
Commit 9da5a7e

jshacpu
authored and committed
Cleanup: TLS and GRPC configs are mandatory. (letsencrypt#3476)
Our various main.go functions gated some key code on whether the TLS and/or GRPC config fields were present. Now that those fields are fully deployed in production, we can simplify the code and require them. Also, rename tls to tlsConfig everywhere to avoid confusion with the tls package. Avoid assigning to the same err from two different goroutines in boulder-ca (fix a race).
1 parent 0b53063 commit 9da5a7e

11 files changed

+104
-195
lines changed


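--- a/cmd/admin-revoker/main.go
+++ b/cmd/admin-revoker/main.go
@@ -1,7 +1,6 @@
 package main
 
 import (
-"crypto/tls"
 "crypto/x509"
 "database/sql"
 "flag"
@@ -63,15 +62,11 @@ type config struct {
 func setupContext(c config) (core.RegistrationAuthority, blog.Logger, *gorp.DbMap, core.StorageAuthority) {
 logger := cmd.NewLogger(c.Syslog)
 
-var tls *tls.Config
-var err error
-if c.Revoker.TLS.CertFile != nil {
-tls, err = c.Revoker.TLS.Load()
-cmd.FailOnError(err, "TLS config")
-}
+tlsConfig, err := c.Revoker.TLS.Load()
+cmd.FailOnError(err, "TLS config")
 
 clientMetrics := bgrpc.NewClientMetrics(metrics.NewNoopScope())
-raConn, err := bgrpc.ClientSetup(c.Revoker.RAService, tls, clientMetrics)
+raConn, err := bgrpc.ClientSetup(c.Revoker.RAService, tlsConfig, clientMetrics)
 cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to RA")
 rac := bgrpc.NewRegistrationAuthorityClient(rapb.NewRegistrationAuthorityClient(raConn))
 
@@ -80,7 +75,7 @@ func setupContext(c config) (core.RegistrationAuthority, blog.Logger, *gorp.DbMa
 dbMap, err := sa.NewDbMap(dbURL, c.Revoker.DBConfig.MaxDBConns)
 cmd.FailOnError(err, "Couldn't setup database connection")
 
-saConn, err := bgrpc.ClientSetup(c.Revoker.SAService, tls, clientMetrics)
+saConn, err := bgrpc.ClientSetup(c.Revoker.SAService, tlsConfig, clientMetrics)
 cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA")
 sac := bgrpc.NewStorageAuthorityClient(sapb.NewStorageAuthorityClient(saConn))
 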
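Review bot: With the CertFile guard removed, `tlsConfig, err := c.Revoker.TLS.Load()` at new line 65 is now the only check between a missing TLS stanza and a gRPC client built from whatever Load returns, so it is worth confirming (in TLS.Load, outside this hunk) that Load fails with an error rather than returning a zero-valued config when CertFile is unset; the old nil check made that case explicit here. The new requirement should also be visible on the config type: the `TLS` field of the Revoker config struct, declared above this hunk, could carry `// TLS is required; setupContext fails at startup if it cannot be loaded.` setupContext continues past the end of the hunk.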

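--- a/cmd/boulder-ca/main.go
+++ b/cmd/boulder-ca/main.go
@@ -2,7 +2,6 @@ package main
 
 import (
 "crypto"
-"crypto/tls"
 "crypto/x509"
 "encoding/json"
 "flag"
@@ -12,7 +11,6 @@ import (
 
 "github.com/cloudflare/cfssl/helpers"
 "github.com/letsencrypt/pkcs11key"
-"google.golang.org/grpc"
 
 "github.com/letsencrypt/boulder/ca"
 "github.com/letsencrypt/boulder/ca/config"
@@ -142,14 +140,11 @@ func main() {
 kp, err := goodkey.NewKeyPolicy(c.CA.WeakKeyFile)
 cmd.FailOnError(err, "Unable to create key policy")
 
-var tls *tls.Config
-if c.CA.TLS.CertFile != nil {
-tls, err = c.CA.TLS.Load()
-cmd.FailOnError(err, "TLS config")
-}
+tlsConfig, err := c.CA.TLS.Load()
+cmd.FailOnError(err, "TLS config")
 
 clientMetrics := bgrpc.NewClientMetrics(scope)
-conn, err := bgrpc.ClientSetup(c.CA.SAService, tls, clientMetrics)
+conn, err := bgrpc.ClientSetup(c.CA.SAService, tlsConfig, clientMetrics)
 cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA")
 sa := bgrpc.NewStorageAuthorityClient(sapb.NewStorageAuthorityClient(conn))
 
@@ -165,38 +160,27 @@ func main() {
 cmd.FailOnError(err, "Failed to create CA impl")
 
 serverMetrics := bgrpc.NewServerMetrics(scope)
-var caSrv *grpc.Server
-if c.CA.GRPCCA != nil {
-s, l, err := bgrpc.NewServer(c.CA.GRPCCA, tls, serverMetrics)
-cmd.FailOnError(err, "Unable to setup CA gRPC server")
-caWrapper := bgrpc.NewCertificateAuthorityServer(cai)
-caPB.RegisterCertificateAuthorityServer(s, caWrapper)
-go func() {
-err = cmd.FilterShutdownErrors(s.Serve(l))
-cmd.FailOnError(err, "CA gRPC service failed")
-}()
-caSrv = s
-}
-var ocspSrv *grpc.Server
-if c.CA.GRPCOCSPGenerator != nil {
-s, l, err := bgrpc.NewServer(c.CA.GRPCOCSPGenerator, tls, serverMetrics)
-cmd.FailOnError(err, "Unable to setup CA gRPC server")
-caWrapper := bgrpc.NewCertificateAuthorityServer(cai)
-caPB.RegisterOCSPGeneratorServer(s, caWrapper)
-go func() {
-err = cmd.FilterShutdownErrors(s.Serve(l))
-cmd.FailOnError(err, "OCSPGenerator gRPC service failed")
-}()
-ocspSrv = s
-}
+
+caSrv, caListener, err := bgrpc.NewServer(c.CA.GRPCCA, tlsConfig, serverMetrics)
+cmd.FailOnError(err, "Unable to setup CA gRPC server")
+caWrapper := bgrpc.NewCertificateAuthorityServer(cai)
+caPB.RegisterCertificateAuthorityServer(caSrv, caWrapper)
+go func() {
+cmd.FailOnError(cmd.FilterShutdownErrors(caSrv.Serve(caListener)), "CA gRPC service failed")
+}()
+
+ocspSrv, ocspListener, err := bgrpc.NewServer(c.CA.GRPCOCSPGenerator, tlsConfig, serverMetrics)
+cmd.FailOnError(err, "Unable to setup CA gRPC server")
+ocspWrapper := bgrpc.NewCertificateAuthorityServer(cai)
+caPB.RegisterOCSPGeneratorServer(ocspSrv, ocspWrapper)
+go func() {
+cmd.FailOnError(cmd.FilterShutdownErrors(ocspSrv.Serve(ocspListener)),
+"OCSPGenerator gRPC service failed")
+}()
 
 go cmd.CatchSignals(logger, func() {
-if caSrv != nil {
-caSrv.GracefulStop()
-}
-if ocspSrv != nil {
-ocspSrv.GracefulStop()
-}
+caSrv.GracefulStop()
+ocspSrv.GracefulStop()
 })
 
 select {}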
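Review bot: The OCSPGenerator server's setup failure at new line 173 reuses the CA server's message, `cmd.FailOnError(err, "Unable to setup CA gRPC server")`, so a bad GRPCOCSPGenerator listener would be reported as a CA listener problem; it should read `cmd.FailOnError(err, "Unable to setup OCSPGenerator gRPC server")`, matching the "OCSPGenerator gRPC service failed" message a few lines below. Separately, the publisher, RA and SA mains in this same commit now run Serve on the main goroutine, while this file keeps both Serve calls in goroutines plus `select {}`; running one of the two servers inline would presumably let main return after GracefulStop the way the sibling binaries do, and would remove one of the goroutines the race fix in the commit message is about. main's closing brace is outside the hunk.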

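--- a/cmd/boulder-publisher/main.go
+++ b/cmd/boulder-publisher/main.go
@@ -1,12 +1,10 @@
 package main
 
 import (
-"crypto/tls"
 "flag"
 "os"
 
 ct "github.com/google/certificate-transparency-go"
-"google.golang.org/grpc"
 
 "github.com/letsencrypt/boulder/cmd"
 "github.com/letsencrypt/boulder/core"
@@ -69,14 +67,11 @@ func main() {
 bundle = append(bundle, ct.ASN1Cert{Data: cert.Raw})
 }
 
-var tls *tls.Config
-if c.Publisher.TLS.CertFile != nil {
-tls, err = c.Publisher.TLS.Load()
-cmd.FailOnError(err, "TLS config")
-}
+tlsConfig, err := c.Publisher.TLS.Load()
+cmd.FailOnError(err, "TLS config")
 
 clientMetrics := bgrpc.NewClientMetrics(scope)
-conn, err := bgrpc.ClientSetup(c.Publisher.SAService, tls, clientMetrics)
+conn, err := bgrpc.ClientSetup(c.Publisher.SAService, tlsConfig, clientMetrics)
 cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA")
 sac := bgrpc.NewStorageAuthorityClient(sapb.NewStorageAuthorityClient(conn))
 
@@ -87,25 +82,14 @@ func main() {
 scope,
 sac)
 
-var grpcSrv *grpc.Server
-if c.Publisher.GRPC != nil {
-serverMetrics := bgrpc.NewServerMetrics(scope)
-s, l, err := bgrpc.NewServer(c.Publisher.GRPC, tls, serverMetrics)
-cmd.FailOnError(err, "Unable to setup Publisher gRPC server")
-gw := bgrpc.NewPublisherServerWrapper(pubi)
-pubPB.RegisterPublisherServer(s, gw)
-go func() {
-err = cmd.FilterShutdownErrors(s.Serve(l))
-cmd.FailOnError(err, "Publisher gRPC service failed")
-}()
-grpcSrv = s
-}
+serverMetrics := bgrpc.NewServerMetrics(scope)
+grpcSrv, l, err := bgrpc.NewServer(c.Publisher.GRPC, tlsConfig, serverMetrics)
+cmd.FailOnError(err, "Unable to setup Publisher gRPC server")
+gw := bgrpc.NewPublisherServerWrapper(pubi)
+pubPB.RegisterPublisherServer(grpcSrv, gw)
 
-go cmd.CatchSignals(logger, func() {
-if grpcSrv != nil {
-grpcSrv.GracefulStop()
-}
-})
+go cmd.CatchSignals(logger, grpcSrv.GracefulStop)
 
-select {}
+err = cmd.FilterShutdownErrors(grpcSrv.Serve(l))
+cmd.FailOnError(err, "Publisher gRPC service failed")
 }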
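Review bot: The listener returned by `bgrpc.NewServer` at new line 86 is bound to `l`, whereas the parallel rewrites of cmd/boulder-ra and cmd/boulder-sa in this commit call it `listener`; now that the name lives at function scope and is only consumed several lines later in the foreground Serve call, `grpcSrv, listener, err := bgrpc.NewServer(c.Publisher.GRPC, tlsConfig, serverMetrics)` and `err = cmd.FilterShutdownErrors(grpcSrv.Serve(listener))` would read consistently across the three binaries. Serve now runs on the main goroutine instead of behind `select {}`, so main presumably returns once GracefulStop completes; that looks intentional but deserves a one-line comment above the Serve call, e.g. `// Serve blocks until GracefulStop, triggered from CatchSignals, completes.` main begins outside the hunk.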

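--- a/cmd/boulder-ra/main.go
+++ b/cmd/boulder-ra/main.go
@@ -1,19 +1,14 @@
 package main
 
 import (
-"crypto/tls"
 "flag"
 "fmt"
-"net"
 "os"
 "time"
 
-"google.golang.org/grpc"
-
 "github.com/letsencrypt/boulder/bdns"
 caPB "github.com/letsencrypt/boulder/ca/proto"
 "github.com/letsencrypt/boulder/cmd"
-"github.com/letsencrypt/boulder/core"
 "github.com/letsencrypt/boulder/ctpolicy"
 "github.com/letsencrypt/boulder/features"
 "github.com/letsencrypt/boulder/goodkey"
@@ -141,50 +136,48 @@ func main() {
 logger.Info("No challengesWhitelistFile given, not loading")
 }
 
-var tls *tls.Config
-if c.RA.TLS.CertFile != nil {
-tls, err = c.RA.TLS.Load()
-cmd.FailOnError(err, "TLS config")
-}
+tlsConfig, err := c.RA.TLS.Load()
+cmd.FailOnError(err, "TLS config")
 
 clientMetrics := bgrpc.NewClientMetrics(scope)
-vaConn, err := bgrpc.ClientSetup(c.RA.VAService, tls, clientMetrics)
+vaConn, err := bgrpc.ClientSetup(c.RA.VAService, tlsConfig, clientMetrics)
 cmd.FailOnError(err, "Unable to create VA client")
 vac := bgrpc.NewValidationAuthorityGRPCClient(vaConn)
 
 caaClient := vaPB.NewCAAClient(vaConn)
 
-caConn, err := bgrpc.ClientSetup(c.RA.CAService, tls, clientMetrics)
+caConn, err := bgrpc.ClientSetup(c.RA.CAService, tlsConfig, clientMetrics)
 cmd.FailOnError(err, "Unable to create CA client")
 // Build a CA client that is only capable of issuing certificates, not
 // signing OCSP. TODO(jsha): Once we've fully moved to gRPC, replace this
 // with a plain caPB.NewCertificateAuthorityClient.
 cac := bgrpc.NewCertificateAuthorityClient(caPB.NewCertificateAuthorityClient(caConn), nil)
 
-var pubc core.Publisher
+raConn, err := bgrpc.ClientSetup(c.RA.PublisherService, tlsConfig, clientMetrics)
+cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to Publisher")
+pubc := bgrpc.NewPublisherClientWrapper(pubPB.NewPublisherClient(raConn))
+
 var ctp *ctpolicy.CTPolicy
-if c.RA.PublisherService != nil {
-conn, err := bgrpc.ClientSetup(c.RA.PublisherService, tls, clientMetrics)
-cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to Publisher")
-pubc = bgrpc.NewPublisherClientWrapper(pubPB.NewPublisherClient(conn))
-
-if c.RA.CTLogGroups != nil {
-groups := make([]cmd.CTGroup, len(c.RA.CTLogGroups))
-for i, logs := range c.RA.CTLogGroups {
-groups[i] = cmd.CTGroup{
-Name: fmt.Sprintf("%d", i),
-Logs: logs,
-}
+conn, err := bgrpc.ClientSetup(c.RA.PublisherService, tlsConfig, clientMetrics)
+cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to Publisher")
+pubc = bgrpc.NewPublisherClientWrapper(pubPB.NewPublisherClient(conn))
+
+if c.RA.CTLogGroups != nil {
+groups := make([]cmd.CTGroup, len(c.RA.CTLogGroups))
+for i, logs := range c.RA.CTLogGroups {
+groups[i] = cmd.CTGroup{
+Name: fmt.Sprintf("%d", i),
+Logs: logs,
 }
-ctp = ctpolicy.New(pubc, groups, nil, logger)
-} else if c.RA.CTLogGroups2 != nil {
-ctp = ctpolicy.New(pubc, c.RA.CTLogGroups2, c.RA.InformationalCTLogs, logger)
 }
+ctp = ctpolicy.New(pubc, groups, nil, logger)
+} else if c.RA.CTLogGroups2 != nil {
+ctp = ctpolicy.New(pubc, c.RA.CTLogGroups2, c.RA.InformationalCTLogs, logger)
 }
 
-conn, err := bgrpc.ClientSetup(c.RA.SAService, tls, clientMetrics)
+saConn, err := bgrpc.ClientSetup(c.RA.SAService, tlsConfig, clientMetrics)
 cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA")
-sac := bgrpc.NewStorageAuthorityClient(sapb.NewStorageAuthorityClient(conn))
+sac := bgrpc.NewStorageAuthorityClient(sapb.NewStorageAuthorityClient(saConn))
 
 // TODO(patf): remove once RA.authorizationLifetimeDays is deployed
 authorizationLifetime := 300 * 24 * time.Hour
@@ -251,25 +244,14 @@ func main() {
 err = rai.UpdateIssuedCountForever()
 cmd.FailOnError(err, "Updating total issuance count")
 
-var grpcSrv *grpc.Server
-if c.RA.GRPC != nil {
-serverMetrics := bgrpc.NewServerMetrics(scope)
-var listener net.Listener
-grpcSrv, listener, err = bgrpc.NewServer(c.RA.GRPC, tls, serverMetrics)
-cmd.FailOnError(err, "Unable to setup RA gRPC server")
-gw := bgrpc.NewRegistrationAuthorityServer(rai)
-rapb.RegisterRegistrationAuthorityServer(grpcSrv, gw)
-go func() {
-err = cmd.FilterShutdownErrors(grpcSrv.Serve(listener))
-cmd.FailOnError(err, "RA gRPC service failed")
-}()
-}
+serverMetrics := bgrpc.NewServerMetrics(scope)
+grpcSrv, listener, err := bgrpc.NewServer(c.RA.GRPC, tlsConfig, serverMetrics)
+cmd.FailOnError(err, "Unable to setup RA gRPC server")
+gw := bgrpc.NewRegistrationAuthorityServer(rai)
+rapb.RegisterRegistrationAuthorityServer(grpcSrv, gw)
 
-go cmd.CatchSignals(logger, func() {
-if grpcSrv != nil {
-grpcSrv.GracefulStop()
-}
-})
+go cmd.CatchSignals(logger, grpcSrv.GracefulStop)
 
-select {}
+err = cmd.FilterShutdownErrors(grpcSrv.Serve(listener))
+cmd.FailOnError(err, "RA gRPC service failed")
 }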
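Review bot: The second hunk dials the Publisher twice: new lines 156-158 call `bgrpc.ClientSetup(c.RA.PublisherService, ...)` into `raConn` and build `pubc`, and new lines 161-163 call ClientSetup on the same service again into `conn` and overwrite `pubc`, so the first connection stays open and unused for the life of the process and the process carries two TLS sessions to the Publisher. Keep a single copy — `pubConn, err := bgrpc.ClientSetup(c.RA.PublisherService, tlsConfig, clientMetrics)` followed by `pubc := bgrpc.NewPublisherClientWrapper(pubPB.NewPublisherClient(pubConn))` — and drop new lines 161-164; `raConn` is also a misleading name for a connection to the Publisher. The CT policy block on lines 165-176 then reads the one `pubc` exactly as before. main starts before this hunk and continues after it.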

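--- a/cmd/boulder-sa/main.go
+++ b/cmd/boulder-sa/main.go
@@ -2,11 +2,8 @@ package main
 
 import (
 "flag"
-"net"
 "os"
 
-"google.golang.org/grpc"
-
 "github.com/letsencrypt/boulder/cmd"
 "github.com/letsencrypt/boulder/features"
 bgrpc "github.com/letsencrypt/boulder/grpc"
@@ -76,27 +73,16 @@ func main() {
 sai, err := sa.NewSQLStorageAuthority(dbMap, cmd.Clock(), logger, scope, parallel)
 cmd.FailOnError(err, "Failed to create SA impl")
 
-var grpcSrv *grpc.Server
-if c.SA.GRPC != nil {
-tls, err := c.SA.TLS.Load()
-cmd.FailOnError(err, "TLS config")
-var listener net.Listener
-serverMetrics := bgrpc.NewServerMetrics(scope)
-grpcSrv, listener, err = bgrpc.NewServer(c.SA.GRPC, tls, serverMetrics)
-cmd.FailOnError(err, "Unable to setup SA gRPC server")
-gw := bgrpc.NewStorageAuthorityServer(sai)
-sapb.RegisterStorageAuthorityServer(grpcSrv, gw)
-go func() {
-err = cmd.FilterShutdownErrors(grpcSrv.Serve(listener))
-cmd.FailOnError(err, "SA gRPC service failed")
-}()
-}
+tls, err := c.SA.TLS.Load()
+cmd.FailOnError(err, "TLS config")
+serverMetrics := bgrpc.NewServerMetrics(scope)
+grpcSrv, listener, err := bgrpc.NewServer(c.SA.GRPC, tls, serverMetrics)
+cmd.FailOnError(err, "Unable to setup SA gRPC server")
+gw := bgrpc.NewStorageAuthorityServer(sai)
+sapb.RegisterStorageAuthorityServer(grpcSrv, gw)
 
-go cmd.CatchSignals(logger, func() {
-if grpcSrv != nil {
-grpcSrv.GracefulStop()
-}
-})
+go cmd.CatchSignals(logger, grpcSrv.GracefulStop)
 
-select {}
+err = cmd.FilterShutdownErrors(grpcSrv.Serve(listener))
+cmd.FailOnError(err, "SA gRPC service failed")
 }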
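Review bot: The commit message says `tls` is renamed to `tlsConfig` everywhere, but this hunk keeps `tls, err := c.SA.TLS.Load()` at new line 76 and passes `tls` to `bgrpc.NewServer` at new line 79. This file does not import crypto/tls, so nothing is shadowed today, but it is the one main left with the old name and the shadowing returns the moment someone adds that import; `tlsConfig, err := c.SA.TLS.Load()` and `grpcSrv, listener, err := bgrpc.NewServer(c.SA.GRPC, tlsConfig, serverMetrics)` bring it in line with the other binaries touched by this commit. main begins outside the hunk; its closing brace is the hunk's last line.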
