From 0cc6fb6b93dfc05df7750e889251935f1df31bd5 Mon Sep 17 00:00:00 2001 From: Arjan H Date: Mon, 14 Aug 2023 19:18:07 +0200 Subject: [PATCH] Bump boulder version to release-2023-08-14 --- .github/workflows/release.yml | 2 +- build/Dockerfile-boulder | 2 +- build/build.sh | 2 +- build/docker-compose.yml | 2 +- build/tmp.patch | 6 ++--- install | 2 +- patch-cfg.sh | 8 +++---- patch.sh | 1 + patches/bad-key-revoker_main.patch | 8 +++---- patches/boulder-va_main.patch | 21 +++++++---------- patches/cert-checker_main.patch | 20 ++++++++-------- patches/cmd_config.patch | 4 ++-- patches/config_crl-updater.patch | 15 ++++++------ patches/config_orphan-finder.patch | 15 ------------ patches/contact-auditor_main.patch | 6 ++--- patches/docker-compose-redis.patch | 34 ++++++++++++++++++++++------ patches/docker-compose.patch | 6 ++--- patches/expiration-mailer_main.patch | 8 +++---- patches/linter_linter.patch | 4 ++-- patches/notify-mailer_main.patch | 14 ++++++------ patches/policy_pa.patch | 10 ++++---- patches/ratelimits_names.patch | 31 +++++++++++++++++++++++++ patches/test_config_ca_a.patch | 2 +- patches/test_config_ca_b.patch | 2 +- patches/updater_updater.patch | 8 +++---- 25 files changed, 132 insertions(+), 101 deletions(-) delete mode 100644 patches/config_orphan-finder.patch create mode 100644 patches/ratelimits_names.patch diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e83b776..70ec5a4 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,7 +13,7 @@ jobs: fail-fast: false matrix: GO_VERSION: - - 1.20.6 + - 1.20.7 steps: - name: Checkout diff --git a/build/Dockerfile-boulder b/build/Dockerfile-boulder index deb289b..916b537 100644 --- a/build/Dockerfile-boulder +++ b/build/Dockerfile-boulder @@ -1,4 +1,4 @@ -FROM letsencrypt/boulder-tools:go1.20.5_2023-06-20 AS boulder-tools +FROM letsencrypt/boulder-tools:go1.20.7_2023-08-02 AS boulder-tools FROM ubuntu:focal 
diff --git a/build/build.sh b/build/build.sh index 384de27..60638ec 100755 --- a/build/build.sh +++ b/build/build.sh @@ -8,7 +8,7 @@ TMP_DIR=$(pwd)/tmp rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src} boulderDir=$TMP_DIR/src -boulderTag="release-2023-07-11" +boulderTag="release-2023-08-14" boulderUrl="https://github.com/letsencrypt/boulder/" cloneDir=$(pwd)/.. diff --git a/build/docker-compose.yml b/build/docker-compose.yml index 869b7d5..748d81c 100644 --- a/build/docker-compose.yml +++ b/build/docker-compose.yml @@ -74,7 +74,7 @@ services: restart: always bconsul: - image: hashicorp/consul:1.14.2 + image: hashicorp/consul:1.15.4 depends_on: - control volumes: diff --git a/build/tmp.patch b/build/tmp.patch index 0c670ba..b26ebf5 100644 --- a/build/tmp.patch +++ b/build/tmp.patch @@ -1,12 +1,12 @@ diff --git a/docker-compose.yml b/docker-compose.yml -index 81ece4913..869b7d5de 100644 +index df62bf8b..748d81cc 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -3,7 +3,7 @@ name: labca services: boulder: # Should match one of the GO_DEV_VERSIONS in test/boulder-tools/tag_and_upload.sh. -- image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.20.5_2023-06-20} +- image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.20.7_2023-08-02} + image: ghcr.io/hakwerk/labca-boulder:${LABCA_IMAGE_VERSION:-latest} environment: # To solve HTTP-01 and TLS-ALPN-01 challenges, change the IP in FAKE_DNS @@ -38,7 +38,7 @@ index 81ece4913..869b7d5de 100644 @@ -77,8 +75,10 @@ services: bconsul: - image: hashicorp/consul:1.14.2 + image: hashicorp/consul:1.15.4 + depends_on: + - control volumes: diff --git a/install b/install index ef01c04..764fb16 100755 --- a/install +++ b/install @@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0" labcaUrl="https://github.com/hakwerk/labca/" boulderUrl="https://github.com/letsencrypt/boulder/" -boulderTag="release-2023-07-11" +boulderTag="release-2023-08-14" # Feature flags flag_skip_redis=true 
diff --git a/patch-cfg.sh b/patch-cfg.sh
index 24b4281..c6bf32e 100755
--- a/patch-cfg.sh
+++ b/patch-cfg.sh
@@ -24,16 +24,15 @@ $SUDO patch -p1 -o "$boulderLabCADir/config/bad-key-revoker.json" < $cloneDir/pa $SUDO patch -p1 -o "$boulderLabCADir/config/ocsp-responder.json" < $cloneDir/patches/config_ocsp-responder.patch $SUDO patch -p1 -o "$boulderLabCADir/config/publisher.json" < $cloneDir/patches/config_publisher.patch $SUDO patch -p1 -o "$boulderLabCADir/config/wfe2.json" < $cloneDir/patches/config_wfe2.patch -$SUDO patch -p1 -o "$boulderLabCADir/config/orphan-finder.json" < $cloneDir/patches/config_orphan-finder.patch $SUDO patch -p1 -o "$boulderLabCADir/config/crl-storer.json" < $cloneDir/patches/config_crl-storer.patch $SUDO patch -p1 -o "$boulderLabCADir/config/crl-updater.json" < $cloneDir/patches/config_crl-updater.patch $SUDO patch -p1 -o "$boulderLabCADir/config/ra.json" < $cloneDir/patches/config_ra.patch $SUDO patch -p1 -o "$boulderLabCADir/config/akamai-purger.json" < $cloneDir/patches/config_akamai-purger.patch cp test/config/va*.json "$boulderLabCADir/config/" -perl -i -p0e "s/\"dnsResolver\": \"service.consul\",/\"dnsResolvers\": [\n \"127.0.0.1:8053\",\n \"127.0.0.1:8054\"\n ],/igs" $boulderLabCADir/config/va.json -perl -i -p0e "s/\"dnsResolver\": \"service.consul\",/\"dnsResolvers\": [\n \"127.0.0.1:8053\",\n \"127.0.0.1:8054\"\n ],/igs" $boulderLabCADir/config/va-remote-a.json -perl -i -p0e "s/\"dnsResolver\": \"service.consul\",/\"dnsResolvers\": [\n \"127.0.0.1:8053\",\n \"127.0.0.1:8054\"\n ],/igs" $boulderLabCADir/config/va-remote-b.json +perl -i -p0e "s/\"dnsProvider\": {.*?\t\t},/\"dnsResolvers\": [\n\t\t\t\"127.0.0.1:8053\",\n\t\t\t\"127.0.0.1:8054\"\n\t\t],/igs" $boulderLabCADir/config/va.json +perl -i -p0e "s/\"dnsProvider\": {.*?\t\t},/\"dnsResolvers\": [\n\t\t\t\"127.0.0.1:8053\",\n\t\t\t\"127.0.0.1:8054\"\n\t\t],/igs" $boulderLabCADir/config/va-remote-a.json +perl -i -p0e "s/\"dnsProvider\": {.*?\t\t},/\"dnsResolvers\": [\n\t\t\t\"127.0.0.1:8053\",\n\t\t\t\"127.0.0.1:8054\"\n\t\t],/igs" $boulderLabCADir/config/va-remote-b.json if [ 
"$flag_skip_redis" == true ]; then perl -i -p0e "s/\n \"redis\": \{\n.*? \},//igs" $boulderLabCADir/config/ocsp-responder.json @@ -51,7 +50,6 @@ sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/o sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/publisher.json sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ra.json sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/wfe2.json -sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/orphan-finder.json sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/crl-storer.json sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/crl-updater.json sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ra.json diff --git a/patch.sh b/patch.sh index dcfca6a..e101c83 100755 --- a/patch.sh +++ b/patch.sh @@ -43,6 +43,7 @@ $SUDO patch -p1 < $cloneDir/patches/ocsp-responder_main.patch $SUDO patch -p1 < $cloneDir/patches/policy_pa.patch $SUDO patch -p1 < $cloneDir/patches/ra_ra.patch $SUDO patch -p1 < $cloneDir/patches/ratelimit_rate-limits.patch +$SUDO patch -p1 < $cloneDir/patches/ratelimits_names.patch $SUDO patch -p1 < $cloneDir/patches/reloader_reloader.patch $SUDO patch -p1 < $cloneDir/patches/startservers.patch if [ "$SUDO" == "" ]; then diff --git a/patches/bad-key-revoker_main.patch b/patches/bad-key-revoker_main.patch index bcdcc5f..dbdd987 100644 --- a/patches/bad-key-revoker_main.patch +++ b/patches/bad-key-revoker_main.patch @@ -1,5 +1,5 @@ diff --git a/cmd/bad-key-revoker/main.go b/cmd/bad-key-revoker/main.go -index 527d4d36a..b2c0fa411 100644 +index 052e46819..d1c96b7ca 100644 --- a/cmd/bad-key-revoker/main.go +++ b/cmd/bad-key-revoker/main.go @@ -18,6 +18,7 @@ import ( 
@@ -10,7 +10,7 @@ index 527d4d36a..b2c0fa411 100644 "github.com/letsencrypt/boulder/cmd" "github.com/letsencrypt/boulder/config" "github.com/letsencrypt/boulder/core" -@@ -392,6 +393,11 @@ type Config struct { +@@ -396,6 +397,11 @@ type Config struct { TLS cmd.TLSConfig RAService *cmd.GRPCClientConfig @@ -22,7 +22,7 @@ index 527d4d36a..b2c0fa411 100644 // MaximumRevocations specifies the maximum number of certificates associated with // a key hash that bad-key-revoker will attempt to revoke. If the number of certificates // is higher than MaximumRevocations bad-key-revoker will error out and refuse to -@@ -457,6 +463,29 @@ func main() { +@@ -461,6 +467,29 @@ func main() { cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to RA") rac := rapb.NewRegistrationAuthorityClient(conn) @@ -52,7 +52,7 @@ index 527d4d36a..b2c0fa411 100644 var smtpRoots *x509.CertPool if config.BadKeyRevoker.Mailer.SMTPTrustedRootFile != "" { pem, err := os.ReadFile(config.BadKeyRevoker.Mailer.SMTPTrustedRootFile) -@@ -478,6 +507,7 @@ func main() { +@@ -482,6 +511,7 @@ func main() { config.BadKeyRevoker.Mailer.Username, smtpPassword, smtpRoots, diff --git a/patches/boulder-va_main.patch b/patches/boulder-va_main.patch index eeb0340..b3feb1e 100644 --- a/patches/boulder-va_main.patch +++ b/patches/boulder-va_main.patch @@ -1,29 +1,24 @@ diff --git a/cmd/boulder-va/main.go b/cmd/boulder-va/main.go -index 8994b9b20..a0f0f9aa6 100644 +index 1c998bc97..0665bdf4b 100644 --- a/cmd/boulder-va/main.go 
+++ b/cmd/boulder-va/main.go -@@ -27,8 +27,9 @@ type Config struct { +@@ -27,7 +27,8 @@ type Config struct { // before giving up. May be short-circuited by deadlines. A zero value // will be turned into 1. DNSTries int -- DNSResolver string `validate:"required_without=DNSProvider,excluded_with=DNSProvider,omitempty,hostname|hostname_port"` -- DNSProvider *cmd.DNSProvider `validate:"required_without=DNSResolver,excluded_with=DNSResolver,omitempty"` -+ DNSResolver string `validate:"omitempty,hostname|hostname_port"` +- DNSProvider *cmd.DNSProvider `validate:"required"` + DNSResolvers []string + DNSProvider *cmd.DNSProvider `validate:"omitempty"` DNSTimeout config.Duration `validate:"required"` DNSAllowLoopbackAddresses bool -@@ -87,7 +88,7 @@ func main() { - cmd.Fail("Cannot specify both 'dnsResolver' and dnsProvider") +@@ -80,13 +81,18 @@ func main() { } + clk := cmd.Clock() -- if c.VA.DNSResolver == "" && c.VA.DNSProvider == nil { -+ if c.VA.DNSResolver == "" && c.VA.DNSProvider == nil && len(c.VA.DNSResolvers) == 0 { - cmd.Fail("Must specify either 'dnsResolver' or dnsProvider") - } - -@@ -100,8 +101,13 @@ func main() { +- if c.VA.DNSProvider == nil { ++ if c.VA.DNSProvider == nil && len(c.VA.DNSResolvers) == 0 { + cmd.Fail("Must specify dnsProvider") } var servers bdns.ServerProvider diff --git a/patches/cert-checker_main.patch b/patches/cert-checker_main.patch index 9194ccf..71db4c5 100644 --- a/patches/cert-checker_main.patch +++ b/patches/cert-checker_main.patch @@ -1,8 +1,8 @@ diff --git a/cmd/cert-checker/main.go b/cmd/cert-checker/main.go -index 1dbc8fadf..442f34e69 100644 +index 199f40706..d1611a824 100644 --- a/cmd/cert-checker/main.go +++ b/cmd/cert-checker/main.go -@@ -101,6 +101,7 @@ type certChecker struct { +@@ -108,6 +108,7 @@ type certChecker struct { checkPeriod time.Duration acceptableValidityDurations map[time.Duration]bool logger blog.Logger 
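Review bot: The new `DNSResolvers []string` field in the Config hunk carries no `validate` tag, while the `DNSResolver` field this patch previously added was checked as `hostname|hostname_port`, so a malformed resolver entry now passes config validation and only surfaces when the VA tries to use it; I would add the struct tag `validate:"omitempty,dive,hostname|hostname_port"` (assuming Boulder's config validation is go-playground/validator, where `dive` applies the rule to each element). The failure message kept as context, `cmd.Fail("Must specify dnsProvider")`, is now wrong because `dnsResolvers` alone satisfies the check; change it to `cmd.Fail("Must specify either 'dnsResolvers' or 'dnsProvider'")`. The previous version of this patch rejected both being set and this one does not, so which one wins when both are configured is decided by the `var servers` assignment that continues past the end of the hunk. main's body starts and ends outside the hunk.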
@@ -10,15 +10,15 @@ index 1dbc8fadf..442f34e69 100644 } func newChecker(saDbMap certDB, -@@ -110,6 +111,7 @@ func newChecker(saDbMap certDB, +@@ -117,6 +118,7 @@ func newChecker(saDbMap certDB, period time.Duration, avd map[time.Duration]bool, logger blog.Logger, + sfd bool, ) certChecker { - return certChecker{ - pa: pa, -@@ -122,6 +124,7 @@ func newChecker(saDbMap certDB, + precertGetter := func(ctx context.Context, serial string) ([]byte, error) { + precertPb, err := sa.SelectPrecertificate(ctx, saDbMap, serial) +@@ -137,6 +139,7 @@ func newChecker(saDbMap certDB, checkPeriod: period, acceptableValidityDurations: avd, logger: logger, @@ -26,7 +26,7 @@ index 1dbc8fadf..442f34e69 100644 } } -@@ -348,7 +351,7 @@ func (c *certChecker) checkCert(cert core.Certificate, ignoredLints map[string]b +@@ -365,7 +368,7 @@ func (c *certChecker) checkCert(ctx context.Context, cert core.Certificate, igno err = c.pa.WillingToIssueWildcards([]identifier.ACMEIdentifier{id}) if err != nil { problems = append(problems, fmt.Sprintf("Policy Authority isn't willing to issue for '%s': %s", name, err)) @@ -35,7 +35,7 @@ index 1dbc8fadf..442f34e69 100644 // For defense-in-depth, even if the PA was willing to issue for a name // we double check it against a list of forbidden domains. This way even // if the hostnamePolicyFile malfunctions we will flag the forbidden -@@ -410,10 +413,11 @@ type Config struct { +@@ -441,10 +444,11 @@ type Config struct { DB cmd.DBConfig cmd.HostnamePolicyConfig @@ -51,7 +51,7 @@ index 1dbc8fadf..442f34e69 100644 // AcceptableValidityDurations is a list of durations which are // acceptable for certificates we issue. -@@ -479,6 +483,8 @@ func main() { +@@ -510,6 +514,8 @@ func main() { acceptableValidityDurations[ninetyDays] = true } 
@@ -60,7 +60,7 @@ index 1dbc8fadf..442f34e69 100644 // Validate PA config and set defaults if needed. cmd.FailOnError(config.PA.CheckChallenges(), "Invalid PA configuration") -@@ -519,6 +525,7 @@ func main() { +@@ -550,6 +556,7 @@ func main() { config.CertChecker.CheckPeriod.Duration, acceptableValidityDurations, logger, diff --git a/patches/cmd_config.patch b/patches/cmd_config.patch index c6823f4..a3fe767 100644 --- a/patches/cmd_config.patch +++ b/patches/cmd_config.patch @@ -1,8 +1,8 @@ diff --git a/cmd/config.go b/cmd/config.go -index 18213cf51..a612afd18 100644 +index 62c99005a..6794a9712 100644 --- a/cmd/config.go +++ b/cmd/config.go -@@ -464,7 +464,7 @@ type GRPCServerConfig struct { +@@ -449,7 +449,7 @@ type GRPCServerConfig struct { // this controls how long it takes before a client learns about changes to its // backends. // https://pkg.go.dev/google.golang.org/grpc/keepalive#ServerParameters diff --git a/patches/config_crl-updater.patch b/patches/config_crl-updater.patch index 5f82612..88ceb0b 100644 --- a/patches/config_crl-updater.patch +++ b/patches/config_crl-updater.patch @@ -2,7 +2,7 @@ diff --git a/test/config/crl-updater.json b/test/config/crl-updater.json index f6b70123f..a6c1471e5 100644 --- a/test/config/crl-updater.json +++ b/test/config/crl-updater.json -@@ -22,15 +22,15 @@ +@@ -22,16 +22,14 @@ "hostOverride": "crl-storer.boulder" }, "issuerCerts": [ @@ -12,16 +12,17 @@ index f6b70123f..a6c1471e5 100644 + "/hierarchy/intermediate-cert-rsa-a.pem" ], - "numShards": 10, -+ "numShards": 1, - "certificateLifetime": "2160h", +- "shardWidth": "240h", +- "lookbackPeriod": "24h", - "updatePeriod": "6h", - "updateOffset": "9120s", -- "maxParallelism": 10 +- "maxParallelism": 10, ++ "numShards": 1, + "shardWidth": "24h", + "lookbackPeriod": "96h", + "updatePeriod": "24h", + "updateOffset": "5m", -+ "maxParallelism": 1 ++ "maxParallelism": 1, + "maxAttempts": 5, + "features": {} }, - "syslog": { - "stdoutlevel": 6, 
diff --git a/patches/config_orphan-finder.patch b/patches/config_orphan-finder.patch deleted file mode 100644 index 0c51ca1..0000000 --- a/patches/config_orphan-finder.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff --git a/test/config/orphan-finder.json b/test/config/orphan-finder.json -index 5497f8f1..8f91fd59 100644 ---- a/test/config/orphan-finder.json -+++ b/test/config/orphan-finder.json -@@ -1,9 +1,7 @@ - { - "backdate": "1h", - "issuerCerts": [ -- "/hierarchy/intermediate-cert-rsa-a.pem", -- "/hierarchy/intermediate-cert-rsa-b.pem", -- "/hierarchy/intermediate-cert-ecdsa-a.pem" -+ "/hierarchy/intermediate-cert-rsa-a.pem" - ], - "syslog": { - "stdoutlevel": 7, diff --git a/patches/contact-auditor_main.patch b/patches/contact-auditor_main.patch index ac6c751..7b90dcd 100644 --- a/patches/contact-auditor_main.patch +++ b/patches/contact-auditor_main.patch @@ -1,8 +1,8 @@ diff --git a/cmd/contact-auditor/main.go b/cmd/contact-auditor/main.go -index 419182fe..d77270cd 100644 +index a20560b6f..ac0d567f8 100644 --- a/cmd/contact-auditor/main.go +++ b/cmd/contact-auditor/main.go -@@ -11,6 +11,7 @@ import ( +@@ -12,6 +12,7 @@ import ( "time" "github.com/letsencrypt/boulder/cmd" @@ -10,7 +10,7 @@ index 419182fe..d77270cd 100644 "github.com/letsencrypt/boulder/db" blog "github.com/letsencrypt/boulder/log" "github.com/letsencrypt/boulder/policy" -@@ -49,9 +50,13 @@ func validateContacts(id int64, createdAt string, contacts []string) error { +@@ -50,9 +51,13 @@ func validateContacts(id int64, createdAt string, contacts []string) error { fmt.Fprintf(&probsBuff, "%d\t%s\tvalidation\t%q\t%q\t%q\n", id, createdAt, contact, prob, contacts) } diff --git a/patches/docker-compose-redis.patch b/patches/docker-compose-redis.patch index 24c2f0b..7108a9f 100644 --- a/patches/docker-compose-redis.patch +++ b/patches/docker-compose-redis.patch @@ -1,5 +1,5 @@ diff --git a/docker-compose.yml b/docker-compose.yml -index f7c4e45c0..59f5423d4 100644 +index 5be626d6..4c28fe96 100644 
--- a/docker-compose.yml +++ b/docker-compose.yml @@ -22,8 +22,6 @@ services: @@ -11,16 +11,18 @@ index f7c4e45c0..59f5423d4 100644 consulnet: ipv4_address: 10.55.55.55 # Use consul as a backup to Docker's embedded DNS server. If there's a name -@@ -42,8 +40,6 @@ services: +@@ -42,10 +40,6 @@ services: depends_on: - bmysql - bproxysql - - bredis_1 - - bredis_2 +- - bredis_3 +- - bredis_4 - bconsul - bjaeger entrypoint: test/entrypoint.sh -@@ -81,24 +77,6 @@ services: +@@ -83,42 +77,6 @@ services: aliases: - boulder-proxysql @@ -28,7 +30,7 @@ index f7c4e45c0..59f5423d4 100644 - image: redis:6.2.7 - volumes: - - ./test/:/test/:cached -- command: redis-server /test/redis.config +- command: redis-server /test/redis-ocsp.config - networks: - redisnet: - ipv4_address: 10.33.33.2 @@ -37,15 +39,33 @@ index f7c4e45c0..59f5423d4 100644 - image: redis:6.2.7 - volumes: - - ./test/:/test/:cached -- command: redis-server /test/redis.config +- command: redis-server /test/redis-ocsp.config - networks: - redisnet: - ipv4_address: 10.33.33.3 +- +- bredis_3: +- image: redis:6.2.7 +- volumes: +- - ./test/:/test/:cached +- command: redis-server /test/redis-ratelimits.config +- networks: +- redisnet: +- ipv4_address: 10.33.33.4 +- +- bredis_4: +- image: redis:6.2.7 +- volumes: +- - ./test/:/test/:cached +- command: redis-server /test/redis-ratelimits.config +- networks: +- redisnet: +- ipv4_address: 10.33.33.5 - bconsul: - image: hashicorp/consul:1.14.2 + image: hashicorp/consul:1.15.4 volumes: -@@ -148,13 +126,6 @@ networks: +@@ -168,13 +126,6 @@ networks: config: - subnet: 10.88.88.0/24 diff --git a/patches/docker-compose.patch b/patches/docker-compose.patch index a341716..51a437f 100644 --- a/patches/docker-compose.patch +++ b/patches/docker-compose.patch @@ -1,5 +1,5 @@ diff --git a/docker-compose.yml b/docker-compose.yml -index 59f5423d4..81ece4913 100644 +index 4c28fe96..df62bf8b 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,4 +1,5 @@ 
@@ -67,7 +67,7 @@ index 59f5423d4..81ece4913 100644 logging: - driver: none - bproxysql: -- image: proxysql/proxysql:2.5.2 +- image: proxysql/proxysql:2.5.4 - # The --initial flag force resets the ProxySQL database on startup. By - # default, ProxySQL ignores new configuration if the database already - # exists. Without this flag, new configuration wouldn't be applied until you @@ -88,7 +88,7 @@ index 59f5423d4..81ece4913 100644 + restart: always bconsul: - image: hashicorp/consul:1.14.2 + image: hashicorp/consul:1.15.4 @@ -89,27 +87,73 @@ services: rednet: ipv4_address: 10.88.88.10 diff --git a/patches/expiration-mailer_main.patch b/patches/expiration-mailer_main.patch index 3e720bb..403c6d1 100644 --- a/patches/expiration-mailer_main.patch +++ b/patches/expiration-mailer_main.patch @@ -1,5 +1,5 @@ diff --git a/cmd/expiration-mailer/main.go b/cmd/expiration-mailer/main.go -index d41bc5a0b..cde94e5a0 100644 +index 1d7ccde3f..271813b5f 100644 --- a/cmd/expiration-mailer/main.go +++ b/cmd/expiration-mailer/main.go @@ -23,6 +23,7 @@ import ( @@ -19,7 +19,7 @@ index d41bc5a0b..cde94e5a0 100644 ) type regStore interface { -@@ -685,6 +686,11 @@ type Config struct { +@@ -688,6 +689,11 @@ type Config struct { TLS cmd.TLSConfig SAService *cmd.GRPCClientConfig @@ -31,7 +31,7 @@ index d41bc5a0b..cde94e5a0 100644 // Path to a file containing a list of trusted root certificates for use // during the SMTP connection (as opposed to the gRPC connections). SMTPTrustedRootFile string -@@ -833,6 +839,29 @@ func main() { +@@ -836,6 +842,29 @@ func main() { cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA") sac := sapb.NewStorageAuthorityClient(conn) @@ -61,7 +61,7 @@ index d41bc5a0b..cde94e5a0 100644 var smtpRoots *x509.CertPool if c.Mailer.SMTPTrustedRootFile != "" { pem, err := os.ReadFile(c.Mailer.SMTPTrustedRootFile) -@@ -868,6 +897,7 @@ func main() { +@@ -871,6 +900,7 @@ func main() { c.Mailer.Username, smtpPassword, smtpRoots, 
diff --git a/patches/linter_linter.patch b/patches/linter_linter.patch index 36263aa..de5c944 100644 --- a/patches/linter_linter.patch +++ b/patches/linter_linter.patch @@ -1,8 +1,8 @@ diff --git a/linter/linter.go b/linter/linter.go -index 7310ef9d4..e179415d1 100644 +index cf8c93cad..76d3c7dab 100644 --- a/linter/linter.go +++ b/linter/linter.go -@@ -155,10 +155,21 @@ func makeIssuer(realIssuer *x509.Certificate, lintSigner crypto.Signer) (*x509.C +@@ -184,10 +184,21 @@ func makeIssuer(realIssuer *x509.Certificate, lintSigner crypto.Signer) (*x509.C SubjectKeyId: realIssuer.SubjectKeyId, URIs: realIssuer.URIs, UnknownExtKeyUsage: realIssuer.UnknownExtKeyUsage, diff --git a/patches/notify-mailer_main.patch b/patches/notify-mailer_main.patch index f5e9c3a..968eebb 100644 --- a/patches/notify-mailer_main.patch +++ b/patches/notify-mailer_main.patch @@ -1,8 +1,8 @@ diff --git a/cmd/notify-mailer/main.go b/cmd/notify-mailer/main.go -index e4b9ef739..7fd57e8f2 100644 +index 8794a4b42..fc874549e 100644 --- a/cmd/notify-mailer/main.go +++ b/cmd/notify-mailer/main.go -@@ -36,6 +36,7 @@ type mailer struct { +@@ -37,6 +37,7 @@ type mailer struct { recipients []recipient targetRange interval sleepInterval time.Duration @@ -10,7 +10,7 @@ index e4b9ef739..7fd57e8f2 100644 parallelSends uint } -@@ -200,7 +201,7 @@ func (m *mailer) run() error { +@@ -201,7 +202,7 @@ func (m *mailer) run(ctx context.Context) error { continue } @@ -19,7 +19,7 @@ index e4b9ef739..7fd57e8f2 100644 if err != nil { m.log.Infof("Skipping %q due to policy violation: %s", w.address, err) continue -@@ -501,7 +502,9 @@ type Config struct { +@@ -502,7 +503,9 @@ type Config struct { NotifyMailer struct { DB cmd.DBConfig cmd.SMTPConfig @@ -29,7 +29,7 @@ index e4b9ef739..7fd57e8f2 100644 Syslog cmd.SyslogConfig } -@@ -568,6 +571,15 @@ func main() { +@@ -569,6 +572,15 @@ func main() { log.Infof("While reading the recipient list file %s", probs) } 
@@ -45,7 +45,7 @@ index e4b9ef739..7fd57e8f2 100644 var mailClient bmail.Mailer if *dryRun { log.Infof("Starting %s in dry-run mode", cmd.VersionString()) -@@ -583,6 +595,7 @@ func main() { +@@ -584,6 +596,7 @@ func main() { cfg.NotifyMailer.Username, smtpPassword, nil, @@ -53,7 +53,7 @@ index e4b9ef739..7fd57e8f2 100644 *address, log, metrics.NoopRegisterer, -@@ -603,6 +616,7 @@ func main() { +@@ -604,6 +617,7 @@ func main() { end: *end, }, sleepInterval: *sleep, diff --git a/patches/policy_pa.patch b/patches/policy_pa.patch index b89ca5c..fdad6fc 100644 --- a/patches/policy_pa.patch +++ b/patches/policy_pa.patch @@ -1,5 +1,5 @@ diff --git a/policy/pa.go b/policy/pa.go -index 7da498f3..e24663de 100644 +index ff497a240..c21af1b23 100644 --- a/policy/pa.go +++ b/policy/pa.go @@ -32,6 +32,8 @@ type AuthorityImpl struct { @@ -46,12 +46,12 @@ index 7da498f3..e24663de 100644 // * exactly equal to an IANA registered TLD // // It does _not_ check that the domain isn't on any PA blocked lists. --func validDomain(domain string) error { +-func ValidDomain(domain string) error { +func (pa *AuthorityImpl) ValidDomain(domain string) error { if domain == "" { return errEmptyName } -@@ -286,6 +301,14 @@ func validDomain(domain string) error { +@@ -286,6 +301,14 @@ func ValidDomain(domain string) error { } } @@ -79,7 +79,7 @@ index 7da498f3..e24663de 100644 } splitEmail := strings.SplitN(email.Address, "@", -1) domain := strings.ToLower(splitEmail[len(splitEmail)-1]) -- err = validDomain(domain) +- err = ValidDomain(domain) + err = pa.ValidDomain(domain) if err != nil { return berrors.InvalidEmailError( @@ -88,7 +88,7 @@ index 7da498f3..e24663de 100644 } domain := id.Value -- err := validDomain(domain) +- err := ValidDomain(domain) + err := pa.ValidDomain(domain) if err != nil { return err diff --git a/patches/ratelimits_names.patch b/patches/ratelimits_names.patch new file mode 100644 index 0000000..44a590a --- /dev/null +++ b/patches/ratelimits_names.patch 
@@ -0,0 +1,31 @@ +diff --git a/ratelimits/names.go b/ratelimits/names.go +index bb827e5e8..6e498bf6c 100644 +--- a/ratelimits/names.go ++++ b/ratelimits/names.go +@@ -107,7 +107,11 @@ func validateRegIdDomain(id string) error { + return fmt.Errorf( + "invalid regId, %q must be formatted 'regId:domain'", id) + } +- if policy.ValidDomain(parts[1]) != nil { ++ pa, err := policy.New(nil, nil) ++ if err != nil { ++ return fmt.Errorf("cannot create policy authority implementation") ++ } ++ if pa.ValidDomain(parts[1]) != nil { + return fmt.Errorf( + "invalid domain, %q must be formatted 'regId:domain'", id) + } +@@ -132,8 +136,12 @@ func validateRegIdFQDNSet(id string) error { + return fmt.Errorf( + "invalid fqdnSet, %q must be formatted 'regId:fqdnSet'", id) + } ++ pa, err := policy.New(nil, nil) ++ if err != nil { ++ return fmt.Errorf("cannot create policy authority implementation") ++ } + for _, domain := range domains { +- if policy.ValidDomain(domain) != nil { ++ if pa.ValidDomain(domain) != nil { + return fmt.Errorf( + "invalid domain, %q must be formatted 'regId:fqdnSet'", id) + } diff --git a/patches/test_config_ca_a.patch b/patches/test_config_ca_a.patch index 0b8a80c..50c7f10 100644 --- a/patches/test_config_ca_a.patch +++ b/patches/test_config_ca_a.patch @@ -2,7 +2,7 @@ diff --git a/test/config/ca-a.json b/test/config/ca-a.json index 1233a9c95..3c4a0a3ca 100644 --- a/test/config/ca-a.json +++ b/test/config/ca-a.json -@@ -71,30 +71,7 @@ +@@ -61,30 +61,7 @@ "crlURL": "http://example.com/crl", "location": { "configFile": "test/test-ca.key-pkcs11.json", diff --git a/patches/test_config_ca_b.patch b/patches/test_config_ca_b.patch index 1f4576b..ff16c86 100644 --- a/patches/test_config_ca_b.patch +++ b/patches/test_config_ca_b.patch @@ -2,7 +2,7 @@ diff --git a/test/config/ca-b.json b/test/config/ca-b.json index 960d62f95..54b25dd81 100644 --- a/test/config/ca-b.json 
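Review bot: Both new `policy.New(nil, nil)` call sites drop the returned `err` when building the failure, so an operator only ever sees "cannot create policy authority implementation" with no cause; wrap it instead: `return fmt.Errorf("creating policy authority: %w", err)`. A fresh PA is also constructed on every id validation with nil policy inputs, so whatever extra checks the LabCA `ValidDomain` method performs against PA state (added in policy_pa.patch, not visible here) run against zero values and may accept or reject names differently from the running PA — if that is intended, a comment on the call saying so would help; otherwise build the PA once at package level or pass it in. Both validateRegIdDomain and validateRegIdFQDNSet begin and end outside the hunk.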
+++ b/test/config/ca-b.json -@@ -71,30 +71,7 @@ +@@ -61,30 +61,7 @@ "crlURL": "http://example.com/crl", "location": { "configFile": "test/test-ca.key-pkcs11.json", diff --git a/patches/updater_updater.patch b/patches/updater_updater.patch index b19cf0e..660e697 100644 --- a/patches/updater_updater.patch +++ b/patches/updater_updater.patch @@ -1,5 +1,5 @@ diff --git a/crl/updater/updater.go b/crl/updater/updater.go -index cf58b3e6f..75ee6f338 100644 +index 678f15ce9..df3cdc2f5 100644 --- a/crl/updater/updater.go +++ b/crl/updater/updater.go @@ -8,6 +8,7 @@ import ( @@ -10,7 +10,7 @@ index cf58b3e6f..75ee6f338 100644 "sort" "strings" "time" -@@ -128,6 +129,29 @@ func NewUpdater( +@@ -136,6 +137,29 @@ func NewUpdater( // next scheduled run time based on the current time and the updateOffset, then // begins running once every updatePeriod. func (cu *crlUpdater) Run(ctx context.Context) error { @@ -40,7 +40,7 @@ index cf58b3e6f..75ee6f338 100644 // We don't want the times at which crlUpdater runs to be dependent on when // the process starts. So wait until the appropriate time before kicking off // the first run and the main ticker loop. -@@ -149,7 +173,7 @@ func (cu *crlUpdater) Run(ctx context.Context) error { +@@ -157,7 +181,7 @@ func (cu *crlUpdater) Run(ctx context.Context) error { // counting from the appropriate time. ticker := time.NewTicker(cu.updatePeriod) atTime := cu.clk.Now() @@ -49,7 +49,7 @@ index cf58b3e6f..75ee6f338 100644 if err != nil { // We only log, rather than return, so that the long-lived process can // continue and try again at the next tick. -@@ -359,7 +383,7 @@ func (cu *crlUpdater) tickShard(ctx context.Context, atTime time.Time, issuerNam +@@ -398,7 +422,7 @@ func (cu *crlUpdater) tickShard(ctx context.Context, atTime time.Time, issuerNam crlEntries = append(crlEntries, entry) }