Bump boulder version to release-2024-05-20

This commit is contained in:
Arjan H
2024-08-24 15:15:21 +02:00
parent b936bb53fe
commit ddbaa63b5b
31 changed files with 292 additions and 166 deletions


@@ -13,7 +13,7 @@ jobs:
fail-fast: false
matrix:
GO_VERSION:
- 1.22.2
- 1.22.3
steps:
- name: Checkout


@@ -9,6 +9,7 @@ The `docker-compose.yml` file is located in the `build` subdirectory for now. Yo
git clone https://github.com/hakwerk/labca.git
cd labca/build
export LABCA_FQDN=labca.example.com
docker compose up bsetup
docker compose up -d
```
And to tail the logs, especially if there are any issues:


@@ -1,4 +1,4 @@
FROM letsencrypt/boulder-tools:go1.22.2_2024-04-04 AS boulder-tools
FROM letsencrypt/boulder-tools:go1.22.3_2024-05-13 AS boulder-tools
FROM ubuntu:focal
@@ -14,6 +14,7 @@ RUN apt-get update && \
COPY --from=boulder-tools /usr/local/bin/sql-migrate /usr/local/bin/sql-migrate
COPY --from=boulder-tools /usr/local/bin/pebble-challtestsrv /usr/local/bin/pebble-challtestsrv
COPY --from=boulder-tools /usr/local/bin/minica /usr/local/bin/minica
COPY tmp/bin /opt/boulder/bin
COPY tmp/src/start.py /opt/boulder
RUN sed -i -e "s|./test|./labca|" /opt/boulder/start.py
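Review bot: The sed expression on the last line, `s|./test|./labca|`, uses an unescaped `.` that matches any character and carries no `g` flag, so it rewrites only the first match per line and would also match e.g. `x/test`; if this line is one of the additions, `RUN sed -i -e 's|\./test|./labca|g' /opt/boulder/start.py` states the intent (drop the `g` if start.py is known to hold one path per line). The rendering does not show whether the `COPY tmp/src/start.py` or the sed line is the added one, and the `RUN apt-get update` that the hunk header names is outside the hunk.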


@@ -8,13 +8,13 @@ TMP_DIR=$(pwd)/tmp
rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src}
boulderDir=$TMP_DIR/src
boulderTag="release-2024-05-06"
boulderTag="release-2024-05-20"
boulderUrl="https://github.com/letsencrypt/boulder/"
cloneDir=$(pwd)/..
GIT_VERSION=$(git describe --always --tags 2>/dev/null)
BUILD_HOST=labca-$GIT_VERSION
BUILD_IMAGE=$(eval echo $(grep boulder-tools ../patches/docker-compose.patch | head -3 | tail -1 | sed -e "s/\+\s*image://" | sed -e "s/&boulder_image//"))
BUILD_IMAGE=$(eval echo $(grep boulder-tools ../patches/docker-compose.patch | head -3 | tail -1 | sed -e "s/\+\s*image://" | sed -e "s/&boulder_tools_image//"))
git clone --branch $boulderTag --depth 1 $boulderUrl $boulderDir 2>/dev/null
cd $boulderDir
@@ -23,7 +23,7 @@ if [ $boulderTag != "main" ]; then
fi
if [ "$BUILD_IMAGE" == "" ]; then
BUILD_IMAGE=$(eval echo $(grep boulder-tools $TMP_DIR/src/docker-compose.yml | grep "image:" | head -1 | sed -e "s/image://" | sed -e "s/&boulder_image//"))
BUILD_IMAGE=$(eval echo $(grep boulder-tools $TMP_DIR/src/docker-compose.yml | grep "image:" | head -1 | sed -e "s/image://" | sed -e "s/&boulder_tools_image//"))
fi
BOULDER_TOOLS_TAG=$(grep go1. $TMP_DIR/src/.github/workflows/boulder-ci.yml | head -1 | sed -e "s/\s*- //")
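Review bot: The rewritten BUILD_IMAGE extraction in the first hunk still selects the third `boulder-tools` match with `head -3 | tail -1`, so it depends on the ordinal position of lines in ../patches/docker-compose.patch, a file this same commit reshuffles, whereas the fallback in the second hunk anchors on `grep "image:"`. Using the same anchor here, e.g. `grep "image:.*boulder-tools" ../patches/docker-compose.patch | head -1`, keeps the pipeline from silently picking up a `context: test/boulder-tools/` line. Both pipelines also run `eval echo` over text taken from a file, which expands any shell syntax found there rather than just the `${BOULDER_TOOLS_TAG:-latest}` default it is presumably there for; a comment saying the patch file is trusted input would make that explicit.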


@@ -22,7 +22,7 @@ services:
- boulder_data:/opt/boulder/labca
- nginx_html:/opt/wwwstatic
- softhsm:/var/lib/softhsm/tokens:cached
- certificates:/hierarchy
- certificates:/opt/boulder/labca/certs
networks:
bouldernet:
ipv4_address: 10.77.77.77
@@ -61,6 +61,20 @@ services:
max-file: "5"
restart: always
bsetup:
image: ghcr.io/hakwerk/labca-boulder:${LABCA_IMAGE_VERSION:-latest}
volumes:
- boulder_data:/opt/boulder/labca
- softhsm:/var/lib/softhsm/tokens:cached
- certificates:/opt/boulder/labca/certs
entrypoint: labca/certs/generate.sh
working_dir: *boulder_working_dir
profiles:
# Adding a profile to this container means that it won't be started by a
# normal "docker compose up/run boulder", only when specifically invoked
# with a "docker compose up bsetup".
- setup
bmysql:
image: mariadb:10.5
volumes:
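Review bot: In the new `bsetup` service the `certificates` volume is mounted at `/opt/boulder/labca/certs`, a path inside the `boulder_data` mount at `/opt/boulder/labca` (the first hunk moves the main service to the same arrangement), so any `certs/` content inside `boulder_data` is shadowed in the container; a comment next to the mount, `# certs lives on its own volume and shadows boulder_data/certs`, would spare the next reader that check. The `LABCA_IMAGE_VERSION` default of `latest` also lets the one-shot setup image float independently of the services whose data it prepares; pinning both to one explicit tag in the environment file is the usual fix.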


@@ -1,17 +1,17 @@
diff --git a/docker-compose.yml b/docker-compose.yml
index 176d452e0..d24e8738d 100644
index 08d29d67c..33503bdfd 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -4,7 +4,7 @@ services:
# The `letsencrypt/boulder-tools:latest` tag is automatically built in local
# dev environments. In CI a specific BOULDER_TOOLS_TAG is passed, and it is
# pulled with `docker compose pull`.
- image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-latest}
- image: &boulder_tools_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-latest}
+ image: ghcr.io/hakwerk/labca-boulder:${LABCA_IMAGE_VERSION:-latest}
build:
context: test/boulder-tools/
# Should match one of the GO_CI_VERSIONS in test/boulder-tools/tag_and_upload.sh.
@@ -19,12 +19,10 @@ services:
@@ -19,11 +19,10 @@ services:
GOCACHE: /boulder/.gocache/go-build
GOFLAGS: -mod=vendor
volumes:
@@ -19,16 +19,15 @@ index 176d452e0..d24e8738d 100644
- - /home/labca/boulder_labca:/opt/boulder/labca
- - /home/labca/nginx_data/static:/opt/wwwstatic
- - ./.gocache:/root/.cache/go-build:cached
- - ./.hierarchy:/hierarchy/:cached
- - ./.softhsm-tokens/:/var/lib/softhsm/tokens/:cached
- - /home/labca/boulder_labca/certs/.softhsm-tokens/:/var/lib/softhsm/tokens/:cached
+ - boulder_data:/opt/boulder/labca
+ - certificates:/opt/boulder/labca/certs
+ - nginx_html:/opt/wwwstatic
+ - softhsm:/var/lib/softhsm/tokens:cached
+ - certificates:/hierarchy
networks:
bouldernet:
ipv4_address: 10.77.77.77
@@ -53,6 +51,7 @@ services:
@@ -52,6 +51,7 @@ services:
depends_on:
- bmysql
- bconsul
@@ -36,27 +35,44 @@ index 176d452e0..d24e8738d 100644
entrypoint: labca/entrypoint.sh
working_dir: &boulder_working_dir /opt/boulder
logging:
@@ -87,34 +86,37 @@ services:
@@ -62,12 +62,11 @@ services:
restart: always
bsetup:
- image: *boulder_tools_image
+ image: ghcr.io/hakwerk/labca-boulder:${LABCA_IMAGE_VERSION:-latest}
volumes:
- - .:/opt/boulder:cached
- - /home/labca/boulder_labca:/opt/boulder/labca
- - ./.gocache:/root/.cache/go-build:cached
- - /home/labca/boulder_labca/certs/.softhsm-tokens/:/var/lib/softhsm/tokens/:cached
+ - boulder_data:/opt/boulder/labca
+ - certificates:/opt/boulder/labca/certs
+ - softhsm:/var/lib/softhsm/tokens:cached
entrypoint: labca/certs/generate.sh
working_dir: *boulder_working_dir
profiles:
@@ -101,34 +100,39 @@ services:
bconsul:
image: hashicorp/consul:1.15.4
+ depends_on:
+ - control
volumes:
- - ./test/:/test/:cached
- - /home/labca/boulder_labca:/opt/boulder/labca
+ - boulder_data:/opt/boulder/labca
+ - certificates:/opt/boulder/labca/certs
networks:
consulnet:
ipv4_address: 10.55.55.10
bouldernet:
ipv4_address: 10.77.77.10
- command: "consul agent -dev -config-format=hcl -config-file=/test/consul/config.hcl"
+ command: "consul agent -dev -config-format=hcl -config-file=/opt/boulder/labca/consul/config.hcl"
command: "consul agent -dev -config-format=hcl -config-file=/opt/boulder/labca/consul/config.hcl"
+ working_dir: /opt/boulder
restart: always
gui:
- image: *boulder_image
- image: *boulder_tools_image
+ image: ghcr.io/hakwerk/labca-gui:${LABCA_IMAGE_VERSION:-latest}
networks:
- bouldernet
@@ -73,6 +89,7 @@ index 176d452e0..d24e8738d 100644
+ - nginx_html:/opt/wwwstatic
+ - backup:/opt/backup
+ - boulder_data:/opt/boulder/labca
+ - certificates:/opt/boulder/labca/certs
expose:
- 3000
depends_on:
@@ -85,7 +102,7 @@ index 176d452e0..d24e8738d 100644
logging:
driver: "json-file"
options:
@@ -131,27 +133,26 @@ services:
@@ -145,27 +149,27 @@ services:
- 80:80
- 443:443
volumes:
@@ -99,7 +116,7 @@ index 176d452e0..d24e8738d 100644
+ - control
control:
- image: *boulder_image
- image: *boulder_tools_image
+ image: ghcr.io/hakwerk/labca-control:${LABCA_IMAGE_VERSION:-latest}
networks:
- bouldernet
@@ -121,13 +138,14 @@ index 176d452e0..d24e8738d 100644
+ - backup:/opt/backup
+ - logs:/opt/logs
+ - boulder_data:/opt/boulder/labca
+ - certificates:/opt/boulder/labca/certs
+ - nginx_conf:/etc/nginx/conf.d
+ - nginx_ssl:/etc/nginx/ssl
+ - nginx_html:/var/www/html
expose:
- 3030
environment:
@@ -162,6 +163,15 @@ services:
@@ -176,6 +180,15 @@ services:
volumes:
dbdata:
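Review bot: In the bconsul service (the `@@ -101,34 +100,39 @@` hunk) the new `certificates:/opt/boulder/labca/certs` mount is read-write, although consul only needs to read the TLS material its config points at (this commit redirects consul/config.hcl to that directory); `- certificates:/opt/boulder/labca/certs:ro` keeps the CA's key material out of reach of a misbehaving agent. The same question applies to `gui`, which now mounts `certificates` as well; `control` presumably writes there and can stay read-write. The boulder hunk renders both `certificates:/hierarchy` and the new path — if the `/hierarchy` mount survived the edit it is dead now that the config rewrites drop `/hierarchy/`.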


@@ -2,9 +2,9 @@ diff --git a/test/startservers.py b/test/startservers.py
index 5d19996ad..e1ccf8f45 100644
--- a/test/startservers.py
+++ b/test/startservers.py
@@ -183,6 +183,9 @@ def setupHierarchyOriginal():
@@ -169,6 +169,9 @@ processes = []
challSrvProcess = None
def install(race_detection):
+ return True
+


@@ -22,6 +22,7 @@ get_fqdn() {
setup_boulder_data() {
cp -rp /opt/staging/boulder_labca/* /opt/boulder/labca/
cp -rp /opt/staging/boulder_labca/certs/* /opt/boulder/labca/certs/
cd /opt/boulder/labca
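Review bot: The added `cp -rp /opt/staging/boulder_labca/certs/* /opt/boulder/labca/certs/` copies unconditionally, so if setup_boulder_data runs on every container start (its caller is outside the hunk) it overwrites certificates and SoftHSM material that generate.sh has since rotated in the `certificates` volume with the staging copies; `cp -rpn` (no-clobber) or a guard on a marker such as `setup_complete` would keep later regenerations intact. When the staging directory is empty the glob stays literal and `cp` fails, which is harmless only if the function is not run under `set -e`.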

1
cron_d

@@ -4,5 +4,6 @@ PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
1 7 * * * root /opt/labca/mailer &>>/opt/logs/cron.log
5 7 * * * root /opt/labca/checkrenew &>>/opt/logs/cron.log
7 7 * * Sun root /opt/boulder/labca/certs/generate.sh &>>/opt/logs/cron.log
11 7 * * Mon root /opt/labca/backup cron &>>/opt/logs/cron.log
*/5 * * * * root /opt/labca/checkcrl &>>/opt/logs/cron.log
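Review bot: The added entry (presumably the Sunday `generate.sh` line) follows the file's `&>>/opt/logs/cron.log` redirection, which is a bash construct; under cron's default `SHELL=/bin/sh` (dash on Ubuntu) `cmd &>>file` parses as `cmd &` followed by a redirection, so the job is backgrounded and its output never reaches the log. This is fine only if a `SHELL=/bin/bash` line sits above the hunk (line 4 is the first line shown); otherwise use `>>/opt/logs/cron.log 2>&1` here and on the neighbouring entries.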


@@ -239,7 +239,7 @@ if [ -e $PKI_ROOT_CERT_BASE.pem ]; then
cp -p $PKI_ROOT_CERT_BASE.pem test-root.pem
fi
chown -R `ls -l PKI.md | cut -d" " -f 3,4 | sed 's/ /:/g'` .
chown -R `ls -l example-weak-keys.json | cut -d" " -f 3,4 | sed 's/ /:/g'` .
if [ -e $PKI_INT_CERT_BASE.key ] && [ -e $PKI_ROOT_CERT_BASE.pem ]; then
[ -f setup_complete ] || touch setup_complete
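Review bot: The rewritten line derives owner and group by splitting `ls -l example-weak-keys.json` output on single spaces, which is fragile (field positions shift with padding, numeric ids or unusual names, and `chown` then receives a malformed `user:group`); `chown -R "$(stat -c '%U:%G' example-weak-keys.json)" .` reads the ownership directly. The `if [ -e $PKI_ROOT_CERT_BASE.pem ]` block the hunk header names starts outside the hunk.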


@@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0"
labcaUrl="https://github.com/hakwerk/labca/"
boulderUrl="https://github.com/letsencrypt/boulder/"
boulderTag="release-2024-05-06"
boulderTag="release-2024-05-20"
# Feature flags
flag_skip_redis=true
@@ -562,6 +562,8 @@ get_boulder() {
cd "$boulderDir"
chown -R labca:labca .
rm -rf bin/orphan-finder bin/validate
mkdir -p $baseDir/backup
[ ! -d .softhsm-tokens ] || mv .softhsm-tokens $baseDir/backup/ &>>$installLog
sudo -u labca -H git reset --hard HEAD^1 &>>$installLog
fi
@@ -798,6 +800,8 @@ startup() {
docker run --rm -v boulder_dbdata:/old -v labca_dbdata:/new $dimg bash -c "cp -R /old/* /new/" &>>$installLog
fi
[ ! -d $baseDir/backup/.softhsm-tokens ] || mkdir -p $boulderLabCADir/certs/; mv $baseDir/backup/.softhsm-tokens $boulderLabCADir/certs/ &>>$installLog
COMPOSE_HTTP_TIMEOUT=180 docker compose up -d &>>$installLog
wait_up $PS_NGINX &>>$installLog || true
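Review bot: In `startup()` the new line `[ ! -d $baseDir/backup/.softhsm-tokens ] || mkdir -p $boulderLabCADir/certs/; mv ...` guards only the `mkdir` — the `;` ends the `||` list, so the `mv` runs unconditionally and fails (quietly, into the install log) on every install that had no tokens to restore. Write it as `if [ -d $baseDir/backup/.softhsm-tokens ]; then mkdir -p $boulderLabCADir/certs/ && mv $baseDir/backup/.softhsm-tokens $boulderLabCADir/certs/ &>>$installLog; fi`. The matching step in `get_boulder()` parks SoftHSM token material under `$baseDir/backup/` between the two phases; the `chown -R labca:labca .` above it covers the boulder checkout, so it is worth confirming the backup directory is not left world-readable.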


@@ -15,8 +15,6 @@ boulderLabCADir="${2:-labca}"
$SUDO patch -p1 -o "$boulderLabCADir/entrypoint.sh" < $cloneDir/patches/entrypoint.patch
cp test/startservers.py "$boulderLabCADir/startservers.py"
$SUDO patch -p1 -o "$boulderLabCADir/config/ca.json" < $cloneDir/patches/test_config_ca.patch
$SUDO patch -p1 -o "$boulderLabCADir/config/expiration-mailer.json" < $cloneDir/patches/config_expiration-mailer.patch
$SUDO patch -p1 -o "$boulderLabCADir/config/notify-mailer.json" < $cloneDir/patches/config_notify-mailer.patch
$SUDO patch -p1 -o "$boulderLabCADir/config/bad-key-revoker.json" < $cloneDir/patches/config_bad-key-revoker.patch
@@ -25,8 +23,11 @@ $SUDO patch -p1 -o "$boulderLabCADir/config/publisher.json" < $cloneDir/patches/
$SUDO patch -p1 -o "$boulderLabCADir/config/wfe2.json" < $cloneDir/patches/config_wfe2.patch
$SUDO patch -p1 -o "$boulderLabCADir/config/crl-storer.json" < $cloneDir/patches/config_crl-storer.patch
$SUDO patch -p1 -o "$boulderLabCADir/config/crl-updater.json" < $cloneDir/patches/config_crl-updater.patch
$SUDO patch -p1 -o "$boulderLabCADir/config/ca.json" < $cloneDir/patches/test_config_ca.patch
$SUDO patch -p1 -o "$boulderLabCADir/config/ra.json" < $cloneDir/patches/config_ra.patch
$SUDO patch -p1 -o "$boulderLabCADir/config/akamai-purger.json" < $cloneDir/patches/config_akamai-purger.patch
$SUDO patch -p1 -o "$boulderLabCADir/certs/generate.sh" < $cloneDir/patches/test_certs_generate.patch
chmod +x $boulderLabCADir/certs/generate.sh
cp test/config/va*.json "$boulderLabCADir/config/"
perl -i -p0e "s/\"dnsProvider\": \{.*?\t\t},/\"dnsStaticResolvers\": [\n\t\t\t\"127.0.0.1:8053\",\n\t\t\t\"127.0.0.1:8054\"\n\t\t],/igs" $boulderLabCADir/config/va.json
@@ -51,22 +52,23 @@ sed -i -e "s/test-ca2.pem/test-ca.pem/" config/ocsp-responder.json
sed -i -e "s/test-ca2.pem/test-ca.pem/" config/publisher.json
sed -i -e "s/test-ca2.pem/test-ca.pem/" config/ra.json
sed -i -e "s/test-ca2.pem/test-ca.pem/" config/wfe2.json
sed -i -e "s|/hierarchy/int-rsa-a.cert.pem|labca/test-ca.pem|" config/akamai-purger.json
sed -i -e "s|/hierarchy/int-rsa-a.cert.pem|labca/test-ca.pem|" config/ocsp-responder.json
sed -i -e "s|/hierarchy/int-rsa-a.cert.pem|labca/test-ca.pem|" config/publisher.json
sed -i -e "s|/hierarchy/int-rsa-a.cert.pem|labca/test-ca.pem|" config/ra.json
sed -i -e "s|/hierarchy/int-rsa-a.cert.pem|labca/test-ca.pem|" config/wfe2.json
sed -i -e "s|/hierarchy/int-rsa-a.cert.pem|labca/test-ca.pem|" config/crl-storer.json
sed -i -e "s|/hierarchy/int-rsa-a.cert.pem|labca/test-ca.pem|" config/crl-updater.json
sed -i -e "s|/hierarchy/int-rsa-a.cert.pem|labca/test-ca.pem|" config/ra.json
sed -i -e "s|/hierarchy/int-rsa-a.cert.pem|labca/test-ca.pem|" v2_integration.py
sed -i -e "s|/hierarchy/root-rsa.cert.pem|labca/test-root.pem|" cert-ceremonies/root-ceremony-rsa.yaml
sed -i -e "s|/hierarchy/root-rsa.cert.pem|labca/test-root.pem|" cert-ceremonies/root-crl-rsa.yaml
sed -i -e "s|/hierarchy/root-rsa.cert.pem|labca/test-root.pem|" cert-ceremonies/intermediate-cert-ceremony-rsa.yaml
sed -i -e "s|/hierarchy/root-rsa.cert.pem|labca/test-root.pem|" config/publisher.json
sed -i -e "s|/hierarchy/root-rsa.cert.pem|labca/test-root.pem|" config/wfe2.json
sed -i -e "s|/hierarchy/root-rsa.cert.pem|labca/test-root.pem|" integration-test.py
sed -i -e "s|/hierarchy/root-rsa.cert.pem|labca/test-root.pem|" helpers.py
sed -i -e "s|test/certs/webpki/int-rsa-a.cert.pem|labca/test-ca.pem|" config/akamai-purger.json
sed -i -e "s|test/certs/webpki/int-rsa-a.cert.pem|labca/test-ca.pem|" config/ocsp-responder.json
sed -i -e "s|test/certs/webpki/int-rsa-a.cert.pem|labca/test-ca.pem|" config/publisher.json
sed -i -e "s|test/certs/webpki/int-rsa-a.cert.pem|labca/test-ca.pem|" config/ca.json
sed -i -e "s|test/certs/webpki/int-rsa-a.cert.pem|labca/test-ca.pem|" config/wfe2.json
sed -i -e "s|test/certs/webpki/int-rsa-a.cert.pem|labca/test-ca.pem|" config/crl-storer.json
sed -i -e "s|test/certs/webpki/int-rsa-a.cert.pem|labca/test-ca.pem|" config/crl-updater.json
sed -i -e "s|test/certs/webpki/int-rsa-a.cert.pem|labca/test-ca.pem|" config/ra.json
sed -i -e "s|test/certs/webpki/int-rsa-a.cert.pem|labca/test-ca.pem|" v2_integration.py
sed -i -e "s|test/certs/webpki/int-rsa-a.pkcs11.json|labca/test-ca.key-pkcs11.json|" config/ca.json
sed -i -e "s|test/certs/webpki/root-rsa.cert.pem|labca/test-root.pem|" certs/root-ceremony-rsa.yaml
sed -i -e "s|test/certs/webpki/root-rsa.cert.pem|labca/test-root.pem|" certs/root-crl-rsa.yaml
sed -i -e "s|test/certs/webpki/root-rsa.cert.pem|labca/test-root.pem|" certs/intermediate-cert-ceremony-rsa.yaml
sed -i -e "s|test/certs/webpki/root-rsa.cert.pem|labca/test-root.pem|" config/publisher.json
sed -i -e "s|test/certs/webpki/root-rsa.cert.pem|labca/test-root.pem|" config/wfe2.json
sed -i -e "s|test/certs/webpki/root-rsa.cert.pem|labca/test-root.pem|" integration-test.py
sed -i -e "s|test/certs/webpki/root-rsa.cert.pem|labca/test-root.pem|" helpers.py
sed -i -e "s|letsencrypt/boulder|hakwerk/labca|" config/wfe2.json
sed -i -e "s|1.2.3.4|1.3.6.1.4.1.44947.1.1.1|g" config/ca.json
sed -i -e "s/ocspURL.Path = encodedReq/ocspURL.Path += encodedReq/" ocsp/helper/helper.go
@@ -82,6 +84,8 @@ sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/remoteva-b.json
sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/va-remote-a.json
sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/va-remote-b.json
sed -i -e "s|test/certs|/opt/boulder/labca/certs|" consul/config.hcl
if [ "$flag_skip_redis" == true ]; then
sed -i -e "s/^\(.*wait-for-it.sh.*4218\)/#\1/" entrypoint.sh
fi
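Review bot: Each of the new `sed -i -e "s|test/certs/webpki/...|labca/...|"` rewrites in the third hunk, and the consul `sed` in the last one, succeeds silently when its pattern is absent, so the next upstream path rename — exactly what this commit is chasing from `/hierarchy/` to `test/certs/webpki/` — leaves the CA configs pointing at files that do not exist with no error at install time. A small helper that asserts the pattern is present before rewriting, and takes the file list as arguments, both catches that and collapses the repeated lines; the `$SUDO patch` block that opens the section runs outside the hunk.
```shell
# Rewrite a literal path in each FILE, failing loudly if it is not present.
replace_path() {
    from="$1"; to="$2"; shift 2
    for f in "$@"; do
        grep -qF -- "$from" "$f" || { echo "replace_path: '$from' not found in $f" >&2; exit 1; }
        sed -i -e "s|$from|$to|" "$f"
    done
}
replace_path test/certs/webpki/int-rsa-a.cert.pem labca/test-ca.pem \
    config/akamai-purger.json config/ocsp-responder.json config/publisher.json config/ca.json \
    config/wfe2.json config/crl-storer.json config/crl-updater.json config/ra.json v2_integration.py
replace_path test/certs/webpki/int-rsa-a.pkcs11.json labca/test-ca.key-pkcs11.json config/ca.json
replace_path test/certs/webpki/root-rsa.cert.pem labca/test-root.pem \
    certs/root-ceremony-rsa.yaml certs/root-crl-rsa.yaml certs/intermediate-cert-ceremony-rsa.yaml \
    config/publisher.json config/wfe2.json integration-test.py helpers.py
# … unchanged: wfe2/ca.json identifier rewrites, ocsp helper fix, stdoutlevel edits …
replace_path test/certs /opt/boulder/labca/certs consul/config.hcl
```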


@@ -47,7 +47,6 @@ $SUDO patch -p1 < $cloneDir/patches/ra_ra.patch
$SUDO patch -p1 < $cloneDir/patches/ratelimit_rate-limits.patch
$SUDO patch -p1 < $cloneDir/patches/ratelimits_names.patch
$SUDO patch -p1 < $cloneDir/patches/remoteva_main.patch
$SUDO patch -p1 < $cloneDir/patches/startservers.patch
if [ "$SUDO" == "" ]; then
# TODO: should include this into startservers.patch
$SUDO patch -p1 < $cloneDir/build/tmp2.patch


@@ -2,14 +2,20 @@ diff --git a/test/config/akamai-purger.json b/test/config/akamai-purger.json
index 62c5b4cc9..2c39d70cb 100644
--- a/test/config/akamai-purger.json
+++ b/test/config/akamai-purger.json
@@ -13,6 +13,10 @@
"certFile": "test/grpc-creds/akamai-purger.boulder/cert.pem",
"keyFile": "test/grpc-creds/akamai-purger.boulder/key.pem"
},
@@ -9,9 +9,13 @@
"accessToken": "idk-how-this-is-different-from-client-token-but-okay",
"v3Network": "staging",
"tls": {
- "caCertfile": "test/certs/ipki/minica.pem",
- "certFile": "test/certs/ipki/akamai-purger.boulder/cert.pem",
- "keyFile": "test/certs/ipki/akamai-purger.boulder/key.pem"
+ "caCertfile": "labca/certs/ipki/minica.pem",
+ "certFile": "labca/certs/ipki/akamai-purger.boulder/cert.pem",
+ "keyFile": "labca/certs/ipki/akamai-purger.boulder/key.pem"
+ },
+ "throughput": {
+ "queueEntriesPerBatch": 5,
+ "purgeBatchInterval": "5m"
+ },
},
"grpc": {
"address": ":9099",
"maxConnectionAge": "30s",


@@ -14,8 +14,8 @@ index f4696dc2..b9c19ce3 100644
+ "dnsTimeout": "3s",
+ "dnsAllowLoopbackAddresses": true,
"tls": {
"caCertFile": "test/grpc-creds/minica.pem",
"certFile": "test/grpc-creds/bad-key-revoker.boulder/cert.pem",
"caCertFile": "test/certs/ipki/minica.pem",
"certFile": "test/certs/ipki/bad-key-revoker.boulder/cert.pem",
@@ -32,7 +39,7 @@
},
"maximumRevocations": 15,

42
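--- a/patches/config_ca.patch
+++ b/patches/config_ca.patch
@@ -0,0 +1,42 @@
+diff --git a/test/config/ca.json b/test/config/ca.json
+index cbb84f385..ec28cd37d 100644
+--- a/test/config/ca.json
++++ b/test/config/ca.json
+@@ -58,18 +58,6 @@
+"maxValidityBackdate": "1h5m"
+},
+"issuers": [
+- {
+- "useForRSALeaves": false,
+- "useForECDSALeaves": true,
+- "issuerURL": "http://ca.example.org:4502/int-ecdsa-a",
+- "ocspURL": "http://ca.example.org:4002/",
+- "crlURLBase": "http://ca.example.org:4501/ecdsa-a/",
+- "location": {
+- "configFile": "test/certs/webpki/int-ecdsa-a.pkcs11.json",
+- "certFile": "test/certs/webpki/int-ecdsa-a.cert.pem",
+- "numSessions": 2
+- }
+- },
+{
+"useForRSALeaves": true,
+"useForECDSALeaves": true,
+@@ -81,18 +69,6 @@
+"certFile": "test/certs/webpki/int-rsa-a.cert.pem",
+"numSessions": 2
+}
+- },
+- {
+- "useForRSALeaves": false,
+- "useForECDSALeaves": false,
+- "issuerURL": "http://ca.example.org:4502/int-rsa-b",
+- "ocspURL": "http://ca.example.org:4003/",
+- "crlURLBase": "http://ca.example.org:4501/rsa-b/",
+- "location": {
+- "configFile": "test/certs/webpki/int-rsa-b.pkcs11.json",
+- "certFile": "test/certs/webpki/int-rsa-b.cert.pem",
+- "numSessions": 2
+- }
+}
+],
+"ignoredLints": [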


@@ -6,10 +6,10 @@ index ef70c2ffc..a53b75d86 100644
}
},
"issuerCerts": [
- "/hierarchy/int-rsa-a.cert.pem",
- "/hierarchy/int-rsa-b.cert.pem",
- "/hierarchy/int-ecdsa-a.cert.pem"
+ "/hierarchy/int-rsa-a.cert.pem"
- "test/certs/webpki/int-rsa-a.cert.pem",
- "test/certs/webpki/int-rsa-b.cert.pem",
- "test/certs/webpki/int-ecdsa-a.cert.pem"
+ "test/certs/webpki/int-rsa-a.cert.pem"
],
+ "localStorePath": "/opt/wwwstatic/crl",
"s3Endpoint": "http://localhost:4501",


@@ -6,10 +6,10 @@ index f6b70123f..a6c1471e5 100644
"hostOverride": "crl-storer.boulder"
},
"issuerCerts": [
- "/hierarchy/int-rsa-a.cert.pem",
- "/hierarchy/int-rsa-b.cert.pem",
- "/hierarchy/int-ecdsa-a.cert.pem"
+ "/hierarchy/int-rsa-a.cert.pem"
- "test/certs/webpki/int-rsa-a.cert.pem",
- "test/certs/webpki/int-rsa-b.cert.pem",
- "test/certs/webpki/int-ecdsa-a.cert.pem"
+ "test/certs/webpki/int-rsa-a.cert.pem"
],
- "numShards": 10,
- "shardWidth": "240h",


@@ -14,5 +14,5 @@ index 3b813060..6c709172 100644
+ "dnsTimeout": "3s",
+ "dnsAllowLoopbackAddresses": true,
"tls": {
"caCertFile": "test/grpc-creds/minica.pem",
"certFile": "test/grpc-creds/expiration-mailer.boulder/cert.pem",
"caCertFile": "test/certs/ipki/minica.pem",
"certFile": "test/certs/ipki/expiration-mailer.boulder/cert.pem",


@@ -17,22 +17,22 @@ index bfea858d..fecea919 100644
- "poolSize": 100,
- "routeRandomly": true,
- "tls": {
- "caCertFile": "test/redis-tls/minica.pem",
- "certFile": "test/redis-tls/boulder/cert.pem",
- "keyFile": "test/redis-tls/boulder/key.pem"
- "caCertFile": "test/certs/ipki/minica.pem",
- "certFile": "test/certs/ipki/ocsp-responder.boulder/cert.pem",
- "keyFile": "test/certs/ipki/ocsp-responder.boulder/key.pem"
- }
- },
"tls": {
"caCertFile": "test/grpc-creds/minica.pem",
"certFile": "test/grpc-creds/ocsp-responder.boulder/cert.pem",
"caCertFile": "test/certs/ipki/minica.pem",
"certFile": "test/certs/ipki/ocsp-responder.boulder/cert.pem",
@@ -49,9 +33,7 @@
"path": "/",
"listenAddress": "0.0.0.0:4002",
"issuerCerts": [
- "/hierarchy/int-rsa-a.cert.pem",
- "/hierarchy/int-rsa-b.cert.pem",
- "/hierarchy/int-ecdsa-a.cert.pem"
+ "/hierarchy/int-rsa-a.cert.pem"
- "test/certs/webpki/int-rsa-a.cert.pem",
- "test/certs/webpki/int-rsa-b.cert.pem",
- "test/certs/webpki/int-ecdsa-a.cert.pem"
+ "test/certs/webpki/int-rsa-a.cert.pem"
],
"liveSigningPeriod": "60h",
"timeout": "4.9s",


@@ -4,20 +4,20 @@ index 6e0337c..1e5ed7b 100644
+++ b/test/config/publisher.json
@@ -6,18 +6,6 @@
[
"/hierarchy/int-rsa-a.cert.pem",
"/hierarchy/root-rsa.cert.pem"
"test/certs/webpki/int-rsa-a.cert.pem",
"test/certs/webpki/root-rsa.cert.pem"
- ],
- [
- "/hierarchy/int-rsa-b.cert.pem",
- "/hierarchy/root-rsa.cert.pem"
- "test/certs/webpki/int-rsa-b.cert.pem",
- "test/certs/webpki/root-rsa.cert.pem"
- ],
- [
- "/hierarchy/int-ecdsa-a.cert.pem",
- "/hierarchy/root-ecdsa.cert.pem"
- "test/certs/webpki/int-ecdsa-a.cert.pem",
- "test/certs/webpki/root-ecdsa.cert.pem"
- ],
- [
- "/hierarchy/int-ecdsa-b.cert.pem",
- "/hierarchy/root-ecdsa.cert.pem"
- "test/certs/webpki/int-ecdsa-b.cert.pem",
- "test/certs/webpki/root-ecdsa.cert.pem"
]
],
"debugAddr": ":8009",


@@ -6,10 +6,10 @@ index 6f0baae9..6ad0f08c 100644
},
"orderLifetime": "168h",
"issuerCerts": [
- "/hierarchy/int-rsa-a.cert.pem",
- "/hierarchy/int-rsa-b.cert.pem",
- "/hierarchy/int-ecdsa-a.cert.pem"
+ "/hierarchy/int-rsa-a.cert.pem"
- "test/certs/webpki/int-rsa-a.cert.pem",
- "test/certs/webpki/int-rsa-b.cert.pem",
- "test/certs/webpki/int-ecdsa-a.cert.pem"
+ "test/certs/webpki/int-rsa-a.cert.pem"
],
"tls": {
"caCertFile": "test/grpc-creds/minica.pem",
"caCertFile": "test/certs/ipki/minica.pem",


@@ -4,28 +4,28 @@ index c0093044..e8ba4263 100644
+++ b/test/config/wfe2.json
@@ -79,26 +79,6 @@
[
"/hierarchy/int-rsa-a.cert.pem",
"/hierarchy/root-rsa.cert.pem"
"test/certs/webpki/int-rsa-a.cert.pem",
"test/certs/webpki/root-rsa.cert.pem"
- ],
- [
- "/hierarchy/int-rsa-b.cert.pem",
- "/hierarchy/root-rsa.cert.pem"
- "test/certs/webpki/int-rsa-b.cert.pem",
- "test/certs/webpki/root-rsa.cert.pem"
- ],
- [
- "/hierarchy/int-ecdsa-a.cert.pem",
- "/hierarchy/root-ecdsa.cert.pem"
- "test/certs/webpki/int-ecdsa-a.cert.pem",
- "test/certs/webpki/root-ecdsa.cert.pem"
- ],
- [
- "/hierarchy/int-ecdsa-b.cert.pem",
- "/hierarchy/root-ecdsa.cert.pem"
- "test/certs/webpki/int-ecdsa-b.cert.pem",
- "test/certs/webpki/root-ecdsa.cert.pem"
- ],
- [
- "/hierarchy/int-ecdsa-a-cross.cert.pem",
- "/hierarchy/root-rsa.cert.pem"
- "test/certs/webpki/int-ecdsa-a-cross.cert.pem",
- "test/certs/webpki/root-rsa.cert.pem"
- ],
- [
- "/hierarchy/int-ecdsa-b-cross.cert.pem",
- "/hierarchy/root-rsa.cert.pem"
- "test/certs/webpki/int-ecdsa-b-cross.cert.pem",
- "test/certs/webpki/root-rsa.cert.pem"
]
],
"staleTimeout": "5m",


@@ -1,8 +1,8 @@
diff --git a/docker-compose.yml b/docker-compose.yml
index b7dc73ed4..235330460 100644
index f25309579..79ed8c4e4 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -27,8 +27,6 @@ services:
@@ -26,8 +26,6 @@ services:
ipv4_address: 10.77.77.77
integrationtestnet:
ipv4_address: 10.88.88.88
@@ -11,7 +11,7 @@ index b7dc73ed4..235330460 100644
consulnet:
ipv4_address: 10.55.55.55
# Use consul as a backup to Docker's embedded DNS server. If there's a name
@@ -52,10 +50,6 @@ services:
@@ -51,10 +49,6 @@ services:
depends_on:
- bmysql
- bproxysql
@@ -22,7 +22,7 @@ index b7dc73ed4..235330460 100644
- bconsul
- bjaeger
- bpkilint
@@ -94,42 +88,6 @@ services:
@@ -107,42 +101,6 @@ services:
aliases:
- boulder-proxysql
@@ -65,7 +65,7 @@ index b7dc73ed4..235330460 100644
bconsul:
image: hashicorp/consul:1.15.4
volumes:
@@ -181,13 +139,6 @@ networks:
@@ -194,13 +152,6 @@ networks:
config:
- subnet: 10.88.88.0/24


@@ -1,20 +1,13 @@
diff --git a/docker-compose.yml b/docker-compose.yml
index 235330460..176d452e0 100644
index 79ed8c4e4..08d29d67c 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,9 +1,10 @@
@@ -1,3 +1,4 @@
+name: labca
services:
boulder:
# The `letsencrypt/boulder-tools:latest` tag is automatically built in local
# dev environments. In CI a specific BOULDER_TOOLS_TAG is passed, and it is
# pulled with `docker compose pull`.
- image: letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-latest}
+ image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-latest}
build:
context: test/boulder-tools/
# Should match one of the GO_CI_VERSIONS in test/boulder-tools/tag_and_upload.sh.
@@ -14,11 +15,13 @@ services:
@@ -14,13 +15,15 @@ services:
# to the IP address where your ACME client's solver is listening.
# FAKE_DNS: 172.17.0.1
FAKE_DNS: 10.77.77.77
@@ -28,9 +21,12 @@ index 235330460..176d452e0 100644
+ - /home/labca/boulder_labca:/opt/boulder/labca
+ - /home/labca/nginx_data/static:/opt/wwwstatic
- ./.gocache:/root/.cache/go-build:cached
- ./.hierarchy:/hierarchy/:cached
- ./.softhsm-tokens/:/var/lib/softhsm/tokens/:cached
@@ -49,15 +52,20 @@ services:
- - ./test/certs/.softhsm-tokens/:/var/lib/softhsm/tokens/:cached
+ - /home/labca/boulder_labca/certs/.softhsm-tokens/:/var/lib/softhsm/tokens/:cached
networks:
bouldernet:
ipv4_address: 10.77.77.77
@@ -48,20 +51,24 @@ services:
- 4003:4003 # OCSP
depends_on:
- bmysql
@@ -49,6 +45,22 @@ index 235330460..176d452e0 100644
+ max-file: "5"
+ restart: always
bsetup:
image: *boulder_tools_image
volumes:
- - .:/boulder:cached
+ - .:/opt/boulder:cached
+ - /home/labca/boulder_labca:/opt/boulder/labca
- ./.gocache:/root/.cache/go-build:cached
- - ./test/certs/.softhsm-tokens/:/var/lib/softhsm/tokens/:cached
- entrypoint: test/certs/generate.sh
+ - /home/labca/boulder_labca/certs/.softhsm-tokens/:/var/lib/softhsm/tokens/:cached
+ entrypoint: labca/certs/generate.sh
working_dir: *boulder_working_dir
profiles:
# Adding a profile to this container means that it won't be started by a
@@ -71,6 +78,8 @@ services:
bmysql:
image: mariadb:10.5
+ volumes:
@@ -56,7 +68,7 @@ index 235330460..176d452e0 100644
networks:
bouldernet:
aliases:
@@ -71,22 +79,11 @@ services:
@@ -84,46 +93,89 @@ services:
# small.
command: mysqld --bind-address=0.0.0.0 --slow-query-log --log-output=TABLE --log-queries-not-using-indexes=ON
logging:
@@ -84,16 +96,22 @@ index 235330460..176d452e0 100644
bconsul:
image: hashicorp/consul:1.15.4
@@ -98,19 +95,73 @@ services:
volumes:
- - ./test/:/test/:cached
+ - /home/labca/boulder_labca:/opt/boulder/labca
networks:
consulnet:
ipv4_address: 10.55.55.10
bouldernet:
ipv4_address: 10.77.77.10
command: "consul agent -dev -config-format=hcl -config-file=/test/consul/config.hcl"
- command: "consul agent -dev -config-format=hcl -config-file=/test/consul/config.hcl"
+ command: "consul agent -dev -config-format=hcl -config-file=/opt/boulder/labca/consul/config.hcl"
+ restart: always
- bjaeger:
- image: jaegertracing/all-in-one:1.50
+ gui:
+ image: *boulder_image
+ image: *boulder_tools_image
networks:
- bouldernet:
- ipv4_address: 10.77.77.17
@@ -138,7 +156,7 @@ index 235330460..176d452e0 100644
+ - /home/labca/nginx_data/static:/var/www/html
+
+ control:
+ image: *boulder_image
+ image: *boulder_tools_image
+ networks:
+ - bouldernet
+ volumes:


@@ -1,17 +1,20 @@
diff --git a/test/entrypoint.sh b/test/entrypoint.sh
index 5ca9929..f18e1d8 100755
index 12d0397c4..23d9693de 100755
--- a/test/entrypoint.sh
+++ b/test/entrypoint.sh
@@ -13,12 +13,21 @@
@@ -13,12 +13,24 @@ service rsyslog start
# make sure we can reach the mysqldb.
./test/wait-for-it.sh boulder-mysql 3306
-# make sure we can reach the proxysql.
-./test/wait-for-it.sh bproxysql 6032
-
# create the database
MYSQL_CONTAINER=1 $DIR/create_db.sh
+# Generate the internal keys and certs
+./test/certs/generate.sh
+
+fl=$(pwd)/labca/setup_complete
+while [ ! -f $fl ]; do
+ echo "Waiting for $fl to appear..."
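Review bot: The added `./test/certs/generate.sh` call in the entrypoint is not checked: if key or certificate generation fails, the script carries on to wait for `labca/setup_complete` and the services start with missing or stale internal PKI, the cause buried earlier in the log. `./test/certs/generate.sh || { echo "generate.sh failed" >&2; exit 1; }` fails fast, unless the script already runs under `set -e` (its header is outside the hunk). The wait loop that follows continues past the hunk, so whether it sleeps between checks cannot be seen here.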


@@ -1,5 +1,5 @@
diff --git a/ra/ra.go b/ra/ra.go
index c442fc5a7..050e60c93 100644
index c5cdc0c98..8d34d3325 100644
--- a/ra/ra.go
+++ b/ra/ra.go
@@ -44,7 +44,6 @@ import (
@@ -10,7 +10,7 @@ index c442fc5a7..050e60c93 100644
"github.com/letsencrypt/boulder/probs"
pubpb "github.com/letsencrypt/boulder/publisher/proto"
rapb "github.com/letsencrypt/boulder/ra/proto"
@@ -568,7 +567,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error {
@@ -576,7 +575,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error {
contact,
)
}


@@ -1,18 +1,18 @@
diff --git a/cmd/remoteva/main.go b/cmd/remoteva/main.go
index e83642477..6efab1ca3 100644
index 9ea068fc0..ef77eebfe 100644
--- a/cmd/remoteva/main.go
+++ b/cmd/remoteva/main.go
@@ -18,7 +18,8 @@ import (
type Config struct {
RVA struct {
vaConfig.Common
@@ -37,7 +37,8 @@ type Config struct {
// For more information, see: https://pkg.go.dev/crypto/tls#ClientAuthType
SkipGRPCClientCertVerification bool
- Features features.Config
+ Features features.Config
+ LabCADomains []string
}
Syslog cmd.SyslogConfig
@@ -95,7 +96,8 @@ func main() {
@@ -118,7 +119,8 @@ func main() {
scope,
clk,
logger,


@@ -1,14 +0,0 @@
diff --git a/test/startservers.py b/test/startservers.py
index fcfdc9423..5d19996ad 100644
--- a/test/startservers.py
+++ b/test/startservers.py
@@ -169,6 +169,9 @@ processes = []
challSrvProcess = None
def setupHierarchy():
+ pass
+
+def setupHierarchyOriginal():
"""Set up the issuance hierarchy. Must have called install() before this."""
e = os.environ.copy()
e.setdefault("GOBIN", "%s/bin" % os.getcwd())


@@ -0,0 +1,31 @@
diff --git a/test/certs/generate.sh b/test/certs/generate.sh
index 0b33f8c18..3e447f6f5 100755
--- a/test/certs/generate.sh
+++ b/test/certs/generate.sh
@@ -64,7 +64,7 @@ webpki() (
# script.
cd ../..
mkdir ./test/certs/webpki
- go run ./test/certs/webpki.go
+ # go run ./test/certs/webpki.go
)
if ! [ -d ipki ]; then
@@ -72,6 +72,17 @@ if ! [ -d ipki ]; then
ipki
fi
+end_date=$(openssl x509 -enddate -noout -in ipki/boulder/cert.pem | cut -d= -f2)
+end_date_seconds=$(date -d "$end_date" +%s)
+current_date_seconds=$(date +%s)
+remaining_days=$(( (end_date_seconds - current_date_seconds) / 86400 ))
+if [ $remaining_days -lt 60 ]; then
+ echo "Regenerating ipki/..."
+ [ -d ipki.prev ] && rm -rf ipki.prev
+ mv ipki ipki.prev
+ ipki
+fi
+
if ! [ -d webpki ]; then
echo "Generating webpki/..."
webpki
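Review bot: In the new expiry check, `end_date=$(openssl x509 -enddate -noout -in ipki/boulder/cert.pem | cut -d= -f2)` ignores the pipeline's status, so a missing or unreadable certificate yields an empty `end_date` and the result then rests on whatever `date -d ""` returns (GNU date treats it as today, which happens to trigger a regeneration) rather than on an explicit decision. Make the empty case explicit with `end_date=$(openssl x509 -enddate -noout -in ipki/boulder/cert.pem 2>/dev/null | cut -d= -f2)` followed by `end_date_seconds=$(date -d "${end_date:-@0}" +%s)`, so an unreadable certificate counts as expired; free-form `date -d` is GNU-specific, which is fine on the ubuntu:focal base this build uses. The `60` threshold would read better as a named `min_remaining_days=60`. Commenting out `go run ./test/certs/webpki.go` while keeping `mkdir ./test/certs/webpki` leaves an empty directory that satisfies the `if ! [ -d webpki ]` guard on later runs — presumably intended because LabCA supplies its own web PKI, but that deserves a comment in place of the commented-out command.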


@@ -1,33 +1,30 @@
diff --git a/test/config/ca.json b/test/config/ca.json
index 53ae91f2d..1937e5580 100644
index cbb84f385..ec28cd37d 100644
--- a/test/config/ca.json
+++ b/test/config/ca.json
@@ -59,38 +59,14 @@
@@ -58,18 +58,6 @@
"maxValidityBackdate": "1h5m"
},
"issuers": [
{
- {
- "useForRSALeaves": false,
- "useForECDSALeaves": true,
- "issuerURL": "http://ca.example.org:4502/int-ecdsa-a",
- "ocspURL": "http://ca.example.org:4002/",
- "crlURLBase": "http://ca.example.org:4501/ecdsa-a/",
- "location": {
- "configFile": "/hierarchy/int-ecdsa-a.pkcs11.json",
- "certFile": "/hierarchy/int-ecdsa-a.cert.pem",
- "configFile": "test/certs/webpki/int-ecdsa-a.pkcs11.json",
- "certFile": "test/certs/webpki/int-ecdsa-a.cert.pem",
- "numSessions": 2
- }
- },
- {
{
"useForRSALeaves": true,
"useForECDSALeaves": true,
"issuerURL": "http://ca.example.org:4502/int-rsa-a",
"ocspURL": "http://ca.example.org:4002/",
"crlURLBase": "http://ca.example.org:4501/rsa-a/",
"location": {
- "configFile": "/hierarchy/int-rsa-a.pkcs11.json",
- "certFile": "/hierarchy/int-rsa-a.cert.pem",
- "numSessions": 2
- }
@@ -81,18 +69,6 @@
"certFile": "test/certs/webpki/int-rsa-a.cert.pem",
"numSessions": 2
}
- },
- {
- "useForRSALeaves": false,
@@ -36,10 +33,10 @@ index 53ae91f2d..1937e5580 100644
- "ocspURL": "http://ca.example.org:4003/",
- "crlURLBase": "http://ca.example.org:4501/rsa-b/",
- "location": {
- "configFile": "/hierarchy/int-rsa-b.pkcs11.json",
- "certFile": "/hierarchy/int-rsa-b.cert.pem",
+ "configFile": "test/test-ca.key-pkcs11.json",
+ "certFile": "test/test-ca.pem",
"numSessions": 2
}
- "configFile": "test/certs/webpki/int-rsa-b.pkcs11.json",
- "certFile": "test/certs/webpki/int-rsa-b.cert.pem",
- "numSessions": 2
- }
}
],
"ignoredLints": [