..c02b4dfc1 100644 var smtpRoots *x509.CertPool if config.BadKeyRevoker.Mailer.SMTPTrustedRootFile != "" { pem, err := ioutil.ReadFile(config.BadKeyRevoker.Mailer.SMTPTrustedRootFile) -@@ -455,6 +491,7 @@ func main() { +@@ -442,6 +478,7 @@ func main() { config.BadKeyRevoker.Mailer.Username, smtpPassword, smtpRoots, diff --git a/patches/cert-checker_main.patch b/patches/cert-checker_main.patch index 42d553e..070caef 100644 --- a/patches/cert-checker_main.patch +++ b/patches/cert-checker_main.patch @@ -1,20 +1,20 @@ diff --git a/cmd/cert-checker/main.go b/cmd/cert-checker/main.go -index fbdd9bb8..dc7fa4fd 100644 +index cfc72632..de4b01ca 100644 --- a/cmd/cert-checker/main.go +++ b/cmd/cert-checker/main.go -@@ -90,9 +90,10 @@ type certChecker struct { +@@ -93,9 +93,10 @@ type certChecker struct { issuedReport report checkPeriod time.Duration acceptableValidityDurations map[time.Duration]bool + skipForbiddenDomains bool } --func newChecker(saDbMap certDB, clk clock.Clock, pa core.PolicyAuthority, period time.Duration, avd map[time.Duration]bool) certChecker { -+func newChecker(saDbMap certDB, clk clock.Clock, pa core.PolicyAuthority, period time.Duration, avd map[time.Duration]bool, sfd bool) certChecker { +-func newChecker(saDbMap certDB, clk clock.Clock, pa core.PolicyAuthority, kp goodkey.KeyPolicy, period time.Duration, avd map[time.Duration]bool) certChecker { ++func newChecker(saDbMap certDB, clk clock.Clock, pa core.PolicyAuthority, kp goodkey.KeyPolicy, period time.Duration, avd map[time.Duration]bool, sfd bool) certChecker { return certChecker{ pa: pa, - dbMap: saDbMap, -@@ -102,6 +103,7 @@ func newChecker(saDbMap certDB, clk clock.Clock, pa core.PolicyAuthority, period + kp: kp, +@@ -106,6 +107,7 @@ func newChecker(saDbMap certDB, clk clock.Clock, pa core.PolicyAuthority, kp goo issuedReport: report{Entries: make(map[string]reportEntry)}, checkPeriod: period, acceptableValidityDurations: avd, 
@@ -22,7 +22,7 @@ index fbdd9bb8..dc7fa4fd 100644 } } -@@ -271,7 +273,7 @@ func (c *certChecker) checkCert(cert core.Certificate, ignoredLints map[string]b +@@ -275,7 +277,7 @@ func (c *certChecker) checkCert(cert core.Certificate, ignoredLints map[string]b err = c.pa.WillingToIssueWildcards([]identifier.ACMEIdentifier{id}) if err != nil { problems = append(problems, fmt.Sprintf("Policy Authority isn't willing to issue for '%s': %s", name, err)) @@ -31,7 +31,7 @@ index fbdd9bb8..dc7fa4fd 100644 // For defense-in-depth, even if the PA was willing to issue for a name // we double check it against a list of forbidden domains. This way even // if the hostnamePolicyFile malfunctions we will flag the forbidden -@@ -309,11 +311,12 @@ type config struct { +@@ -326,11 +328,12 @@ type Config struct { DB cmd.DBConfig cmd.HostnamePolicyConfig @@ -49,7 +49,7 @@ index fbdd9bb8..dc7fa4fd 100644 // AcceptableValidityDurations is a list of durations which are // acceptable for certificates we issue. -@@ -364,6 +367,8 @@ func main() { +@@ -386,6 +389,8 @@ func main() { acceptableValidityDurations[ninetyDays] = true } @@ -58,8 +58,8 @@ index fbdd9bb8..dc7fa4fd 100644 // Validate PA config and set defaults if needed. cmd.FailOnError(config.PA.CheckChallenges(), "Invalid PA configuration") -@@ -412,6 +417,7 @@ func main() { - pa, +@@ -421,6 +426,7 @@ func main() { + kp, config.CertChecker.CheckPeriod.Duration, acceptableValidityDurations, + skipForbiddenDomains, diff --git a/patches/cmd_shell.patch b/patches/cmd_shell.patch index ec343b0..bb9964b 100644 --- a/patches/cmd_shell.patch +++ b/patches/cmd_shell.patch @@ -2,7 +2,7 @@ diff --git a/cmd/shell.go b/cmd/shell.go index 38f1edaf4..795815483 100644 --- a/cmd/shell.go +++ b/cmd/shell.go -@@ -165,7 +165,7 @@ func NewLogger(logConf SyslogConfig) blog.Logger { +@@ -173,7 +173,7 @@ func NewLogger(logConf SyslogConfig) blog.Logger { // Boulder's conception of time. go func() { for { 
diff --git a/patches/config_orphan-finder.patch b/patches/config_orphan-finder.patch
new file mode 100644
index 0000000..751c4a7
--- /dev/null
+++ b/patches/config_orphan-finder.patch
@@ -0,0 +1,15 @@
+diff --git a/test/config/orphan-finder.json b/test/config/orphan-finder.json
+index 9ed90276..7c9158d0 100644
+--- a/test/config/orphan-finder.json
++++ b/test/config/orphan-finder.json
+@@ -1,9 +1,7 @@
+ {
+ "backdate": "1h",
+ "issuerCerts": [
+- "/hierarchy/intermediate-cert-rsa-a.pem",
+- "/hierarchy/intermediate-cert-rsa-b.pem",
+- "/hierarchy/intermediate-cert-ecdsa-a.pem"
++ "/hierarchy/intermediate-cert-rsa-a.pem"
+ ],
+
+
diff --git a/patches/config_rocsp-tool.patch b/patches/config_rocsp-tool.patch
new file mode 100644
index 0000000..5dbb5b2
--- /dev/null
+++ b/patches/config_rocsp-tool.patch
@@ -0,0 +1,16 @@
+diff --git a/test/config/rocsp-tool.json b/test/config/rocsp-tool.json
+index 9b0a1d13..eace2cf9 100644
+--- a/test/config/rocsp-tool.json
++++ b/test/config/rocsp-tool.json
+@@ -34,10 +34,7 @@
+ }
+ },
+ "issuers": {
+- ".hierarchy/intermediate-cert-ecdsa-a.pem": 1,
+- ".hierarchy/intermediate-cert-ecdsa-b.pem": 2,
+- ".hierarchy/intermediate-cert-rsa-a.pem": 3,
+- ".hierarchy/intermediate-cert-rsa-b.pem": 4
++ ".hierarchy/intermediate-cert-rsa-a.pem": 1
+ }
+ }
+ }
diff --git a/patches/config_wfe2.patch b/patches/config_wfe2.patch
new file mode 100644
index 0000000..ba850be
--- /dev/null
+++ b/patches/config_wfe2.patch
@@ -0,0 +1,23 @@ +diff --git a/test/config/wfe2.json b/test/config/wfe2.json +index c0093044..e8ba4263 100644 +--- a/test/config/wfe2.json ++++ b/test/config/wfe2.json +@@ -43,18 +43,6 @@ + [ + "/hierarchy/intermediate-cert-rsa-a.pem", + "/hierarchy/root-cert-rsa.pem" +- ], +- [ +- "/hierarchy/intermediate-cert-rsa-b.pem", +- "/hierarchy/root-cert-rsa.pem" +- ], +- [ +- "/hierarchy/intermediate-cert-ecdsa-a.pem", +- "/hierarchy/root-cert-ecdsa.pem" +- ], +- [ +- "/hierarchy/intermediate-cert-ecdsa-b.pem", +- "/hierarchy/root-cert-ecdsa.pem" + ] + ], + "staleTimeout": "5m", diff --git a/patches/contact-auditor_main.patch b/patches/contact-auditor_main.patch index 4a02d4f..5812134 100644 --- a/patches/contact-auditor_main.patch +++ b/patches/contact-auditor_main.patch @@ -1,15 +1,15 @@ diff --git a/cmd/contact-auditor/main.go b/cmd/contact-auditor/main.go -index 88792e42a..26dfed7e5 100644 +index e595af47..b00458c5 100644 --- a/cmd/contact-auditor/main.go +++ b/cmd/contact-auditor/main.go @@ -12,6 +12,7 @@ import ( "time" - "github.com/go-sql-driver/mysql" -+ "github.com/letsencrypt/boulder/core" "github.com/letsencrypt/boulder/cmd" ++ "github.com/letsencrypt/boulder/core" blog "github.com/letsencrypt/boulder/log" "github.com/letsencrypt/boulder/policy" + "github.com/letsencrypt/boulder/sa" @@ -49,9 +50,12 @@ func validateContacts(id int64, createdAt string, contacts []string) error { fmt.Fprintf(&probsBuff, "%d\t%s\tvalidation\t%q\t%q\n", id, createdAt, contact, prob) } diff --git a/patches/core_interfaces.patch b/patches/core_interfaces.patch index da24fea..034a183 100644 --- a/patches/core_interfaces.patch +++ b/patches/core_interfaces.patch @@ -2,7 +2,7 @@ diff --git a/core/interfaces.go b/core/interfaces.go index d19eb4fb8..3ae50d737 100644 --- a/core/interfaces.go 
+++ b/core/interfaces.go -@@ -50,4 +50,5 @@ type PolicyAuthority interface { +@@ -11,4 +11,5 @@ type PolicyAuthority interface { WillingToIssueWildcards(identifiers []identifier.ACMEIdentifier) error ChallengesFor(domain identifier.ACMEIdentifier) ([]Challenge, error) ChallengeTypeEnabled(t AcmeChallenge) bool diff --git a/patches/docker-compose-redis.patch b/patches/docker-compose-redis.patch index ad65784..24aac52 100644 --- a/patches/docker-compose-redis.patch +++ b/patches/docker-compose-redis.patch @@ -11,7 +11,7 @@ index c1d54f23..2b6de7cb 100644 # Use sd-test-srv as a backup to Docker's embedded DNS server # (https://docs.docker.com/config/containers/container-networking/#dns-services). # If there's a name Docker's DNS server doesn't know about, it will -@@ -36,7 +34,6 @@ services: +@@ -34,7 +32,6 @@ services: - 8055:8055 # dns-test-srv updates depends_on: - bmysql @@ -19,7 +19,7 @@ index c1d54f23..2b6de7cb 100644 entrypoint: labca/entrypoint.sh working_dir: &boulder_working_dir /go/src/github.com/letsencrypt/boulder logging: -@@ -69,78 +66,6 @@ services: +@@ -67,78 +64,6 @@ services: max-file: "5" restart: always @@ -98,7 +98,7 @@ index c1d54f23..2b6de7cb 100644 labca: image: *boulder_image -@@ -181,10 +106,3 @@ networks: +@@ -179,10 +104,3 @@ networks: driver: default config: - subnet: 10.88.88.0/24 diff --git a/patches/docker-compose.patch b/patches/docker-compose.patch index b2b7314..bc21485 100644 --- a/patches/docker-compose.patch +++ b/patches/docker-compose.patch @@ -3,7 +3,7 @@ index f515225e4..c1d54f235 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -4,10 +4,11 @@ services: - image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.17_2021-10-22} + image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.17.5_2022-01-13} environment: FAKE_DNS: 10.77.77.77 - BOULDER_CONFIG_DIR: test/config 
@@ -15,7 +15,7 @@ index f515225e4..c1d54f235 100644 - ./.gocache:/root/.cache/go-build:cached - ./.hierarchy:/hierarchy/:cached - ./.softhsm-tokens/:/var/lib/softhsm/tokens/:cached -@@ -36,11 +37,19 @@ services: +@@ -34,11 +35,19 @@ services: depends_on: - bmysql - bredis_clusterer @@ -36,7 +36,7 @@ index f515225e4..c1d54f235 100644 networks: bluenet: aliases: -@@ -54,7 +63,11 @@ services: +@@ -52,7 +61,11 @@ services: # small. command: mysqld --bind-address=0.0.0.0 --slow-query-log --log-output=TABLE --log-queries-not-using-indexes=ON logging: @@ -49,7 +49,7 @@ index f515225e4..c1d54f235 100644 bredis_1: image: redis:latest -@@ -129,18 +142,31 @@ services: +@@ -127,18 +140,31 @@ services: aliases: - boulder-redis-clusterer diff --git a/patches/expiration-mailer_main.patch b/patches/expiration-mailer_main.patch index 0f88520..db83d7c 100644 --- a/patches/expiration-mailer_main.patch +++ b/patches/expiration-mailer_main.patch @@ -1,5 +1,5 @@ diff --git a/cmd/expiration-mailer/main.go b/cmd/expiration-mailer/main.go -index 862ed2fe7..e8b0aac3d 100644 +index f488b73c..ef2ed34a 100644 --- a/cmd/expiration-mailer/main.go +++ b/cmd/expiration-mailer/main.go @@ -22,6 +22,7 @@ import ( @@ -19,7 +19,7 @@ index 862ed2fe7..e8b0aac3d 100644 ) type regStore interface { -@@ -408,6 +409,9 @@ type config struct { +@@ -409,6 +410,9 @@ type Config struct { TLS cmd.TLSConfig SAService *cmd.GRPCClientConfig @@ -29,7 +29,7 @@ index 862ed2fe7..e8b0aac3d 100644 // Path to a file containing a list of trusted root certificates for use // during the SMTP connection (as opposed to the gRPC connections). SMTPTrustedRootFile string -@@ -417,6 +421,12 @@ type config struct { +@@ -418,6 +422,12 @@ type Config struct { Syslog cmd.SyslogConfig Beeline cmd.BeelineConfig 
@@ -42,7 +42,7 @@ index 862ed2fe7..e8b0aac3d 100644 } func initStats(stats prometheus.Registerer) mailerStats { -@@ -535,6 +545,32 @@ func main() { +@@ -520,6 +530,32 @@ func main() { cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA") sac := sapb.NewStorageAuthorityClient(conn) @@ -75,7 +75,7 @@ index 862ed2fe7..e8b0aac3d 100644 var smtpRoots *x509.CertPool if c.Mailer.SMTPTrustedRootFile != "" { pem, err := ioutil.ReadFile(c.Mailer.SMTPTrustedRootFile) -@@ -570,6 +606,7 @@ func main() { +@@ -555,6 +591,7 @@ func main() { c.Mailer.Username, smtpPassword, smtpRoots, diff --git a/patches/notify-mailer_main.patch b/patches/notify-mailer_main.patch index c21c450..532ba47 100644 --- a/patches/notify-mailer_main.patch +++ b/patches/notify-mailer_main.patch @@ -1,8 +1,8 @@ diff --git a/cmd/notify-mailer/main.go b/cmd/notify-mailer/main.go -index fa2aac74e..08430ee10 100644 +index f281d85c..449845dc 100644 --- a/cmd/notify-mailer/main.go +++ b/cmd/notify-mailer/main.go -@@ -37,6 +37,7 @@ type mailer struct { +@@ -36,6 +36,7 @@ type mailer struct { recipients []recipient targetRange interval sleepInterval time.Duration 
@@ -10,26 +10,26 @@ index fa2aac74e..08430ee10 100644 } // interval defines a range of email addresses to send to in alphabetical order. -@@ -151,7 +152,7 @@ func (m *mailer) run() error { +@@ -152,7 +153,7 @@ func (m *mailer) run() error { continue } -- if err := policy.ValidEmail(address); err != nil { -+ if err := m.pa.ValidEmail(address); err != nil { +- err := policy.ValidEmail(address) ++ err := m.pa.ValidEmail(address) + if err != nil { m.log.Infof("Skipping %q due to policy violation: %s", address, err) continue - } -@@ -477,7 +478,9 @@ func main() { - NotifyMailer struct { - DB cmd.DBConfig - cmd.SMTPConfig -+ cmd.HostnamePolicyConfig - } -+ PA cmd.PAConfig - Syslog cmd.SyslogConfig +@@ -448,7 +449,9 @@ type Config struct { + NotifyMailer struct { + DB cmd.DBConfig + cmd.SMTPConfig ++ cmd.HostnamePolicyConfig } ++ PA cmd.PAConfig + Syslog cmd.SyslogConfig + } -@@ -531,6 +534,14 @@ func main() { +@@ -512,6 +515,14 @@ func main() { log.Infof("While reading the recipient list file %s", probs) } @@ -44,7 +44,7 @@ index fa2aac74e..08430ee10 100644 var mailClient bmail.Mailer if *dryRun { log.Infof("Starting %s in dry-run mode", cmd.VersionString()) -@@ -546,6 +557,7 @@ func main() { +@@ -527,6 +538,7 @@ func main() { cfg.NotifyMailer.Username, smtpPassword, nil, @@ -52,7 +52,7 @@ index fa2aac74e..08430ee10 100644 *address, log, metrics.NoopRegisterer, -@@ -566,6 +578,7 @@ func main() { +@@ -547,6 +559,7 @@ func main() { end: *end, }, sleepInterval: *sleep, diff --git a/patches/policy_pa.patch b/patches/policy_pa.patch index 736bd06..9f62878 100644 --- a/patches/policy_pa.patch +++ b/patches/policy_pa.patch @@ -1,5 +1,5 @@ diff --git a/policy/pa.go b/policy/pa.go -index 7dd9c37cd..43410e3f9 100644 +index d3494495..184f7186 100644 --- a/policy/pa.go +++ b/policy/pa.go @@ -31,6 +31,8 @@ type AuthorityImpl struct { 
@@ -79,28 +79,29 @@ index 7dd9c37cd..43410e3f9 100644 } splitEmail := strings.SplitN(email.Address, "@", -1) domain := strings.ToLower(splitEmail[len(splitEmail)-1]) -- if err := ValidDomain(domain); err != nil { -+ if err := pa.ValidDomain(domain); err != nil { +- err = ValidDomain(domain) ++ err = pa.ValidDomain(domain) + if err != nil { return berrors.InvalidEmailError( "contact email %q has invalid domain : %s", - email.Address, err) -@@ -365,10 +388,14 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error { +@@ -369,11 +392,15 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error { } domain := id.Value -- if err := ValidDomain(domain); err != nil { -+ if err := pa.ValidDomain(domain); err != nil { +- err := ValidDomain(domain) ++ err := pa.ValidDomain(domain) + if err != nil { return err } + if ok, _ := pa.checkWhitelist(domain); ok { -+ return nil -+ } ++ return nil ++ } + // Require no match against hostname block lists - if err := pa.checkHostLists(domain); err != nil { - return err -@@ -377,6 +404,31 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error { + err = pa.checkHostLists(domain) + if err != nil { +@@ -383,6 +410,31 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error { return nil } diff --git a/patches/ra_ra.patch b/patches/ra_ra.patch index ce4de6b..ac5f31e 100644 --- a/patches/ra_ra.patch +++ b/patches/ra_ra.patch @@ -1,5 +1,5 @@ diff --git a/ra/ra.go b/ra/ra.go -index 275e64a95..873d5c943 100644 +index 1ea20982..937f2859 100644 --- a/ra/ra.go +++ b/ra/ra.go @@ -31,7 +31,6 @@ import ( 
@@ -10,12 +10,12 @@ index 275e64a95..873d5c943 100644 "github.com/letsencrypt/boulder/probs" pubpb "github.com/letsencrypt/boulder/publisher/proto" rapb "github.com/letsencrypt/boulder/ra/proto" -@@ -448,7 +447,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(ctx context.Context, conta +@@ -454,7 +453,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(ctx context.Context, conta contact, ) } -- if err := policy.ValidEmail(parsed.Opaque); err != nil { -+ if err := ra.PA.ValidEmail(parsed.Opaque); err != nil { +- err = policy.ValidEmail(parsed.Opaque) ++ err = ra.PA.ValidEmail(parsed.Opaque) + if err != nil { return err } - } diff --git a/patches/startservers.patch b/patches/startservers.patch index 1ee694c..928893d 100644 --- a/patches/startservers.patch +++ b/patches/startservers.patch @@ -2,7 +2,7 @@ diff --git a/test/startservers.py b/test/startservers.py index 0df56a4..14aa548 100644 --- a/test/startservers.py +++ b/test/startservers.py -@@ -146,6 +146,9 @@ processes = [] +@@ -142,6 +142,9 @@ processes = [] challSrvProcess = None def setupHierarchy(): diff --git a/patches/test_config_ca_a.patch b/patches/test_config_ca_a.patch index 0bb1249..49b2d1e 100644 --- a/patches/test_config_ca_a.patch +++ b/patches/test_config_ca_a.patch @@ -1,5 +1,5 @@ diff --git a/test/config/ca-a.json b/test/config/ca-a.json -index 0be07e4..cd5de49 100644 +index 88c438bf..5ff1a9fb 100644 --- a/test/config/ca-a.json +++ b/test/config/ca-a.json @@ -60,19 +60,7 @@ @@ -13,7 +13,7 @@ index 0be07e4..cd5de49 100644 - { - "useForRSALeaves": false, - "useForECDSALeaves": false, -- "issuerURL": "http://127.0.0.1:4000/acme/issuer-cert", +- "issuerURL": "http://127.0.0.1:4001/aia/issuer/41127673797486028", - "ocspURL": "http://127.0.0.1:4002/", - "crlURL": "http://example.com/crl", - "location": { diff --git a/patches/test_config_ca_b.patch b/patches/test_config_ca_b.patch index 1ba90a2..bf20b5d 100644 --- a/patches/test_config_ca_b.patch +++ b/patches/test_config_ca_b.patch 
@@ -1,5 +1,5 @@ diff --git a/test/config/ca-b.json b/test/config/ca-b.json -index baf5483..0aa6fd4 100644 +index c61ac87e..fb1db942 100644 --- a/test/config/ca-b.json +++ b/test/config/ca-b.json @@ -60,19 +60,7 @@ @@ -13,7 +13,7 @@ index baf5483..0aa6fd4 100644 - { - "useForRSALeaves": false, - "useForECDSALeaves": false, -- "issuerURL": "http://127.0.0.1:4000/acme/issuer-cert", +- "issuerURL": "http://127.0.0.1:4001/aia/issuer/41127673797486028", - "ocspURL": "http://127.0.0.1:4002/", - "crlURL": "http://example.com/crl", - "location": { diff --git a/www/502.html b/www/502.html index bff3553..96e299a 100644 --- a/www/502.html +++ b/www/502.html @@ -118,7 +118,7 @@