Fix cert-checker for whitelist/lockdown domains

2026-01-27 18:19:33 +00:00 · 2021-12-05 10:02:15 +01:00
parent d7c1cbe118
commit b5cdcbb414
3 changed files with 76 additions and 0 deletions
--- a/gui/apply-boulder
+++ b/gui/apply-boulder
@@ -15,6 +15,11 @@ sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" config
 sed -i -e "s/\"directoryCAAIdentity\": \".*\"/\"directoryCAAIdentity\": \"$PKI_DOMAIN\"/" config/wfe.json
 sed -i -e "s/\"directoryCAAIdentity\": \".*\"/\"directoryCAAIdentity\": \"$PKI_DOMAIN\"/" config/wfe2.json

+if ([ "$PKI_DOMAIN_MODE" == "lockdown" ] && [ "$PKI_LOCKDOWN_DOMAINS" != "" ]) || ([ "$PKI_DOMAIN_MODE" == "whitelist" ] && [ "$PKI_WHITELIST_DOMAINS" != "" ]); then
+    perl -i -p0e "s/(\"badResultsOnly\":.*?\n)/\1    \"skipForbiddenDomains\": true,\n/igs" config/cert-checker.json
+    perl -i -p0e "s/(\s+\"ignoredLints\": \[\n)/\1      \"e_dnsname_not_valid_tld\",\n/igs" config/cert-checker.json
+fi
+
 [ -e ../test/hostname-policy.yaml ] && cp ../test/hostname-policy.yaml ./ || true
 [ -e ../boulder/test/hostname-policy.yaml ] && cp ../boulder/test/hostname-policy.yaml ./ || true
 [ -e hostname-policy.json ] && rm hostname-policy.json || true
--- a/3
+++ b/3
@@ -570,6 +570,9 @@ config_boulder() {
    sudo -u labca -H patch -p1 < $cloneDir/patches/bad-key-revoker_main.patch &>>$installLog
    cp cmd/bad-key-revoker/main.go "$boulderLabCADir/.backup/"

+    sudo -u labca -H patch -p1 < $cloneDir/patches/cert-checker_main.patch &>>$installLog
+    cp cmd/cert-checker/main.go "$boulderLabCADir/.backup/"
+
    sudo -u labca -H patch -p1 < $cloneDir/patches/log-validator_main.patch &>>$installLog
    cp cmd/log-validator/main.go "$boulderLabCADir/.backup/"

--- a/patches/cert-checker_main.patch
+++ b/patches/cert-checker_main.patch
@@ -0,0 +1,68 @@
+diff --git a/cmd/cert-checker/main.go b/cmd/cert-checker/main.go
+index fbdd9bb8..dc7fa4fd 100644
+--- a/cmd/cert-checker/main.go
+++ b/cmd/cert-checker/main.go
+@@ -90,9 +90,10 @@ type certChecker struct {
+ 	issuedReport                report
+ 	checkPeriod                 time.Duration
+ 	acceptableValidityDurations map[time.Duration]bool
+	skipForbiddenDomains        bool
+ }
+ 
+-func newChecker(saDbMap certDB, clk clock.Clock, pa core.PolicyAuthority, period time.Duration, avd map[time.Duration]bool) certChecker {
+func newChecker(saDbMap certDB, clk clock.Clock, pa core.PolicyAuthority, period time.Duration, avd map[time.Duration]bool, sfd bool) certChecker {
+ 	return certChecker{
+ 		pa:                          pa,
+ 		dbMap:                       saDbMap,
+@@ -102,6 +103,7 @@ func newChecker(saDbMap certDB, clk clock.Clock, pa core.PolicyAuthority, period
+ 		issuedReport:                report{Entries: make(map[string]reportEntry)},
+ 		checkPeriod:                 period,
+ 		acceptableValidityDurations: avd,
+		skipForbiddenDomains:        sfd,
+ 	}
+ }
+ 
+@@ -271,7 +273,7 @@ func (c *certChecker) checkCert(cert core.Certificate, ignoredLints map[string]b
+ 			err = c.pa.WillingToIssueWildcards([]identifier.ACMEIdentifier{id})
+ 			if err != nil {
+ 				problems = append(problems, fmt.Sprintf("Policy Authority isn't willing to issue for '%s': %s", name, err))
+-			} else {
+			} else if !c.skipForbiddenDomains {
+ 				// For defense-in-depth, even if the PA was willing to issue for a name
+ 				// we double check it against a list of forbidden domains. This way even
+ 				// if the hostnamePolicyFile malfunctions we will flag the forbidden
+@@ -309,11 +311,12 @@ type config struct {
+ 		DB cmd.DBConfig
+ 		cmd.HostnamePolicyConfig
+ 
+-		Workers             int
+-		ReportDirectoryPath string
+-		UnexpiredOnly       bool
+-		BadResultsOnly      bool
+-		CheckPeriod         cmd.ConfigDuration
+		Workers              int
+		ReportDirectoryPath  string
+		UnexpiredOnly        bool
+		BadResultsOnly       bool
+		SkipForbiddenDomains bool
+		CheckPeriod          cmd.ConfigDuration
+ 
+ 		// AcceptableValidityDurations is a list of durations which are
+ 		// acceptable for certificates we issue.
+@@ -364,6 +367,8 @@ func main() {
+ 		acceptableValidityDurations[ninetyDays] = true
+ 	}
+ 
+	skipForbiddenDomains := config.CertChecker.SkipForbiddenDomains
+
+ 	// Validate PA config and set defaults if needed.
+ 	cmd.FailOnError(config.PA.CheckChallenges(), "Invalid PA configuration")
+ 
+@@ -412,6 +417,7 @@ func main() {
+ 		pa,
+ 		config.CertChecker.CheckPeriod.Duration,
+ 		acceptableValidityDurations,
+		skipForbiddenDomains,
+ 	)
+ 	fmt.Fprintf(os.Stderr, "# Getting certificates issued in the last %s\n", config.CertChecker.CheckPeriod)
+