0ea7b36b6a
remove dead POST code in wfe.Certificate
...
The Certificate endpoint (a.k.a. /acme/cert) had code that took POSTs
but always returned errors when they were hit.
2015-07-24 16:46:49 -07:00
58080cc3b9
remove Go version and build host from API
...
This data would be useful to attackers attempting to exploit our
system. We have not committed to producing our binaries to the public,
so these are not exposed through other means.
2015-07-24 14:52:47 -07:00
9423467142
Switch to our own fork of go-jose.
...
This is the result of `godep save -r ./...` and
`git rm -r -f Godeps/_workspace/src/github.com/square`
Our fork is currently at the head of go-jose when Richard made the local nonce
changes, with the nonce changes added on top. In other words, the newly created
files are exactly equal to the deleted files.
In a separate commit I will bring our own go-jose fork up to the remote head,
then update our deps.
Also note: Square's go-jose repo contains a `cipher` package. Since we don't
make any changes to that package, we leave it imported as-is.
2015-07-24 14:39:00 -07:00
620a012c62
Rewrite go-jose dependencies to our fork.
2015-07-24 14:16:01 -07:00
7f5da3b8bc
Merge pull request #521 from letsencrypt/remove_v
...
remove incorrect uses of %v, use specific verbs
2015-07-24 13:00:29 -07:00
8975601d5e
correct bodyStr->body
2015-07-23 17:41:15 -07:00
d8ffa41d67
Remove backup logging in case of error.
...
AuditObject already does this for us.
2015-07-23 13:24:57 -07:00
752080871d
Instead of panic on error, log an error.
2015-07-23 09:34:04 -07:00
9a4cd50a93
Use []byte to implicitly marshal to base64.
2015-07-22 17:50:43 -07:00
941df62ad4
Switch to AuditObject for CSR logging.
...
This allows us to log the remote address and registration object along with the
CSR.
Also, restore part of a comment on CertificateRequest that was deleted.
2015-07-22 16:32:11 -07:00
6952aebeb3
Record initial application CSR.
...
Fixes https://github.com/letsencrypt/boulder/issues/493 .
Also, modify MockSyslogWriter so that it implements the SyslogWriter interface
(no pointer receivers).
2015-07-22 15:34:59 -07:00
ce4ca429a6
Merge pull request #502 from letsencrypt/directory
...
Basic ACME directory endpoint
2015-07-22 15:32:15 -07:00
2c2075d2f0
Add missing link headers for registration resource update.
2015-07-22 20:15:21 +02:00
9f18d6fd71
Remove redudant comments
2015-07-21 19:46:20 -07:00
b093613191
Add cache helper methods and always send static cache max-age
2015-07-21 18:21:48 -07:00
0e83538b56
Merge master
2015-07-21 17:48:19 -07:00
1a3e41ee57
Review fixes
2015-07-21 17:39:16 -07:00
2d758a7ab6
Basic ACME directory endpoint
2015-07-21 16:55:57 -07:00
6e03f78ad0
Extend wfe.Certificate tests
2015-07-20 12:27:26 -07:00
6a2344e1bf
Add config vars and wire them into cmd/boulder and cmd/boulder-wfe
2015-07-17 17:44:03 -07:00
f08261edb5
Add cache-control headers to terms, issuer, and certificate endpoints
2015-07-17 17:14:39 -07:00
ff491962b9
Dry up "method not allowed" handling.
2015-07-16 22:07:44 -04:00
2d4f089980
say Handler returns a thing, not configures
2015-07-16 13:32:46 -07:00
5a69753b6d
correct HandlePaths to Handler in godoc
2015-07-16 13:26:34 -07:00
ef54dda46a
add debug http server to services
...
Currently, the debug http server in every service contains just the
net/http/pprof handlers. This allows us to get CPU, blocking, and memory
profiling remotely.
Along the way, remove all the places we use http.DefaultServeMux (which
includes use of http.Handle and http.HandlerFunc) and use a NewServeMux
for each place.
Fixes #457
2015-07-14 01:28:18 -07:00
738d959417
Merge pull request #429 from letsencrypt/unknown-key
...
Return better message to client if JWK is unknown
2015-07-08 10:50:36 -07:00
a745160ee6
Merge master
2015-07-06 17:38:04 -07:00
c233aa8e56
411 - Redirect /terms to wfe.SubscriberAgreementURL
...
- Rebased (jcjones)
2015-07-06 17:16:40 -07:00
82ccb8bd70
Return better message to client if JWK is unknown
2015-07-06 19:52:00 +01:00
d9d537f7f4
Add location header to /acme/new-reg if key is already in use
2015-07-06 18:40:40 +01:00
12589834a3
Merge master
2015-06-25 15:59:59 -07:00
ff192330f8
Propagate nonce errors through WFE
2015-06-23 13:15:09 -07:00
b43d1cf447
Switch logRequestDetails argument to pointer and don't use anonymous functions
2015-06-22 19:45:04 +01:00
84e43b725d
Rework per @jcjones
2015-06-22 19:02:13 +01:00
9edd2b8e07
Refactor StatsD metrics collection
...
- Moved HandlerTimer definition from various cmd/ binaries to cmd/shell.go
- Cleaned up HandlerTimer endpoint metrics
- Moved New... counter metrics from WFE to RA and add Updated... and Finalized... ones
- Added error code and problem type counter metrics to WFE
- Added validation type / status counter metrics to VA
- Consistently return the total RTT from LookupCAA, LookupCNAME, and LookupDNSSEC method
- Added DNS RTT timing metrics to VA for the various Loookup... methods
2015-06-21 23:28:10 -07:00
5c01de76cd
Remove termination bool
2015-06-21 14:17:39 -07:00
3d8a5f4509
Switch to Extra map method for storing extra objects
2015-06-20 16:05:25 -07:00
f21dc2e146
Merge branch 'master' into wfe-logging
2015-06-19 17:00:05 -07:00
f228ac41f5
Add connection logging to the WFE
2015-06-19 16:47:54 -07:00
4655447a35
Reformatted error messages
2015-06-19 14:47:45 -07:00
426b03b7de
Final cleanup
2015-06-19 14:09:09 -07:00
9312fb7eae
Allowed for more detailed error messages:
2015-06-19 12:51:09 -07:00
f19cad3a04
Additional cleanup of error handling
2015-06-18 10:08:59 -07:00
41f5788c77
Correct most `go lint` warnings. (274 -> 5)
2015-06-16 22:18:28 -05:00
b094c81371
Merge remote-tracking branch 'upstream/master' into errors
2015-06-16 10:59:16 -07:00
3ca3d9b283
Finished adding basic errors
2015-06-15 19:30:11 -07:00
01c41c1bd0
Merge pull request #354 from letsencrypt/344-internal_server_errors
...
Resolves Issue #344 : Only send InternalServerError when needed
2015-06-15 15:57:04 -07:00
80d5e50e42
Enable revocation by account key.
...
In addition to cert private key. This required modifying the GetCertificate*
functions to return core.Certificate instead of certificate bytes.
2015-06-15 12:33:50 -07:00
1474b7f21f
Resolves Issue #344 : Only send InternalServerError when needed
...
Basically, just send InternalServerError when it indicates an internal state
was broken.
2015-06-13 00:21:44 -05:00
9af2742ae2
Merge pull request #353 from letsencrypt/cors
...
Send CORS headers
2015-06-12 16:05:50 -07:00
8b0fcde9ce
Merge pull request #352 from letsencrypt/allow
...
Send an Allow header whenever we send 405
2015-06-12 14:58:50 -07:00
af64f5a534
Add missing return.
2015-06-12 14:37:26 -07:00
2b2f4110d4
Revoke path should not end in slash.
2015-06-12 13:26:43 -07:00
615366636a
Send CORS headers
2015-06-11 22:26:16 -04:00
d398bd962a
Send an Allow header whenever we send 405
2015-06-11 22:12:01 -04:00
676ebf721f
Merge pull request #325 from letsencrypt/anti-replay
...
Add an anti-replay nonce facility
2015-06-10 16:55:20 -04:00
8289a6d2fa
Make tests pass
2015-06-09 17:43:16 -04:00
a64d521023
Add more details to the /build endpoint in the WFE as well.
2015-06-09 12:25:33 -07:00
d653f97cb8
Transition from random nonces to encrypted counters
2015-06-09 12:30:49 -04:00
fca1567cb2
Fixes to integration tests
2015-06-08 15:31:56 -04:00
a620fe4583
Initial anti-replay mechanism
2015-06-08 15:02:39 -04:00
573e35ed56
Disallow multiple registrations with same key (and fix all related tests)
2015-06-04 20:21:59 +01:00
bbd5ff1821
Merge pull request #301 from rolandshoemaker/299-audit
...
Only audit log internal server errors in WFE
2015-06-03 13:15:20 -07:00
7de8bef948
Add comment
2015-06-03 18:15:12 +01:00
ce84a4c31a
Only audit log internal server errors in WFE
2015-06-03 18:11:19 +01:00
ccb401f993
Add comment clarifying agreement check.
2015-06-02 15:56:26 -07:00
3974a0eaa6
Revert "Actually verify compliance to a specific subscriber agreement"
...
This reverts commit 33ed771180
2015-06-02 15:56:23 -07:00
04479eca5c
Merge pull request #291 from letsencrypt/fix-revocation
...
Revert change to revocation from #275
2015-06-02 17:52:35 -04:00
7a60d431d6
Revert "Supporess the 'expires' field in public Authorizations"
...
This reverts commit d47b7c12ac
2015-06-02 12:02:05 -07:00
026cb424fc
Revert "Replace RevokeCertficate with something more in line with the spec"
...
This reverts commit b1bad40fe6
2015-06-02 10:45:54 -07:00
6c66207834
Fix nil key bug in AMQP mode.
2015-06-01 12:24:23 -07:00
63ca50229d
Fix a bug introduced in 81fa97f and make ./start.sh work
2015-06-01 12:46:19 -04:00
577478db7a
One more nit from JCJ
2015-06-01 02:16:32 -04:00
bfd9e4ac20
Fixing JCJ nits
2015-06-01 02:11:10 -04:00
b1bad40fe6
Replace RevokeCertficate with something more in line with the spec
2015-06-01 02:11:10 -04:00
ba84275611
Enable GET on Challenge resources
2015-06-01 02:08:47 -04:00
d47b7c12ac
Supporess the 'expires' field in public Authorizations
2015-06-01 02:08:47 -04:00
791118eee7
Clean up argument names in WFE methods
2015-06-01 02:08:47 -04:00
f6cf178edc
Simplify Terms() output
2015-06-01 02:08:47 -04:00
1492c8b0cf
Remove Let's Encrypt from Index()
2015-06-01 02:08:47 -04:00
129b05f42a
Always check the method first thing
2015-06-01 02:05:17 -04:00
afc5fb8e93
Add Link header field to Authz GET
2015-06-01 02:05:17 -04:00
764c7165b0
Do registration check before attempting to parse response
2015-06-01 02:05:17 -04:00
6a518383ba
Actually verify compliance to a specific subscriber agreement
2015-06-01 02:05:17 -04:00
81fa97fb21
Remove duplicative calls to MergeUpdate
2015-06-01 02:05:17 -04:00
9917ca17f6
Clean up TODOs
2015-06-01 02:05:17 -04:00
c0bacc3fb6
Add more detailed error code reporting
2015-05-31 15:58:08 -04:00
8766edaa93
Issue #239 - Add a build ID method to WFE, and print Info on startup for all
2015-05-28 11:13:09 -07:00
d1321f2d78
More RPC fixes for Issue #202
...
- NewPendingAuthorization now uses a core.Authorization object, so
that foreign key constraints are followed
- core.Authorization now serializes RegistrationID to JSON, so it has to get
blanked out in WFE before transmission to client.
- Remove ParsedCertificate from core.Certificate, as type x509.Certificate cannot
be marshaled.
- Added AssertDeepEquals and AssertMarhsaledEquals to test-tools.go
- Caught several overloaded and misleadingly named errors in WFE
2015-05-28 11:05:55 -07:00
c5415c77c0
Fix: Challenge URIs were incomplete when running in RPC mode.
2015-05-28 08:19:58 -07:00
e4e52e7315
More work on Issue #202 for RPC functions
...
- Fix a bunch of typos in rpc-wrappers.go
- Unblank `id` in core.Registration JSON:
- It's not spec, but it's not hurting anything, and we reveal it to clients anyway.
- We need knowledge of the ID in RPC, so if we don't want to include this in the object, we need to make a transfer object to wrap it.
- Make the RPC logs much clearer as to who's talking to who
- Typo in WFE where we called a registration an authz
2015-05-27 23:37:12 -07:00
5d82c5f994
Merge pull request #224 from rolandshoemaker/182-return
...
Return 500 for multiple certs with same short serial
2015-05-26 15:53:02 -07:00
bc3acca096
Resolved Issue #230
...
- Move setting the core.Registration.Key field from RA.NewRegistration to
WFE.NewRegistration to avoid a chicken-and-egg problem.
- Note: I kept the RPC wrapper object even though it now only has one field.
Seems like it's a good practice to use wrapper objects, even though we don't
everywhere.
2015-05-26 14:44:15 -07:00
5541a8ab37
remove trailing , and return 500 for multi certs with the same short serial
2015-05-25 09:26:37 +01:00
c1f3791b27
Fix some issues brought up by integration test
2015-05-21 17:25:56 -07:00
153234204d
Add an integration test using test.js
...
Include updates to test.js to make its output more useful as a diagnostic.
It remains a future TODO to do integration testing with the real letsencrypt
client.
Also, work around a go vet bug.
2015-05-21 16:51:40 -07:00
f63c8ec5ca
Merge pull request #218 from letsencrypt/204_audit_challenges
...
Audit all Challenges (success/failure) in VA for Issue #204
2015-05-21 14:23:54 -07:00
1c9837ddf8
Audit all Challenges (success/failure) in VA for Issue #204
...
- Don't ignore entropy underruns in challenges.go
- Correct identity crisis in Policy Authority; hopefully it will remember.
- Add a method `AuditObject` in audit-logger and convert RA/VA to use it
- Fix json typo in registration-authority that caused empty audit logs
- Fix vet issue in WFE where RegID was being printed as a 32-bit int instead of 64-bit
- Unfix the issue in WFE where RegID isn't right, per PR #215
2015-05-21 13:58:40 -07:00
74ecad349b
Merge upstream/master
2015-05-20 13:03:43 -07:00
0f4f17e82b
make sure user has agreed before any subsequent actions
2015-05-20 12:58:14 -07:00
48cdd35026
gofmt wfe
2015-05-19 18:25:02 -07:00
8c9830618b
Use absolute URL for link to issuer cert
2015-05-19 16:30:33 -07:00
8dd4c650bd
Disallow GETs for Registration.
...
Per the spec, authenticated requests must be signed by an account key, and
GET requests can't be signed under the current protocol. If the account holder
wishes to fetch their current registration, they can do so by posting a signed,
empty update to their registration resource.
Also fix a bug in generating registration URLs.
2015-05-19 12:44:04 -07:00
870f02917c
check subscriber agreement in new/updated registrations
2015-05-18 20:56:51 -07:00
42302541bd
Run `go fmt` for PR #186
2015-05-18 18:44:38 -07:00
d2be0dcb95
Review updates
2015-05-18 18:24:37 -07:00
894703ae67
Follow-on work for Issue #62
...
- Documentation correction
- Don't lose the problemDoc failback (merge issue, I guess?)
- Add the start of an ack script to find methods implementing the audit UUIDs
- Documentation fix (RA calls VA, not WFE)
- Audit log revocations
- Audit log unauthorized domains
- Include all SANs in issuance audit log
- Add a script to locate all audit markers
2015-05-18 18:23:09 -07:00
c3b312118e
Add audit logging
...
- Auditing for general errors in executables
- Auditing for improper messages received by WFE
- Automatic audit wlogging of software errors
- Audit logging for mis-routed messages
- Audit logging for certificate requests
- Auditing for improper messages received by WFE
- Add audit events table
- Expect more details in TestRegistration in web-front-end_test.go
- Remove "extra" debug details from web-front-end.go per Issue #174
- Improve test coverage of web-front-end.go
- WFE audit updates for revocation support rebase
- Add audit messages to RPC for Improper Messages and Error Conditions
- Also note misrouted messages
2015-05-18 18:23:08 -07:00
4cda5e11f3
Merge pull request #201 from rolandshoemaker/remkey
...
Switch Authorization object from key to registration ID as association
2015-05-18 11:24:51 -07:00
e1ba291019
Store registration ID with certificate
2015-05-16 13:47:51 -07:00
faa1d5ac45
review cleanups
2015-05-16 13:25:36 -07:00
f8d54a728c
Fix up rebase issues.
2015-05-14 16:11:56 -07:00
b43d647fa2
Call RevokeCertificate through RA.
2015-05-14 15:54:12 -07:00
7b5038ac89
Switch WFE to revoke by posting cert rather than serial.
2015-05-14 15:54:10 -07:00
de4e37bf60
Implement user-facing revocation.
2015-05-14 15:53:58 -07:00
bff5ea2cfe
Implement user-facing revocation.
2015-05-14 15:52:11 -07:00
e233fdaa61
switch authz and pending_authz to store registration ID instead of key (and update all the random stuff they touched)
2015-05-14 14:14:36 -07:00
b3d85ed9b5
fix breakage introduced by b0rked rebase
2015-05-13 19:30:37 -07:00
8aa2a0607e
return full registration object and proper JSON marshal
2015-05-13 19:16:55 -07:00
c580041ed5
appropriate error messages
2015-05-13 19:16:55 -07:00
b9745cf894
check key is assosiated with existing registration in verifyPOST
2015-05-13 19:16:20 -07:00
aa8c20f84a
Fixes in response to review feedback.
2015-05-13 17:36:39 -07:00
3eed9e3f7c
Move to Square's go-jose library.
2015-05-13 17:36:38 -07:00
8e95c98cb5
add type namespacing
2015-05-11 14:44:54 -07:00
8655e900ab
send problem doc types in sendError (ignoring badCSR for now)
2015-05-11 14:44:54 -07:00
debf86375b
Remove Location header.
2015-05-10 21:37:29 -07:00
1276d82146
Add /acme/issuer-cert endpoint and up links to it
...
In /acme/new-cert and /acme/cert/<serial>.
2015-05-10 21:35:28 -07:00
3fddff8dcf
further tests for VA, consistent sendError for verifyPOST in WFE
2015-05-05 15:31:53 -07:00
2db4194b4d
add new registration + authorization tests for wfe
2015-05-04 20:54:58 -07:00
b5ca98130e
remove unused struct from broken fix
2015-05-04 19:40:08 -07:00
11a4a5019f
better reg test, ignore empty payload for now
2015-05-04 19:39:24 -07:00
4fc3a1146e
VA tests, WFE tests, plus WFE NewRegistration empty payload fix
2015-05-04 18:43:18 -07:00
3383809c20
Properly route index ( fixes #146 )
2015-05-03 20:35:53 +00:00
c4497aca72
Merge pull request #134 from letsencrypt/ocsp-table
...
More steps towards revocation / OCSP support
2015-05-02 11:22:23 -07:00
ac78f333f8
Merge branch 'master' into ocsp-table
...
Conflicts:
ca/certificate-authority.go
ca/certificate-authority_test.go
cmd/boulder-ca/main.go
cmd/boulder/main.go
sa/storage-authority.go
sa/storage-authority_test.go
2015-05-02 11:10:05 -07:00
c4aec38066
WFE: index (GET /)
2015-05-02 15:55:46 +00:00
a77152e828
Rework Authority "New" methods to obtain AuditLogger from Singleton
...
- Also ran `go fmt` against these files I was touching anyway:
sa/storage-authority.go
va/validation-authority.go
wfe/web-front-end.go
2015-05-01 21:50:07 -07:00
35834bf262
test.InitAuthorities, progress tests for wfe.Challenge
2015-05-01 00:33:22 +00:00
373636952e
Progress fixing tests for wfe.Challenge
2015-04-30 22:37:29 +00:00
4311f02a90
Add tests for wfe.Challenge
2015-04-30 20:48:02 +00:00
738e442f63
Fix build.
2015-04-30 19:25:28 +00:00
37f430d80f
Location and "up" Link for Challenge
2015-04-30 19:05:02 +00:00
7d98856ad7
"POST challenge" returns Challenge instead of Authorization ( fixes : #130 ).
2015-04-30 18:45:27 +00:00
1d2c6a5d7c
Split out GetCertificate / GetCertificateByShortSerial.
...
Also stub out some initial revocation code.
2015-04-29 11:48:08 -07:00
1065b14c9c
Add more logging to boulder.
2015-04-24 18:39:50 -07:00
830f64585c
Merge branch 'master' of github.com:letsencrypt/boulder into certificate-query
2015-04-18 23:45:47 -04:00
7d8ef9a019
Fix tests and tidy up for review.
2015-04-18 23:44:42 -04:00
431ad092eb
Query certs by sequential part of serial number.
...
Also refactor WFE for better initialization and change StorageAuthority to
support this type of query.
2015-04-18 00:48:19 -04:00
f839d89f25
add return
2015-04-16 17:44:14 -07:00
e7f2f4f90c
hook cmd.ProfileCmd into all the polylithic clients
2015-04-12 20:26:02 -07:00
Jeff Hodges
Jacob Hoffman-Andrews
Roland Shoemaker
Romain Fliedel
Tom Clegg
Richard Barnes
Brad Warren
J.C. Jones
bifurcation
James 'J.C.' Jones
Jakub Warmuz