diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index eebe799..cd05d52 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,7 +13,7 @@ jobs: fail-fast: false matrix: GO_VERSION: - - 1.22.2 + - 1.22.3 steps: - name: Checkout diff --git a/README_dockeronly.md b/README_dockeronly.md index 6c90698..fb07658 100644 --- a/README_dockeronly.md +++ b/README_dockeronly.md @@ -9,6 +9,7 @@ The `docker-compose.yml` file is located in the `build` subdirectory for now. Yo git clone https://github.com/hakwerk/labca.git cd labca/build export LABCA_FQDN=labca.example.com +docker compose up bsetup docker compose up -d ``` And to tail the logs, especially if there are any issues: diff --git a/build/Dockerfile-boulder b/build/Dockerfile-boulder index eb171a9..3f7d612 100644 --- a/build/Dockerfile-boulder +++ b/build/Dockerfile-boulder @@ -1,4 +1,4 @@ -FROM letsencrypt/boulder-tools:go1.22.2_2024-04-04 AS boulder-tools +FROM letsencrypt/boulder-tools:go1.22.3_2024-05-13 AS boulder-tools FROM ubuntu:focal @@ -14,6 +14,7 @@ RUN apt-get update && \ COPY --from=boulder-tools /usr/local/bin/sql-migrate /usr/local/bin/sql-migrate COPY --from=boulder-tools /usr/local/bin/pebble-challtestsrv /usr/local/bin/pebble-challtestsrv +COPY --from=boulder-tools /usr/local/bin/minica /usr/local/bin/minica COPY tmp/bin /opt/boulder/bin COPY tmp/src/start.py /opt/boulder RUN sed -i -e "s|./test|./labca|" /opt/boulder/start.py diff --git a/build/build.sh b/build/build.sh index 76c9a93..e2f2f28 100755 --- a/build/build.sh +++ b/build/build.sh 
@@ -8,13 +8,13 @@ TMP_DIR=$(pwd)/tmp rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src} boulderDir=$TMP_DIR/src -boulderTag="release-2024-05-06" +boulderTag="release-2024-05-20" boulderUrl="https://github.com/letsencrypt/boulder/" cloneDir=$(pwd)/.. GIT_VERSION=$(git describe --always --tags 2>/dev/null) BUILD_HOST=labca-$GIT_VERSION -BUILD_IMAGE=$(eval echo $(grep boulder-tools ../patches/docker-compose.patch | head -3 | tail -1 | sed -e "s/\+\s*image://" | sed -e "s/&boulder_image//")) +BUILD_IMAGE=$(eval echo $(grep boulder-tools ../patches/docker-compose.patch | head -3 | tail -1 | sed -e "s/\+\s*image://" | sed -e "s/&boulder_tools_image//")) git clone --branch $boulderTag --depth 1 $boulderUrl $boulderDir 2>/dev/null cd $boulderDir @@ -23,7 +23,7 @@ if [ $boulderTag != "main" ]; then fi if [ "$BUILD_IMAGE" == "" ]; then - BUILD_IMAGE=$(eval echo $(grep boulder-tools $TMP_DIR/src/docker-compose.yml | grep "image:" | head -1 | sed -e "s/image://" | sed -e "s/&boulder_image//")) + BUILD_IMAGE=$(eval echo $(grep boulder-tools $TMP_DIR/src/docker-compose.yml | grep "image:" | head -1 | sed -e "s/image://" | sed -e "s/&boulder_tools_image//")) fi BOULDER_TOOLS_TAG=$(grep go1. $TMP_DIR/src/.github/workflows/boulder-ci.yml | head -1 | sed -e "s/\s*- //") diff --git a/build/docker-compose.yml b/build/docker-compose.yml index 47b0792..23c54a5 100644 --- a/build/docker-compose.yml +++ b/build/docker-compose.yml @@ -22,7 +22,7 @@ services: - boulder_data:/opt/boulder/labca - nginx_html:/opt/wwwstatic - softhsm:/var/lib/softhsm/tokens:cached - - certificates:/hierarchy + - certificates:/opt/boulder/labca/certs networks: bouldernet: ipv4_address: 10.77.77.77 
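Review bot: The rewritten `BUILD_IMAGE=$(eval echo $(grep boulder-tools ../patches/docker-compose.patch | head -3 | tail -1 | ...))` still passes text pulled from a file through `eval`, and with this commit's change to patches/docker-compose.patch (its first hunk now only adds `name: labca`; the `image: ... letsencrypt/boulder-tools:...` lines are gone) the only remaining `boulder-tools` match there appears to be the comment line, so the first lookup seems to yield an empty value and the `@@ -23` fallback over `$TMP_DIR/src/docker-compose.yml` does the real work. If that reading is right, the first lookup can be dropped; either way, the `eval echo` exists only to expand the single `${BOULDER_TOOLS_TAG:-latest}` placeholder, which can be done with a plain parameter substitution on the extracted string instead of evaluating the whole line as shell. The same pattern is repeated in the `@@ -23` hunk.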
@@ -61,6 +61,20 @@ services: max-file: "5" restart: always + bsetup: + image: ghcr.io/hakwerk/labca-boulder:${LABCA_IMAGE_VERSION:-latest} + volumes: + - boulder_data:/opt/boulder/labca + - softhsm:/var/lib/softhsm/tokens:cached + - certificates:/opt/boulder/labca/certs + entrypoint: labca/certs/generate.sh + working_dir: *boulder_working_dir + profiles: + # Adding a profile to this container means that it won't be started by a + # normal "docker compose up/run boulder", only when specifically invoked + # with a "docker compose up bsetup". + - setup + bmysql: image: mariadb:10.5 volumes: diff --git a/build/tmp.patch b/build/tmp.patch index 1e1e362..fd0c8e6 100644 --- a/build/tmp.patch +++ b/build/tmp.patch @@ -1,17 +1,17 @@ diff --git a/docker-compose.yml b/docker-compose.yml -index 176d452e0..d24e8738d 100644 +index 08d29d67c..33503bdfd 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -4,7 +4,7 @@ services: # The `letsencrypt/boulder-tools:latest` tag is automatically built in local # dev environments. In CI a specific BOULDER_TOOLS_TAG is passed, and it is # pulled with `docker compose pull`. -- image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-latest} +- image: &boulder_tools_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-latest} + image: ghcr.io/hakwerk/labca-boulder:${LABCA_IMAGE_VERSION:-latest} build: context: test/boulder-tools/ # Should match one of the GO_CI_VERSIONS in test/boulder-tools/tag_and_upload.sh. -@@ -19,12 +19,10 @@ services: +@@ -19,11 +19,10 @@ services: GOCACHE: /boulder/.gocache/go-build GOFLAGS: -mod=vendor volumes: 
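Review bot: The new `bsetup` service runs `labca/certs/generate.sh` against the same `certificates` and `softhsm` volumes the running `boulder` service uses, but the commit also invokes generate.sh from the patched entrypoint (patches/entrypoint.patch) and weekly from cron (cron_d), and nothing in the compose file says what a repeat run does to already-generated material. A comment above `entrypoint:` stating the re-run contract, e.g. `# generate.sh creates the internal PKI into the certificates/softhsm volumes; confirm it skips existing material before re-running`, would keep `docker compose up bsetup` from being treated as a safe no-op if it is not one. The profile comment is good; consider also noting there that bsetup must run before the first `docker compose up -d`, as README_dockeronly.md now instructs.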
@@ -19,16 +19,15 @@ index 176d452e0..d24e8738d 100644 - - /home/labca/boulder_labca:/opt/boulder/labca - - /home/labca/nginx_data/static:/opt/wwwstatic - - ./.gocache:/root/.cache/go-build:cached -- - ./.hierarchy:/hierarchy/:cached -- - ./.softhsm-tokens/:/var/lib/softhsm/tokens/:cached +- - /home/labca/boulder_labca/certs/.softhsm-tokens/:/var/lib/softhsm/tokens/:cached + - boulder_data:/opt/boulder/labca ++ - certificates:/opt/boulder/labca/certs + - nginx_html:/opt/wwwstatic + - softhsm:/var/lib/softhsm/tokens:cached -+ - certificates:/hierarchy networks: bouldernet: ipv4_address: 10.77.77.77 -@@ -53,6 +51,7 @@ services: +@@ -52,6 +51,7 @@ services: depends_on: - bmysql - bconsul 
@@ -36,27 +35,44 @@ index 176d452e0..d24e8738d 100644 entrypoint: labca/entrypoint.sh working_dir: &boulder_working_dir /opt/boulder logging: -@@ -87,34 +86,37 @@ services: +@@ -62,12 +62,11 @@ services: + restart: always + + bsetup: +- image: *boulder_tools_image ++ image: ghcr.io/hakwerk/labca-boulder:${LABCA_IMAGE_VERSION:-latest} + volumes: +- - .:/opt/boulder:cached +- - /home/labca/boulder_labca:/opt/boulder/labca +- - ./.gocache:/root/.cache/go-build:cached +- - /home/labca/boulder_labca/certs/.softhsm-tokens/:/var/lib/softhsm/tokens/:cached ++ - boulder_data:/opt/boulder/labca ++ - certificates:/opt/boulder/labca/certs ++ - softhsm:/var/lib/softhsm/tokens:cached + entrypoint: labca/certs/generate.sh + working_dir: *boulder_working_dir + profiles: +@@ -101,34 +100,39 @@ services: bconsul: image: hashicorp/consul:1.15.4 + depends_on: + - control volumes: -- - ./test/:/test/:cached +- - /home/labca/boulder_labca:/opt/boulder/labca + - boulder_data:/opt/boulder/labca ++ - certificates:/opt/boulder/labca/certs networks: consulnet: ipv4_address: 10.55.55.10 bouldernet: ipv4_address: 10.77.77.10 -- command: "consul agent -dev -config-format=hcl -config-file=/test/consul/config.hcl" -+ command: "consul agent -dev -config-format=hcl -config-file=/opt/boulder/labca/consul/config.hcl" + command: "consul agent -dev -config-format=hcl -config-file=/opt/boulder/labca/consul/config.hcl" + working_dir: /opt/boulder restart: always gui: -- image: *boulder_image +- image: *boulder_tools_image + image: ghcr.io/hakwerk/labca-gui:${LABCA_IMAGE_VERSION:-latest} networks: - bouldernet @@ -73,6 +89,7 @@ index 176d452e0..d24e8738d 100644 + - nginx_html:/opt/wwwstatic + - backup:/opt/backup + - boulder_data:/opt/boulder/labca ++ - certificates:/opt/boulder/labca/certs expose: - 3000 depends_on: @@ -85,7 +102,7 @@ index 176d452e0..d24e8738d 100644 logging: driver: "json-file" options: -@@ -131,27 +133,26 @@ services: +@@ -145,27 +149,27 @@ services: - 80:80 - 443:443 volumes: 
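Review bot: The `++ - certificates:/opt/boulder/labca/certs` line added under `bconsul` mounts the whole certificates volume read-write into the consul container, although the `consul/config.hcl` rewrite in patch-cfg.sh suggests consul only needs to read its own TLS files from that tree, which per the key paths in patches/config_akamai-purger.patch (`labca/certs/ipki/<service>/key.pem`) also holds the other services' private keys. Mount it read-only, `- certificates:/opt/boulder/labca/certs:ro`, and ideally only the subtree consul's config references, so a misbehaving consul container cannot alter the internal PKI. The same line is added for `gui` in this hunk and for `control` in the next hunk; control likely needs write access since cron_d runs generate.sh there, but `gui` should get `:ro` too unless it writes certificates.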
@@ -99,7 +116,7 @@ index 176d452e0..d24e8738d 100644 + - control control: -- image: *boulder_image +- image: *boulder_tools_image + image: ghcr.io/hakwerk/labca-control:${LABCA_IMAGE_VERSION:-latest} networks: - bouldernet @@ -121,13 +138,14 @@ index 176d452e0..d24e8738d 100644 + - backup:/opt/backup + - logs:/opt/logs + - boulder_data:/opt/boulder/labca ++ - certificates:/opt/boulder/labca/certs + - nginx_conf:/etc/nginx/conf.d + - nginx_ssl:/etc/nginx/ssl + - nginx_html:/var/www/html expose: - 3030 environment: -@@ -162,6 +163,15 @@ services: +@@ -176,6 +180,15 @@ services: volumes: dbdata: diff --git a/build/tmp2.patch b/build/tmp2.patch index 195f242..4e4e387 100644 --- a/build/tmp2.patch +++ b/build/tmp2.patch @@ -2,9 +2,9 @@ diff --git a/test/startservers.py b/test/startservers.py index 5d19996ad..e1ccf8f45 100644 --- a/test/startservers.py +++ b/test/startservers.py -@@ -183,6 +183,9 @@ def setupHierarchyOriginal(): - - +@@ -169,6 +169,9 @@ processes = [] + challSrvProcess = None + def install(race_detection): + return True + diff --git a/control_do.sh b/control_do.sh index ef08220..112c0e2 100755 --- a/control_do.sh +++ b/control_do.sh @@ -22,6 +22,7 @@ get_fqdn() { setup_boulder_data() { cp -rp /opt/staging/boulder_labca/* /opt/boulder/labca/ + cp -rp /opt/staging/boulder_labca/certs/* /opt/boulder/labca/certs/ cd /opt/boulder/labca diff --git a/cron_d b/cron_d index 7790c33..cbf8a58 100644 --- a/cron_d +++ b/cron_d @@ -4,5 +4,6 @@ PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin 1 7 * * * root /opt/labca/mailer &>>/opt/logs/cron.log 5 7 * * * root /opt/labca/checkrenew &>>/opt/logs/cron.log +7 7 * * Sun root /opt/boulder/labca/certs/generate.sh &>>/opt/logs/cron.log 11 7 * * Mon root /opt/labca/backup cron &>>/opt/logs/cron.log */5 * * * * root /opt/labca/checkcrl &>>/opt/logs/cron.log diff --git a/gui/apply-boulder b/gui/apply-boulder index b2e58d6..c338e23 100755 --- a/gui/apply-boulder +++ b/gui/apply-boulder 
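Review bot: The added `cp -rp /opt/staging/boulder_labca/certs/* /opt/boulder/labca/certs/` in control_do.sh looks redundant with the preceding `cp -rp /opt/staging/boulder_labca/* /opt/boulder/labca/`, which already descends into `certs/` when `/opt/boulder/labca/certs` exists as a directory (as it will once the certificates volume is mounted there). If the second copy is intentional, a one-line comment above it saying why would stop it being removed as a duplicate; note also that both copies overwrite same-named files already present in the volume. `setup_boulder_data` continues outside the hunk.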
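Review bot: The new cron line runs `/opt/boulder/labca/certs/generate.sh` every Sunday inside whichever container hosts this crontab, but nothing in the commit shows that container has `minica` available (this commit copies it only into the image built by build/Dockerfile-boulder) or that the Boulder services are restarted afterwards to pick up regenerated internal certificates. If generate.sh only fills in missing material, say so above the line, e.g. `# re-create any missing internal (ipki) certs; no-op when they already exist`; if it regenerates unconditionally, a restart step belongs here too. A failed weekly run is otherwise only visible in cron.log.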
@@ -239,7 +239,7 @@ if [ -e $PKI_ROOT_CERT_BASE.pem ]; then cp -p $PKI_ROOT_CERT_BASE.pem test-root.pem fi -chown -R `ls -l PKI.md | cut -d" " -f 3,4 | sed 's/ /:/g'` . +chown -R `ls -l example-weak-keys.json | cut -d" " -f 3,4 | sed 's/ /:/g'` . if [ -e $PKI_INT_CERT_BASE.key ] && [ -e $PKI_ROOT_CERT_BASE.pem ]; then [ -f setup_complete ] || touch setup_complete diff --git a/install b/install index 00c136b..7095854 100755 --- a/install +++ b/install @@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0" labcaUrl="https://github.com/hakwerk/labca/" boulderUrl="https://github.com/letsencrypt/boulder/" -boulderTag="release-2024-05-06" +boulderTag="release-2024-05-20" # Feature flags flag_skip_redis=true @@ -562,6 +562,8 @@ get_boulder() { cd "$boulderDir" chown -R labca:labca . rm -rf bin/orphan-finder bin/validate + mkdir -p $baseDir/backup + [ ! -d .softhsm-tokens ] || mv .softhsm-tokens $baseDir/backup/ &>>$installLog sudo -u labca -H git reset --hard HEAD^1 &>>$installLog fi @@ -798,6 +800,8 @@ startup() { docker run --rm -v boulder_dbdata:/old -v labca_dbdata:/new $dimg bash -c "cp -R /old/* /new/" &>>$installLog fi + [ ! -d $baseDir/backup/.softhsm-tokens ] || mkdir -p $boulderLabCADir/certs/; mv $baseDir/backup/.softhsm-tokens $boulderLabCADir/certs/ &>>$installLog + COMPOSE_HTTP_TIMEOUT=180 docker compose up -d &>>$installLog wait_up $PS_NGINX &>>$installLog || true diff --git a/patch-cfg.sh b/patch-cfg.sh index b712bb4..04a2fb1 100755 --- a/patch-cfg.sh +++ b/patch-cfg.sh 
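Review bot: The changed `chown -R \`ls -l example-weak-keys.json | cut -d" " -f 3,4 | sed 's/ /:/g'\` .` still derives the owner by parsing `ls -l` output, which breaks on usernames containing spaces and, if `example-weak-keys.json` is absent (the reference file just changed from PKI.md, so it can drift again), expands to nothing and turns `.` into the owner argument. Use `stat` and fail loudly instead: `chown -R "$(stat -c '%U:%G' example-weak-keys.json)" .`, preferably behind an `[ -e example-weak-keys.json ]` guard. The surrounding script begins and ends outside the hunk.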
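Review bot: In the install `@@ -798` hunk the `;` ends the conditional list, so `mv $baseDir/backup/.softhsm-tokens $boulderLabCADir/certs/` runs unconditionally; only the `mkdir -p` is guarded by the `[ ! -d ... ] ||` test, and when no backup exists the mv simply fails into the install log. Write it as one guarded block: `if [ -d "$baseDir/backup/.softhsm-tokens" ]; then mkdir -p "$boulderLabCADir/certs/"; mv "$baseDir/backup/.softhsm-tokens" "$boulderLabCADir/certs/" &>>$installLog; fi`. Also check the destination first: if `$boulderLabCADir/certs/.softhsm-tokens` already exists (freshly generated tokens), `mv` nests the backup inside it instead of restoring it. `startup()` starts outside the hunk.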
@@ -15,8 +15,6 @@ boulderLabCADir="${2:-labca}" $SUDO patch -p1 -o "$boulderLabCADir/entrypoint.sh" < $cloneDir/patches/entrypoint.patch cp test/startservers.py "$boulderLabCADir/startservers.py" -$SUDO patch -p1 -o "$boulderLabCADir/config/ca.json" < $cloneDir/patches/test_config_ca.patch - $SUDO patch -p1 -o "$boulderLabCADir/config/expiration-mailer.json" < $cloneDir/patches/config_expiration-mailer.patch $SUDO patch -p1 -o "$boulderLabCADir/config/notify-mailer.json" < $cloneDir/patches/config_notify-mailer.patch $SUDO patch -p1 -o "$boulderLabCADir/config/bad-key-revoker.json" < $cloneDir/patches/config_bad-key-revoker.patch @@ -25,8 +23,11 @@ $SUDO patch -p1 -o "$boulderLabCADir/config/publisher.json" < $cloneDir/patches/ $SUDO patch -p1 -o "$boulderLabCADir/config/wfe2.json" < $cloneDir/patches/config_wfe2.patch $SUDO patch -p1 -o "$boulderLabCADir/config/crl-storer.json" < $cloneDir/patches/config_crl-storer.patch $SUDO patch -p1 -o "$boulderLabCADir/config/crl-updater.json" < $cloneDir/patches/config_crl-updater.patch +$SUDO patch -p1 -o "$boulderLabCADir/config/ca.json" < $cloneDir/patches/test_config_ca.patch $SUDO patch -p1 -o "$boulderLabCADir/config/ra.json" < $cloneDir/patches/config_ra.patch $SUDO patch -p1 -o "$boulderLabCADir/config/akamai-purger.json" < $cloneDir/patches/config_akamai-purger.patch +$SUDO patch -p1 -o "$boulderLabCADir/certs/generate.sh" < $cloneDir/patches/test_certs_generate.patch +chmod +x $boulderLabCADir/certs/generate.sh cp test/config/va*.json "$boulderLabCADir/config/" perl -i -p0e "s/\"dnsProvider\": \{.*?\t\t},/\"dnsStaticResolvers\": [\n\t\t\t\"127.0.0.1:8053\",\n\t\t\t\"127.0.0.1:8054\"\n\t\t],/igs" $boulderLabCADir/config/va.json 
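Review bot: In the `@@ -25` hunk the new `chmod +x $boulderLabCADir/certs/generate.sh` is the only write in this block that does not go through `$SUDO`; when `$SUDO` is non-empty the preceding `$SUDO patch -p1 -o "$boulderLabCADir/certs/generate.sh"` creates a root-owned file and the unprivileged chmod fails with EPERM. Change it to `$SUDO chmod +x "$boulderLabCADir/certs/generate.sh"`. This also assumes `$boulderLabCADir/certs` already exists when `patch -o` runs; if that directory is only created by a later step, the patch call fails first.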
@@ -51,22 +52,23 @@ sed -i -e "s/test-ca2.pem/test-ca.pem/" config/ocsp-responder.json sed -i -e "s/test-ca2.pem/test-ca.pem/" config/publisher.json sed -i -e "s/test-ca2.pem/test-ca.pem/" config/ra.json sed -i -e "s/test-ca2.pem/test-ca.pem/" config/wfe2.json -sed -i -e "s|/hierarchy/int-rsa-a.cert.pem|labca/test-ca.pem|" config/akamai-purger.json -sed -i -e "s|/hierarchy/int-rsa-a.cert.pem|labca/test-ca.pem|" config/ocsp-responder.json -sed -i -e "s|/hierarchy/int-rsa-a.cert.pem|labca/test-ca.pem|" config/publisher.json -sed -i -e "s|/hierarchy/int-rsa-a.cert.pem|labca/test-ca.pem|" config/ra.json -sed -i -e "s|/hierarchy/int-rsa-a.cert.pem|labca/test-ca.pem|" config/wfe2.json -sed -i -e "s|/hierarchy/int-rsa-a.cert.pem|labca/test-ca.pem|" config/crl-storer.json -sed -i -e "s|/hierarchy/int-rsa-a.cert.pem|labca/test-ca.pem|" config/crl-updater.json -sed -i -e "s|/hierarchy/int-rsa-a.cert.pem|labca/test-ca.pem|" config/ra.json -sed -i -e "s|/hierarchy/int-rsa-a.cert.pem|labca/test-ca.pem|" v2_integration.py -sed -i -e "s|/hierarchy/root-rsa.cert.pem|labca/test-root.pem|" cert-ceremonies/root-ceremony-rsa.yaml -sed -i -e "s|/hierarchy/root-rsa.cert.pem|labca/test-root.pem|" cert-ceremonies/root-crl-rsa.yaml -sed -i -e "s|/hierarchy/root-rsa.cert.pem|labca/test-root.pem|" cert-ceremonies/intermediate-cert-ceremony-rsa.yaml -sed -i -e "s|/hierarchy/root-rsa.cert.pem|labca/test-root.pem|" config/publisher.json -sed -i -e "s|/hierarchy/root-rsa.cert.pem|labca/test-root.pem|" config/wfe2.json -sed -i -e "s|/hierarchy/root-rsa.cert.pem|labca/test-root.pem|" integration-test.py -sed -i -e "s|/hierarchy/root-rsa.cert.pem|labca/test-root.pem|" helpers.py +sed -i -e "s|test/certs/webpki/int-rsa-a.cert.pem|labca/test-ca.pem|" config/akamai-purger.json +sed -i -e "s|test/certs/webpki/int-rsa-a.cert.pem|labca/test-ca.pem|" config/ocsp-responder.json +sed -i -e "s|test/certs/webpki/int-rsa-a.cert.pem|labca/test-ca.pem|" config/publisher.json +sed -i -e 
"s|test/certs/webpki/int-rsa-a.cert.pem|labca/test-ca.pem|" config/ca.json +sed -i -e "s|test/certs/webpki/int-rsa-a.cert.pem|labca/test-ca.pem|" config/wfe2.json +sed -i -e "s|test/certs/webpki/int-rsa-a.cert.pem|labca/test-ca.pem|" config/crl-storer.json +sed -i -e "s|test/certs/webpki/int-rsa-a.cert.pem|labca/test-ca.pem|" config/crl-updater.json +sed -i -e "s|test/certs/webpki/int-rsa-a.cert.pem|labca/test-ca.pem|" config/ra.json +sed -i -e "s|test/certs/webpki/int-rsa-a.cert.pem|labca/test-ca.pem|" v2_integration.py +sed -i -e "s|test/certs/webpki/int-rsa-a.pkcs11.json|labca/test-ca.key-pkcs11.json|" config/ca.json +sed -i -e "s|test/certs/webpki/root-rsa.cert.pem|labca/test-root.pem|" certs/root-ceremony-rsa.yaml +sed -i -e "s|test/certs/webpki/root-rsa.cert.pem|labca/test-root.pem|" certs/root-crl-rsa.yaml +sed -i -e "s|test/certs/webpki/root-rsa.cert.pem|labca/test-root.pem|" certs/intermediate-cert-ceremony-rsa.yaml +sed -i -e "s|test/certs/webpki/root-rsa.cert.pem|labca/test-root.pem|" config/publisher.json +sed -i -e "s|test/certs/webpki/root-rsa.cert.pem|labca/test-root.pem|" config/wfe2.json +sed -i -e "s|test/certs/webpki/root-rsa.cert.pem|labca/test-root.pem|" integration-test.py +sed -i -e "s|test/certs/webpki/root-rsa.cert.pem|labca/test-root.pem|" helpers.py sed -i -e "s|letsencrypt/boulder|hakwerk/labca|" config/wfe2.json sed -i -e "s|1.2.3.4|1.3.6.1.4.1.44947.1.1.1|g" config/ca.json sed -i -e "s/ocspURL.Path = encodedReq/ocspURL.Path += encodedReq/" ocsp/helper/helper.go @@ -82,6 +84,8 @@ sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/remoteva-b.json sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/va-remote-a.json sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/va-remote-b.json +sed -i -e "s|test/certs|/opt/boulder/labca/certs|" consul/config.hcl + if [ "$flag_skip_redis" == true ]; then sed -i -e "s/^\(.*wait-for-it.sh.*4218\)/#\1/" entrypoint.sh fi 
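Review bot: Every `sed -i -e "s|test/certs/webpki/...|labca/...|"` line in the `@@ -51` hunk silently does nothing when its pattern is absent, which is exactly how the old `/hierarchy/` substitutions went stale until this commit caught up with upstream's layout change. After the block, assert that nothing was missed, e.g. `! grep -rl 'test/certs/webpki' config/ *.py certs/ || { echo "unpatched upstream PKI paths remain"; exit 1; }`, so the next upstream rename fails the build instead of leaving services pointed at the test PKI. The same applies to the new `consul/config.hcl` substitution in the `@@ -82` hunk.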
diff --git a/patch.sh b/patch.sh index 93760b2..2a7c402 100755 --- a/patch.sh +++ b/patch.sh @@ -47,7 +47,6 @@ $SUDO patch -p1 < $cloneDir/patches/ra_ra.patch $SUDO patch -p1 < $cloneDir/patches/ratelimit_rate-limits.patch $SUDO patch -p1 < $cloneDir/patches/ratelimits_names.patch $SUDO patch -p1 < $cloneDir/patches/remoteva_main.patch -$SUDO patch -p1 < $cloneDir/patches/startservers.patch if [ "$SUDO" == "" ]; then # TODO: should include this into startservers.patch $SUDO patch -p1 < $cloneDir/build/tmp2.patch diff --git a/patches/config_akamai-purger.patch b/patches/config_akamai-purger.patch index 9cc66b3..8f1acc8 100644 --- a/patches/config_akamai-purger.patch +++ b/patches/config_akamai-purger.patch @@ -2,14 +2,20 @@ diff --git a/test/config/akamai-purger.json b/test/config/akamai-purger.json index 62c5b4cc9..2c39d70cb 100644 --- a/test/config/akamai-purger.json +++ b/test/config/akamai-purger.json -@@ -13,6 +13,10 @@ - "certFile": "test/grpc-creds/akamai-purger.boulder/cert.pem", - "keyFile": "test/grpc-creds/akamai-purger.boulder/key.pem" - }, +@@ -9,9 +9,13 @@ + "accessToken": "idk-how-this-is-different-from-client-token-but-okay", + "v3Network": "staging", + "tls": { +- "caCertfile": "test/certs/ipki/minica.pem", +- "certFile": "test/certs/ipki/akamai-purger.boulder/cert.pem", +- "keyFile": "test/certs/ipki/akamai-purger.boulder/key.pem" ++ "caCertfile": "labca/certs/ipki/minica.pem", ++ "certFile": "labca/certs/ipki/akamai-purger.boulder/cert.pem", ++ "keyFile": "labca/certs/ipki/akamai-purger.boulder/key.pem" ++ }, + "throughput": { + "queueEntriesPerBatch": 5, + "purgeBatchInterval": "5m" -+ }, + }, "grpc": { "address": ":9099", - "maxConnectionAge": "30s", diff --git a/patches/config_bad-key-revoker.patch b/patches/config_bad-key-revoker.patch index 27eee0b..11b12ad 100644 --- a/patches/config_bad-key-revoker.patch +++ b/patches/config_bad-key-revoker.patch 
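Review bot: Removing `$SUDO patch -p1 < $cloneDir/patches/startservers.patch` leaves the context line `# TODO: should include this into startservers.patch` pointing at a file this same commit deletes (patches/startservers.patch), so the note no longer describes anything real. Reword it to state the current intent, e.g. `# TODO: fold build/tmp2.patch into a maintained patch under patches/ (startservers.patch was dropped)`.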
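Review bot: The rewritten patches/config_akamai-purger.patch is the only config patch on this page that rewrites the `tls` paths to `labca/certs/ipki/...`; the sibling patches for bad-key-revoker, expiration-mailer, ocsp-responder and ra keep `test/certs/ipki/minica.pem` as unchanged context. Unless a later step rewrites `test/` to `labca/` for every config (none is visible in this diff), either akamai-purger is the only service that will find its gRPC credentials in the labca certs tree, or it is the one that diverges from a rewrite the others rely on. A comment in the patch, or a note in patch-cfg.sh, stating which mechanism resolves the ipki paths would settle it.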
@@ -14,8 +14,8 @@ index f4696dc2..b9c19ce3 100644 + "dnsTimeout": "3s", + "dnsAllowLoopbackAddresses": true, "tls": { - "caCertFile": "test/grpc-creds/minica.pem", - "certFile": "test/grpc-creds/bad-key-revoker.boulder/cert.pem", + "caCertFile": "test/certs/ipki/minica.pem", + "certFile": "test/certs/ipki/bad-key-revoker.boulder/cert.pem", @@ -32,7 +39,7 @@ }, "maximumRevocations": 15, diff --git a/patches/config_ca.patch b/patches/config_ca.patch new file mode 100644 index 0000000..14ad5e3 --- /dev/null +++ b/patches/config_ca.patch @@ -0,0 +1,42 @@ +diff --git a/test/config/ca.json b/test/config/ca.json +index cbb84f385..ec28cd37d 100644 +--- a/test/config/ca.json ++++ b/test/config/ca.json +@@ -58,18 +58,6 @@ + "maxValidityBackdate": "1h5m" + }, + "issuers": [ +- { +- "useForRSALeaves": false, +- "useForECDSALeaves": true, +- "issuerURL": "http://ca.example.org:4502/int-ecdsa-a", +- "ocspURL": "http://ca.example.org:4002/", +- "crlURLBase": "http://ca.example.org:4501/ecdsa-a/", +- "location": { +- "configFile": "test/certs/webpki/int-ecdsa-a.pkcs11.json", +- "certFile": "test/certs/webpki/int-ecdsa-a.cert.pem", +- "numSessions": 2 +- } +- }, + { + "useForRSALeaves": true, + "useForECDSALeaves": true, +@@ -81,18 +69,6 @@ + "certFile": "test/certs/webpki/int-rsa-a.cert.pem", + "numSessions": 2 + } +- }, +- { +- "useForRSALeaves": false, +- "useForECDSALeaves": false, +- "issuerURL": "http://ca.example.org:4502/int-rsa-b", +- "ocspURL": "http://ca.example.org:4003/", +- "crlURLBase": "http://ca.example.org:4501/rsa-b/", +- "location": { +- "configFile": "test/certs/webpki/int-rsa-b.pkcs11.json", +- "certFile": "test/certs/webpki/int-rsa-b.cert.pem", +- "numSessions": 2 +- } + } + ], + "ignoredLints": [ diff --git a/patches/config_crl-storer.patch b/patches/config_crl-storer.patch index 1c1c087..7e9009e 100644 --- a/patches/config_crl-storer.patch +++ b/patches/config_crl-storer.patch 
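Review bot: The new patches/config_ca.patch is not applied by any line in this diff: patch-cfg.sh still applies `patches/test_config_ca.patch` to `config/ca.json` (just moved later in its `@@ -25` hunk), and patch.sh's visible hunk does not reference the new file. If it is applied by patch.sh outside the shown lines, fine; if it is meant to supersede test_config_ca.patch, patch-cfg.sh needs the new name, otherwise the file is dead. Its content leaves a single `int-rsa-a` issuer with `useForECDSALeaves: true`, which matches the single-issuer lists in the crl-storer, crl-updater, ocsp-responder and ra patches.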
@@ -6,10 +6,10 @@ index ef70c2ffc..a53b75d86 100644 } }, "issuerCerts": [ -- "/hierarchy/int-rsa-a.cert.pem", -- "/hierarchy/int-rsa-b.cert.pem", -- "/hierarchy/int-ecdsa-a.cert.pem" -+ "/hierarchy/int-rsa-a.cert.pem" +- "test/certs/webpki/int-rsa-a.cert.pem", +- "test/certs/webpki/int-rsa-b.cert.pem", +- "test/certs/webpki/int-ecdsa-a.cert.pem" ++ "test/certs/webpki/int-rsa-a.cert.pem" ], + "localStorePath": "/opt/wwwstatic/crl", "s3Endpoint": "http://localhost:4501", diff --git a/patches/config_crl-updater.patch b/patches/config_crl-updater.patch index 9c9fb44..9b97206 100644 --- a/patches/config_crl-updater.patch +++ b/patches/config_crl-updater.patch @@ -6,10 +6,10 @@ index f6b70123f..a6c1471e5 100644 "hostOverride": "crl-storer.boulder" }, "issuerCerts": [ -- "/hierarchy/int-rsa-a.cert.pem", -- "/hierarchy/int-rsa-b.cert.pem", -- "/hierarchy/int-ecdsa-a.cert.pem" -+ "/hierarchy/int-rsa-a.cert.pem" +- "test/certs/webpki/int-rsa-a.cert.pem", +- "test/certs/webpki/int-rsa-b.cert.pem", +- "test/certs/webpki/int-ecdsa-a.cert.pem" ++ "test/certs/webpki/int-rsa-a.cert.pem" ], - "numShards": 10, - "shardWidth": "240h", diff --git a/patches/config_expiration-mailer.patch b/patches/config_expiration-mailer.patch index 0423265..5df6e11 100644 --- a/patches/config_expiration-mailer.patch +++ b/patches/config_expiration-mailer.patch @@ -14,5 +14,5 @@ index 3b813060..6c709172 100644 + "dnsTimeout": "3s", + "dnsAllowLoopbackAddresses": true, "tls": { - "caCertFile": "test/grpc-creds/minica.pem", - "certFile": "test/grpc-creds/expiration-mailer.boulder/cert.pem", + "caCertFile": "test/certs/ipki/minica.pem", + "certFile": "test/certs/ipki/expiration-mailer.boulder/cert.pem", diff --git a/patches/config_ocsp-responder.patch b/patches/config_ocsp-responder.patch index 42f7616..8ba1b3d 100644 --- a/patches/config_ocsp-responder.patch +++ b/patches/config_ocsp-responder.patch 
@@ -17,22 +17,22 @@ index bfea858d..fecea919 100644 - "poolSize": 100, - "routeRandomly": true, - "tls": { -- "caCertFile": "test/redis-tls/minica.pem", -- "certFile": "test/redis-tls/boulder/cert.pem", -- "keyFile": "test/redis-tls/boulder/key.pem" +- "caCertFile": "test/certs/ipki/minica.pem", +- "certFile": "test/certs/ipki/ocsp-responder.boulder/cert.pem", +- "keyFile": "test/certs/ipki/ocsp-responder.boulder/key.pem" - } - }, "tls": { - "caCertFile": "test/grpc-creds/minica.pem", - "certFile": "test/grpc-creds/ocsp-responder.boulder/cert.pem", + "caCertFile": "test/certs/ipki/minica.pem", + "certFile": "test/certs/ipki/ocsp-responder.boulder/cert.pem", @@ -49,9 +33,7 @@ "path": "/", "listenAddress": "0.0.0.0:4002", "issuerCerts": [ -- "/hierarchy/int-rsa-a.cert.pem", -- "/hierarchy/int-rsa-b.cert.pem", -- "/hierarchy/int-ecdsa-a.cert.pem" -+ "/hierarchy/int-rsa-a.cert.pem" +- "test/certs/webpki/int-rsa-a.cert.pem", +- "test/certs/webpki/int-rsa-b.cert.pem", +- "test/certs/webpki/int-ecdsa-a.cert.pem" ++ "test/certs/webpki/int-rsa-a.cert.pem" ], "liveSigningPeriod": "60h", "timeout": "4.9s", diff --git a/patches/config_publisher.patch b/patches/config_publisher.patch index a552799..f54d7ba 100644 --- a/patches/config_publisher.patch +++ b/patches/config_publisher.patch @@ -4,20 +4,20 @@ index 6e0337c..1e5ed7b 100644 +++ b/test/config/publisher.json 
@@ -6,18 +6,6 @@ [ - "/hierarchy/int-rsa-a.cert.pem", - "/hierarchy/root-rsa.cert.pem" + "test/certs/webpki/int-rsa-a.cert.pem", + "test/certs/webpki/root-rsa.cert.pem" - ], - [ -- "/hierarchy/int-rsa-b.cert.pem", -- "/hierarchy/root-rsa.cert.pem" +- "test/certs/webpki/int-rsa-b.cert.pem", +- "test/certs/webpki/root-rsa.cert.pem" - ], - [ -- "/hierarchy/int-ecdsa-a.cert.pem", -- "/hierarchy/root-ecdsa.cert.pem" +- "test/certs/webpki/int-ecdsa-a.cert.pem", +- "test/certs/webpki/root-ecdsa.cert.pem" - ], - [ -- "/hierarchy/int-ecdsa-b.cert.pem", -- "/hierarchy/root-ecdsa.cert.pem" +- "test/certs/webpki/int-ecdsa-b.cert.pem", +- "test/certs/webpki/root-ecdsa.cert.pem" ] ], "debugAddr": ":8009", diff --git a/patches/config_ra.patch b/patches/config_ra.patch index 0fe8b78..cd4c0c3 100644 --- a/patches/config_ra.patch +++ b/patches/config_ra.patch @@ -6,10 +6,10 @@ index 6f0baae9..6ad0f08c 100644 }, "orderLifetime": "168h", "issuerCerts": [ -- "/hierarchy/int-rsa-a.cert.pem", -- "/hierarchy/int-rsa-b.cert.pem", -- "/hierarchy/int-ecdsa-a.cert.pem" -+ "/hierarchy/int-rsa-a.cert.pem" +- "test/certs/webpki/int-rsa-a.cert.pem", +- "test/certs/webpki/int-rsa-b.cert.pem", +- "test/certs/webpki/int-ecdsa-a.cert.pem" ++ "test/certs/webpki/int-rsa-a.cert.pem" ], "tls": { - "caCertFile": "test/grpc-creds/minica.pem", + "caCertFile": "test/certs/ipki/minica.pem", diff --git a/patches/config_wfe2.patch b/patches/config_wfe2.patch index 8942ae3..9776650 100644 --- a/patches/config_wfe2.patch +++ b/patches/config_wfe2.patch @@ -4,28 +4,28 @@ index c0093044..e8ba4263 100644 +++ b/test/config/wfe2.json 
@@ -79,26 +79,6 @@ [ - "/hierarchy/int-rsa-a.cert.pem", - "/hierarchy/root-rsa.cert.pem" + "test/certs/webpki/int-rsa-a.cert.pem", + "test/certs/webpki/root-rsa.cert.pem" - ], - [ -- "/hierarchy/int-rsa-b.cert.pem", -- "/hierarchy/root-rsa.cert.pem" +- "test/certs/webpki/int-rsa-b.cert.pem", +- "test/certs/webpki/root-rsa.cert.pem" - ], - [ -- "/hierarchy/int-ecdsa-a.cert.pem", -- "/hierarchy/root-ecdsa.cert.pem" +- "test/certs/webpki/int-ecdsa-a.cert.pem", +- "test/certs/webpki/root-ecdsa.cert.pem" - ], - [ -- "/hierarchy/int-ecdsa-b.cert.pem", -- "/hierarchy/root-ecdsa.cert.pem" +- "test/certs/webpki/int-ecdsa-b.cert.pem", +- "test/certs/webpki/root-ecdsa.cert.pem" - ], - [ -- "/hierarchy/int-ecdsa-a-cross.cert.pem", -- "/hierarchy/root-rsa.cert.pem" +- "test/certs/webpki/int-ecdsa-a-cross.cert.pem", +- "test/certs/webpki/root-rsa.cert.pem" - ], - [ -- "/hierarchy/int-ecdsa-b-cross.cert.pem", -- "/hierarchy/root-rsa.cert.pem" +- "test/certs/webpki/int-ecdsa-b-cross.cert.pem", +- "test/certs/webpki/root-rsa.cert.pem" ] ], "staleTimeout": "5m", diff --git a/patches/docker-compose-redis.patch b/patches/docker-compose-redis.patch index 00e3458..cb691a8 100644 --- a/patches/docker-compose-redis.patch +++ b/patches/docker-compose-redis.patch @@ -1,8 +1,8 @@ diff --git a/docker-compose.yml b/docker-compose.yml -index b7dc73ed4..235330460 100644 +index f25309579..79ed8c4e4 100644 --- a/docker-compose.yml +++ b/docker-compose.yml -@@ -27,8 +27,6 @@ services: +@@ -26,8 +26,6 @@ services: ipv4_address: 10.77.77.77 integrationtestnet: ipv4_address: 10.88.88.88 @@ -11,7 +11,7 @@ index b7dc73ed4..235330460 100644 consulnet: ipv4_address: 10.55.55.55 # Use consul as a backup to Docker's embedded DNS server. If there's a name -@@ -52,10 +50,6 @@ services: +@@ -51,10 +49,6 @@ services: depends_on: - bmysql - bproxysql 
@@ -22,7 +22,7 @@ index b7dc73ed4..235330460 100644 - bconsul - bjaeger - bpkilint -@@ -94,42 +88,6 @@ services: +@@ -107,42 +101,6 @@ services: aliases: - boulder-proxysql @@ -65,7 +65,7 @@ index b7dc73ed4..235330460 100644 bconsul: image: hashicorp/consul:1.15.4 volumes: -@@ -181,13 +139,6 @@ networks: +@@ -194,13 +152,6 @@ networks: config: - subnet: 10.88.88.0/24 diff --git a/patches/docker-compose.patch b/patches/docker-compose.patch index d889d42..5198d5b 100644 --- a/patches/docker-compose.patch +++ b/patches/docker-compose.patch @@ -1,20 +1,13 @@ diff --git a/docker-compose.yml b/docker-compose.yml -index 235330460..176d452e0 100644 +index 79ed8c4e4..08d29d67c 100644 --- a/docker-compose.yml +++ b/docker-compose.yml -@@ -1,9 +1,10 @@ +@@ -1,3 +1,4 @@ +name: labca services: boulder: # The `letsencrypt/boulder-tools:latest` tag is automatically built in local - # dev environments. In CI a specific BOULDER_TOOLS_TAG is passed, and it is - # pulled with `docker compose pull`. -- image: letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-latest} -+ image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-latest} - build: - context: test/boulder-tools/ - # Should match one of the GO_CI_VERSIONS in test/boulder-tools/tag_and_upload.sh. -@@ -14,11 +15,13 @@ services: +@@ -14,13 +15,15 @@ services: # to the IP address where your ACME client's solver is listening. # FAKE_DNS: 172.17.0.1 FAKE_DNS: 10.77.77.77 
@@ -28,9 +21,12 @@ index 235330460..176d452e0 100644 + - /home/labca/boulder_labca:/opt/boulder/labca + - /home/labca/nginx_data/static:/opt/wwwstatic - ./.gocache:/root/.cache/go-build:cached - - ./.hierarchy:/hierarchy/:cached - - ./.softhsm-tokens/:/var/lib/softhsm/tokens/:cached -@@ -49,15 +52,20 @@ services: +- - ./test/certs/.softhsm-tokens/:/var/lib/softhsm/tokens/:cached ++ - /home/labca/boulder_labca/certs/.softhsm-tokens/:/var/lib/softhsm/tokens/:cached + networks: + bouldernet: + ipv4_address: 10.77.77.77 +@@ -48,20 +51,24 @@ services: - 4003:4003 # OCSP depends_on: - bmysql @@ -49,6 +45,22 @@ index 235330460..176d452e0 100644 + max-file: "5" + restart: always + bsetup: + image: *boulder_tools_image + volumes: +- - .:/boulder:cached ++ - .:/opt/boulder:cached ++ - /home/labca/boulder_labca:/opt/boulder/labca + - ./.gocache:/root/.cache/go-build:cached +- - ./test/certs/.softhsm-tokens/:/var/lib/softhsm/tokens/:cached +- entrypoint: test/certs/generate.sh ++ - /home/labca/boulder_labca/certs/.softhsm-tokens/:/var/lib/softhsm/tokens/:cached ++ entrypoint: labca/certs/generate.sh + working_dir: *boulder_working_dir + profiles: + # Adding a profile to this container means that it won't be started by a +@@ -71,6 +78,8 @@ services: + bmysql: image: mariadb:10.5 + volumes: @@ -56,7 +68,7 @@ index 235330460..176d452e0 100644 networks: bouldernet: aliases: -@@ -71,22 +79,11 @@ services: +@@ -84,46 +93,89 @@ services: # small. command: mysqld --bind-address=0.0.0.0 --slow-query-log --log-output=TABLE --log-queries-not-using-indexes=ON logging: 
@@ -84,16 +96,22 @@ index 235330460..176d452e0 100644 bconsul: image: hashicorp/consul:1.15.4 -@@ -98,19 +95,73 @@ services: + volumes: +- - ./test/:/test/:cached ++ - /home/labca/boulder_labca:/opt/boulder/labca + networks: + consulnet: + ipv4_address: 10.55.55.10 bouldernet: ipv4_address: 10.77.77.10 - command: "consul agent -dev -config-format=hcl -config-file=/test/consul/config.hcl" +- command: "consul agent -dev -config-format=hcl -config-file=/test/consul/config.hcl" ++ command: "consul agent -dev -config-format=hcl -config-file=/opt/boulder/labca/consul/config.hcl" + restart: always - bjaeger: - image: jaegertracing/all-in-one:1.50 + gui: -+ image: *boulder_image ++ image: *boulder_tools_image networks: - bouldernet: - ipv4_address: 10.77.77.17 @@ -138,7 +156,7 @@ index 235330460..176d452e0 100644 + - /home/labca/nginx_data/static:/var/www/html + + control: -+ image: *boulder_image ++ image: *boulder_tools_image + networks: + - bouldernet + volumes: diff --git a/patches/entrypoint.patch b/patches/entrypoint.patch index c8859ea..3bc65cd 100644 --- a/patches/entrypoint.patch +++ b/patches/entrypoint.patch @@ -1,17 +1,20 @@ diff --git a/test/entrypoint.sh b/test/entrypoint.sh -index 5ca9929..f18e1d8 100755 +index 12d0397c4..23d9693de 100755 --- a/test/entrypoint.sh +++ b/test/entrypoint.sh -@@ -13,12 +13,21 @@ +@@ -13,12 +13,24 @@ service rsyslog start # make sure we can reach the mysqldb. ./test/wait-for-it.sh boulder-mysql 3306 - + -# make sure we can reach the proxysql. -./test/wait-for-it.sh bproxysql 6032 - # create the database MYSQL_CONTAINER=1 $DIR/create_db.sh - + ++# Generate the internal keys and certs ++./test/certs/generate.sh ++ +fl=$(pwd)/labca/setup_complete +while [ ! -f $fl ]; do + echo "Waiting for $fl to appear..." diff --git a/patches/ra_ra.patch b/patches/ra_ra.patch index 698e4ed..8d69b1b 100644 --- a/patches/ra_ra.patch +++ b/patches/ra_ra.patch @@ -1,5 +1,5 @@ 
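Review bot: In the `@@ -84,16 +96,22 @@` hunk the bconsul service now mounts the whole `/home/labca/boulder_labca` tree at `/opt/boulder/labca`, but the only thing the agent reads from it is `/opt/boulder/labca/consul/config.hcl`; the earlier hunks of this same patch mount `/home/labca/boulder_labca/certs/.softhsm-tokens/` into the boulder and bsetup services, so the consul container presumably also gets the HSM token directory and whatever generate.sh writes under `certs/`. The replaced `./test/:/test/:cached` line had similar breadth upstream, so this is parity rather than a widening, but the content behind the mount is now the CA's key material rather than test fixtures. Narrowing the mount and making it read-only keeps consul out of that data: `- /home/labca/boulder_labca/consul:/opt/boulder/labca/consul:ro`. The same pattern applies to the `gui` and `control` services in the `@@ -138,7 +156,7 @@` hunk if they mount the same tree, which is not visible here.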
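Review bot: The entrypoint.patch hunk `@@ -1,17 +1,20 @@` makes `test/entrypoint.sh` call `./test/certs/generate.sh` on every boulder container start, while docker-compose.patch in this same commit runs the same script as the `bsetup` entrypoint against the same `/home/labca/boulder_labca/certs/.softhsm-tokens/` mount. Nothing visible orders the two, so if an operator starts bsetup while boulder is coming up they would write to the same token directory concurrently; this is inferred, since bsetup is behind a profile and may never run at the same time in practice. A comment stating which invocation is authoritative would make the intent clear, e.g. `# Generate the internal keys and certs (expected to be a no-op when bsetup already ran)`.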
diff --git a/ra/ra.go b/ra/ra.go -index c442fc5a7..050e60c93 100644 +index c5cdc0c98..8d34d3325 100644 --- a/ra/ra.go +++ b/ra/ra.go @@ -44,7 +44,6 @@ import ( @@ -10,7 +10,7 @@ index c442fc5a7..050e60c93 100644 "github.com/letsencrypt/boulder/probs" pubpb "github.com/letsencrypt/boulder/publisher/proto" rapb "github.com/letsencrypt/boulder/ra/proto" -@@ -568,7 +567,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error { +@@ -576,7 +575,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error { contact, ) } diff --git a/patches/remoteva_main.patch b/patches/remoteva_main.patch index 6fdd698..7ad04c0 100644 --- a/patches/remoteva_main.patch +++ b/patches/remoteva_main.patch @@ -1,18 +1,18 @@ diff --git a/cmd/remoteva/main.go b/cmd/remoteva/main.go -index e83642477..6efab1ca3 100644 +index 9ea068fc0..ef77eebfe 100644 --- a/cmd/remoteva/main.go +++ b/cmd/remoteva/main.go -@@ -18,7 +18,8 @@ import ( - type Config struct { - RVA struct { - vaConfig.Common +@@ -37,7 +37,8 @@ type Config struct { + // For more information, see: https://pkg.go.dev/crypto/tls#ClientAuthType + SkipGRPCClientCertVerification bool + - Features features.Config + Features features.Config + LabCADomains []string } Syslog cmd.SyslogConfig -@@ -95,7 +96,8 @@ func main() { +@@ -118,7 +119,8 @@ func main() { scope, clk, logger, diff --git a/patches/startservers.patch b/patches/startservers.patch deleted file mode 100644 index 6c338b2..0000000 --- a/patches/startservers.patch +++ /dev/null @@ -1,14 +0,0 @@ -diff --git a/test/startservers.py b/test/startservers.py -index fcfdc9423..5d19996ad 100644 ---- a/test/startservers.py -+++ b/test/startservers.py -@@ -169,6 +169,9 @@ processes = [] - challSrvProcess = None - - def setupHierarchy(): -+ pass -+ -+def setupHierarchyOriginal(): - """Set up the issuance hierarchy. Must have called install() before this.""" - e = os.environ.copy() - e.setdefault("GOBIN", "%s/bin" % os.getcwd()) 
diff --git a/patches/test_certs_generate.patch b/patches/test_certs_generate.patch new file mode 100644 index 0000000..a8a373e --- /dev/null +++ b/patches/test_certs_generate.patch @@ -0,0 +1,31 @@ +diff --git a/test/certs/generate.sh b/test/certs/generate.sh +index 0b33f8c18..3e447f6f5 100755 +--- a/test/certs/generate.sh ++++ b/test/certs/generate.sh +@@ -64,7 +64,7 @@ webpki() ( + # script. + cd ../.. + mkdir ./test/certs/webpki +- go run ./test/certs/webpki.go ++ # go run ./test/certs/webpki.go + ) + + if ! [ -d ipki ]; then +@@ -72,6 +72,17 @@ if ! [ -d ipki ]; then + ipki + fi + ++end_date=$(openssl x509 -enddate -noout -in ipki/boulder/cert.pem | cut -d= -f2) ++end_date_seconds=$(date -d "$end_date" +%s) ++current_date_seconds=$(date +%s) ++remaining_days=$(( (end_date_seconds - current_date_seconds) / 86400 )) ++if [ $remaining_days -lt 60 ]; then ++ echo "Regenerating ipki/..." ++ [ -d ipki.prev ] && rm -rf ipki.prev ++ mv ipki ipki.prev ++ ipki ++fi ++ + if ! [ -d webpki ]; then + echo "Generating webpki/..." + webpki diff --git a/patches/test_config_ca.patch b/patches/test_config_ca.patch index d83b585..14ad5e3 100644 --- a/patches/test_config_ca.patch +++ b/patches/test_config_ca.patch @@ -1,33 +1,30 @@ diff --git a/test/config/ca.json b/test/config/ca.json -index 53ae91f2d..1937e5580 100644 +index cbb84f385..ec28cd37d 100644 --- a/test/config/ca.json 
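Review bot: The expiry check added in the `@@ -72,6 +72,17 @@` block of `test/certs/generate.sh` is unguarded: if `openssl x509` cannot read `ipki/boulder/cert.pem` (for example after a partially completed earlier run), `end_date` is empty, GNU `date -d ""` resolves to today, `remaining_days` becomes roughly zero and the script silently rotates the hierarchy, and `$remaining_days` is unquoted in the `[ ... -lt 60 ]` test. Failing early covers both cases regardless of whether `set -e` is in effect at the top of the script (outside this hunk): `[ -n "$end_date" ] || { echo "cannot read ipki/boulder/cert.pem" >&2; exit 1; }` after the `cut`, and `if [ "${remaining_days:-0}" -lt 60 ]; then` for the comparison. The rotated hierarchy is kept as `ipki.prev`, so the previous private keys stay on disk until the next rotation; if that is a deliberate rollback aid, a comment saying so and when it is safe to delete would help. The first hunk comments out `go run ./test/certs/webpki.go` but keeps `mkdir ./test/certs/webpki`, so the `if ! [ -d webpki ]` guard below will not run again once the empty directory exists; presumably LabCA supplies webpki itself, which a one-line comment at the commented-out call should state.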
+++ b/test/config/ca.json -@@ -59,38 +59,14 @@ +@@ -58,18 +58,6 @@ + "maxValidityBackdate": "1h5m" }, "issuers": [ - { +- { - "useForRSALeaves": false, - "useForECDSALeaves": true, - "issuerURL": "http://ca.example.org:4502/int-ecdsa-a", - "ocspURL": "http://ca.example.org:4002/", - "crlURLBase": "http://ca.example.org:4501/ecdsa-a/", - "location": { -- "configFile": "/hierarchy/int-ecdsa-a.pkcs11.json", -- "certFile": "/hierarchy/int-ecdsa-a.cert.pem", +- "configFile": "test/certs/webpki/int-ecdsa-a.pkcs11.json", +- "certFile": "test/certs/webpki/int-ecdsa-a.cert.pem", - "numSessions": 2 - } - }, -- { + { "useForRSALeaves": true, "useForECDSALeaves": true, - "issuerURL": "http://ca.example.org:4502/int-rsa-a", - "ocspURL": "http://ca.example.org:4002/", - "crlURLBase": "http://ca.example.org:4501/rsa-a/", - "location": { -- "configFile": "/hierarchy/int-rsa-a.pkcs11.json", -- "certFile": "/hierarchy/int-rsa-a.cert.pem", -- "numSessions": 2 -- } +@@ -81,18 +69,6 @@ + "certFile": "test/certs/webpki/int-rsa-a.cert.pem", + "numSessions": 2 + } - }, - { - "useForRSALeaves": false, @@ -36,10 +33,10 @@ index 53ae91f2d..1937e5580 100644 - "ocspURL": "http://ca.example.org:4003/", - "crlURLBase": "http://ca.example.org:4501/rsa-b/", - "location": { -- "configFile": "/hierarchy/int-rsa-b.pkcs11.json", -- "certFile": "/hierarchy/int-rsa-b.cert.pem", -+ "configFile": "test/test-ca.key-pkcs11.json", -+ "certFile": "test/test-ca.pem", - "numSessions": 2 - } +- "configFile": "test/certs/webpki/int-rsa-b.pkcs11.json", +- "certFile": "test/certs/webpki/int-rsa-b.cert.pem", +- "numSessions": 2 +- } } + ], + "ignoredLints": [