Fix "internal name" pkilint findings

docker-compose.yml

@@ -43,6 +43,11 @@ services:
     # TODO: Remove this when ServerAddress is deprecated in favor of SRV records
     # and DNSAuthority.
     dns: 10.55.55.10
+    extra_hosts:
+      # Allow the boulder container to be reached as "boulder.ca", so that we
+      # can put that name inside our integration test certs (e.g. as a crl
+      # url) and have it look like a publicly-accessible name.
+      - "boulder.ca:10.77.77.77"
     ports:
       - 4001:4001 # ACMEv2
       - 4002:4002 # OCSP

test/aia-test-srv/main.go

@@ -9,6 +9,7 @@ import (
 	"os"
 	"path"
 	"regexp"
+	"strings"
 	"time"
 
 	"github.com/letsencrypt/boulder/cmd"
@@ -25,6 +26,7 @@ func (srv *aiaTestSrv) handleIssuer(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusBadRequest)
 		return
 	}
+	issuerName = strings.ReplaceAll(issuerName, "-", " ")
 
 	issuer, ok := srv.issuersByName[issuerName]
 	if !ok {

test/config-next/ca.json

@@ -65,9 +65,9 @@
 			"issuers": [
 				{
 					"active": true,
-					"issuerURL": "http://127.0.0.1:4502/int ecdsa a",
-					"ocspURL": "http://127.0.0.1:4002/",
-					"crlURLBase": "http://127.0.0.1:4501/ecdsa-a/",
+					"issuerURL": "http://boulder.ca:4502/int-ecdsa-a",
+					"ocspURL": "http://boulder.ca:4002/",
+					"crlURLBase": "http://boulder.ca:4501/ecdsa-a/",
 					"location": {
 						"configFile": "/hierarchy/int-ecdsa-a.pkcs11.json",
 						"certFile": "/hierarchy/int-ecdsa-a.cert.pem",
@@ -76,9 +76,9 @@
 				},
 				{
 					"active": true,
-					"issuerURL": "http://127.0.0.1:4502/int ecdsa b",
-					"ocspURL": "http://127.0.0.1:4002/",
-					"crlURLBase": "http://127.0.0.1:4501/ecdsa-b/",
+					"issuerURL": "http://boulder.ca:4502/int-ecdsa-b",
+					"ocspURL": "http://boulder.ca:4002/",
+					"crlURLBase": "http://boulder.ca:4501/ecdsa-b/",
 					"location": {
 						"configFile": "/hierarchy/int-ecdsa-b.pkcs11.json",
 						"certFile": "/hierarchy/int-ecdsa-b.cert.pem",
@@ -87,9 +87,9 @@
 				},
 				{
 					"active": false,
-					"issuerURL": "http://127.0.0.1:4502/int ecdsa c",
-					"ocspURL": "http://127.0.0.1:4002/",
-					"crlURLBase": "http://127.0.0.1:4501/ecdsa-c/",
+					"issuerURL": "http://boulder.ca:4502/int-ecdsa-c",
+					"ocspURL": "http://boulder.ca:4002/",
+					"crlURLBase": "http://boulder.ca:4501/ecdsa-c/",
 					"location": {
 						"configFile": "/hierarchy/int-ecdsa-c.pkcs11.json",
 						"certFile": "/hierarchy/int-ecdsa-c.cert.pem",
@@ -98,9 +98,9 @@
 				},
 				{
 					"active": true,
-					"issuerURL": "http://127.0.0.1:4502/int rsa a",
-					"ocspURL": "http://127.0.0.1:4002/",
-					"crlURLBase": "http://127.0.0.1:4501/rsa-a/",
+					"issuerURL": "http://boulder.ca:4502/int-rsa-a",
+					"ocspURL": "http://boulder.ca:4002/",
+					"crlURLBase": "http://boulder.ca:4501/rsa-a/",
 					"location": {
 						"configFile": "/hierarchy/int-rsa-a.pkcs11.json",
 						"certFile": "/hierarchy/int-rsa-a.cert.pem",
@@ -109,9 +109,9 @@
 				},
 				{
 					"active": true,
-					"issuerURL": "http://127.0.0.1:4502/int rsa b",
-					"ocspURL": "http://127.0.0.1:4002/",
-					"crlURLBase": "http://127.0.0.1:4501/rsa-b/",
+					"issuerURL": "http://boulder.ca:4502/int-rsa-b",
+					"ocspURL": "http://boulder.ca:4002/",
+					"crlURLBase": "http://boulder.ca:4501/rsa-b/",
 					"location": {
 						"configFile": "/hierarchy/int-rsa-b.pkcs11.json",
 						"certFile": "/hierarchy/int-rsa-b.cert.pem",
@@ -120,9 +120,9 @@
 				},
 				{
 					"active": false,
-					"issuerURL": "http://127.0.0.1:4502/int rsa c",
-					"ocspURL": "http://127.0.0.1:4002/",
-					"crlURLBase": "http://127.0.0.1:4501/rsa-c/",
+					"issuerURL": "http://boulder.ca:4502/int-rsa-c",
+					"ocspURL": "http://boulder.ca:4002/",
+					"crlURLBase": "http://boulder.ca:4501/rsa-c/",
 					"location": {
 						"configFile": "/hierarchy/int-rsa-c.pkcs11.json",
 						"certFile": "/hierarchy/int-rsa-c.cert.pem",

test/config/ca.json

@@ -61,8 +61,8 @@
 				{
 					"useForRSALeaves": false,
 					"useForECDSALeaves": true,
-					"issuerURL": "http://127.0.0.1:4502/int ecdsa a",
-					"ocspURL": "http://127.0.0.1:4002/",
+					"issuerURL": "http://boulder.ca:4502/int-ecdsa-a",
+					"ocspURL": "http://boulder.ca:4002/",
 					"location": {
 						"configFile": "/hierarchy/int-ecdsa-a.pkcs11.json",
 						"certFile": "/hierarchy/int-ecdsa-a.cert.pem",
@@ -72,8 +72,8 @@
 				{
 					"useForRSALeaves": true,
 					"useForECDSALeaves": true,
-					"issuerURL": "http://127.0.0.1:4502/int rsa a",
-					"ocspURL": "http://127.0.0.1:4002/",
+					"issuerURL": "http://boulder.ca:4502/int-rsa-a",
+					"ocspURL": "http://boulder.ca:4002/",
 					"location": {
 						"configFile": "/hierarchy/int-rsa-a.pkcs11.json",
 						"certFile": "/hierarchy/int-rsa-a.cert.pem",
@@ -83,8 +83,8 @@
 				{
 					"useForRSALeaves": false,
 					"useForECDSALeaves": false,
-					"issuerURL": "http://127.0.0.1:4502/int rsa b",
-					"ocspURL": "http://127.0.0.1:4002/",
+					"issuerURL": "http://boulder.ca:4502/int-rsa-b",
+					"ocspURL": "http://boulder.ca:4003/",
 					"location": {
 						"configFile": "/hierarchy/int-rsa-b.pkcs11.json",
 						"certFile": "/hierarchy/int-rsa-b.cert.pem",