This fixes some mysterious breakages that Let's Encrypt users who also
used mod_security on their domains had.
There's some back and forth about whether the mod_security rule is wise,
but that's captured in a mod_security ticket linked from this PR's
ticket.
This patch is a one-line fix with no probable downside. We're not likely
to want to do many more things to satisfy misunderstandings around HTTP
but this seems fine to help our people out.
Fixes #1019.
This allows us to call the Google Safe Browsing calls through the VA.
If the RA config's boolean UseIsSafeDomain is true, the RA will make the RPC
call to the VA during its NewAuthorization.
If the VA config's GoogleSafeBrowsingConfig struct is not nil, the VA
will check the Google Safe Browsing API in
VA.IsSafeDomain. If the GoogleSafeBrowsingConfig struct is nil, it will
always return true.
In order to actually make requests, the VA's GoogleSafeBrowsingConfig
will need to have a directory on disk it can store the local GSB hashes
it will check first and a working Google API key for the GSB API.
Fixes #1058
When a URL couldn't be connected to in validateSimpleHTTP, the
fmt.Sprintf calls using the URL would format it as something like:
{https <nil> kuba.us.to:443 .well-known/acme-challenge/-bgTYeerZbjhysBOgwIx_-7uVDnVnsaxagWvCk6lzNc }
Instead of:
https://kuba.us.to:443/.well-known/acme-challenge/-bgTYeerZbjhysBOgwIx_-7uVDnVnsaxagWvCk6lzNc
This would show up in errors like:
Failed authorization procedure. kuba.us.to (simpleHttp): connection :: The server could not connect to the client for DV :: Could not connect to {https <nil> kuba.us.to:443 .well-known/acme-challenge/-bgTYeerZbjhysBOgwIx_-7uVDnVnsaxagWvCk6lzNc }
By passing in a plain URL struct to
Sprintf(), it wasn't using the *url.URL.String() method, but the
built-in struct formatting.
The fix is simple: make the url variable a `*url.URL` instead of a
`url.URL`.
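The value-versus-pointer behaviour described in this commit message, as an added Go example that is not code from the commit or from Boulder. `*url.URL` has `String()` on a pointer receiver, so a `url.URL` value handed to `fmt.Sprintf` does not satisfy `fmt.Stringer` and falls back to the generic struct formatter, while the pointer prints the canonical URL. The host and token are constructed sample values; `buildChallengeURL`, `formatByValue` and `formatByPointer` are hypothetical helpers written for this illustration.

```go
package main

import (
	"fmt"
	"net/url"
)

// buildChallengeURL assembles a challenge URL the way a validator might
// before fetching the token. Host and token are constructed sample values.
func buildChallengeURL(host, token string) *url.URL {
	return &url.URL{
		Scheme: "https",
		Host:   host,
		Path:   "/.well-known/acme-challenge/" + token,
	}
}

// formatByValue reproduces the bug: dereferencing the pointer gives fmt a
// url.URL value. String() is declared on *url.URL, so the value does not
// implement fmt.Stringer and fmt prints the struct fields instead.
func formatByValue(u *url.URL) string {
	return fmt.Sprintf("Could not connect to %v", *u)
}

// formatByPointer is the fix: *url.URL implements fmt.Stringer, so fmt calls
// String() and the message carries a real URL.
func formatByPointer(u *url.URL) string {
	return fmt.Sprintf("Could not connect to %v", u)
}

func main() {
	u := buildChallengeURL("example.test:443", "constructed-token")
	fmt.Println(formatByValue(u))   // struct dump: {https  <nil> example.test:443 /.well-known/... }
	fmt.Println(formatByPointer(u)) // https://example.test:443/.well-known/acme-challenge/constructed-token
}
```

`go vet` does not flag this, because the struct is a perfectly valid `%v` operand; the only symptom is the odd-looking error text, which is why it surfaced in user-facing authorization failures rather than at compile time.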
This removes TestMode from the boulder-va command, from ca.Config
(it was only used in the VA) and gets the integration config to specify
the ports it should use explicitly.
(It also removes a DBDriver field from ca.Config that was left over from
letsencrypt/boulder#624.)
Fixes#627.
Previously the VA test had race conditions where the various test servers would
not shut down before the next test started its own server, and the necessary port
wouldn't be available.
Go's httptest makes shutdown simpler, and also chooses a random port, which
further helps avoid collisions.
This change required refactoring the VA to specify the ports for various
challenges as fields. This should allow us to fully remove the TestMode bool in
a subsequent change.
Credit to jmhodges for the first version of this patch.
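The test-server pattern this commit message describes, as an added Go example that is not code from the commit or from Boulder: `httptest.NewServer` binds an OS-chosen loopback port, the validator receives that port as a field rather than deriving it from a test-mode flag, and `Close()` returns only once the listener is down, so the next test cannot collide with a server that is still shutting down. The `challengeValidator` type, its `validate` method, `startChallengeServer` and `runScenario` are hypothetical names for this illustration, and the token body is a constructed sample value.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
)

// challengeValidator stands in for a validator whose challenge port is a
// configurable field instead of a TestMode-derived constant. Hypothetical type.
type challengeValidator struct {
	httpPort int
}

// startChallengeServer starts an httptest server that answers every request
// with body and returns it together with the port the OS picked. Each call
// gets a fresh, unused port, so concurrent or back-to-back tests cannot
// contend for a fixed port number.
func startChallengeServer(body string) (*httptest.Server, int) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, body)
	}))
	port := srv.Listener.Addr().(*net.TCPAddr).Port
	return srv, port
}

// validate fetches path from the loopback address on the configured port and
// returns the response body, a simplified stand-in for an HTTP challenge fetch.
func (v challengeValidator) validate(path string) (string, error) {
	resp, err := http.Get(fmt.Sprintf("http://127.0.0.1:%d%s", v.httpPort, path))
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// runScenario starts a server, points the validator at its port, validates,
// shuts the server down, and confirms the port is no longer reachable. It
// returns the body observed while the server was up and whether the
// post-shutdown fetch failed as expected.
func runScenario() (string, bool, error) {
	srv, port := startChallengeServer("constructed-token") // constructed sample body
	v := challengeValidator{httpPort: port}
	body, err := v.validate("/.well-known/acme-challenge/constructed-token")
	if err != nil {
		srv.Close()
		return "", false, err
	}
	srv.Close() // blocks until the listener is closed and idle connections are torn down
	_, err = v.validate("/.well-known/acme-challenge/constructed-token")
	return body, err != nil, nil
}

func main() {
	body, refusedAfterClose, err := runScenario()
	fmt.Println(body, refusedAfterClose, err)
}
```

Because the port travels through the validator as data, production configuration can pin it to 80 while tests pass whatever `httptest` handed out, which is exactly what makes the separate test-mode switch unnecessary.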
Refactor DNS problem details use
Actually store and log resolved addresses
Less convoluted get addresses function/usage
Store redirects, reconstruct transport on redirect, add redirect + lookup tests
Add another test
Review fixes
Initial bulk of review fixes (cleanups inc)
Comment cleanup
Add some more tests
Cleanups
Give addrFilter a type and add the config wiring
Expose filters
LookupHost cleanups
Remove Resolved Addresses and Redirect chain from replies to client without breaking RPC layer
Switch address/redirect logging method, add redirect loop checking + test
Review fixes + remove IPv6
Remove AddressFilter remnant + constant-ize the VA timeout
Review fixes pt. 1
Initialize validation record
Don't blank out validation records
Add validation record sanity checking
Switch to shared struct
Check port is in valid range
Review fixes