An ACME-based certificate authority, written in Go.
Roland Shoemaker aa94f07081 Review fixes 2016-01-06 17:13:04 -08:00
Godeps add retries and context deadlines to DNSResolver 2016-01-04 14:59:10 -08:00
akamai Add a Akamai CCU client and use it to purge OCSP responses on revocation and update 2015-10-27 21:45:25 -07:00
analysis Correct most `go lint` warnings. (274 -> 5) 2015-06-16 22:18:28 -05:00
bdns add retries and context deadlines to DNSResolver 2016-01-04 14:59:10 -08:00
ca Allow PKCS11 config to be loaded from a file. 2015-11-27 15:23:31 -08:00
cmd Merge branch 'master' into mailer-fixes 2016-01-06 15:10:12 -08:00
core Fixed a bunch of typos 2016-01-04 18:39:34 -05:00
docs Review fix 2015-10-19 16:34:44 -07:00
log Fixed a bunch of typos 2016-01-04 18:39:34 -05:00
mail Review fixes 2016-01-06 17:13:04 -08:00
metrics add metrics.Scope 2015-12-15 20:13:03 -08:00
mocks Merge branch 'master' into mailer-fixes 2016-01-06 15:10:12 -08:00
policy delete old challenge code 2015-12-10 15:41:40 -08:00
probs return ProblemDetails when validating emails in ra 2015-12-15 14:44:19 -08:00
publisher Fixed a bunch of typos 2016-01-04 18:39:34 -05:00
ra add IP to rate limit logging 2016-01-05 11:35:05 -08:00
rpc Fixed a bunch of typos 2016-01-04 18:39:34 -05:00
sa Fixed a bunch of typos 2016-01-04 18:39:34 -05:00
test Merge branch 'master' into ct-sign 2016-01-05 17:04:09 -08:00
va Merge branch 'master' into retry_dns 2016-01-04 16:38:27 -08:00
wfe Merge branch 'master' into correct_head_content_length 2016-01-04 16:35:16 -08:00
.gitignore Disable activity-monitor. 2016-01-05 14:50:25 -08:00
.travis.yml Merge branch 'master' into bump_go_1.5.2 2015-12-06 12:42:51 -08:00
CONTRIBUTING.md Fixed a bunch of typos 2016-01-04 18:39:34 -05:00
DESIGN.md Fixed a bunch of typos 2016-01-04 18:39:34 -05:00
Dockerfile Merge branch 'master' into 1056 2015-12-14 18:32:35 -08:00
LICENSE.txt Add LICENSE.txt 2015-01-28 23:06:59 +00:00
Makefile remove pkcs11bench. 2015-10-03 14:21:53 -07:00
README.md Go get works on packages, not on URLs 2015-12-22 17:21:14 -05:00
docker-compose.yml RabbitMQ must also run on the host network 2015-12-23 16:07:39 -05:00
start.py Speed up start.py and integration test. 2015-07-28 18:07:22 -07:00
test.sh Split out setup.sh from travis-before-install. 2015-11-30 23:44:45 -08:00

README.md

Boulder - An ACME CA

This is an initial implementation of an ACME-based CA. The ACME protocol allows the CA to automatically verify that an applicant for a certificate actually controls an identifier, and allows domain holders to obtain and revoke certificates for their domains.


Quickstart

Boulder has a Dockerfile to make it easy to install and set up all its dependencies. This approach is most suitable if you just need to set up Boulder for the purpose of testing client software against it. To start Boulder in a Docker container, run:

./test/run-docker.sh

Slow start

This approach is better if you intend to develop on Boulder frequently, because it's challenging to develop inside the Docker container.

Boulder requires an installation of RabbitMQ, libtool-ltdl, goose, and MariaDB 10 to work correctly. On Ubuntu and CentOS, you may have to install RabbitMQ from https://rabbitmq.com/download.html to get a recent version.

Also, Boulder requires Go 1.5. As of September 2015 this version is not yet available in OS repositories, so you will have to install it from https://golang.org/dl/. Add ${GOPATH}/bin to your PATH.

Ubuntu:

sudo apt-get install libltdl3-dev mariadb-server rabbitmq-server

CentOS:

sudo yum install libtool-ltdl-devel MariaDB-server MariaDB-client rabbitmq-server

Arch Linux:

sudo pacman -S libtool mariadb rabbitmq --needed

OS X:

brew install libtool mariadb rabbitmq

or

sudo port install libtool mariadb-server rabbitmq-server

(On OS X, using port, you will have to add CGO_CFLAGS="-I/opt/local/include" CGO_LDFLAGS="-L/opt/local/lib" to your environment or go invocations.)

Resolve Go-dependencies, set up a database and RabbitMQ:

./test/setup.sh

Note: setup.sh calls create_db.sh, which connects as the MariaDB root user with its default password, so if you have disabled that account or changed the password you will need to edit the script or run its commands by hand.

Start each boulder component with test configs (Ctrl-C kills all):

./start.py

Run tests:

./test.sh

Working with a client:

Check out the official Let's Encrypt client from https://github.com/letsencrypt/letsencrypt/ and follow the setup instructions there.

Component Model

The CA is divided into the following main components:

  1. Web Front End
  2. Registration Authority
  3. Validation Authority
  4. Certificate Authority
  5. Storage Authority

This component model lets us separate the function of the CA by security context. The Web Front End and Validation Authority need access to the Internet, which puts them at greater risk of compromise. The Registration Authority can live without Internet connectivity, but still needs to talk to the Web Front End and Validation Authority. The Certificate Authority need only receive instructions from the Registration Authority.


client <--ACME--> WFE ---+
  .                      |
  .                      +--- RA --- CA
  .                      |
client <-checks->  VA ---+

Internally, the logic of the system is based around four types of objects: registrations, authorizations, challenges, and certificates, mapping directly to the resources of the same name in ACME.

Requests from ACME clients result in new objects and changes to objects. The Storage Authority maintains persistent copies of the current set of objects.

Objects are also passed from one component to another on change events. For example, when a client successfully responds to a validation challenge, the corresponding challenge object is updated. The Validation Authority forwards the updated challenge to the Storage Authority for storage, and to the Registration Authority so that it can update the related authorization object.
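The flow above, written out as an added example in Go (this is illustrative code, not Boulder's own VA/RA/SA implementation): a challenge result produced by the VA is written to the SA and then handed to the RA, which derives the authorization status from the stored challenges. The status values, the `check` callback standing in for the real HTTP/DNS lookup, and the in-memory storage are all assumptions made for the example; the one security-relevant rule it enforces is that an authorization that has reached a final state is never reopened by a later validation result.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// Status values follow the ACME resource states named in the README.
const (
	StatusPending = "pending"
	StatusValid   = "valid"
	StatusInvalid = "invalid"
)

// Challenge and Authorization are cut-down versions of the ACME objects.
type Challenge struct {
	Type   string // e.g. "http-01" or "dns-01"
	Status string
}

type Authorization struct {
	ID         string
	Identifier string // the domain name being authorized
	Status     string
	Challenges []Challenge
}

// NewAuthorization creates a pending authorization offering two challenge types.
func NewAuthorization(id, identifier string) Authorization {
	return Authorization{ID: id, Identifier: identifier, Status: StatusPending,
		Challenges: []Challenge{{"http-01", StatusPending}, {"dns-01", StatusPending}}}
}

// StorageAuthority keeps the persistent copy of every object (an in-memory map here).
type StorageAuthority struct {
	mu     sync.Mutex
	authzs map[string]Authorization
}

func NewStorageAuthority() *StorageAuthority {
	return &StorageAuthority{authzs: map[string]Authorization{}}
}

func (sa *StorageAuthority) Put(a Authorization) {
	sa.mu.Lock()
	defer sa.mu.Unlock()
	sa.authzs[a.ID] = a
}

// Get returns a copy; callers never share the stored challenge slice.
func (sa *StorageAuthority) Get(id string) (Authorization, bool) {
	sa.mu.Lock()
	defer sa.mu.Unlock()
	a, ok := sa.authzs[id]
	a.Challenges = append([]Challenge(nil), a.Challenges...)
	return a, ok
}

// UpdateChallenge stores a changed challenge inside its authorization.
func (sa *StorageAuthority) UpdateChallenge(authzID string, ch Challenge) error {
	sa.mu.Lock()
	defer sa.mu.Unlock()
	a, ok := sa.authzs[authzID]
	if !ok {
		return errors.New("unknown authorization " + authzID)
	}
	for i := range a.Challenges {
		if a.Challenges[i].Type == ch.Type {
			a.Challenges[i] = ch
			sa.authzs[authzID] = a
			return nil
		}
	}
	return fmt.Errorf("challenge %s is not part of authorization %s", ch.Type, authzID)
}

// RegistrationAuthority derives the authorization status from its challenges.
type RegistrationAuthority struct{ sa *StorageAuthority }

// OnChallengeUpdate is invoked by the VA after a challenge changed. It refuses
// to touch an authorization that is already in a final state.
func (ra *RegistrationAuthority) OnChallengeUpdate(authzID string) (Authorization, error) {
	a, ok := ra.sa.Get(authzID)
	if !ok {
		return Authorization{}, errors.New("unknown authorization " + authzID)
	}
	if a.Status != StatusPending {
		return a, fmt.Errorf("authorization %s is already %s", a.ID, a.Status)
	}
	a.Status = deriveStatus(a.Challenges)
	ra.sa.Put(a)
	return a, nil
}

// deriveStatus: one valid challenge makes the authorization valid; it only
// becomes invalid once every offered challenge has failed.
func deriveStatus(chs []Challenge) string {
	allInvalid := len(chs) > 0
	for _, c := range chs {
		if c.Status == StatusValid {
			return StatusValid
		}
		if c.Status != StatusInvalid {
			allInvalid = false
		}
	}
	if allInvalid {
		return StatusInvalid
	}
	return StatusPending
}

// ValidationAuthority runs the Internet-facing check (the constructed `check`
// func stands in for the real HTTP/DNS lookup) and forwards the result to SA and RA.
type ValidationAuthority struct {
	sa    *StorageAuthority
	ra    *RegistrationAuthority
	check func(identifier, chType string) bool
}

func (va *ValidationAuthority) Validate(authzID, chType string) (Authorization, error) {
	a, ok := va.sa.Get(authzID)
	if !ok {
		return Authorization{}, errors.New("unknown authorization " + authzID)
	}
	if a.Status != StatusPending { // never revalidate a finalized authorization
		return a, fmt.Errorf("authorization %s is already %s", a.ID, a.Status)
	}
	ch := Challenge{Type: chType, Status: StatusInvalid}
	if va.check(a.Identifier, chType) {
		ch.Status = StatusValid
	}
	if err := va.sa.UpdateChallenge(authzID, ch); err != nil {
		return a, err
	}
	return va.ra.OnChallengeUpdate(authzID)
}

func main() {
	sa := NewStorageAuthority()
	ra := &RegistrationAuthority{sa: sa}
	// Constructed checker: only the http-01 challenge for example.com succeeds.
	va := &ValidationAuthority{sa: sa, ra: ra, check: func(id, ty string) bool {
		return id == "example.com" && ty == "http-01"
	}}
	sa.Put(NewAuthorization("authz-1", "example.com"))
	a, err := va.Validate("authz-1", "dns-01") // fails, authorization stays pending
	fmt.Println(a.Status, err)
	a, err = va.Validate("authz-1", "http-01") // succeeds, authorization becomes valid
	fmt.Println(a.Status, err)
	_, err = va.Validate("authz-1", "dns-01") // rejected: final state is not reopened
	fmt.Println(err)
}
```

The same object flows through all three components, but only the RA decides the authorization's status; the VA merely reports what it observed, which is what lets the Internet-facing VA be compromised without being able to mint a valid authorization for an unvalidated name.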

Boulder uses AMQP as a message bus. For any component that you want to run remotely, you instantiate a "client" and a "server" for it: the client implements the component's Go interface and forwards calls over the bus, while the server holds the component's actual logic. See amqp-rpc.go for details.
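The client/server split described above, as an added example (not code from amqp-rpc.go or any other part of Boulder): a `CertificateAuthority` interface, a server that wraps the real implementation and exposes only the methods it has registered, and a client that satisfies the same interface but only serializes calls onto the bus. The bus is a pair of Go channels standing in for an AMQP request and reply queue, the `toyCA` signer and the `IssueCertificate` signature are invented for the example, and JSON is used as the wire encoding; all of these are assumptions. The point worth noting is the server side: a message naming any method that was not registered is refused, so the RA-to-CA link carries exactly the instructions the CA was built to accept.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// CertificateAuthority is the component's Go interface. Both the real component
// and its remote client implement it, so callers cannot tell them apart.
type CertificateAuthority interface {
	IssueCertificate(csr []byte, regID int64) ([]byte, error)
}

// rpcRequest and rpcResponse are the only messages that cross the bus.
type rpcRequest struct {
	Method string          `json:"method"`
	Args   json.RawMessage `json:"args"`
}

type rpcResponse struct {
	Result json.RawMessage `json:"result,omitempty"`
	Error  string          `json:"error,omitempty"`
}

type issueArgs struct {
	CSR   []byte `json:"csr"`
	RegID int64  `json:"regID"`
}

// Bus is a constructed stand-in for one AMQP request queue and its reply queue.
type Bus struct {
	requests chan []byte
	replies  chan []byte
}

func NewBus() *Bus {
	return &Bus{requests: make(chan []byte, 1), replies: make(chan []byte, 1)}
}

// Server wraps the real component and dispatches only to registered methods.
type Server struct {
	bus      *Bus
	handlers map[string]func(json.RawMessage) (interface{}, error)
}

func NewCAServer(bus *Bus, impl CertificateAuthority) *Server {
	s := &Server{bus: bus, handlers: map[string]func(json.RawMessage) (interface{}, error){}}
	s.handlers["IssueCertificate"] = func(raw json.RawMessage) (interface{}, error) {
		var a issueArgs
		if err := json.Unmarshal(raw, &a); err != nil {
			return nil, err
		}
		return impl.IssueCertificate(a.CSR, a.RegID)
	}
	return s
}

// ServeOne handles a single request taken from the bus.
func (s *Server) ServeOne() {
	var req rpcRequest
	var resp rpcResponse
	if err := json.Unmarshal(<-s.bus.requests, &req); err != nil {
		resp.Error = "malformed request"
	} else if h, ok := s.handlers[req.Method]; !ok {
		resp.Error = "unknown method: " + req.Method // nothing else is reachable
	} else if res, err := h(req.Args); err != nil {
		resp.Error = err.Error()
	} else {
		resp.Result, _ = json.Marshal(res)
	}
	out, _ := json.Marshal(resp)
	s.bus.replies <- out
}

// CAClient is what the RA holds: it satisfies CertificateAuthority but only
// ships messages; it contains none of the CA's logic or key material.
type CAClient struct{ bus *Bus }

func (c *CAClient) call(method string, args interface{}, out interface{}) error {
	rawArgs, err := json.Marshal(args)
	if err != nil {
		return err
	}
	req, _ := json.Marshal(rpcRequest{Method: method, Args: rawArgs})
	c.bus.requests <- req
	var resp rpcResponse
	if err := json.Unmarshal(<-c.bus.replies, &resp); err != nil {
		return err
	}
	if resp.Error != "" {
		return errors.New(resp.Error)
	}
	return json.Unmarshal(resp.Result, out)
}

func (c *CAClient) IssueCertificate(csr []byte, regID int64) ([]byte, error) {
	var cert []byte
	err := c.call("IssueCertificate", issueArgs{CSR: csr, RegID: regID}, &cert)
	return cert, err
}

// toyCA is a constructed stand-in for the signing logic (no real signing here).
type toyCA struct{}

func (toyCA) IssueCertificate(csr []byte, regID int64) ([]byte, error) {
	if len(csr) == 0 {
		return nil, errors.New("empty CSR")
	}
	return append([]byte(fmt.Sprintf("cert-for-reg-%d:", regID)), csr...), nil
}

// Compile-time proof that both sides implement the same interface.
var _ CertificateAuthority = (*CAClient)(nil)
var _ CertificateAuthority = toyCA{}

func main() {
	bus := NewBus()
	srv := NewCAServer(bus, toyCA{})
	go func() {
		for {
			srv.ServeOne()
		}
	}()
	var ca CertificateAuthority = &CAClient{bus: bus} // the RA only ever sees this
	cert, err := ca.IssueCertificate([]byte("csr-bytes"), 42)
	fmt.Println(string(cert), err)
}
```

Swapping `&CAClient{bus: bus}` for `toyCA{}` in `main` changes nothing for the caller, which is the property that lets the same RA code run with the CA in-process during tests and behind a queue in production.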

The full details of how the various ACME operations happen in Boulder are laid out in DESIGN.md.

Dependencies

All Go dependencies are vendored under the Godeps directory, to make dependency management easier.

Local development also requires a RabbitMQ installation and MariaDB 10 installation (see above). MariaDB should be run on port 3306 for the default integration tests.

To update the Go dependencies:

# Fetch godep
go get -u github.com/tools/godep
# Check out the currently vendorized version of each dependency.
godep restore
# Update to the latest version of a dependency. Alternately you can cd to the
# directory under GOPATH and check out a specific revision. Here's an example
# using cfssl:
go get -u github.com/cloudflare/cfssl/...
# Update the Godep config to the appropriate version.
godep update github.com/cloudflare/cfssl/...
# Save the dependencies, rewriting any internal or external dependencies that
# may have been added.
godep save -r ./...
git add Godeps
git commit

TODO

See the issues list