Remove all static minica keys
Remove the redis-tls, wfe-tls, and mail-test-srv keys which were generated by minica and then checked in to the repo. All three are replaced by the dynamically-generated ipki directory.
Part of https://github.com/letsencrypt/boulder/issues/7476
@aarongable, this PR appears to contain configuration and/or SQL schema changes. Please ensure that a corresponding deployment ticket has been filed with the new values.
There's an integration test failure during the first test.
```
pebble-challtestsrv - 2024/05/16 16:28:10 Added DNS-01 TXT challenge for Host "_acme-challenge.rand.3fd8c05d.xyz." - Value "uP1aJBd_6k246rQYgFWQx3TwpFGfHLrbh1gDP6HvY_E"
16:28:10.488156 6 boulder-va s_zY5go logDNSError chosenServer=[10.77.77.77:8343] hostname=[_acme-challenge.rand.3fd8c05d.xyz] queryType=[TXT] err=[Post "https://10.77.77.77:8343/dns-query": dial tcp 10.77.77.77:8343: connect: connection refused]
16:28:10.488468 6 boulder-va 5YbEvgM [AUDIT] Validation result JSON={"ID":"1","Requester":1,"Hostname":"rand.3fd8c05d.xyz","Challenge":{"type":"dns-01","status":"invalid","error":{"type":"dns","detail":"DNS problem: server failure at resolver looking up TXT for _acme-challenge.rand.3fd8c05d.xyz","status":400},"token":"24FntqTT-yeesArv547RXF961puphKIdmVtCpJAAUZ4","keyAuthorization":"24FntqTT-yeesArv547RXF961puphKIdmVtCpJAAUZ4.W_w5i1MxmLHbl71sNf_dRnNVB5HEVLjvsDc1t1JH554"},"ValidationLatency":15552006.488,"Error":"dns :: DNS problem: server failure at resolver looking up TXT for _acme-challenge.rand.3fd8c05d.xyz","InternalError":"DNS problem: server failure at resolver looking up TXT for _acme-challenge.rand.3fd8c05d.xyz"}
pebble-challtestsrv - 2024/05/16 16:28:10 Removed DNS-01 TXT challenge for Host "_acme-challenge.rand.3fd8c05d.xyz"
Traceback (most recent call last):
  File "test/integration-test.py", line 146, in <module>
    main()
  File "test/integration-test.py", line 77, in main
    setup_six_months_ago()
  File "/boulder/test/helpers.py", line 178, in setup_six_months_ago
    [f() for f in six_months_ago_functions]
  File "/boulder/test/helpers.py", line 178, in <listcomp>
    [f() for f in six_months_ago_functions]
  File "/boulder/test/v2_integration.py", line 1304, in ocsp_exp_unauth_setup
    chisel2.auth_and_issue([random_domain()], client=client, cert_output=cert_file.name)
  File "/boulder/test/chisel2.py", line 133, in auth_and_issue
    order = client.poll_and_finalize(order)
  File "/usr/local/lib/python3.8/dist-packages/acme/client.py", line 184, in poll_and_finalize
    orderr = self.poll_authorizations(orderr, deadline)
  File "/usr/local/lib/python3.8/dist-packages/acme/client.py", line 209, in poll_authorizations
    raise errors.ValidationError(failed)
acme.errors.ValidationError
```
Yep, I'm aware. This is because I moved the challtestsrv's DoH key out of the internal PKI and into the misc PKI... which means that it is signed by a different root, and the VA doesn't trust that root when reaching out to it! Go ahead and review the rest of the change while I figure out the right tweak to make this happy.
The rest looks good from a review earlier today, just waiting for tests to pass.
I've fixed the issue with the challtestsrv cert, and I've expanded this PR to include the redis-tls certs too. PTAL!
Test-only, and other reviewers are out, merging on one review.