71 Commits

Author SHA1 Message Date
Arjan H
37dd9184a7 Bump boulder version to v0.20251216.0 2025-12-27 16:40:48 +01:00
Arjan H
e808b18d2a Bump boulder version to v0.20251021.0 2025-11-09 17:03:16 +01:00
Arjan H
4f6c31873e Run mysql_upgrade every time the compose stack starts 2025-09-23 20:31:51 +02:00
Arjan H
73fb58a13d Bump boulder version to v0.20250728.0 2025-08-05 19:35:09 +02:00
Arjan H
e875804af1 Remove email details from admin pages
As Let's Encrypt has removed all email sending from boulder, we no longer need
the email details in LabCA either.
2025-08-05 18:14:37 +02:00
Arjan H
1a5050b3b0 Bump boulder version to v0.20250707.0 2025-07-12 20:25:18 +02:00
Arjan H
ec77c14f62 Also ignore lint check unknown_tld_in_san (#181) 2025-06-04 21:28:17 +02:00
Arjan H
0febdd24e6 Bump boulder version to release-2025-05-27 2025-05-31 12:29:07 +02:00
Arjan H
7d518d7ea4 Bump boulder version to release-2025-03-18 2025-03-20 19:57:14 +01:00
Arjan H
8b7f5145a8 Fix CRL shard detection when revoking certs (#158)
Also fix admin.boulder ipki cert for older installations that only still
have admin-revoker.boulder ipki cert
2025-03-04 21:45:47 +01:00
Arjan H
6f66bc73ac Fix issuer and CRL URLs in certificates 2025-02-16 17:08:44 +01:00
Arjan H
f14a2636c5 Bump boulder version to release-2025-02-04; add redis container
Let's Encrypt has changed the rate limiter to require redis, so we can
no longer remove it from the docker compose file completely. But at
least we can run it once instead of four instances.
2025-02-10 19:38:38 +01:00
Arjan H
6d72d32398 Use ceremony tool for generating keys and certs; store keys on SoftHSM
Replace openssl certificate / CRL generation with the tool as used by
Let's Encrypt, storing the keys on SoftHSMv2, a simulated HSM (Hardware
Security Module).
Include migration of old setups where key files were also stored on
disk.
2025-01-31 20:44:48 +01:00
Arjan H
3116c85c2c Bump boulder version to release-2025-01-06 2025-01-12 11:43:41 +01:00
Arjan H
120048ff30 Bump boulder version to release-2024-12-10 2024-12-13 18:00:40 +01:00
Arjan H
295cd00011 SMTP server can now use LabCA issued certificate (#139)
LabCA can optionally be configured to send emails. Until now it was only possible to send to SMTP
servers that use a certificate signed by a public root CA (e.g. gmail). Now this can also be an
internal server using a LabCA issued certificate, or you can skip TLS verification completely.
2024-09-28 16:00:21 +02:00
Arjan H
cab563d1d7 Bump boulder version to release-2024-07-29 2024-08-30 16:31:07 +02:00
Arjan H
18b53030a1 Bump boulder version to release-2024-06-10 2024-08-26 20:16:12 +02:00
Arjan H
ddbaa63b5b Bump boulder version to release-2024-05-20 2024-08-24 15:15:21 +02:00
Arjan H
4eb3ad877c Bump boulder version to release-2024-05-06 2024-07-02 19:47:47 +02:00
Arjan H
5d27e00fa4 Bump boulder version to release-2024-04-30 2024-05-04 21:26:13 +02:00
Arjan H
75c98926a8 Fix dns server lookup in apply-boulder [#119] 2024-03-17 12:01:21 +01:00
Arjan H
df520e64f7 Bump boulder version to release-2024-02-26 2024-03-03 11:41:24 +01:00
Arjan H
98871cd6e7 Suppress 'must end in IANA registered TLD' error on renewal (#114)
When using whitelist/lockdown domains, also accept them in va.extractRequestTarget().
Apparently that method only gets used on renewal but not during the original request?
2024-02-23 17:52:38 +01:00
Arjan H
045a128c2c Option to allow public contact email addresses in lockdown mode
When in lockdown mode, only those domains can be used to request certificates for,
but it also only accepts email addresses in those domains. With this option in the
GUI it is now possible to still allow all public domains in contact addresses.
2024-02-04 13:46:26 +01:00
Arjan H
bef3544d5e Bump boulder version to release-2024-01-22 2024-01-26 20:08:22 +01:00
Arjan H
43f0b2cea7 Extend health-checker timeout always (#86) 2024-01-13 11:29:38 +01:00
Arjan H
33208bf347 Add way to renew (extend lifetime of) CA certificates (#74) 2023-12-26 11:56:45 +01:00
Arjan H
3781027664 Make Issuer CRL generation interval configurable (default 24h) 2023-06-15 18:36:18 +02:00
Arjan H
2b81d2d3dd Add options to trigger CRL generation and upload a Root CRL (#53) 2023-06-11 12:09:14 +02:00
Arjan H
9f77d1a308 Add ability to keep private Root CA key offline (#53)
When generating a new Root CA certificate, show the key in the GUI and ask the user to
store it offline. When importing an existing CA make the root key optional.
When the private key is needed but we don't have it, ask the user to provide it. You
can now also create a CSR for the Issuer CA that can be signed by the offline Root CA.
2023-06-08 20:24:41 +02:00
Arjan H
f59601fde9 Fix connMaxIdleTime after spaces were changed to tabs 2023-04-29 19:17:56 +02:00
Arjan H
b5db9b857d File config/ocsp-updater.json was removed from boulder 2023-04-08 10:50:45 +02:00
Arjan H
24b2712373 File setup_complete was created too soon on new installs 2023-03-26 14:48:11 +02:00
Arjan H
34acb1b7f2 Let apply scripts collect their own data from config
Before, we passed the info on via environment variables
2023-03-24 20:32:53 +01:00
Arjan H
620470ca87 Bump boulder version to release-2023-03-22 2023-03-23 20:08:06 +01:00
Arjan H
780c10daeb Bump boulder version to release-2022-10-25 2022-10-26 20:38:34 +02:00
Arjan H
f53590f664 Set CRL lifespan and update period to more appropriate values 2022-08-20 10:45:23 +02:00
Arjan H
7bd39317f2 Prevent repeating values when updating config files 2022-08-17 20:44:41 +02:00
Arjan H
5c3380bf0f Generate and store crl files regularly; set crl URL in certs
Tweak the new crl-storer to save the crl files locally instead of in S3,
with some housekeeping to keep only the last five versions.
2022-08-17 20:36:39 +02:00
Arjan H
616da91583 Bump boulder version to release-2022-08-15 2022-08-16 19:35:01 +02:00
Arjan H
f767264f57 Fix setting connMaxIdleTime in all db configs 2022-08-15 19:23:01 +02:00
Arjan H
09d2fcaf72 Set connMaxIdleTime in all db configs to prevent warnings in audit log
Should no longer see these messages from now on:
[mysql] closing bad idle connection: connection reset by peer
[mysql] driver: bad connection
2022-08-06 16:41:11 +02:00
Arjan H
28553dac91 Determine issuer NameID value so we can set the correct AIA URL (#35) 2022-07-31 16:42:47 +02:00
Arjan H
c8ba8e7b9d Bump boulder version to release-2022-07-25 2022-07-29 19:32:22 +02:00
Arjan H
cfac480241 Retain new certificatesPerFQDNSetFast in rate-limit-policies.yml 2022-05-11 18:46:58 +02:00
Arjan H
3ef8777b63 Fix rate-limit-policies.yml generation with multiple domains (#45) 2022-05-11 18:24:23 +02:00
Arjan H
de64d833ef Fix rate-limit-policies.yml generation with multiple domains (#45) 2022-05-11 18:10:18 +02:00
Arjan H
578c63afac Bump boulder version to release-2022-05-02 2022-05-03 20:08:10 +02:00
Arjan H
169b147078 Extract code patching to separate script 2022-04-15 11:12:12 +02:00