Kane York
c24888d03a
use paranoid error checking
2016-03-11 13:03:34 -08:00
Kane York
91bc75b0e3
Add GetValidAuthorizations to batch authz checks
...
By performing only one query to MySQL, we should be able to avoid
blowing the timeouts.
Fixes #1567
2016-03-11 10:26:55 -08:00
Jacob Hoffman-Andrews
a220ee0ad8
Merge pull request #1581 from letsencrypt/full-window
...
Make OCSP Updater SCT loop look at full window
2016-03-10 18:55:53 -08:00
Jacob Hoffman-Andrews
c61bd7bfc0
Merge branch 'master' into full-window
2016-03-10 17:09:48 -08:00
Jacob Hoffman-Andrews
e1f07801e9
Merge pull request #1584 from letsencrypt/etld-ratelimit
...
Handle errors in EffectiveTLDPlusOne for ratelimits
2016-03-09 16:15:49 -08:00
Jacob Hoffman-Andrews
1f4d52277a
Merge branch 'master' into etld-ratelimit
2016-03-09 16:07:20 -08:00
Kane York
b0b5378fe0
Merge pull request #1563 from letsencrypt/1434
...
Bypass per domain rate limit if FQDN set was previously issued
2016-03-09 15:51:18 -08:00
Roland Shoemaker
8b66eb4d5b
Remove unnecessary mock method
2016-03-09 14:17:45 -08:00
Roland Shoemaker
832ce79e5f
Switch LIMIT to correct query
2016-03-09 13:24:46 -08:00
Jacob Hoffman-Andrews
b9e162fb38
Merge branch 'master' into 1434
2016-03-09 13:13:00 -08:00
Roland Bracewell Shoemaker
dea8eff780
Merge pull request #1556 from letsencrypt/mailer-renewal
...
expiration-mailer: don't mail if exact-renewal already
2016-03-09 13:06:54 -08:00
Roland Shoemaker
56c45d1330
Bypass per domain rate limit if FQDN set was previously issued
...
In ra.checkCertificatesPerName allow a bypass of the rate limit
if the exact name set has previously been issued for. This should
make a few current scenarios people have been running into slightly
less painful.
2016-03-09 13:03:07 -08:00
Kane York
6c2945301f
Update test
2016-03-09 11:07:34 -08:00
Kane York
327a760311
expiration-mailer: don't mail if exact-renewal already
...
If a certificate has already been issued with the same set of FQDNs, it
is considered to be renewed and no expiration mail is sent.
Also, use the connection string in the test/vars package instead of
copying it all around.
2016-03-09 10:58:56 -08:00
Kane York
3e0bd535d7
Handle errors in EffectiveTLDPlusOne for ratelimits
...
The only failure conditions for EffectiveTLDPlusOne are (1) the
underlying PublicSuffix function returning nonsensical data (a suffix
longer than the original domain, or the character preceding the suffix
is not a '.'), and (2) the suffix being equal to the domain.
Since we have bigger problems if (1) ever happens, assume errors are
only returned if (2) has occurred, and use the public suffix itself for
the ratelimit.
Fixes #1572
2016-03-09 10:48:27 -08:00
Jacob Hoffman-Andrews
c8f8c45b36
Merge pull request #1580 from letsencrypt/rem-tel
...
Remove telephone contacts as an option
2016-03-09 09:40:37 -08:00
Jacob Hoffman-Andrews
fa7f9f6a97
Merge branch 'master' into rem-tel
2016-03-09 09:27:48 -08:00
Roland Shoemaker
09a14627c1
Use full window when looking for new serials not just batchSize
2016-03-08 16:39:19 -08:00
Roland Shoemaker
03427ccb81
Remove telephone contacts as an option
2016-03-08 16:03:16 -08:00
Jacob Hoffman-Andrews
68906268d6
Merge pull request #1574 from letsencrypt/ca-logging
...
Add more detailed logging to the CA.
2016-03-08 10:32:30 -08:00
Jacob Hoffman-Andrews
cf1860797a
Add more detailed logging to the CA.
2016-03-08 10:08:32 -08:00
Roland Bracewell Shoemaker
c8bf4e7bb6
Merge pull request #1560 from letsencrypt/fcenv
...
Introduce cmd.Clock() for use in tests
2016-03-07 15:06:38 -08:00
Kane York
a6317d1717
Introduce cmd.Clock() for use in integration tests
...
If the FAKECLOCK environment variable is set, and the build was in a
test environment, cmd.Clock will return a FakeClock with the time set to
the content of the environment variable.
The choice of the UnixDate format was because `date -d` is a common
choice for shell scripts.
2016-03-07 14:52:34 -08:00
Roland Bracewell Shoemaker
bad35e7fe8
Merge pull request #1565 from letsencrypt/multiple-blacklist
...
When multiple names are forbidden, list all.
2016-03-07 11:48:57 -08:00
Roland Bracewell Shoemaker
a17e51915b
Merge branch 'master' into multiple-blacklist
2016-03-07 11:28:24 -08:00
Roland Bracewell Shoemaker
18b251cc1c
Merge pull request #1566 from letsencrypt/issued-together
...
Update issuedNames table in a single query.
2016-03-07 11:28:14 -08:00
Roland Bracewell Shoemaker
99d7c492a4
Merge branch 'master' into issued-together
2016-03-07 10:17:28 -08:00
Jacob Hoffman-Andrews
afff5a0def
Merge pull request #1569 from ibukanov/master
...
test - Ensure FAKE_DNS is passed to boulder container
2016-03-07 08:36:33 -08:00
Igor Bukanov
5498058d85
Ensure FAKE_DNS is passed to boulder container
...
The patch adds the explicit -e FAKE_DNS=value to the docker run command that runs the boulder container to ensure that the variable is available in the container.
The patch also removes the code that automatically derived FAKE_DNS. As FAKE_DNS was not passed previously, using that code now can break the cases when run-docker.sh was used under the assumption that FAKE_DNS should be 127.0.0.1.
2016-03-07 12:47:41 +01:00
Jacob Hoffman-Andrews
109bec1f21
Fix tests by adding DNSNames.
2016-03-06 19:58:53 -08:00
Jacob Hoffman-Andrews
bc32ff6c03
Updated issuedNames table in a single query.
...
This means that the number of queries required (and therefore the latency)
doesn't vary too much with the number of DNSNames on the cert.
2016-03-05 18:16:48 -08:00
Jacob Hoffman-Andrews
8f0f261048
When multiple names are forbidden, list all.
...
Also, change "name is blacklisted" in PA to "Policy forbids issuance," to match
CA.
2016-03-05 14:29:05 -08:00
Jacob Hoffman-Andrews
246dc5a31a
Merge pull request #1552 from letsencrypt/concurrent-caa
...
Perform CAA lookups in parallel.
2016-03-04 12:35:16 -08:00
Kane York
31535f5b89
Perform CAA lookups in parallel.
...
Also, stop skipping CAA lookups for the root TLDs. The RFC is unclear on
the desired behavior here, but the ICANNTLD function is nonstandard and
the behavior is strictly more conservative than what we had before.
This unblocks the removal of the ICANNTLD function, which allows us to
stop forking upstream.
Closes #1522
2016-03-04 11:07:14 -08:00
Jacob Hoffman-Andrews
027585212a
Merge pull request #1554 from letsencrypt/ocsp-ca-backoff
...
Remove CA HSM lockout and update OCSP updater backoff
2016-03-03 14:52:35 -08:00
Jacob Hoffman-Andrews
02d23ac2d0
Merge branch 'master' into ocsp-ca-backoff
2016-03-03 12:52:20 -08:00
Jacob Hoffman-Andrews
19ef1d9467
Merge pull request #1555 from sunny-g/fix/1323
...
Fixes #1323 (I think)
2016-03-03 12:50:39 -08:00
sunny-g
f5cd31fbdf
fix to parse multiple addresses
2016-03-03 09:13:50 -08:00
Roland Shoemaker
b91a152148
Simplify backoff + collect stats on cfssl and pkcs11 errors
2016-03-02 15:54:54 -08:00
sunny-g
d9429c9b2b
edit multipleAddressDetail
2016-03-01 22:10:52 -08:00
sunny-g
bfca1e687f
fixes #1323
2016-03-01 21:51:13 -08:00
Roland Shoemaker
c4dd3506aa
Remove CA HSM lockout and make the OCSP updater CA backoff more HSM specific
2016-03-01 14:22:12 -08:00
Roland Bracewell Shoemaker
89d2f4d299
Merge pull request #1549 from letsencrypt/cfssl-logger
...
Add call to cfssl SetLogger, remove TODO
2016-02-29 16:08:32 -08:00
Jacob Hoffman-Andrews
f4241b23d9
Merge branch 'master' into cfssl-logger
2016-02-29 15:48:57 -08:00
Jacob Hoffman-Andrews
82834ac08a
Merge pull request #1544 from letsencrypt/mysql-config
...
sa: use mysql.Config to set flags on connect strings
2016-02-29 15:48:54 -08:00
Kane York
c8614e21c5
Add call to cfssl SetLogger, remove TODO
...
Fixes #1528
2016-02-29 15:39:57 -08:00
Kane York
f440380330
sa: use mysql.Config to set flags on connect strings
...
This also exposes an interface to open a connection using a
mysql.Config, so we can start changing config files to use those.
Part of #1505
2016-02-29 15:38:43 -08:00
Roland Bracewell Shoemaker
f568f63f5d
Merge pull request #1480 from letsencrypt/exact-name-rl
...
Exact name set rate limit
2016-02-29 13:58:08 -08:00
Jacob Hoffman-Andrews
ee77c68549
Merge branch 'master' into exact-name-rl
2016-02-29 13:41:20 -08:00
Roland Bracewell Shoemaker
632d2eb9c9
Merge pull request #1540 from letsencrypt/update-depends
...
Update cfssl in godeps
2016-02-29 13:39:00 -08:00