DNS error when trying to log to Google's testtube CT log

I have a local boulder instance running and issuance works fine. As a next step, I added Google’s testtube CT log to the va config, but when a new cert is issued, I get the following error:

boulder-publisher Request failed, backing-off for 8s: Post http://ct.googleapis.com/testtube/ct/v1/add-chain: dial tcp: lookup ct.googleapis.com on 127.0.0.11:53: server misbehaving

The actual endpoint it’s trying to log to looks correct to me. I’m using 8.8.8.8 as a resolver in the va and ra configs and I am puzzled why it’s trying to use 127.0.0.11 as a DNS resolver.

Also, just to avoid questions, Google’s requirements for logging to their test logs are fulfilled (the cert’s subject has test in the name and the root in the chain is acceptable to testtube).

Appreciate any ideas!


Hi,

I (personally) think you should consider asking this on the GitHub repo’s issue page, since there should be more people familiar with this matter.

Thank you


boulder-publisher doesn't use the RA/VA configs, but I think that the likely cause is that your Docker network's embedded DNS resolver (127.0.0.11) is broken.

The reason that resolver is used is because it provides the ability for containers to address each other by their proper names (e.g. ra1.boulder) rather than hardcoded addresses, and other queries are forwarded onto the system's host resolver.

Since the RA and VA have special DNS resolver requirements, they send DNS queries directly to other resolvers.

Try checking that you can perform DNS lookups in a normal interactive container, try restarting Docker, or try passing a resolver for the embedded resolver to forward queries to, e.g. --dns 8.8.8.8.

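An added example, not part of the thread and not Boulder's own code: a Go helper that pulls the failing resolver out of an error chain like the one in the question, so the log line can be tied to Docker's embedded resolver (127.0.0.11) rather than to the resolvers set in the RA/VA configs. The names TriageDNSError, Finding and constructedError are hypothetical, and the error is constructed to match the posted message.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// Address of Docker's embedded resolver, as named in the reply above.
const dockerEmbeddedDNS = "127.0.0.11"

// Finding records which resolver failed for which name (hypothetical type).
type Finding struct {
	Name, Resolver, Reason string
	DockerEmbedded         bool
}

// TriageDNSError walks the wrapped error chain for a *net.DNSError and
// reports the resolver that produced it. ok is false for non-DNS errors.
func TriageDNSError(err error) (f Finding, ok bool) {
	var dnsErr *net.DNSError
	if !errors.As(err, &dnsErr) {
		return f, false
	}
	f = Finding{Name: dnsErr.Name, Resolver: dnsErr.Server, Reason: dnsErr.Err}
	host, _, splitErr := net.SplitHostPort(dnsErr.Server)
	if splitErr != nil {
		host = dnsErr.Server // Server had no port component
	}
	f.DockerEmbedded = host == dockerEmbeddedDNS
	return f, true
}

// constructedError rebuilds, offline, the chain an HTTP client returns for
// the failure quoted in the question (constructed sample, not captured).
func constructedError() error {
	return &url.Error{Op: "Post", URL: "http://ct.googleapis.com/testtube/ct/v1/add-chain",
		Err: &net.OpError{Op: "dial", Net: "tcp", Err: &net.DNSError{
			Err: "server misbehaving", Name: "ct.googleapis.com", Server: "127.0.0.11:53"}}}
}

func main() {
	err := constructedError()
	fmt.Println(err)
	if f, ok := TriageDNSError(err); ok {
		fmt.Printf("name=%s resolver=%s docker_embedded=%t reason=%q\n", f.Name, f.Resolver, f.DockerEmbedded, f.Reason)
	}
}
```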

Tried that and DNS resolution seems to work fine in an interactive alpine container (even without specifically passing a public DNS resolver).
