Merge branch 'release/0.1.2'

This commit is contained in:
Maarten de Waard 2017-08-15 17:51:17 +02:00
commit 10b0f7a537
6 changed files with 124 additions and 91 deletions


@ -14,19 +14,23 @@ also enable you to very easily do automatic certificate renewal.
Furthermore, you can configure HAProxy to handle Boulder's authentication using Furthermore, you can configure HAProxy to handle Boulder's authentication using
the HAProxy authenticator of this plugin. the HAProxy authenticator of this plugin.
It was created for use with `Greenhost`_'s share hosting environment and can be It was created for use with `Greenhost's`_ shared hosting environment and can be
useful to you in the following cases: useful to you in the following cases:
- If you use HAProxy and have several domains for which you want to enable Let's - If you use HAProxy and have several domains for which you want to enable Let's
Encrypt certificates Encrypt certificates.
- If you yourself have a shared hosting platform that uses HAProxy to redirect - If you yourself have a shared hosting platform that uses HAProxy to redirect
to your client's websites to your client's websites.
- Actually any case in which you want to automatically restart HAProxy after you - Actually any case in which you want to automatically restart HAProxy after you
request a new certificate. request a new certificate.
.. _Greenhost: https://greenhost.net .. _Greenhost's: https://greenhost.net
Please read the installation instructions on how to configure HAProxy. This plugin does not configure HAProxy for you, because HAProxy configurations
can can vary a great deal. Please read the installation instructions on how to
configure HAProxy for use with the plugin. If you have a good idea on how we can
implement automatic HAProxy configuration, you are welcome to create a merge
request or an issue.
Installing: Requirements Installing: Requirements
------------------------ ------------------------
@ -380,7 +384,19 @@ server, which is the exact same server Let's Encrypt is running. The server is
started in Virtual Box using Vagrant. To prevent the installation of any started in Virtual Box using Vagrant. To prevent the installation of any
components and dependencies from cluttering up your computer there is also a components and dependencies from cluttering up your computer there is also a
client Virtual Box instance. Both of these machines can be setup and started by client Virtual Box instance. Both of these machines can be setup and started by
running the ``dev_start.sh`` script. running the ``dev_start.sh`` script. This sets up a local boulder server and the
letsencrypt client, so don't worry if it takes more than an hour.
Vagrant machines
================
The ``dev_start.sh`` script boots two virtual machines. The first is named
'boulder' and runs a development instance of the boulder server. The second is
'lehaproxy' and runs the client. To test if the machines are setup correctly,
you can SSH into the 'lehaproxy' machine, by running ``vagrant ssh
lehaproxy``. Next, go to the /lehaproxy directory and run
``./tests/boulder-integration.sh``. This runs a modified version of certbot's
boulder-integration test, which tests the HAProxy plugin. If the test succeeds,
your development environment is setup correctly.
Development: Running locally without sudo Development: Running locally without sudo
----------------------------------------- -----------------------------------------
@ -449,14 +465,16 @@ you can update.
Making a `.deb` debian package Making a `.deb` debian package
------------------------------ ------------------------------
Requirements: Requirements:
- python stdeb: pip install --upgrade stdeb - python stdeb: pip install --upgrade stdeb
- dh clean: apt-get install dh-make - dh clean: apt-get install dh-make
Run the following commands in your vagrant machine: Run the following commands in your vagrant machine:
``` .. code:: bash
apt-file update apt-file update
python setup.py sdist python setup.py sdist
# py2dsc has a problem with vbox mounted folders # py2dsc has a problem with vbox mounted folders
@ -467,4 +485,3 @@ Run the following commands in your vagrant machine:
# NOTE: Not signed, no signed changes (with -uc and -us) # NOTE: Not signed, no signed changes (with -uc and -us)
# NOTE: Add the package to the ghtools repo # NOTE: Add the package to the ghtools repo
dpkg-buildpackage -rfakeroot -uc -us dpkg-buildpackage -rfakeroot -uc -us
```

Vagrantfile vendored

@ -21,8 +21,8 @@ ENVS = {
Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
config.hostmanager.enabled = true #config.hostmanager.enabled = true
config.hostmanager.manage_host = true #config.hostmanager.manage_host = true
config.vbguest.auto_update = true config.vbguest.auto_update = true
config.vbguest.no_remote = false config.vbguest.no_remote = false
@ -30,7 +30,7 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
server.vm.box = "debian/jessie64" server.vm.box = "debian/jessie64"
server.vm.hostname = "boulder.local" server.vm.hostname = "boulder.local"
server.vm.network :private_network, ip: ENVS['PROJECT_SERVER_IP'] server.vm.network :private_network, ip: ENVS['PROJECT_SERVER_IP']
server.vm.synced_folder ".", "/vagrant/", type: "virtualbox" server.vm.synced_folder ".", "/boulder/", type: "virtualbox"
server.vm.provision "shell" do |s| server.vm.provision "shell" do |s|
s.path = './provisioning_server.sh' s.path = './provisioning_server.sh'
s.env = ENVS s.env = ENVS
@ -47,7 +47,6 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
client.vm.box = "debian/jessie64" client.vm.box = "debian/jessie64"
client.vm.hostname = PROJECT_NAME + ".local" client.vm.hostname = PROJECT_NAME + ".local"
client.vm.network :private_network, ip: ENVS['PROJECT_CLIENT_IP'] client.vm.network :private_network, ip: ENVS['PROJECT_CLIENT_IP']
client.vm.synced_folder ".", "/vagrant/", disabled: true
client.vm.synced_folder ".", "/" + PROJECT_NAME + "/", type: "virtualbox" client.vm.synced_folder ".", "/" + PROJECT_NAME + "/", type: "virtualbox"
client.vm.provision "shell" do |s| client.vm.provision "shell" do |s|
s.path = './provisioning_client.sh' s.path = './provisioning_client.sh'


@ -1,74 +0,0 @@
diff --git a/test/config/va.json b/test/config/va.json
index 75ff959..d031f99 100644
--- a/test/config/va.json
+++ b/test/config/va.json
@@ -3,8 +3,8 @@
"userAgent": "boulder",
"debugAddr": "localhost:8004",
"portConfig": {
- "httpPort": 5002,
- "httpsPort": 5001,
+ "httpPort": 80,
+ "httpsPort": 443,
"tlsPort": 5001
},
"maxConcurrentRPCServerRequests": 16,
@@ -37,4 +37,4 @@
"dnsTimeout": "10s",
"dnsAllowLoopbackAddresses": true
}
-}
\ No newline at end of file
+}
diff --git a/test/config/wfe.json b/test/config/wfe.json
index 532da42..29e09fd 100644
--- a/test/config/wfe.json
+++ b/test/config/wfe.json
@@ -44,7 +44,7 @@
},
"common": {
- "baseURL": "http://127.0.0.1:4000",
+ "baseURL": "http://192.168.33.111:4000",
"issuerCert": "test/test-ca.pem"
}
-}
\ No newline at end of file
+}
diff --git a/test/rate-limit-policies.yml b/test/rate-limit-policies.yml
index 41aadd3..25d656b 100644
--- a/test/rate-limit-policies.yml
+++ b/test/rate-limit-policies.yml
@@ -4,7 +4,7 @@ totalCertificates:
threshold: 100000
certificatesPerName:
window: 2160h
- threshold: 2
+ threshold: 10000
overrides:
ratelimit.me: 1
lim.it: 0
@@ -27,10 +27,10 @@ registrationsPerIP:
127.0.0.1: 1000000
pendingAuthorizationsPerAccount:
window: 168h # 1 week, should match pending authorization lifetime.
- threshold: 3
+ threshold: 10000
certificatesPerFQDNSet:
window: 24h
- threshold: 5
+ threshold: 10000
overrides:
le.wtf: 10000
le1.wtf: 10000
diff --git a/test/test-ca.key-pkcs11.json b/test/test-ca.key-pkcs11.json
index 7a8d348..746dee8 100644
--- a/test/test-ca.key-pkcs11.json
+++ b/test/test-ca.key-pkcs11.json
@@ -1,5 +1,5 @@
{
- "module": "/usr/local/lib/libpkcs11-proxy.so",
+ "module": "/usr/lib/softhsm/libsofthsm.so",
"tokenLabel": "intermediate",
"pin": "5678",
"privateKeyLabel": "intermediate_key"

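--- a/hsmpatch.py
+++ b/hsmpatch.py
@@ -0,0 +1,90 @@
+#!/usr/bin/env python2
+"""
+Patch the HSM config file to set correct settings for use with a Vagrant
+development setup.
+Note: this used to be a simple patch file but since the format changed, it
+seems better to parse the file, change the json object and dump it back to the
+file.
+"""
+import simplejson as json
+import yaml
+import sys
+import os.path
+MAX_RECURSION = 100
+PATCHES = {
+"test/config/va.json": {
+"va": {
+"portConfig": {
+"httpPort": 80,
+"httpsPort": 443
+}
+}
+},
+"test/rate-limit-policies.yml": {
+"certificatesPerName": {
+"threshold": 1000
+},
+"certificatesPerFQDNSet": {
+"threshold": 1000
+}
+},
+"test/test-ca.key-pkcs11.json": {
+"module": "/usr/lib/softhsm/libsofthsm.so",
+}
+}
+def recursive_update(old_obj, new_obj, depth=0):
+if depth > MAX_RECURSION:
+raise RuntimeError("Maximum recursion level reached.")
+if isinstance(new_obj, dict):
+for key, value in new_obj.items():
+old_obj[key] = recursive_update(
+old_obj[key], new_obj[key], depth+1)
+elif isinstance(new_obj, (list, tuple)):
+# Merge lists/tuples.
+old_obj = old_obj + new_obj
+else:
+# Set strings, integers, etc. and set() so arrays can be
+# overridden.
+old_obj = new_obj
+return old_obj
+def patch_yaml(file, obj):
+with open(file, "r") as fp:
+yaml_obj = yaml.load(fp)
+yaml_obj = recursive_update(yaml_obj, obj)
+with open(file, "w") as fp:
+yaml.dump(yaml_obj, fp, default_flow_style=False)
+def patch_json(file, obj):
+with open(file, "r") as fp:
+json_obj = json.load(fp)
+json_obj = recursive_update(json_obj, obj)
+with open(file, "w") as fp:
+json.dump(json_obj, fp, indent=4)
+if __name__ == '__main__':
+try:
+for patch_file, patch_obj in PATCHES.items():
+_, file_extension = os.path.splitext(patch_file)
+if file_extension in (".yml", ".yaml"):
+patch_yaml(patch_file, patch_obj)
+elif file_extension in (".json", ".js"):
+patch_json(patch_file, patch_obj)
+else:
+raise NotImplementedError(
+"Can't patch files with %s extension" % file_extension)
+print("Patched {}".format(os.path.abspath(patch_file)))
+except (OSError, IOError), exc:
+print(
+"Failed to patch the HSM for development, reason: {}".format(exc))
+sys.exit(1)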
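Review bot: `yaml.load(fp)` in patch_yaml is called without a Loader, which in PyYAML selects the full loader and will construct arbitrary Python objects from tagged nodes in the file it reads; the script only needs plain mappings and scalars, so `yaml_obj = yaml.safe_load(fp)` and `yaml.safe_dump(yaml_obj, fp, default_flow_style=False)` produce the same output for this data while refusing tagged input. The removed greenhost.patch in this same commit also rewrote `baseURL` in test/config/wfe.json, but PATCHES has no wfe.json entry and the comment above the `/boulder/hsmpatch.py` call in provisioning_client.sh still says the IP is changed, so either that entry was dropped intentionally and the comment is stale, or it is missing. recursive_update also deserves a comment that `old_obj[key]` raises KeyError when the target file lacks a key present in the patch, which the OSError/IOError handler in main does not catch: `# Every key in new_obj must already exist in old_obj; a missing key raises KeyError.` Note too that the rate-limit thresholds here are 1000 where the removed patch used 10000; worth confirming that is intended.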


@ -89,7 +89,7 @@ go get bitbucket.org/liamstask/goose/cmd/goose
go get -d github.com/letsencrypt/boulder/... go get -d github.com/letsencrypt/boulder/...
# Enter the boulder directory # Enter the boulder directory
cd /gopath/src/github.com/letsencrypt/boulder cd $GOPATH/src/github.com/letsencrypt/boulder
# Install alle dependencies # Install alle dependencies
godep restore godep restore
@ -107,7 +107,8 @@ fi
# Change pkcs to softhsm and IP to 192.168.33.111 and set high thresholds for rate limiting # Change pkcs to softhsm and IP to 192.168.33.111 and set high thresholds for rate limiting
if grep -Fq "/usr/local/lib/libpkcs11-proxy.so" test/test-ca.key-pkcs11.json; then if grep -Fq "/usr/local/lib/libpkcs11-proxy.so" test/test-ca.key-pkcs11.json; then
git apply /vagrant/greenhost.patch pip install simplejson pyyaml
/boulder/hsmpatch.py
fi fi
cat <<EOF > /etc/nginx/sites-available/wfe cat <<EOF > /etc/nginx/sites-available/wfe
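Review bot: `pip install simplejson pyyaml` on the line replacing the `git apply` call installs whatever PyPI serves at provisioning time with no version pin, so the development VM is not reproducible and a changed upstream release silently alters what hsmpatch.py runs against; pinning, e.g. `pip install 'simplejson==<pinned-version>' 'pyyaml==<pinned-version>'`, keeps the provisioning deterministic. The following `/boulder/hsmpatch.py` call depends on the working directory, because the script's PATCHES paths are relative and the only `cd` into the boulder checkout is in the earlier hunk of this file, so a comment such as `# hsmpatch.py patches test/... relative to the current directory (the boulder checkout)` would make that coupling visible. The enclosing `if` block is inside a script whose start and end lie outside the hunk.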


@ -3,7 +3,7 @@ import sys
from setuptools import setup from setuptools import setup
from setuptools import find_packages from setuptools import find_packages
own_version = '0.1.1' own_version = '0.1.2'
certbot_version = '0.8.1' certbot_version = '0.8.1'
# Please update tox.ini when modifying dependency version requirements # Please update tox.ini when modifying dependency version requirements