Merge branch 'release/22.03'
* release/22.03:
  Bump boulder version to release-2022-03-22
  Clarify troubleshooting tips a bit more
  Clarify troubleshooting tips a bit
hakwerk committed Mar 24, 2022
2 parents 0bef155 + ba9feed commit 7736780
Showing 9 changed files with 42 additions and 35 deletions.
12 changes: 8 additions & 4 deletions README.md
Expand Up @@ -11,6 +11,7 @@
- [Background](#background)
- [Install](#install)
- [Usage](#usage)
- [Troubleshooting](#troubleshooting)
- [Contributing](#contributing)
- [License](#license)

Expand Down Expand Up @@ -93,22 +94,25 @@ The end users in your organization / lab can visit the public pages of you LabCA

<img src="https://user-images.githubusercontent.com/44847421/48658731-f727ef80-ea46-11e8-985c-1ea64f340220.jpg" width="300"> <img src="https://user-images.githubusercontent.com/44847421/48658733-fa22e000-ea46-11e8-9fb1-901fddc9ee12.jpg" width="300">

### Troubleshooting
## Troubleshooting

Some log files to check in case of issues are:
After installing sometimes the application is not starting up properly and it can be quite hard to figure out why. Some log files to check in case of issues are:
* /etc/nginx/ssl/acme_tiny.log
* /home/labca/logs/commander.log
* cd /home/labca/boulder; docker-compose logs labca
* cd /home/labca/boulder; docker-compose logs boulder
* /var/log/labca.err
* possibly /var/log/nginx/error.log

If you get "No valid IP addresses found for <hostname>" in /etc/nginx/ssl/acme_tiny.log, solve it by entering the hostname in your local DNS. Same for "Could not resolve host: <hostname>" in /var/log/labca.err.
### Common error messages

When issuing a certificate, LabCA/boulder checks for CAA (Certification Authority Authorization) records in DNS, which specify what CAs are allowed to issue certificates for the domain. If you get an error like "SERVFAIL looking up CAA for internal" or "CAA record for ca01.foo.internal prevents issuance", you can try to add something like this to your DNS domain:
If you get "**No valid IP addresses found for <hostname>**" in /etc/nginx/ssl/acme_tiny.log, solve it by entering the hostname in your local DNS. Same for "**Could not resolve host: <hostname>**" in /var/log/labca.err.

When issuing a certificate, LabCA/boulder checks for CAA (Certification Authority Authorization) records in DNS, which specify what CAs are allowed to issue certificates for the domain. If you get an error like "**SERVFAIL looking up CAA for internal**" or "**CAA record for ca01.foo.internal prevents issuance**", you can try to add something like this to your DNS domain:
```
foo.internal. CAA 0 issue "foo.internal"
```
The value in the issue field should be the domain of your LabCA instance, not the hostname. This value can be found in the issuerDomain property in the /home/labca/boulder_labca/config/va.json file.
See also the [Let's Encrypt&trade; page on CAA](https://letsencrypt.org/docs/caa/).

### NOTE
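Review bot: the CAA paragraph folds two different failures into one remedy. "CAA record for ca01.foo.internal prevents issuance" means a record was found whose `issue` tag does not name this CA, and the suggested `foo.internal. CAA 0 issue "foo.internal"` record (value taken from `issuerDomain` in va.json) is the right fix for that; "SERVFAIL looking up CAA for internal" means the validator's resolver could not answer the query at all, so a record added to that zone cannot be read either way. Suggest splitting the advice so the SERVFAIL case points at the resolver (the same local-DNS fix the previous paragraph gives for "Could not resolve host") and only the "prevents issuance" case points at adding a record. Also, the bare `<hostname>` placeholders inside the bolded messages are likely to be dropped as unknown HTML tags when the README renders; wrap them in backticks or write `&lt;hostname&gt;`.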
2 changes: 1 addition & 1 deletion install
Expand Up @@ -24,7 +24,7 @@ dockerComposeVersion="1.28.5"

labcaUrl="https://github.com/hakwerk/labca/"
boulderUrl="https://github.com/letsencrypt/boulder/"
boulderTag="release-2022-02-14"
boulderTag="release-2022-03-22"

# Feature flags
flag_skip_redis=true
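Review bot: `boulderTag` pins the upstream checkout by git tag (`release-2022-03-22`), and a tag is a movable reference, so the install is neither reproducible nor tamper-evident on its own. Suggest recording, next to the tag, the commit id it resolved to when this bump was reviewed (or verifying the tag's signature) and having `install` fail if the checked-out commit differs; the patches under `patches/` are resynced against exactly one upstream tree, so a moved tag would also silently change what they apply to.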
2 changes: 1 addition & 1 deletion patches/cert-checker_main.patch
Expand Up @@ -58,7 +58,7 @@ index cfc72632..de4b01ca 100644
// Validate PA config and set defaults if needed.
cmd.FailOnError(config.PA.CheckChallenges(), "Invalid PA configuration")

@@ -421,6 +426,7 @@ func main() {
@@ -420,6 +425,7 @@ func main() {
kp,
config.CertChecker.CheckPeriod.Duration,
acceptableValidityDurations,
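Review bot: the only change here is the inner hunk offset (`-421,6 +426,7` to `-420,6 +425,7`), i.e. a resync of the patch against the bumped boulder tree. Harmless by itself, but an offset-only update cannot tell a reviewer whether the argument this patch inserts after `acceptableValidityDurations,` still matches the constructor's parameter list in the new release; a short line in the commit message saying the call site was re-checked (or a dry-run `patch -F0` step in `install` that rejects any fuzz) would make that explicit.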
4 changes: 2 additions & 2 deletions patches/config_rocsp-tool.patch
Expand Up @@ -12,5 +12,5 @@ index 9b0a1d13..eace2cf9 100644
- ".hierarchy/intermediate-cert-rsa-b.pem": 4
+ ".hierarchy/intermediate-cert-rsa-a.pem": 1
}
}
}
},
"syslog": {
2 changes: 1 addition & 1 deletion patches/config_wfe2.patch
Expand Up @@ -2,7 +2,7 @@ diff --git a/test/config/wfe2.json b/test/config/wfe2.json
index c0093044..e8ba4263 100644
--- a/test/config/wfe2.json
+++ b/test/config/wfe2.json
@@ -43,18 +43,6 @@
@@ -45,18 +45,6 @@
[
"/hierarchy/intermediate-cert-rsa-a.pem",
"/hierarchy/root-cert-rsa.pem"
14 changes: 7 additions & 7 deletions patches/docker-compose-redis.patch
@@ -1,8 +1,8 @@
diff --git a/docker-compose.yml b/docker-compose.yml
index c1d54f23..2b6de7cb 100644
index e88f7c19f..d771aa011 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -17,8 +17,6 @@ services:
@@ -26,8 +26,6 @@ services:
ipv4_address: 10.77.77.77
rednet:
ipv4_address: 10.88.88.88
Expand All @@ -11,15 +11,15 @@ index c1d54f23..2b6de7cb 100644
# Use sd-test-srv as a backup to Docker's embedded DNS server
# (https://docs.docker.com/config/containers/container-networking/#dns-services).
# If there's a name Docker's DNS server doesn't know about, it will
@@ -34,7 +32,6 @@ services:
- 8055:8055 # dns-test-srv updates
@@ -41,7 +39,6 @@ services:
- 4003:4003 # OCSP
depends_on:
- bmysql
- - bredis_clusterer
entrypoint: labca/entrypoint.sh
working_dir: &boulder_working_dir /go/src/github.com/letsencrypt/boulder
working_dir: &boulder_working_dir /boulder
logging:
@@ -67,78 +64,6 @@ services:
@@ -74,78 +71,6 @@ services:
max-file: "5"
restart: always
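Review bot: `working_dir` moves from `/go/src/github.com/letsencrypt/boulder` to `/boulder`, and the bind mounts in patches/docker-compose.patch move to the same `/boulder` prefix in this commit; the two patches must be kept in lockstep, because a stale `working_dir` would leave the relative `entrypoint: labca/entrypoint.sh` unresolvable inside the container. A comment at the top of each patch naming the other as a dependency would help the next resync. Note that this file is the redis-less variant (it also drops `bredis_clusterer` from `depends_on`, cf. `flag_skip_redis=true` in `install`), so the two compose patches differ on purpose and both need the path change.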

Expand Down Expand Up @@ -98,7 +98,7 @@ index c1d54f23..2b6de7cb 100644

labca:
image: *boulder_image
@@ -179,10 +104,3 @@ networks:
@@ -186,10 +111,3 @@ networks:
driver: default
config:
- subnet: 10.88.88.0/24
27 changes: 15 additions & 12 deletions patches/docker-compose.patch
@@ -1,27 +1,31 @@
diff --git a/docker-compose.yml b/docker-compose.yml
index f515225e4..c1d54f235 100644
index b0c235a91..d72c08883 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -4,10 +4,11 @@ services:
@@ -8,7 +8,7 @@ services:
image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.17.7_2022-02-10}
environment:
FAKE_DNS: 10.77.77.77
- BOULDER_CONFIG_DIR: test/config
+ BOULDER_CONFIG_DIR: labca/config
GOFLAGS: -mod=vendor
# Go 1.18 turns off SHA-1 validation on CSRs (and certs, but that doesn't
# affect us). It also turns off TLS 1.0 and TLS 1.1. Temporarily go back
@@ -17,6 +17,7 @@ services:
GODEBUG: x509sha1=1,tls10default=1
volumes:
- .:/go/src/github.com/letsencrypt/boulder:cached
+ - /home/labca/boulder_labca:/go/src/github.com/letsencrypt/boulder/labca
- .:/boulder:cached
+ - /home/labca/boulder_labca:/boulder/labca
- ./.gocache:/root/.cache/go-build:cached
- ./.hierarchy:/hierarchy/:cached
- ./.softhsm-tokens/:/var/lib/softhsm/tokens/:cached
@@ -34,11 +35,19 @@ services:
@@ -41,11 +42,19 @@ services:
depends_on:
- bmysql
- bredis_clusterer
- entrypoint: test/entrypoint.sh
+ entrypoint: labca/entrypoint.sh
working_dir: &boulder_working_dir /go/src/github.com/letsencrypt/boulder
working_dir: &boulder_working_dir /boulder
+ logging:
+ driver: "json-file"
+ options:
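Review bot: the context carried into this patch now includes upstream's `GODEBUG: x509sha1=1,tls10default=1` line, which the adjacent comment describes as a temporary step back to SHA-1 CSR validation and TLS 1.0/1.1 ahead of Go 1.18. Nothing in this patch overrides it, so once the `boulder-tools` image moves past `go1.17.7_2022-02-10` a LabCA deployment will keep accepting SHA-1-signed CSRs and TLS 1.0/1.1 by default; suggest tracking upstream's removal of that line and dropping it from the LabCA compose file as soon as the tests pass without it. Separately, `BOULDER_CONFIG_DIR: labca/config` only resolves because the new `/home/labca/boulder_labca:/boulder/labca` mount lands under the new `/boulder` working directory; a comment on the mount line saying the two go together would make the next offset resync safer.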
Expand All @@ -36,7 +40,7 @@ index f515225e4..c1d54f235 100644
networks:
bluenet:
aliases:
@@ -52,7 +61,11 @@ services:
@@ -59,7 +68,11 @@ services:
# small.
command: mysqld --bind-address=0.0.0.0 --slow-query-log --log-output=TABLE --log-queries-not-using-indexes=ON
logging:
Expand All @@ -49,7 +53,7 @@ index f515225e4..c1d54f235 100644

bredis_1:
image: redis:latest
@@ -127,18 +140,31 @@ services:
@@ -134,18 +147,31 @@ services:
aliases:
- boulder-redis-clusterer

Expand All @@ -63,13 +67,12 @@ index f515225e4..c1d54f235 100644
networks:
- bluenet
volumes:
- - .:/go/src/github.com/letsencrypt/boulder
- working_dir: *boulder_working_dir
- entrypoint: test/entrypoint-netaccess.sh
+ - /home/labca/admin:/go/src/labca
+ - ./.gocache:/root/.cache/go-build
+ - /var/www/html:/wwwstatic
+ - .:/boulder
- .:/boulder
- working_dir: *boulder_working_dir
- entrypoint: test/entrypoint-netaccess.sh
+ - /home/labca/boulder_labca:/boulder/labca
+ ports:
+ - 3000:3000
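Review bot: `ports: - 3000:3000` publishes the admin port on every host interface, not only loopback; if the host's web server fronts it (the `/var/www/html:/wwwstatic` mount suggests it does) bind it as `127.0.0.1:3000:3000` so the container is reachable only through the reverse proxy. The bind mounts `/home/labca/admin:/go/src/labca` and `/var/www/html:/wwwstatic` are read-write; add `:ro` to any the container only needs to read. Also, removing `- .:/boulder` and re-adding the identical line two entries later is a no-op reorder that only enlarges the patch's conflict surface for future resyncs; keeping the upstream line as context would be simpler.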
8 changes: 4 additions & 4 deletions patches/expiration-mailer_main.patch
Expand Up @@ -19,7 +19,7 @@ index f488b73c..ef2ed34a 100644
)

type regStore interface {
@@ -409,6 +410,9 @@ type Config struct {
@@ -407,6 +408,9 @@ type Config struct {
TLS cmd.TLSConfig
SAService *cmd.GRPCClientConfig

Expand All @@ -29,7 +29,7 @@ index f488b73c..ef2ed34a 100644
// Path to a file containing a list of trusted root certificates for use
// during the SMTP connection (as opposed to the gRPC connections).
SMTPTrustedRootFile string
@@ -418,6 +422,12 @@ type Config struct {
@@ -416,6 +420,12 @@ type Config struct {

Syslog cmd.SyslogConfig
Beeline cmd.BeelineConfig
Expand All @@ -42,7 +42,7 @@ index f488b73c..ef2ed34a 100644
}

func initStats(stats prometheus.Registerer) mailerStats {
@@ -520,6 +530,32 @@ func main() {
@@ -518,6 +528,32 @@ func main() {
cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA")
sac := sapb.NewStorageAuthorityClient(conn)

Expand Down Expand Up @@ -75,7 +75,7 @@ index f488b73c..ef2ed34a 100644
var smtpRoots *x509.CertPool
if c.Mailer.SMTPTrustedRootFile != "" {
pem, err := ioutil.ReadFile(c.Mailer.SMTPTrustedRootFile)
@@ -555,6 +591,7 @@ func main() {
@@ -553,6 +589,7 @@ func main() {
c.Mailer.Username,
smtpPassword,
smtpRoots,
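Review bot: all four hunks in this file are offset-only resyncs (409→407, 418→416, 520→518, 555→553), a uniform two-line shift consistent with upstream removing two lines above `type Config struct`, so the patch still adds the same `Config` fields and the same block after `sac := sapb.NewStorageAuthorityClient(conn)`. Because this patch inserts into a struct and a `main()` that upstream also edits, suggest a `patch --dry-run -F0` step in `install` so that any context drift is rejected at install time instead of surfacing as a mailer misconfiguration at runtime.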
6 changes: 3 additions & 3 deletions patches/ra_ra.patch
@@ -1,16 +1,16 @@
diff --git a/ra/ra.go b/ra/ra.go
index 1ea20982..937f2859 100644
index 63d0ce8ef..c33f23180 100644
--- a/ra/ra.go
+++ b/ra/ra.go
@@ -31,7 +31,6 @@ import (
@@ -32,7 +32,6 @@ import (
"github.com/letsencrypt/boulder/issuance"
blog "github.com/letsencrypt/boulder/log"
"github.com/letsencrypt/boulder/metrics"
- "github.com/letsencrypt/boulder/policy"
"github.com/letsencrypt/boulder/probs"
pubpb "github.com/letsencrypt/boulder/publisher/proto"
rapb "github.com/letsencrypt/boulder/ra/proto"
@@ -454,7 +453,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(ctx context.Context, conta
@@ -477,7 +476,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(ctx context.Context, conta
contact,
)
}
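Review bot: the `validateContacts` inner hunk moves by 23 lines (`-454,7` to `-477,7`) while the import hunk moves by one (`-31,7` to `-32,7`), so upstream added material between the imports and `validateContacts` in this release. The shift itself is fine, but since this patch removes the `policy` import and replaces a line inside `validateContacts`, the new context (`contact,`, `)`, `}`) should be confirmed to still frame the statement the patch means to replace: if upstream changed how contacts are validated, the patch could apply cleanly yet alter a different call. A one-line note in the patch header naming the upstream function body it was last verified against would make that check cheap on the next bump.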
