Fixes #982.
Rather than failing immediately if two OCSP responses differ, which can happen
if ocsp-updater fires in between two requests, we wait until all OCSP responses
reach their expected state, and then check for equality.
Additionally, reorganize the OCSP checking to be somewhat cleaner, and improve
detection of verify failures (e.g. when OpenSSL can't find a signer
certificate).
* Moves revocation from the CA to the OCSP-Updater, the RA will mark certificates as
revoked then wait for the OCSP-Updater to create a new (final) revoked response
* Merges the ocspResponses table with the certificateStatus table and only uses UPDATES
to update the OCSP response (vs INSERT-only since this happens quite often and will
lead to an extremely large table)
also moves the first OCSP response generation from the CA to the OCSP updater. This patch lays the
groundwork for moving CT submission and adding CT backfill to the OCSP updater.
Previously, test.sh was responsible for running venv/bin/activate, meaning that
`python test/amqp-integration-test.py` would fail to run the letsencrypt client.
Now, so long as LETSENCRYPT_PATH is already set to a valid dir (e.g. in your
.bashrc), `python test/amqp-integration-test.py` should work.
If two OCSP responses were generated in the same second, the earlier would
previously take priority sometimes, leading to a "good" response for revoked
certificates and causing the OCSP integration test to be flaky.
Run builds in parallel as well as starting servers in parallel.
Wait for the servers to come up, so tests don't start running too early.
Enable race detection only for the integration test, not for start.py.
Previously I'd suggested it should always be on, but after running with it for a
while I'm convinced it's too slow for start.py (but still very valuable for
integration tests!).
The race detector has found at least one race in our current code. See
issue #465. Turn it on for the unit and integration tests running in
TravisCI.
Also, allow the local user to add new test flags with the `GOTESTFLAGS`
environment variable.
To ease speed of debugging issues, the ability to skip the unit or
integration tests is also provided.
amqp-integration-test.py gains a way to print out what processes
failed to start.
test.sh gains:
* the ability to continue the build correctly if
LETSENCRYPT_PATH was provided but does not exist on disk.
* an explanatory exit message if the LETSENCRYPT_PATH does
exist, but there is no finished build in it.
* a working detection for a python 2.7 binary on OS X
This uses a node.js module to post `status` updates to Github, and uses a Travis
secret to authenticate.
- Post comments from static analysis tools
- Change to posting from LetsEncryptBot
- For integration testing, only fail if the compile fails, or
the NodeJS-client fails. Log if the Python client fails.
Travis:
* Downloads the Let's Encrypt client
* Installs system requirements for client
* Sets up virtualenv
Dockerfile:
* Buildout for development
* Includes numerous packages needed for integration testing
(including all of the above in Travis)
test.sh:
* If no path is defined for the LE client
* Download the Let's Encrypt client
* Set up virtualenv
test/amqp-integration-test.py:
* Run client test with sensible defaults
* One test: auth for foo.com
This allows us to use the same PKCS#11 key for both cert signing and OCSP
signing, and simplifies config and startup.
This also starts building with -tags pkcs11 in all scripts, which is required
now that the CA can choose between pkcs11 and non-pkcs11.
In order to successfully issue using a pkcs11 key, you'll need to run a version
of Go built off the master branch. The released versions are missing this
commit:
fe40cdd756,
which is necessary for PKCS#11 signing.
Clean up tempfiles on exit.
Print exceptions instead of hiding them.
Exit early if a build fails, and clean up processes that are running at the time.
Update README to reflect RabbitMQ requirement.