diff --git a/gui/apply-boulder b/gui/apply-boulder index 9af048c..77d6cb5 100755 --- a/gui/apply-boulder +++ b/gui/apply-boulder @@ -55,6 +55,7 @@ if [ "$PKI_EXTENDED_TIMEOUT" == "1" ]; then sed -i -e "s/\"timeout\": \"20s\"/\"timeout\": \"40s\"/" config/ra.json sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/ocsp-updater.json sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/orphan-finder.json + sed -i -e "s/\"timeout\": \"1s\"/\"timeout\": \"5s\"/" config/health-checker.json fi sed -i -e "s/\"server\": \".*\"/\"server\": \"$PKI_EMAIL_SERVER\"/" config/bad-key-revoker.json diff --git a/install b/install index 9f494a3..a78a4bf 100755 --- a/install +++ b/install @@ -24,7 +24,7 @@ dockerComposeVersion="1.28.5" labcaUrl="https://github.com/hakwerk/labca/" boulderUrl="https://github.com/letsencrypt/boulder/" -boulderTag="release-2021-08-31" +boulderTag="release-2021-11-02" # # Color configuration @@ -515,6 +515,8 @@ config_boulder() { [ ! -e "$boulderLabCADir/secrets/smtp_password_PRESERVE" ] || mv "$boulderLabCADir/secrets/smtp_password_PRESERVE" "$boulderLabCADir/secrets/smtp_password" chown -R labca:labca "$boulderLabCADir" + rm -rf authz-filler challtestsrv gsb-test-srv + msg_ok "$msg" msg="Configure the boulder application" msg_info "$msg" @@ -591,17 +593,17 @@ config_boulder() { sed -i -e "s/test-ca2.pem/test-ca.pem/" config/ra.json sed -i -e "s/test-ca2.pem/test-ca.pem/" config/wfe.json sed -i -e "s/test-ca2.pem/test-ca.pem/" config/wfe2.json - sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/akamai-purger.json - sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ocsp-responder.json - sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ocsp-updater.json - sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/publisher.json - sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ra.json - sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/wfe.json - sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/wfe2.json - sed -i -e "s|/tmp/root-cert-rsa.pem|labca/test-root.pem|" config/publisher.json - sed -i -e "s|/tmp/root-cert-rsa.pem|labca/test-root.pem|" integration-test.py - sed -i -e "s|/tmp/root-cert-rsa.pem|labca/test-root.pem|" helpers.py - sed -i -e "s|/tmp/root-cert-rsa.pem|labca/test-root.pem|" v1_integration.py + sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/akamai-purger.json + sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ocsp-responder.json + sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ocsp-updater.json + sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/publisher.json + sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ra.json + sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/wfe.json + sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/wfe2.json + sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" config/publisher.json + sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" integration-test.py + sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" helpers.py + sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" v1_integration.py sed -i -e "s/5001/443/g" config/va.json sed -i -e "s/5002/80/g" config/va.json sed -i -e "s/5001/443/g" config/va-remote-a.json @@ -665,6 +667,11 @@ config_boulder() { export PKI_EMAIL_FROM="Expiry bot " fi + local extended_timeout=$(grep extended_timeout $adminDir/data/config.json | grep true) + if [ "$extended_timeout" != "" ]; then + export PKI_EXTENDED_TIMEOUT=1 + fi + $adminDir/apply-boulder &>>$installLog else chown -R labca:labca "$boulderLabCADir" diff --git a/patches/cmd_shell.patch b/patches/cmd_shell.patch index e082fac..ec343b0 100644 --- a/patches/cmd_shell.patch +++ b/patches/cmd_shell.patch @@ -2,7 +2,7 @@ diff --git a/cmd/shell.go b/cmd/shell.go index 38f1edaf4..795815483 100644 --- a/cmd/shell.go +++ b/cmd/shell.go -@@ -163,7 +163,7 @@ func NewLogger(logConf SyslogConfig) blog.Logger { +@@ -165,7 +165,7 @@ func NewLogger(logConf SyslogConfig) blog.Logger { // Boulder's conception of time. go func() { for { diff --git a/patches/config_expiration-mailer.patch b/patches/config_expiration-mailer.patch index fe02054..474a431 100644 --- a/patches/config_expiration-mailer.patch +++ b/patches/config_expiration-mailer.patch @@ -2,7 +2,7 @@ diff --git a/test/config/expiration-mailer.json b/test/config/expiration-mailer. index 4519fe4d..f52a408c 100644 --- a/test/config/expiration-mailer.json +++ b/test/config/expiration-mailer.json -@@ -13,6 +13,11 @@ +@@ -14,6 +14,11 @@ "nagCheckInterval": "24h", "emailTemplate": "test/example-expiration-template", "debugAddr": ":8008", @@ -14,7 +14,7 @@ index 4519fe4d..f52a408c 100644 "tls": { "caCertFile": "test/grpc-creds/minica.pem", "certFile": "test/grpc-creds/expiration-mailer.boulder/cert.pem", -@@ -33,5 +38,9 @@ +@@ -34,5 +39,9 @@ "beeline": { "mute": true, "dataset": "Test" diff --git a/patches/config_ocsp-responder.patch b/patches/config_ocsp-responder.patch index 7d1e9ac..971d05c 100644 --- a/patches/config_ocsp-responder.patch +++ b/patches/config_ocsp-responder.patch @@ -1,15 +1,15 @@ diff --git a/test/config/ocsp-responder.json b/test/config/ocsp-responder.json -index fd2c4a8..a5e65d2 100644 +index ed874d3..a1a78f3 100644 --- a/test/config/ocsp-responder.json +++ b/test/config/ocsp-responder.json @@ -7,9 +7,7 @@ "path": "/", "listenAddress": "0.0.0.0:4002", "issuerCerts": [ -- "/tmp/intermediate-cert-rsa-a.pem", -- "/tmp/intermediate-cert-rsa-b.pem", -- "/tmp/intermediate-cert-ecdsa-a.pem" -+ "/tmp/intermediate-cert-rsa-a.pem" +- "/hierarchy/intermediate-cert-rsa-a.pem", +- "/hierarchy/intermediate-cert-rsa-b.pem", +- "/hierarchy/intermediate-cert-ecdsa-a.pem" ++ "/hierarchy/intermediate-cert-rsa-a.pem" ], "maxAge": "10s", "timeout": "4.9s", diff --git a/patches/config_publisher.patch b/patches/config_publisher.patch index f22ae0b..28d9fc8 100644 --- a/patches/config_publisher.patch +++ b/patches/config_publisher.patch @@ -1,23 +1,23 @@ diff --git a/test/config/publisher.json b/test/config/publisher.json -index 6c75f71..54fb877 100644 +index 6e0337c..1e5ed7b 100644 --- a/test/config/publisher.json +++ b/test/config/publisher.json @@ -6,18 +6,6 @@ [ - "/tmp/intermediate-cert-rsa-a.pem", - "/tmp/root-cert-rsa.pem" + "/hierarchy/intermediate-cert-rsa-a.pem", + "/hierarchy/root-cert-rsa.pem" - ], - [ -- "/tmp/intermediate-cert-rsa-b.pem", -- "/tmp/root-cert-rsa.pem" +- "/hierarchy/intermediate-cert-rsa-b.pem", +- "/hierarchy/root-cert-rsa.pem" - ], - [ -- "/tmp/intermediate-cert-ecdsa-a.pem", -- "/tmp/root-cert-ecdsa.pem" +- "/hierarchy/intermediate-cert-ecdsa-a.pem", +- "/hierarchy/root-cert-ecdsa.pem" - ], - [ -- "/tmp/intermediate-cert-ecdsa-b.pem", -- "/tmp/root-cert-ecdsa.pem" +- "/hierarchy/intermediate-cert-ecdsa-b.pem", +- "/hierarchy/root-cert-ecdsa.pem" ] ], "debugAddr": ":8009", diff --git a/patches/core_interfaces.patch b/patches/core_interfaces.patch index 8a7fa56..da24fea 100644 --- a/patches/core_interfaces.patch +++ b/patches/core_interfaces.patch @@ -2,11 +2,9 @@ diff --git a/core/interfaces.go b/core/interfaces.go index d19eb4fb8..3ae50d737 100644 --- a/core/interfaces.go +++ b/core/interfaces.go -@@ -91,6 +91,7 @@ type PolicyAuthority interface { +@@ -50,4 +50,5 @@ type PolicyAuthority interface { WillingToIssueWildcards(identifiers []identifier.ACMEIdentifier) error ChallengesFor(domain identifier.ACMEIdentifier) ([]Challenge, error) ChallengeTypeEnabled(t AcmeChallenge) bool + ValidEmail(address string) error } - - // StorageGetter are the Boulder SA's read-only methods diff --git a/patches/docker-compose.patch b/patches/docker-compose.patch index 2bd7a87..ccdbd81 100644 --- a/patches/docker-compose.patch +++ b/patches/docker-compose.patch @@ -1,9 +1,9 @@ diff --git a/docker-compose.yml b/docker-compose.yml -index 713667d60..0a384c8ab 100644 +index f2c81aad9..116b858be 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -4,10 +4,11 @@ services: - image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.16.6_2021-07-12} + image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.17_2021-10-22} environment: FAKE_DNS: 10.77.77.77 - BOULDER_CONFIG_DIR: test/config @@ -13,12 +13,12 @@ index 713667d60..0a384c8ab 100644 - .:/go/src/github.com/letsencrypt/boulder:cached + - /home/labca/boulder_labca:/go/src/github.com/letsencrypt/boulder/labca - ./.gocache:/root/.cache/go-build:cached - networks: - bluenet: -@@ -49,11 +50,19 @@ services: - - 8055:8055 # dns-test-srv updates - depends_on: + - ./.hierarchy:/hierarchy/:cached + - ./.softhsm-tokens/:/var/lib/softhsm/tokens/:cached +@@ -37,11 +38,19 @@ services: - bmysql + - bredis + - bredis_clusterer - entrypoint: test/entrypoint.sh + entrypoint: labca/entrypoint.sh working_dir: &boulder_working_dir /go/src/github.com/letsencrypt/boulder @@ -36,7 +36,7 @@ index 713667d60..0a384c8ab 100644 networks: bluenet: aliases: -@@ -67,22 +76,37 @@ services: +@@ -55,7 +64,11 @@ services: # small. command: mysqld --bind-address=0.0.0.0 --slow-query-log --log-output=TABLE --log-queries-not-using-indexes=ON logging: @@ -47,6 +47,12 @@ index 713667d60..0a384c8ab 100644 + max-file: "5" + restart: always + bredis: + image: redis:latest +@@ -82,18 +95,31 @@ services: + aliases: + - boulder-redis-clusterer + - netaccess: + labca: image: *boulder_image @@ -67,8 +73,8 @@ index 713667d60..0a384c8ab 100644 + - /home/labca/boulder_labca:/boulder/labca + ports: + - 3000:3000 - depends_on: - - bmysql ++ depends_on: ++ - bmysql + working_dir: /go/src/labca + command: ./setup.sh + logging: diff --git a/patches/expiration-mailer_main.patch b/patches/expiration-mailer_main.patch index 06f172d..df525cf 100644 --- a/patches/expiration-mailer_main.patch +++ b/patches/expiration-mailer_main.patch @@ -1,16 +1,16 @@ diff --git a/cmd/expiration-mailer/main.go b/cmd/expiration-mailer/main.go -index f6b02976e..0b00b794d 100644 +index a471e1db5..4b7f7374f 100644 --- a/cmd/expiration-mailer/main.go +++ b/cmd/expiration-mailer/main.go -@@ -20,6 +20,7 @@ import ( - "github.com/honeycombio/beeline-go" +@@ -23,6 +23,7 @@ import ( "github.com/jmhodges/clock" + "google.golang.org/grpc" + "github.com/letsencrypt/boulder/bdns" "github.com/letsencrypt/boulder/cmd" "github.com/letsencrypt/boulder/core" corepb "github.com/letsencrypt/boulder/core/proto" -@@ -36,7 +37,7 @@ import ( +@@ -39,7 +40,7 @@ import ( const ( defaultNagCheckInterval = 24 * time.Hour @@ -19,7 +19,7 @@ index f6b02976e..0b00b794d 100644 ) type regStore interface { -@@ -385,6 +386,9 @@ type config struct { +@@ -419,6 +420,9 @@ type config struct { TLS cmd.TLSConfig SAService *cmd.GRPCClientConfig @@ -29,7 +29,7 @@ index f6b02976e..0b00b794d 100644 // Path to a file containing a list of trusted root certificates for use // during the SMTP connection (as opposed to the gRPC connections). SMTPTrustedRootFile string -@@ -394,6 +398,12 @@ type config struct { +@@ -428,6 +432,12 @@ type config struct { Syslog cmd.SyslogConfig Beeline cmd.BeelineConfig @@ -42,9 +42,9 @@ index f6b02976e..0b00b794d 100644 } func initStats(stats prometheus.Registerer) mailerStats { -@@ -511,6 +521,32 @@ func main() { +@@ -545,6 +555,32 @@ func main() { cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA") - sac := bgrpc.NewStorageAuthorityClient(sapb.NewStorageAuthorityClient(conn)) + sac := sapb.NewStorageAuthorityClient(conn) + dnsTimeout, err := time.ParseDuration(c.Common.DNSTimeout) + cmd.FailOnError(err, "Couldn't parse DNS timeout") @@ -75,7 +75,7 @@ index f6b02976e..0b00b794d 100644 var smtpRoots *x509.CertPool if c.Mailer.SMTPTrustedRootFile != "" { pem, err := ioutil.ReadFile(c.Mailer.SMTPTrustedRootFile) -@@ -546,6 +582,7 @@ func main() { +@@ -580,6 +616,7 @@ func main() { c.Mailer.Username, smtpPassword, smtpRoots, diff --git a/patches/ra_ra.patch b/patches/ra_ra.patch index 18541c8..0bd9e55 100644 --- a/patches/ra_ra.patch +++ b/patches/ra_ra.patch @@ -10,7 +10,7 @@ index 1023d0232..3f8d86d87 100644 "github.com/letsencrypt/boulder/probs" pubpb "github.com/letsencrypt/boulder/publisher/proto" rapb "github.com/letsencrypt/boulder/ra/proto" -@@ -435,7 +434,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(ctx context.Context, conta +@@ -436,7 +435,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(ctx context.Context, conta contact, ) } diff --git a/patches/startservers.patch b/patches/startservers.patch index 332fc8b..1ee694c 100644 --- a/patches/startservers.patch +++ b/patches/startservers.patch @@ -1,5 +1,5 @@ diff --git a/test/startservers.py b/test/startservers.py -index ec8ada190..be5b7a2f2 100644 +index 0df56a4..14aa548 100644 --- a/test/startservers.py +++ b/test/startservers.py @@ -146,6 +146,9 @@ processes = [] @@ -9,6 +9,6 @@ index ec8ada190..be5b7a2f2 100644 + pass + +def setupHierarchyOriginal(): + """Set up the issuance hierarchy. Must have called install() before this.""" e = os.environ.copy() e.setdefault("GOBIN", "%s/bin" % os.getcwd()) - try: diff --git a/patches/test_config_ca_a.patch b/patches/test_config_ca_a.patch index 1e54b15..0bb1249 100644 --- a/patches/test_config_ca_a.patch +++ b/patches/test_config_ca_a.patch @@ -1,12 +1,12 @@ diff --git a/test/config/ca-a.json b/test/config/ca-a.json -index 92b32f094..e220d7d4f 100644 +index 0be07e4..cd5de49 100644 --- a/test/config/ca-a.json +++ b/test/config/ca-a.json @@ -60,19 +60,7 @@ "crlURL": "http://example.com/crl", "location": { "configFile": "test/test-ca.key-pkcs11.json", -- "certFile": "/tmp/intermediate-cert-rsa-a.pem", +- "certFile": "/hierarchy/intermediate-cert-rsa-a.pem", - "numSessions": 2 - } - }, @@ -18,7 +18,7 @@ index 92b32f094..e220d7d4f 100644 - "crlURL": "http://example.com/crl", - "location": { - "configFile": "test/test-ca.key-pkcs11.json", -- "certFile": "/tmp/intermediate-cert-rsa-b.pem", +- "certFile": "/hierarchy/intermediate-cert-rsa-b.pem", + "certFile": "test/test-ca.pem", "numSessions": 2 } diff --git a/patches/test_config_ca_b.patch b/patches/test_config_ca_b.patch index beb0a85..1ba90a2 100644 --- a/patches/test_config_ca_b.patch +++ b/patches/test_config_ca_b.patch @@ -1,12 +1,12 @@ diff --git a/test/config/ca-b.json b/test/config/ca-b.json -index 6c7d9d272..4e428bc4a 100644 +index baf5483..0aa6fd4 100644 --- a/test/config/ca-b.json +++ b/test/config/ca-b.json @@ -60,19 +60,7 @@ "crlURL": "http://example.com/crl", "location": { "configFile": "test/test-ca.key-pkcs11.json", -- "certFile": "/tmp/intermediate-cert-rsa-a.pem", +- "certFile": "/hierarchy/intermediate-cert-rsa-a.pem", - "numSessions": 2 - } - }, @@ -18,7 +18,7 @@ index 6c7d9d272..4e428bc4a 100644 - "crlURL": "http://example.com/crl", - "location": { - "configFile": "test/test-ca.key-pkcs11.json", -- "certFile": "/tmp/intermediate-cert-rsa-b.pem", +- "certFile": "/hierarchy/intermediate-cert-rsa-b.pem", + "certFile": "test/test-ca.pem", "numSessions": 2 }