From dce90e945c3262f86ec3faff4a96159ef34f72b5 Mon Sep 17 00:00:00 2001
From: Seth Schoen
Date: Mon, 22 Oct 2012 16:39:47 -0700
Subject: [PATCH 1/4] formalize disabling Observatory check for now
---
 server-ca/chocolate.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/server-ca/chocolate.py b/server-ca/chocolate.py
index 2c8b38a6f..953fde28a 100755
--- a/server-ca/chocolate.py
+++ b/server-ca/chocolate.py
@@ -271,11 +271,13 @@ class session(object):
 return
 try:
 # Check whether the SSL Observatory has seen a valid cert for this name.
- if urllib2.urlopen("https://observatory.eff.org/check_name?domain_name=%s" % san).read().strip() != "False":
+ # XXX: This has been disabled because this API is unavailable
+ # or unreliable.
+ if False and urllib2.urlopen("https://observatory.eff.org/check_name?domain_name=%s" % san).read().strip() != "False":
 self.die(r, r.CannotIssueThatName, uri="https://ca.example.com/failures/observatory?%s" % san)
 return
 wildcard_variant = "*." + san.partition(".")[2]
- if urllib2.urlopen("https://observatory.eff.org/check_name?domain_name=%s" % wildcard_variant).read().strip() != "False":
+ if False and urllib2.urlopen("https://observatory.eff.org/check_name?domain_name=%s" % wildcard_variant).read().strip() != "False":
 self.die(r, r.CannotIssueThatName, uri="https://ca.example.com/failures/observatory?%s" % san)
 return
 except urllib2.HTTPError:
From 08ed76da82bb5cf58189f4913112035ae1aa0324 Mon Sep 17 00:00:00 2001
From: James Kasten
Date: Wed, 24 Oct 2012 18:54:19 -0400
Subject: [PATCH 2/4] Changed apache reload to more consistent apache restart
---
 trustify/client/configurator.py | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)
diff --git a/trustify/client/configurator.py b/trustify/client/configurator.py
index 1ae27e487..ce60b9889 100644
--- a/trustify/client/configurator.py
+++ b/trustify/client/configurator.py
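Review bot: Disabling the Observatory lookup with `if False and …` on both `if` lines switches off an issuance safeguard silently: nothing is logged when the screen is skipped, so an issuance record cannot show that the name was never checked, and the dead expression is easy to miss for a reader who does not notice the leading `False and`. A module-level `OBSERVATORY_CHECK_ENABLED = False` carrying the XXX comment, tested once before the `try`, makes the state explicit and greppable, and a log line at the skip point leaves a trace in the CA's own output. If the lookup is ever re-enabled, `san` should be passed through `urllib.quote` before it is interpolated into the query string, since it appears to originate from the client's request. The enclosing method begins before the hunk and continues after it.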
@@ -7,11 +7,11 @@ import socket
 import time
 import shutil
-from trustify.client.CONFIG import SERVER_ROOT, BACKUP_DIR, MODIFIED_FILES
-#from CONFIG import SERVER_ROOT, BACKUP_DIR, MODIFIED_FILES, REWRITE_HTTPS_ARGS
-from trustify.client.CONFIG import REWRITE_HTTPS_ARGS
-from trustify.client import logger
-#import logger
+#from trustify.client.CONFIG import SERVER_ROOT, BACKUP_DIR, MODIFIED_FILES
+from CONFIG import SERVER_ROOT, BACKUP_DIR, MODIFIED_FILES, REWRITE_HTTPS_ARGS
+#from trustify.client.CONFIG import REWRITE_HTTPS_ARGS
+#from trustify.client import logger
+import logger
 #TODO - Need an initialization routine... make sure directories exist..ect
@@ -706,7 +706,7 @@ LogLevel warn \n\
 # Use check_output so the command will finish before reloading
 subprocess.check_call(["sudo", "a2enmod", mod_name], stdout=open("/dev/null", 'w'), stderr=open("/dev/null", 'w'))
 # Hopefully this waits for output
- subprocess.check_call(["sudo", "/etc/init.d/apache2", "reload"], stdout=open("/dev/null", 'w'), stderr=open("/dev/null", 'w'))
+ subprocess.check_call(["sudo", "/etc/init.d/apache2", "restart"], stdout=open("/dev/null", 'w'), stderr=open("/dev/null", 'w'))
 except:
 logger.error("Error enabling mod_" + mod_name)
 sys.exit(1)
@@ -813,9 +813,9 @@ LogLevel warn \n\
 try:
 p = ''
 if quiet:
- p = subprocess.Popen(['/etc/init.d/apache2', 'reload'], stdout=subprocess.PIPE, stderr=open("/dev/null", 'w')).communicate()[0]
+ p = subprocess.Popen(['/etc/init.d/apache2', 'restart'], stdout=subprocess.PIPE, stderr=open("/dev/null", 'w')).communicate()[0]
 else:
- p = subprocess.Popen(['/etc/init.d/apache2', 'reload'], stderr=subprocess.PIPE).communicate()[0]
+ p = subprocess.Popen(['/etc/init.d/apache2', 'restart'], stderr=subprocess.PIPE).communicate()[0]
 if "fail" in p:
 logger.error("Apache configuration is incorrect")
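Review bot: The import block on the new side replaces the package imports with implicit relative ones (`from CONFIG import …`, `import logger`), which only resolve when the module is run from its own directory rather than as `trustify.client.configurator`; patch 3/4 in this series reverts exactly these five lines, so this looks like a local development edit committed by accident. Squashing the two patches leaves the import block untouched and keeps the series reviewable.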
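Review bot: Replacing `reload` with `restart` in the `check_call` changes the failure mode: a reload leaves the running server and its open connections in place if anything goes wrong, while a restart stops it first, so a start failure leaves the host with no HTTPS listener (the same applies to the two `Popen` calls in the `-813` hunk). Running `apache2ctl configtest` before the restart and treating a non-zero exit as the error, instead of restarting blindly, keeps the fail-safe behaviour. The `open("/dev/null", 'w')` handles passed to `check_call` are never closed, and the bare `except:` that follows also swallows `KeyboardInterrupt` and `SystemExit`; `except (subprocess.CalledProcessError, OSError):` covers what this call can raise. The enclosing function begins before the hunk.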
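Review bot: In the `else` branch the new `Popen(…, stderr=subprocess.PIPE).communicate()[0]` still takes element 0, which is stdout; with stdout not piped that is `None`, so the following `if "fail" in p:` raises `TypeError` on the first non-quiet run instead of checking the output. Element `[1]` is the stderr this branch actually captures, or both branches could pipe the same stream so that `p` has one meaning. Matching the substring `"fail"` is also fragile against reworded or localized init-script output; the process's `returncode` is the reliable signal. This call also omits the `sudo` that the `-706` hunk uses for the same script, which presumably means one of the two is wrong. The enclosing function begins before and continues after the hunk.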
@@ -835,6 +835,10 @@ LogLevel warn \n\
 self.aug.insert(lastInclude[0], "incl", False)
 self.aug.set("/augeas/load/Httpd/incl[last()]", incl)
+ def configtest(self):
+ p = subprocess.Popen(['sudo', '/usr/sbin/apache2ctl', 'configtest'], stdout=subprocess.PIPE, stderr=open("/dev/null", 'w')).communicate()[0]
+ print p
+
 def save(self, mod_conf="Augeas Configuration", reversible=False):
 """
 Saves all changes to the configuration files
@@ -867,8 +871,8 @@ LogLevel warn \n\
 return False
 # Retrieve list of modified files
- # Note: Noop saves can cause the file to be listed twice, used set to
- # remove this possibility
+ # Note: Noop saves can cause the file to be listed twice, I used a
+ # set to remove this possibility. This is a known augeas error.
 save_paths = self.aug.match("/augeas/events/saved")
 # If the augeas tree didn't change, no files were saved and a backup
@@ -1030,6 +1034,7 @@ def main():
 #config.recover_checkpoint(1)
 """
 config.display_checkpoints()
+ config.configtest()
 """
 #config.make_vhost_ssl("/etc/apache2/sites-available/default")
 # Testing redirection
From 9d346ee2463395a1570ffb25857263ed8d364c17 Mon Sep 17 00:00:00 2001
From: James Kasten
Date: Wed, 24 Oct 2012 18:55:39 -0400
Subject: [PATCH 3/4] Changed apache reload to more consistent apache restart
---
 trustify/client/configurator.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/trustify/client/configurator.py b/trustify/client/configurator.py
index ce60b9889..a7deb0745 100644
--- a/trustify/client/configurator.py
+++ b/trustify/client/configurator.py
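Review bot: The new `configtest` discards the exit status of `apache2ctl configtest` and returns nothing, so a caller cannot use it to decide whether the restart introduced in the earlier hunks is safe to run; it also sends stderr to `/dev/null`, which is where `apache2ctl` normally writes its `Syntax OK` or error report, so `print p` will likely show an empty string. Returning a boolean derived from `returncode` and capturing both streams makes the method usable as a guard before `restart`, and the method needs a docstring stating that contract. The `open("/dev/null", 'w')` handle is also never closed.
```python
    def configtest(self):
        """Run ``apache2ctl configtest``; return True when the configuration parses cleanly."""
        proc = subprocess.Popen(['sudo', '/usr/sbin/apache2ctl', 'configtest'],
                                stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        out, err = proc.communicate()
        print out, err
        return proc.returncode == 0
```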
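Review bot: The added `config.configtest()` sits between the `"""` delimiters in `main()`, so it is part of a string literal and never executes; if it is meant as a smoke test it should be an executable line, and if it is scratch material the block is better written as `#` comments than as a bare string expression, which is easy to mistake for live code. `main()` begins before the hunk and continues after it.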
@@ -7,11 +7,11 @@ import socket
 import time
 import shutil
-#from trustify.client.CONFIG import SERVER_ROOT, BACKUP_DIR, MODIFIED_FILES
-from CONFIG import SERVER_ROOT, BACKUP_DIR, MODIFIED_FILES, REWRITE_HTTPS_ARGS
-#from trustify.client.CONFIG import REWRITE_HTTPS_ARGS
-#from trustify.client import logger
-import logger
+from trustify.client.CONFIG import SERVER_ROOT, BACKUP_DIR, MODIFIED_FILES
+#from CONFIG import SERVER_ROOT, BACKUP_DIR, MODIFIED_FILES, REWRITE_HTTPS_ARGS
+from trustify.client.CONFIG import REWRITE_HTTPS_ARGS
+from trustify.client import logger
+#import logger
 #TODO - Need an initialization routine... make sure directories exist..ect
From 581c362d974faff5693bf82ccb0288e771fe0ec7 Mon Sep 17 00:00:00 2001
From: Seth Schoen
Date: Wed, 24 Oct 2012 23:33:45 -0700
Subject: [PATCH 4/4] warning: we apparently need to replace urllib2
---
 trustify/client/client.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/trustify/client/client.py b/trustify/client/client.py
index 1851ac75c..7b08b33bb 100644
--- a/trustify/client/client.py
+++ b/trustify/client/client.py
@@ -4,6 +4,7 @@ import M2Crypto
 # It is OK to use the upstream M2Crypto here instead of our modified
 # version.
 import urllib2
+# XXX TODO: per https://docs.google.com/document/pub?id=1roBIeSJsYq3Ntpf6N0PIeeAAvu4ddn7mGo6Qb7aL7ew, urllib2 is unsafe (!) and must be replaced
 import os, grp, pwd, sys, time, random, sys
 import hashlib
 import subprocess
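Review bot: The new comment defers its reason to a Google Docs link, which can become inaccessible and is not visible from a code review tool, so the TODO is not actionable on its own. The concrete property belongs in the comment: on Python 2 before 2.7.9, `urllib2.urlopen` on an `https://` URL performs no certificate or hostname verification, so client-to-CA traffic sent through it is exposed to active interception. Something like `# XXX TODO: urllib2 does no TLS certificate/hostname verification on https URLs; replace it (design notes: <link>)` keeps the pointer while naming the issue.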