Dev/CI: Add Go 1.11.1 builds (letsencrypt#3888)

Resolves letsencrypt#3872

**Note to reviewers**: There's an outstanding bug that I've tracked down to the `--load` stage of the integration tests that results in one of the remote VA instances in the `test/config-next` configuration under Go 1.11.1 to fail to cleanly shut down. I'm working on finding the root cause but in the meantime I've disabled `--load` during CI so we can unblock moving forward with getting Go 1.11.1 in dev/CI. Tracking this in letsencrypt#3889

.travis.yml

@@ -1,6 +1,7 @@
 language: go
 
 go:
+  - "1.11.1"
   - "1.10.3"
 
 go_import_path: github.com/letsencrypt/boulder

cmd/gen-ca/main.go

@@ -303,7 +303,7 @@ func makeTemplate(ctx pkcs11helpers.PKCtx, profile *CertProfile, pubKey []byte,
 		SignatureAlgorithm:    sigAlg,
 		SerialNumber:          big.NewInt(0).SetBytes(serial),
 		BasicConstraintsValid: true,
-		IsCA: true,
+		IsCA:                  true,
 		Subject: pkix.Name{
 			CommonName:   profile.CommonName,
 			Organization: []string{profile.Organization},

docker-compose.yml

@@ -2,7 +2,7 @@ version: '3'
 services:
     boulder:
         # To minimize fetching this should be the same version used below
-        image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.10.2}:2018-06-12
+        image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.11.1}:2018-10-18
         environment:
             FAKE_DNS: 127.0.0.1
             PKCS11_PROXY_SOCKET: tcp://boulder-hsm:5657
@@ -51,7 +51,7 @@ services:
         working_dir: /go/src/github.com/letsencrypt/boulder
     bhsm:
         # To minimize fetching this should be the same version used above
-        image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.10.2}:2018-06-12
+        image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.11.1}:2018-10-18
         environment:
             PKCS11_DAEMON_SOCKET: tcp://0.0.0.0:5657
         command: /usr/local/bin/pkcs11-daemon /usr/lib/softhsm/libsofthsm2.so
@@ -73,7 +73,7 @@ services:
         logging:
             driver: none
     netaccess:
-        image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.10.2}:2018-06-12
+        image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.11.1}:2018-10-18
         networks:
           - bluenet
         volumes:

grpc/creds/creds_test.go

@@ -93,7 +93,7 @@ func TestClientTransportCredentials(t *testing.T) {
 		NotBefore:             time.Unix(1000, 0),
 		NotAfter:              time.Now().AddDate(1, 0, 0),
 		BasicConstraintsValid: true,
-		IsCA: true,
+		IsCA:                  true,
 	}
 	derA, err := x509.CreateCertificate(rand.Reader, temp, temp, priv.Public(), priv)
 	test.AssertNotError(t, err, "x509.CreateCertificate failed")

grpc/pb-marshalling.go

@@ -133,13 +133,13 @@ func pbToChallenge(in *corepb.Challenge) (challenge core.Challenge, err error) {
 		return core.Challenge{}, err
 	}
 	return core.Challenge{
-		ID:     *in.Id,
-		Type:   *in.Type,
-		Status: core.AcmeStatus(*in.Status),
-		Token:  *in.Token,
+		ID:                       *in.Id,
+		Type:                     *in.Type,
+		Status:                   core.AcmeStatus(*in.Status),
+		Token:                    *in.Token,
 		ProvidedKeyAuthorization: *in.KeyAuthorization,
-		Error:            prob,
-		ValidationRecord: recordAry,
+		Error:                    prob,
+		ValidationRecord:         recordAry,
 	}, nil
 }
 

grpc/pb-marshalling_test.go

@@ -99,10 +99,10 @@ func TestChallenge(t *testing.T) {
 	err := json.Unmarshal([]byte(JWK1JSON), &jwk)
 	test.AssertNotError(t, err, "Failed to unmarshal test key")
 	chall := core.Challenge{
-		ID:     10,
-		Type:   core.ChallengeTypeDNS01,
-		Status: core.StatusPending,
-		Token:  "asd",
+		ID:                       10,
+		Type:                     core.ChallengeTypeDNS01,
+		Status:                   core.StatusPending,
+		Token:                    "asd",
 		ProvidedKeyAuthorization: "keyauth",
 	}
 
@@ -203,10 +203,10 @@ func TestPerformValidationReq(t *testing.T) {
 	test.AssertNotError(t, err, "Failed to unmarshal test key")
 	domain := "example.com"
 	chall := core.Challenge{
-		ID:     10,
-		Type:   core.ChallengeTypeDNS01,
-		Status: core.StatusPending,
-		Token:  "asd",
+		ID:                       10,
+		Type:                     core.ChallengeTypeDNS01,
+		Status:                   core.StatusPending,
+		Token:                    "asd",
 		ProvidedKeyAuthorization: "keyauth",
 	}
 	authz := core.Authorization{ID: "asd", RegistrationID: 10}
@@ -271,17 +271,17 @@ func TestAuthz(t *testing.T) {
 	combos := make([][]int, 1)
 	combos[0] = []int{0, 1}
 	challA := core.Challenge{
-		ID:     10,
-		Type:   core.ChallengeTypeDNS01,
-		Status: core.StatusPending,
-		Token:  "asd",
+		ID:                       10,
+		Type:                     core.ChallengeTypeDNS01,
+		Status:                   core.StatusPending,
+		Token:                    "asd",
 		ProvidedKeyAuthorization: "keyauth",
 	}
 	challB := core.Challenge{
-		ID:     11,
-		Type:   core.ChallengeTypeDNS01,
-		Status: core.StatusPending,
-		Token:  "asd2",
+		ID:                       11,
+		Type:                     core.ChallengeTypeDNS01,
+		Status:                   core.StatusPending,
+		Token:                    "asd2",
 		ProvidedKeyAuthorization: "keyauth4",
 	}
 	inAuthz := core.Authorization{

publisher/publisher_test.go

@@ -292,7 +292,7 @@ func makePrecert(k *ecdsa.PrivateKey) ([]ct.ASN1Cert, []byte, error) {
 		SerialNumber:          big.NewInt(0),
 		Subject:               pkix.Name{CommonName: "root"},
 		BasicConstraintsValid: true,
-		IsCA: true,
+		IsCA:                  true,
 	}
 	rootBytes, err := x509.CreateCertificate(rand.Reader, &rootTmpl, &rootTmpl, k.Public(), k)
 	if err != nil {

ra/ra.go

@@ -119,9 +119,9 @@ func NewRegistrationAuthorityImpl(
 	stats.MustRegister(ctpolicyResults)
 
 	ra := &RegistrationAuthorityImpl{
-		stats: stats,
-		clk:   clk,
-		log:   logger,
+		stats:                        stats,
+		clk:                          clk,
+		log:                          logger,
 		authorizationLifetime:        authorizationLifetime,
 		pendingAuthorizationLifetime: pendingAuthorizationLifetime,
 		rlPolicies:                   ratelimit.New(),

sa/model.go

@@ -281,10 +281,10 @@ func challengeToModel(c *core.Challenge, authID string) (*challModel, error) {
 
 func modelToChallenge(cm *challModel) (core.Challenge, error) {
 	c := core.Challenge{
-		ID:     cm.ID,
-		Type:   cm.Type,
-		Status: cm.Status,
-		Token:  cm.Token,
+		ID:                       cm.ID,
+		Type:                     cm.Type,
+		Status:                   cm.Status,
+		Token:                    cm.Token,
 		ProvidedKeyAuthorization: cm.KeyAuthorization,
 	}
 	if len(cm.Error) > 0 {

test.sh

@@ -111,6 +111,11 @@ fi
 if [[ "$RUN" =~ "fmt" ]] ; then
   start_context "fmt"
   check_gofmt() {
+    # NOTE(@cpu): Go 1.10.3's gofmt and Go 1.11.1's gofmt don't agree. Let's
+    # temporarily ignore the gofmt check when not using Go 1.11.1
+    if [ "$TRAVIS_GO_VERSION" != "1.11.1" ]; then
+      return 0
+    fi
     unformatted=$(find . -name "*.go" -not -path "./vendor/*" -print | xargs -n1 gofmt -l)
     if [ "x${unformatted}" == "x" ] ; then
       return 0
@@ -170,7 +175,7 @@ if [[ "$RUN" =~ "integration" ]] ; then
 
   source ${CERTBOT_PATH:-/certbot}/${VENV_NAME:-venv}/bin/activate
   DIRECTORY=http://boulder:4000/directory \
-    run python2 test/integration-test.py --chisel --load
+    run python2 test/integration-test.py --chisel
   end_context #integration
 fi
 
@@ -185,8 +190,8 @@ if [[ "$RUN" =~ "godep-restore" ]] ; then
   run_and_expect_silence rm -rf Godeps/ vendor/
   run_and_expect_silence godep save ./...
   run_and_expect_silence diff \
-    <(sed '/GodepVersion/d;/Comment/d' /tmp/Godeps.json.head) \
-    <(sed '/GodepVersion/d;/Comment/d' Godeps/Godeps.json)
+    <(sed '/GodepVersion/d;/Comment/d;/GoVersion/d;' /tmp/Godeps.json.head) \
+    <(sed '/GodepVersion/d;/Comment/d;/GoVersion/d;' Godeps/Godeps.json)
   run_and_expect_silence git diff --exit-code -- ./vendor/
   end_context #godep-restore
 fi

test/boulder-tools/tag_and_upload.sh

@@ -4,7 +4,7 @@ cd $(dirname $0)
 
 DATESTAMP=$(date +%Y-%m-%d)
 BASE_TAG_NAME="letsencrypt/boulder-tools"
-GO_VERSIONS=( "1.10.3" )
+GO_VERSIONS=( "1.10.3" "1.11.1" )
 
 # Build a tagged image for each GO_VERSION
 for GO_VERSION in "${GO_VERSIONS[@]}"

wfe2/wfe_test.go

@@ -2000,11 +2000,6 @@ func TestFinalizeOrder(t *testing.T) {
 			Request:      signAndPost(t, "1/7", "http://localhost/1/7", goodCertCSRPayload, 1, wfe.nonceService),
 			ExpectedBody: `{"type":"` + probs.V2ErrorNS + `malformed","detail":"Order 7 is expired","status":404}`,
 		},
-		{
-			Name:         "Invalid CSR",
-			Request:      signAndPost(t, "1/4", "http://localhost/1/4", `{"CSR": "ABCD"}`, 1, wfe.nonceService),
-			ExpectedBody: `{"type":"` + probs.V2ErrorNS + `malformed","detail":"Error parsing certificate request: asn1: structure error: tags don't match (16 vs {class:0 tag:0 length:16 isCompound:false}) {optional:false explicit:false application:false defaultValue:\u003cnil\u003e tag:\u003cnil\u003e stringType:0 timeType:0 set:false omitEmpty:false} certificateRequest @2","status":400}`,
-		},
 		{
 			Name:            "Good CSR, Pending Order",
 			Request:         signAndPost(t, "1/4", "http://localhost/1/4", goodCertCSRPayload, 1, wfe.nonceService),
@@ -2056,6 +2051,17 @@ func TestFinalizeOrder(t *testing.T) {
 				tc.ExpectedBody)
 		})
 	}
+
+	// Check a bad CSR request separately from the above testcases. We don't want
+	// to match the whole response body because the "detail" of a bad CSR problem
+	// contains a verbose Go error message that can change between versions (e.g.
+	// Go 1.10.4 to 1.11 changed the expected format)
+	badCSRReq := signAndPost(t, "1/4", "http://localhost/1/4", `{"CSR": "ABCD"}`, 1, wfe.nonceService)
+	responseWriter.Body.Reset()
+	responseWriter.HeaderMap = http.Header{}
+	wfe.FinalizeOrder(ctx, newRequestEvent(), responseWriter, badCSRReq)
+	responseBody := responseWriter.Body.String()
+	test.AssertContains(t, responseBody, "Error parsing certificate request")
 }
 
 func TestKeyRollover(t *testing.T) {