Setup Boulder CA on Amazon Linux
> **Note:** This page is only for developers who want to set up their own instance of the Boulder CA server for their own development and testing. It is not required for use of the le-win client components.

> **UPDATE:** This page is being left here for historical reference; however, it is most likely outdated. Since the launch of the Let's Encrypt STAGE API endpoint, ACMESharp has used that endpoint for its development and testing and abandoned the local Boulder installation. Therefore YMMV with the instructions below.
The letsencrypt-win ACME client is being developed and tested against the Boulder CA reference implementation of an ACME server. The steps here outline how to spin up an AWS EC2 instance running the Amazon Linux AMI and configure it to run Boulder.
- Launch the latest AMI
- `sudo yum update; sudo reboot`
- `sudo yum install libtool-ltdl-devel`
- `sudo yum install golang-pkg-linux-amd64`
- You need to enable the epel yum repo: `sudo vi /etc/yum.repos.d/epel.repo`
- `sudo yum install npm`
- `sudo yum install rabbitmq-server`
- `sudo service rabbitmq-server start`
- UPDATE 2015/08/14 - As of versions b08e6e0badb9f6242976dbceb4d9799e22da5047, 86390e312b015d170be190c52755548daeac337c and 64987a3639b77fb52063cb1db6165be44030cf15, the integration tests moved from using SQLite to MariaDB/MySQL. As per this, we can add the MariaDB yum repo and install it:
  - The latest AMZLNX seems to be most compatible with RHEL7 (as per https://forums.aws.amazon.com/message.jspa?messageID=575779).
  - Using the MariaDB repo generator, we get the following repo file (written with a heredoc so it can be pasted without an interactive `cat`):

```bash
# Repo definition produced by the MariaDB repo generator for RHEL7 / amd64;
# gpgcheck=1 makes yum verify package signatures against the MariaDB key.
sudo tee /etc/yum.repos.d/MariaDB.repo <<'EOF'
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.0/rhel7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1
EOF
sudo yum install MariaDB-server MariaDB-client
```
- `sudo service mysql start`
- The first time, you need to seed the Boulder DB schema: `/home/ec2-user/gocode/src/github.com/letsencrypt/boulder/test/create_db.sh`
- `mkdir gocode`
- `export GOPATH=/home/ec2-user/gocode` (add this to your .bash_profile)
- `export PATH=$PATH:$GOPATH/bin` (add this to your .bash_profile)
- Edit the test config file `test/boulder-config.json`:
  - replace the value at JSON path `wfe.listenAddress` with `0.0.0.0:4000` to allow it to accept non-localhost connections
  - if you want to change the DNS server that's used for verifying DNS-type challenges:
    - by default Boulder uses a built-in fake DNS server hosted on UDP port 8053
    - change the JSON path `common.dnsResolver` to a server that you can use for testing, and make sure to set the correct port (default for DNS is 53)
  - replace the value at JSON path
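The two config edits above, done as a small script instead of by hand (an added example, not part of the original page or of Boulder itself). The JSON paths `wfe.listenAddress` and `common.dnsResolver` and the values `0.0.0.0:4000` / port 53 come from the page; the sample config, the `patch_boulder_config` helper and the host:port check are constructed here, and the check exists so that a resolver given without a port is rejected rather than silently written.

```python
import json
from copy import deepcopy

# Constructed sample with only the two keys this page edits; the real
# test/boulder-config.json has many more (assumption: same nesting).
SAMPLE_CONFIG = {
    "wfe": {"listenAddress": "127.0.0.1:4000"},
    "common": {"dnsResolver": "127.0.0.1:8053"},  # Boulder's built-in fake DNS
}


def set_path(cfg, dotted, value):
    """Set a dotted JSON path such as 'wfe.listenAddress' in a nested dict."""
    keys = dotted.split(".")
    node = cfg
    for key in keys[:-1]:
        node = node.setdefault(key, {})
    node[keys[-1]] = value


def check_host_port(addr):
    """Return (host, port); raise if addr is not host:port with a valid port."""
    host, sep, port = addr.rpartition(":")
    if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"expected host:port, got {addr!r}")
    return host, int(port)


def patch_boulder_config(cfg, listen="0.0.0.0:4000", resolver=None):
    """Return a patched copy of cfg; the input dict is left untouched."""
    out = deepcopy(cfg)
    # 0.0.0.0 binds every interface, so reachability of port 4000 is then
    # governed by the instance's security group rather than by Boulder.
    check_host_port(listen)
    set_path(out, "wfe.listenAddress", listen)
    if resolver is not None:
        check_host_port(resolver)  # e.g. "10.0.0.2:53": DNS default port is 53
        set_path(out, "common.dnsResolver", resolver)
    return out


def patch_file(path, **kwargs):
    """Rewrite a boulder-config.json on disk in place and return the result."""
    with open(path) as fh:
        cfg = json.load(fh)
    patched = patch_boulder_config(cfg, **kwargs)
    with open(path, "w") as fh:
        json.dump(patched, fh, indent=2)
    return patched
```

Run it as `patch_file("test/boulder-config.json", resolver="10.0.0.2:53")` from the Boulder checkout; omit `resolver` to keep the built-in fake DNS server.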
- Follow along as in the quickstart with these caveats:
  - `vi $GOPATH/src/github.com/letsencrypt/boulder/Godeps/_workspace/src/golang.org/x/crypto/ocsp/ocsp.go`
    - search for `elliptic.P224`
    - comment out that switch statement case
    - this pubkey curve variation can't be used, maybe because of export restrictions
  - replace `nodejs` with just `node`
- If you want to update the Boulder code base, do: `go get -u github.com/letsencrypt/boulder`
  - Watch out for conflicts with any local changes; you may need to re-apply any local mods or temporarily move them out of the way.