Bump boulder version to release-2023-08-14

This commit is contained in:
Arjan H
2023-08-14 19:18:07 +02:00
parent a8a91a36a7
commit 0cc6fb6b93
25 changed files with 132 additions and 101 deletions


@@ -13,7 +13,7 @@ jobs:
fail-fast: false
matrix:
GO_VERSION:
- 1.20.6
- 1.20.7
steps:
- name: Checkout


@@ -1,4 +1,4 @@
FROM letsencrypt/boulder-tools:go1.20.5_2023-06-20 AS boulder-tools
FROM letsencrypt/boulder-tools:go1.20.7_2023-08-02 AS boulder-tools
FROM ubuntu:focal


@@ -8,7 +8,7 @@ TMP_DIR=$(pwd)/tmp
rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src}
boulderDir=$TMP_DIR/src
boulderTag="release-2023-07-11"
boulderTag="release-2023-08-14"
boulderUrl="https://github.com/letsencrypt/boulder/"
cloneDir=$(pwd)/..


@@ -74,7 +74,7 @@ services:
restart: always
bconsul:
image: hashicorp/consul:1.14.2
image: hashicorp/consul:1.15.4
depends_on:
- control
volumes:


@@ -1,12 +1,12 @@
diff --git a/docker-compose.yml b/docker-compose.yml
index 81ece4913..869b7d5de 100644
index df62bf8b..748d81cc 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -3,7 +3,7 @@ name: labca
services:
boulder:
# Should match one of the GO_DEV_VERSIONS in test/boulder-tools/tag_and_upload.sh.
- image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.20.5_2023-06-20}
- image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.20.7_2023-08-02}
+ image: ghcr.io/hakwerk/labca-boulder:${LABCA_IMAGE_VERSION:-latest}
environment:
# To solve HTTP-01 and TLS-ALPN-01 challenges, change the IP in FAKE_DNS
@@ -38,7 +38,7 @@ index 81ece4913..869b7d5de 100644
@@ -77,8 +75,10 @@ services:
bconsul:
image: hashicorp/consul:1.14.2
image: hashicorp/consul:1.15.4
+ depends_on:
+ - control
volumes:


@@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0"
labcaUrl="https://github.com/hakwerk/labca/"
boulderUrl="https://github.com/letsencrypt/boulder/"
boulderTag="release-2023-07-11"
boulderTag="release-2023-08-14"
# Feature flags
flag_skip_redis=true


@@ -24,16 +24,15 @@ $SUDO patch -p1 -o "$boulderLabCADir/config/bad-key-revoker.json" < $cloneDir/pa
$SUDO patch -p1 -o "$boulderLabCADir/config/ocsp-responder.json" < $cloneDir/patches/config_ocsp-responder.patch
$SUDO patch -p1 -o "$boulderLabCADir/config/publisher.json" < $cloneDir/patches/config_publisher.patch
$SUDO patch -p1 -o "$boulderLabCADir/config/wfe2.json" < $cloneDir/patches/config_wfe2.patch
$SUDO patch -p1 -o "$boulderLabCADir/config/orphan-finder.json" < $cloneDir/patches/config_orphan-finder.patch
$SUDO patch -p1 -o "$boulderLabCADir/config/crl-storer.json" < $cloneDir/patches/config_crl-storer.patch
$SUDO patch -p1 -o "$boulderLabCADir/config/crl-updater.json" < $cloneDir/patches/config_crl-updater.patch
$SUDO patch -p1 -o "$boulderLabCADir/config/ra.json" < $cloneDir/patches/config_ra.patch
$SUDO patch -p1 -o "$boulderLabCADir/config/akamai-purger.json" < $cloneDir/patches/config_akamai-purger.patch
cp test/config/va*.json "$boulderLabCADir/config/"
perl -i -p0e "s/\"dnsResolver\": \"service.consul\",/\"dnsResolvers\": [\n \"127.0.0.1:8053\",\n \"127.0.0.1:8054\"\n ],/igs" $boulderLabCADir/config/va.json
perl -i -p0e "s/\"dnsResolver\": \"service.consul\",/\"dnsResolvers\": [\n \"127.0.0.1:8053\",\n \"127.0.0.1:8054\"\n ],/igs" $boulderLabCADir/config/va-remote-a.json
perl -i -p0e "s/\"dnsResolver\": \"service.consul\",/\"dnsResolvers\": [\n \"127.0.0.1:8053\",\n \"127.0.0.1:8054\"\n ],/igs" $boulderLabCADir/config/va-remote-b.json
perl -i -p0e "s/\"dnsProvider\": {.*?\t\t},/\"dnsResolvers\": [\n\t\t\t\"127.0.0.1:8053\",\n\t\t\t\"127.0.0.1:8054\"\n\t\t],/igs" $boulderLabCADir/config/va.json
perl -i -p0e "s/\"dnsProvider\": {.*?\t\t},/\"dnsResolvers\": [\n\t\t\t\"127.0.0.1:8053\",\n\t\t\t\"127.0.0.1:8054\"\n\t\t],/igs" $boulderLabCADir/config/va-remote-a.json
perl -i -p0e "s/\"dnsProvider\": {.*?\t\t},/\"dnsResolvers\": [\n\t\t\t\"127.0.0.1:8053\",\n\t\t\t\"127.0.0.1:8054\"\n\t\t],/igs" $boulderLabCADir/config/va-remote-b.json
if [ "$flag_skip_redis" == true ]; then
perl -i -p0e "s/\n \"redis\": \{\n.*? \},//igs" $boulderLabCADir/config/ocsp-responder.json
@@ -51,7 +50,6 @@ sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/o
sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/publisher.json
sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ra.json
sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/wfe2.json
sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/orphan-finder.json
sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/crl-storer.json
sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/crl-updater.json
sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ra.json
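Review bot: The three `perl -i -p0e "s/\"dnsProvider\": {.*?\t\t},/.../igs"` substitutions on va.json, va-remote-a.json and va-remote-b.json depend on the upstream JSON closing the `dnsProvider` object with exactly two tabs before `},`; when that indentation changes the pattern matches nothing and the script carries on, leaving the VA configured for the consul-backed `dnsProvider` instead of the local resolvers. A check after each substitution, `grep -q '"dnsResolvers"' "$boulderLabCADir/config/va.json" || exit 1` (or the equivalent inside a `for f in va va-remote-a va-remote-b` loop that also removes the triplication), would turn that silent miss into a hard failure. In the second hunk the `sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ra.json` line appears twice as context, so one of the two is redundant.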


@@ -43,6 +43,7 @@ $SUDO patch -p1 < $cloneDir/patches/ocsp-responder_main.patch
$SUDO patch -p1 < $cloneDir/patches/policy_pa.patch
$SUDO patch -p1 < $cloneDir/patches/ra_ra.patch
$SUDO patch -p1 < $cloneDir/patches/ratelimit_rate-limits.patch
$SUDO patch -p1 < $cloneDir/patches/ratelimits_names.patch
$SUDO patch -p1 < $cloneDir/patches/reloader_reloader.patch
$SUDO patch -p1 < $cloneDir/patches/startservers.patch
if [ "$SUDO" == "" ]; then


@@ -1,5 +1,5 @@
diff --git a/cmd/bad-key-revoker/main.go b/cmd/bad-key-revoker/main.go
index 527d4d36a..b2c0fa411 100644
index 052e46819..d1c96b7ca 100644
--- a/cmd/bad-key-revoker/main.go
+++ b/cmd/bad-key-revoker/main.go
@@ -18,6 +18,7 @@ import (
@@ -10,7 +10,7 @@ index 527d4d36a..b2c0fa411 100644
"github.com/letsencrypt/boulder/cmd"
"github.com/letsencrypt/boulder/config"
"github.com/letsencrypt/boulder/core"
@@ -392,6 +393,11 @@ type Config struct {
@@ -396,6 +397,11 @@ type Config struct {
TLS cmd.TLSConfig
RAService *cmd.GRPCClientConfig
@@ -22,7 +22,7 @@ index 527d4d36a..b2c0fa411 100644
// MaximumRevocations specifies the maximum number of certificates associated with
// a key hash that bad-key-revoker will attempt to revoke. If the number of certificates
// is higher than MaximumRevocations bad-key-revoker will error out and refuse to
@@ -457,6 +463,29 @@ func main() {
@@ -461,6 +467,29 @@ func main() {
cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to RA")
rac := rapb.NewRegistrationAuthorityClient(conn)
@@ -52,7 +52,7 @@ index 527d4d36a..b2c0fa411 100644
var smtpRoots *x509.CertPool
if config.BadKeyRevoker.Mailer.SMTPTrustedRootFile != "" {
pem, err := os.ReadFile(config.BadKeyRevoker.Mailer.SMTPTrustedRootFile)
@@ -478,6 +507,7 @@ func main() {
@@ -482,6 +511,7 @@ func main() {
config.BadKeyRevoker.Mailer.Username,
smtpPassword,
smtpRoots,


@@ -1,29 +1,24 @@
diff --git a/cmd/boulder-va/main.go b/cmd/boulder-va/main.go
index 8994b9b20..a0f0f9aa6 100644
index 1c998bc97..0665bdf4b 100644
--- a/cmd/boulder-va/main.go
+++ b/cmd/boulder-va/main.go
@@ -27,8 +27,9 @@ type Config struct {
@@ -27,7 +27,8 @@ type Config struct {
// before giving up. May be short-circuited by deadlines. A zero value
// will be turned into 1.
DNSTries int
- DNSResolver string `validate:"required_without=DNSProvider,excluded_with=DNSProvider,omitempty,hostname|hostname_port"`
- DNSProvider *cmd.DNSProvider `validate:"required_without=DNSResolver,excluded_with=DNSResolver,omitempty"`
+ DNSResolver string `validate:"omitempty,hostname|hostname_port"`
- DNSProvider *cmd.DNSProvider `validate:"required"`
+ DNSResolvers []string
+ DNSProvider *cmd.DNSProvider `validate:"omitempty"`
DNSTimeout config.Duration `validate:"required"`
DNSAllowLoopbackAddresses bool
@@ -87,7 +88,7 @@ func main() {
cmd.Fail("Cannot specify both 'dnsResolver' and dnsProvider")
@@ -80,13 +81,18 @@ func main() {
}
clk := cmd.Clock()
- if c.VA.DNSResolver == "" && c.VA.DNSProvider == nil {
+ if c.VA.DNSResolver == "" && c.VA.DNSProvider == nil && len(c.VA.DNSResolvers) == 0 {
cmd.Fail("Must specify either 'dnsResolver' or dnsProvider")
}
@@ -100,8 +101,13 @@ func main() {
- if c.VA.DNSProvider == nil {
+ if c.VA.DNSProvider == nil && len(c.VA.DNSResolvers) == 0 {
cmd.Fail("Must specify dnsProvider")
}
var servers bdns.ServerProvider
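Review bot: The new check `if c.VA.DNSProvider == nil && len(c.VA.DNSResolvers) == 0 {` still fails with `cmd.Fail("Must specify dnsProvider")`, a message that no longer describes what the check accepts; `cmd.Fail("Must specify either 'dnsProvider' or 'dnsResolvers'")` would match it. The added `DNSResolvers []string` field appears to be the only DNS field in the struct without a `validate` tag, so its entries are never format-checked the way the `hostname|hostname_port` tag on the dropped DNSResolver line checked that field; if the validator in use supports per-element validation, `validate:"omitempty,dive,hostname_port"` restores that. Both the Config struct and main start outside the hunk, and since this section is a diff of a patch file the lines above are read from the patch's new side.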


@@ -1,8 +1,8 @@
diff --git a/cmd/cert-checker/main.go b/cmd/cert-checker/main.go
index 1dbc8fadf..442f34e69 100644
index 199f40706..d1611a824 100644
--- a/cmd/cert-checker/main.go
+++ b/cmd/cert-checker/main.go
@@ -101,6 +101,7 @@ type certChecker struct {
@@ -108,6 +108,7 @@ type certChecker struct {
checkPeriod time.Duration
acceptableValidityDurations map[time.Duration]bool
logger blog.Logger
@@ -10,15 +10,15 @@ index 1dbc8fadf..442f34e69 100644
}
func newChecker(saDbMap certDB,
@@ -110,6 +111,7 @@ func newChecker(saDbMap certDB,
@@ -117,6 +118,7 @@ func newChecker(saDbMap certDB,
period time.Duration,
avd map[time.Duration]bool,
logger blog.Logger,
+ sfd bool,
) certChecker {
return certChecker{
pa: pa,
@@ -122,6 +124,7 @@ func newChecker(saDbMap certDB,
precertGetter := func(ctx context.Context, serial string) ([]byte, error) {
precertPb, err := sa.SelectPrecertificate(ctx, saDbMap, serial)
@@ -137,6 +139,7 @@ func newChecker(saDbMap certDB,
checkPeriod: period,
acceptableValidityDurations: avd,
logger: logger,
@@ -26,7 +26,7 @@ index 1dbc8fadf..442f34e69 100644
}
}
@@ -348,7 +351,7 @@ func (c *certChecker) checkCert(cert core.Certificate, ignoredLints map[string]b
@@ -365,7 +368,7 @@ func (c *certChecker) checkCert(ctx context.Context, cert core.Certificate, igno
err = c.pa.WillingToIssueWildcards([]identifier.ACMEIdentifier{id})
if err != nil {
problems = append(problems, fmt.Sprintf("Policy Authority isn't willing to issue for '%s': %s", name, err))
@@ -35,7 +35,7 @@ index 1dbc8fadf..442f34e69 100644
// For defense-in-depth, even if the PA was willing to issue for a name
// we double check it against a list of forbidden domains. This way even
// if the hostnamePolicyFile malfunctions we will flag the forbidden
@@ -410,10 +413,11 @@ type Config struct {
@@ -441,10 +444,11 @@ type Config struct {
DB cmd.DBConfig
cmd.HostnamePolicyConfig
@@ -51,7 +51,7 @@ index 1dbc8fadf..442f34e69 100644
// AcceptableValidityDurations is a list of durations which are
// acceptable for certificates we issue.
@@ -479,6 +483,8 @@ func main() {
@@ -510,6 +514,8 @@ func main() {
acceptableValidityDurations[ninetyDays] = true
}
@@ -60,7 +60,7 @@ index 1dbc8fadf..442f34e69 100644
// Validate PA config and set defaults if needed.
cmd.FailOnError(config.PA.CheckChallenges(), "Invalid PA configuration")
@@ -519,6 +525,7 @@ func main() {
@@ -550,6 +556,7 @@ func main() {
config.CertChecker.CheckPeriod.Duration,
acceptableValidityDurations,
logger,


@@ -1,8 +1,8 @@
diff --git a/cmd/config.go b/cmd/config.go
index 18213cf51..a612afd18 100644
index 62c99005a..6794a9712 100644
--- a/cmd/config.go
+++ b/cmd/config.go
@@ -464,7 +464,7 @@ type GRPCServerConfig struct {
@@ -449,7 +449,7 @@ type GRPCServerConfig struct {
// this controls how long it takes before a client learns about changes to its
// backends.
// https://pkg.go.dev/google.golang.org/grpc/keepalive#ServerParameters


@@ -2,7 +2,7 @@ diff --git a/test/config/crl-updater.json b/test/config/crl-updater.json
index f6b70123f..a6c1471e5 100644
--- a/test/config/crl-updater.json
+++ b/test/config/crl-updater.json
@@ -22,15 +22,15 @@
@@ -22,16 +22,14 @@
"hostOverride": "crl-storer.boulder"
},
"issuerCerts": [
@@ -12,16 +12,17 @@ index f6b70123f..a6c1471e5 100644
+ "/hierarchy/intermediate-cert-rsa-a.pem"
],
- "numShards": 10,
+ "numShards": 1,
"certificateLifetime": "2160h",
- "shardWidth": "240h",
- "lookbackPeriod": "24h",
- "updatePeriod": "6h",
- "updateOffset": "9120s",
- "maxParallelism": 10
- "maxParallelism": 10,
+ "numShards": 1,
+ "shardWidth": "24h",
+ "lookbackPeriod": "96h",
+ "updatePeriod": "24h",
+ "updateOffset": "5m",
+ "maxParallelism": 1
+ "maxParallelism": 1,
"maxAttempts": 5,
"features": {}
},
"syslog": {
"stdoutlevel": 6,


@@ -1,15 +0,0 @@
diff --git a/test/config/orphan-finder.json b/test/config/orphan-finder.json
index 5497f8f1..8f91fd59 100644
--- a/test/config/orphan-finder.json
+++ b/test/config/orphan-finder.json
@@ -1,9 +1,7 @@
{
"backdate": "1h",
"issuerCerts": [
- "/hierarchy/intermediate-cert-rsa-a.pem",
- "/hierarchy/intermediate-cert-rsa-b.pem",
- "/hierarchy/intermediate-cert-ecdsa-a.pem"
+ "/hierarchy/intermediate-cert-rsa-a.pem"
],
"syslog": {
"stdoutlevel": 7,


@@ -1,8 +1,8 @@
diff --git a/cmd/contact-auditor/main.go b/cmd/contact-auditor/main.go
index 419182fe..d77270cd 100644
index a20560b6f..ac0d567f8 100644
--- a/cmd/contact-auditor/main.go
+++ b/cmd/contact-auditor/main.go
@@ -11,6 +11,7 @@ import (
@@ -12,6 +12,7 @@ import (
"time"
"github.com/letsencrypt/boulder/cmd"
@@ -10,7 +10,7 @@ index 419182fe..d77270cd 100644
"github.com/letsencrypt/boulder/db"
blog "github.com/letsencrypt/boulder/log"
"github.com/letsencrypt/boulder/policy"
@@ -49,9 +50,13 @@ func validateContacts(id int64, createdAt string, contacts []string) error {
@@ -50,9 +51,13 @@ func validateContacts(id int64, createdAt string, contacts []string) error {
fmt.Fprintf(&probsBuff, "%d\t%s\tvalidation\t%q\t%q\t%q\n", id, createdAt, contact, prob, contacts)
}


@@ -1,5 +1,5 @@
diff --git a/docker-compose.yml b/docker-compose.yml
index f7c4e45c0..59f5423d4 100644
index 5be626d6..4c28fe96 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -22,8 +22,6 @@ services:
@@ -11,16 +11,18 @@ index f7c4e45c0..59f5423d4 100644
consulnet:
ipv4_address: 10.55.55.55
# Use consul as a backup to Docker's embedded DNS server. If there's a name
@@ -42,8 +40,6 @@ services:
@@ -42,10 +40,6 @@ services:
depends_on:
- bmysql
- bproxysql
- - bredis_1
- - bredis_2
- - bredis_3
- - bredis_4
- bconsul
- bjaeger
entrypoint: test/entrypoint.sh
@@ -81,24 +77,6 @@ services:
@@ -83,42 +77,6 @@ services:
aliases:
- boulder-proxysql
@@ -28,7 +30,7 @@ index f7c4e45c0..59f5423d4 100644
- image: redis:6.2.7
- volumes:
- - ./test/:/test/:cached
- command: redis-server /test/redis.config
- command: redis-server /test/redis-ocsp.config
- networks:
- redisnet:
- ipv4_address: 10.33.33.2
@@ -37,15 +39,33 @@ index f7c4e45c0..59f5423d4 100644
- image: redis:6.2.7
- volumes:
- - ./test/:/test/:cached
- command: redis-server /test/redis.config
- command: redis-server /test/redis-ocsp.config
- networks:
- redisnet:
- ipv4_address: 10.33.33.3
-
- bredis_3:
- image: redis:6.2.7
- volumes:
- - ./test/:/test/:cached
- command: redis-server /test/redis-ratelimits.config
- networks:
- redisnet:
- ipv4_address: 10.33.33.4
-
- bredis_4:
- image: redis:6.2.7
- volumes:
- - ./test/:/test/:cached
- command: redis-server /test/redis-ratelimits.config
- networks:
- redisnet:
- ipv4_address: 10.33.33.5
-
bconsul:
image: hashicorp/consul:1.14.2
image: hashicorp/consul:1.15.4
volumes:
@@ -148,13 +126,6 @@ networks:
@@ -168,13 +126,6 @@ networks:
config:
- subnet: 10.88.88.0/24


@@ -1,5 +1,5 @@
diff --git a/docker-compose.yml b/docker-compose.yml
index 59f5423d4..81ece4913 100644
index 4c28fe96..df62bf8b 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,4 +1,5 @@
@@ -67,7 +67,7 @@ index 59f5423d4..81ece4913 100644
logging:
- driver: none
- bproxysql:
- image: proxysql/proxysql:2.5.2
- image: proxysql/proxysql:2.5.4
- # The --initial flag force resets the ProxySQL database on startup. By
- # default, ProxySQL ignores new configuration if the database already
- # exists. Without this flag, new configuration wouldn't be applied until you
@@ -88,7 +88,7 @@ index 59f5423d4..81ece4913 100644
+ restart: always
bconsul:
image: hashicorp/consul:1.14.2
image: hashicorp/consul:1.15.4
@@ -89,27 +87,73 @@ services:
rednet:
ipv4_address: 10.88.88.10


@@ -1,5 +1,5 @@
diff --git a/cmd/expiration-mailer/main.go b/cmd/expiration-mailer/main.go
index d41bc5a0b..cde94e5a0 100644
index 1d7ccde3f..271813b5f 100644
--- a/cmd/expiration-mailer/main.go
+++ b/cmd/expiration-mailer/main.go
@@ -23,6 +23,7 @@ import (
@@ -19,7 +19,7 @@ index d41bc5a0b..cde94e5a0 100644
)
type regStore interface {
@@ -685,6 +686,11 @@ type Config struct {
@@ -688,6 +689,11 @@ type Config struct {
TLS cmd.TLSConfig
SAService *cmd.GRPCClientConfig
@@ -31,7 +31,7 @@ index d41bc5a0b..cde94e5a0 100644
// Path to a file containing a list of trusted root certificates for use
// during the SMTP connection (as opposed to the gRPC connections).
SMTPTrustedRootFile string
@@ -833,6 +839,29 @@ func main() {
@@ -836,6 +842,29 @@ func main() {
cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA")
sac := sapb.NewStorageAuthorityClient(conn)
@@ -61,7 +61,7 @@ index d41bc5a0b..cde94e5a0 100644
var smtpRoots *x509.CertPool
if c.Mailer.SMTPTrustedRootFile != "" {
pem, err := os.ReadFile(c.Mailer.SMTPTrustedRootFile)
@@ -868,6 +897,7 @@ func main() {
@@ -871,6 +900,7 @@ func main() {
c.Mailer.Username,
smtpPassword,
smtpRoots,


@@ -1,8 +1,8 @@
diff --git a/linter/linter.go b/linter/linter.go
index 7310ef9d4..e179415d1 100644
index cf8c93cad..76d3c7dab 100644
--- a/linter/linter.go
+++ b/linter/linter.go
@@ -155,10 +155,21 @@ func makeIssuer(realIssuer *x509.Certificate, lintSigner crypto.Signer) (*x509.C
@@ -184,10 +184,21 @@ func makeIssuer(realIssuer *x509.Certificate, lintSigner crypto.Signer) (*x509.C
SubjectKeyId: realIssuer.SubjectKeyId,
URIs: realIssuer.URIs,
UnknownExtKeyUsage: realIssuer.UnknownExtKeyUsage,


@@ -1,8 +1,8 @@
diff --git a/cmd/notify-mailer/main.go b/cmd/notify-mailer/main.go
index e4b9ef739..7fd57e8f2 100644
index 8794a4b42..fc874549e 100644
--- a/cmd/notify-mailer/main.go
+++ b/cmd/notify-mailer/main.go
@@ -36,6 +36,7 @@ type mailer struct {
@@ -37,6 +37,7 @@ type mailer struct {
recipients []recipient
targetRange interval
sleepInterval time.Duration
@@ -10,7 +10,7 @@ index e4b9ef739..7fd57e8f2 100644
parallelSends uint
}
@@ -200,7 +201,7 @@ func (m *mailer) run() error {
@@ -201,7 +202,7 @@ func (m *mailer) run(ctx context.Context) error {
continue
}
@@ -19,7 +19,7 @@ index e4b9ef739..7fd57e8f2 100644
if err != nil {
m.log.Infof("Skipping %q due to policy violation: %s", w.address, err)
continue
@@ -501,7 +502,9 @@ type Config struct {
@@ -502,7 +503,9 @@ type Config struct {
NotifyMailer struct {
DB cmd.DBConfig
cmd.SMTPConfig
@@ -29,7 +29,7 @@ index e4b9ef739..7fd57e8f2 100644
Syslog cmd.SyslogConfig
}
@@ -568,6 +571,15 @@ func main() {
@@ -569,6 +572,15 @@ func main() {
log.Infof("While reading the recipient list file %s", probs)
}
@@ -45,7 +45,7 @@ index e4b9ef739..7fd57e8f2 100644
var mailClient bmail.Mailer
if *dryRun {
log.Infof("Starting %s in dry-run mode", cmd.VersionString())
@@ -583,6 +595,7 @@ func main() {
@@ -584,6 +596,7 @@ func main() {
cfg.NotifyMailer.Username,
smtpPassword,
nil,
@@ -53,7 +53,7 @@ index e4b9ef739..7fd57e8f2 100644
*address,
log,
metrics.NoopRegisterer,
@@ -603,6 +616,7 @@ func main() {
@@ -604,6 +617,7 @@ func main() {
end: *end,
},
sleepInterval: *sleep,


@@ -1,5 +1,5 @@
diff --git a/policy/pa.go b/policy/pa.go
index 7da498f3..e24663de 100644
index ff497a240..c21af1b23 100644
--- a/policy/pa.go
+++ b/policy/pa.go
@@ -32,6 +32,8 @@ type AuthorityImpl struct {
@@ -46,12 +46,12 @@ index 7da498f3..e24663de 100644
// * exactly equal to an IANA registered TLD
//
// It does _not_ check that the domain isn't on any PA blocked lists.
-func validDomain(domain string) error {
-func ValidDomain(domain string) error {
+func (pa *AuthorityImpl) ValidDomain(domain string) error {
if domain == "" {
return errEmptyName
}
@@ -286,6 +301,14 @@ func validDomain(domain string) error {
@@ -286,6 +301,14 @@ func ValidDomain(domain string) error {
}
}
@@ -79,7 +79,7 @@ index 7da498f3..e24663de 100644
}
splitEmail := strings.SplitN(email.Address, "@", -1)
domain := strings.ToLower(splitEmail[len(splitEmail)-1])
- err = validDomain(domain)
- err = ValidDomain(domain)
+ err = pa.ValidDomain(domain)
if err != nil {
return berrors.InvalidEmailError(
@@ -88,7 +88,7 @@ index 7da498f3..e24663de 100644
}
domain := id.Value
- err := validDomain(domain)
- err := ValidDomain(domain)
+ err := pa.ValidDomain(domain)
if err != nil {
return err


@@ -0,0 +1,31 @@
diff --git a/ratelimits/names.go b/ratelimits/names.go
index bb827e5e8..6e498bf6c 100644
--- a/ratelimits/names.go
+++ b/ratelimits/names.go
@@ -107,7 +107,11 @@ func validateRegIdDomain(id string) error {
return fmt.Errorf(
"invalid regId, %q must be formatted 'regId:domain'", id)
}
- if policy.ValidDomain(parts[1]) != nil {
+ pa, err := policy.New(nil, nil)
+ if err != nil {
+ return fmt.Errorf("cannot create policy authority implementation")
+ }
+ if pa.ValidDomain(parts[1]) != nil {
return fmt.Errorf(
"invalid domain, %q must be formatted 'regId:domain'", id)
}
@@ -132,8 +136,12 @@ func validateRegIdFQDNSet(id string) error {
return fmt.Errorf(
"invalid fqdnSet, %q must be formatted 'regId:fqdnSet'", id)
}
+ pa, err := policy.New(nil, nil)
+ if err != nil {
+ return fmt.Errorf("cannot create policy authority implementation")
+ }
for _, domain := range domains {
- if policy.ValidDomain(domain) != nil {
+ if pa.ValidDomain(domain) != nil {
return fmt.Errorf(
"invalid domain, %q must be formatted 'regId:fqdnSet'", id)
}
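Review bot: In validateRegIdDomain the error returned by `policy.New(nil, nil)` is thrown away — `return fmt.Errorf("cannot create policy authority implementation")` hides the cause; `return fmt.Errorf("creating policy authority: %w", err)` keeps it, and the same applies to the second hunk in validateRegIdFQDNSet. Building a fresh AuthorityImpl with nil arguments on every call is a consequence of the policy/pa.go patch in this commit turning the exported `ValidDomain` function into a method on `*AuthorityImpl`; if that move was made so ValidDomain can consult per-instance state, validation here presumably runs without that state and may accept or reject domains differently from the configured PA — worth confirming. Constructing the instance once (at package level, or supplied by the caller) would remove both the repetition and the per-call construction. Both enclosing functions start outside their hunks.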


@@ -2,7 +2,7 @@ diff --git a/test/config/ca-a.json b/test/config/ca-a.json
index 1233a9c95..3c4a0a3ca 100644
--- a/test/config/ca-a.json
+++ b/test/config/ca-a.json
@@ -71,30 +71,7 @@
@@ -61,30 +61,7 @@
"crlURL": "http://example.com/crl",
"location": {
"configFile": "test/test-ca.key-pkcs11.json",


@@ -2,7 +2,7 @@ diff --git a/test/config/ca-b.json b/test/config/ca-b.json
index 960d62f95..54b25dd81 100644
--- a/test/config/ca-b.json
+++ b/test/config/ca-b.json
@@ -71,30 +71,7 @@
@@ -61,30 +61,7 @@
"crlURL": "http://example.com/crl",
"location": {
"configFile": "test/test-ca.key-pkcs11.json",


@@ -1,5 +1,5 @@
diff --git a/crl/updater/updater.go b/crl/updater/updater.go
index cf58b3e6f..75ee6f338 100644
index 678f15ce9..df3cdc2f5 100644
--- a/crl/updater/updater.go
+++ b/crl/updater/updater.go
@@ -8,6 +8,7 @@ import (
@@ -10,7 +10,7 @@ index cf58b3e6f..75ee6f338 100644
"sort"
"strings"
"time"
@@ -128,6 +129,29 @@ func NewUpdater(
@@ -136,6 +137,29 @@ func NewUpdater(
// next scheduled run time based on the current time and the updateOffset, then
// begins running once every updatePeriod.
func (cu *crlUpdater) Run(ctx context.Context) error {
@@ -40,7 +40,7 @@ index cf58b3e6f..75ee6f338 100644
// We don't want the times at which crlUpdater runs to be dependent on when
// the process starts. So wait until the appropriate time before kicking off
// the first run and the main ticker loop.
@@ -149,7 +173,7 @@ func (cu *crlUpdater) Run(ctx context.Context) error {
@@ -157,7 +181,7 @@ func (cu *crlUpdater) Run(ctx context.Context) error {
// counting from the appropriate time.
ticker := time.NewTicker(cu.updatePeriod)
atTime := cu.clk.Now()
@@ -49,7 +49,7 @@ index cf58b3e6f..75ee6f338 100644
if err != nil {
// We only log, rather than return, so that the long-lived process can
// continue and try again at the next tick.
@@ -359,7 +383,7 @@ func (cu *crlUpdater) tickShard(ctx context.Context, atTime time.Time, issuerNam
@@ -398,7 +422,7 @@ func (cu *crlUpdater) tickShard(ctx context.Context, atTime time.Time, issuerNam
crlEntries = append(crlEntries, entry)
}