Bump boulder version to release-2025-05-27

Arjan H
2025-05-31 12:29:07 +02:00
parent 6253a01061
commit 0febdd24e6
42 changed files with 481 additions and 193 deletions


@@ -1,21 +1,20 @@
# syntax=docker/dockerfile:1
FROM letsencrypt/boulder-tools:go1.24.1_2025-03-10 AS boulder-tools
FROM letsencrypt/boulder-tools:go1.24.1_2025-04-30 AS boulder-tools
FROM ubuntu:focal
FROM ubuntu:noble
RUN apt-get update && \
apt-get install -y --no-install-recommends \
ca-certificates \
mariadb-client-core-10.3 \
mariadb-client-core \
net-tools \
python3-pip \
rsyslog \
softhsm2 \
&& rm -rf /var/lib/apt/lists/* \
&& pip3 install requests
&& pip3 install --break-system-packages requests
COPY --from=boulder-tools /usr/local/bin/sql-migrate /usr/local/bin/sql-migrate
COPY --from=boulder-tools /usr/local/bin/pebble-challtestsrv /usr/local/bin/pebble-challtestsrv
COPY --from=boulder-tools /usr/local/bin/minica /usr/local/bin/minica
COPY tmp/bin /opt/boulder/bin
COPY tmp/src/start.py /opt/boulder
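Review bot: `pip3 install --break-system-packages requests` on the last line of the RUN overrides the PEP 668 guard that noble's system Python sets, and installs an unpinned package into the system site-packages after the apt lists have already been purged. The same dependency is packaged on noble: replace `python3-pip \` in the package list with `python3-requests \` and drop the `&& pip3 install --break-system-packages requests` line, which also keeps pip out of the runtime image. If start.py needs a newer requests than the distro ships, a `python3 -m venv` with a pinned `requests==<version>` would avoid the override instead. The base image is still only tag-pinned (`ubuntu:noble`); a digest pin would make rebuilds reproducible.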


@@ -1,7 +1,7 @@
# syntax=docker/dockerfile:1
FROM letsencrypt/boulder-tools:go1.23.1_2024-09-05 AS boulder-tools
FROM letsencrypt/boulder-tools:go1.24.1_2025-04-30 AS boulder-tools
FROM ubuntu:focal as builder
FROM ubuntu:noble AS builder
RUN export DEBIAN_FRONTEND=noninteractive \
&& apt-get update \
@@ -29,7 +29,7 @@ RUN export DEBIAN_FRONTEND=noninteractive \
fi \
&& rm -rf /var/lib/apt/lists/*
FROM ubuntu:focal
FROM ubuntu:noble
RUN export DEBIAN_FRONTEND=noninteractive \
&& apt update \


@@ -1,5 +1,5 @@
# syntax=docker/dockerfile:1
FROM ubuntu:focal AS builder
FROM ubuntu:noble AS builder
RUN export DEBIAN_FRONTEND=noninteractive \
&& apt-get update \
@@ -27,7 +27,7 @@ RUN export DEBIAN_FRONTEND=noninteractive \
fi \
&& rm -rf /var/lib/apt/lists/*
FROM ubuntu:focal
FROM ubuntu:noble
RUN apt-get update && \
apt-get install -y --no-install-recommends \


@@ -1,5 +1,5 @@
# syntax=docker/dockerfile:1
FROM ubuntu:24.04
FROM ubuntu:noble
ARG TARGETARCH


@@ -8,7 +8,7 @@ TMP_DIR=$(pwd)/tmp
rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src}
boulderDir=$TMP_DIR/src
boulderTag="release-2025-03-18"
boulderTag="release-2025-05-27"
boulderUrl="https://github.com/letsencrypt/boulder/"
cloneDir=$(pwd)/..


@@ -46,6 +46,9 @@ services:
# we can put that name inside our integration test certs (e.g. as a crl
# url) and have it look like a publicly-accessible name.
- "ca.example.org:10.77.77.77"
# Allow the boulder container to be reached as "integration.trust", for
# similar reasons, but intended for use as a SAN rather than a CRLDP.
- "integration.trust:10.77.77.77"
ports:
- 4001:4001 # ACMEv2
- 4002:4002 # OCSP
@@ -177,7 +180,7 @@ services:
restart: always
bpkimetal:
image: ghcr.io/pkimetal/pkimetal:v1.19.0
image: ghcr.io/pkimetal/pkimetal:v1.20.0
networks:
bouldernet:
ipv4_address: 10.77.77.9


@@ -1,5 +1,5 @@
diff --git a/docker-compose.yml b/docker-compose.yml
index 6e06c3578..fc25e3b88 100644
index e981e30ec..cf6585c65 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -4,7 +4,7 @@ services:
@@ -27,7 +27,7 @@ index 6e06c3578..fc25e3b88 100644
networks:
bouldernet:
ipv4_address: 10.77.77.77
@@ -87,7 +86,8 @@ services:
@@ -90,7 +89,8 @@ services:
bredis:
image: redis:6.2.7
volumes:
@@ -37,7 +37,7 @@ index 6e06c3578..fc25e3b88 100644
command: redis-server /opt/boulder/labca/redis-ratelimits.config
networks:
redisnet:
@@ -99,35 +99,37 @@ services:
@@ -102,35 +102,37 @@ services:
depends_on:
- control
volumes:
@@ -86,7 +86,7 @@ index 6e06c3578..fc25e3b88 100644
logging:
driver: "json-file"
options:
@@ -144,30 +146,28 @@ services:
@@ -147,30 +149,28 @@ services:
- 80:80
- 443:443
volumes:
@@ -131,7 +131,7 @@ index 6e06c3578..fc25e3b88 100644
expose:
- 3030
environment:
@@ -185,6 +185,15 @@ services:
@@ -188,6 +188,15 @@ services:
volumes:
dbdata:


@@ -34,6 +34,8 @@ setup_boulder_data() {
sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/remoteva-a.json
sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/remoteva-b.json
sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/remoteva-b.json
sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/remoteva-c.json
sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/remoteva-c.json
sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/va.json
sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/va.json


@@ -64,14 +64,23 @@ fi
perl -i -p0e "s/(\"dnsStaticResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/remoteva-a.json
perl -i -p0e "s/(\"dnsStaticResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/remoteva-b.json
perl -i -p0e "s/(\"dnsStaticResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/remoteva-c.json
perl -i -p0e "s/(\"dnsStaticResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/va.json
perl -i -p0e "s/(\"dnsStaticResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/bad-key-revoker.json
perl -i -p0e "s/(\"dnsStaticResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/expiration-mailer.json
# Disable DOH as long as it is a feature...
sed -i -e "s/\(\"DOH\":\s*\).*/\1false/" config/remoteva-a.json
sed -i -e "s/\(\"DOH\":\s*\).*/\1false/" config/remoteva-b.json
sed -i -e "s/\(\"DOH\":\s*\).*/\1false/" config/remoteva-c.json
sed -i -e "s/\(\"DOH\":\s*\).*/\1false/" config/va.json
for fl in $(grep -Rl maxConnectionAge config/); do
perl -i -p0e "s/(\s+\"maxConnectionAge\":[^\n]+)//igs" $fl
done
sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" config/remoteva-a.json
sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" config/remoteva-b.json
sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" config/remoteva-c.json
sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" config/va.json
sed -i -e "s/\"directoryCAAIdentity\": \".*\"/\"directoryCAAIdentity\": \"$PKI_DOMAIN\"/" config/wfe2.json
@@ -82,7 +91,8 @@ if ([ "$PKI_DOMAIN_MODE" == "lockdown" ] && [ "$PKI_LOCKDOWN_DOMAINS" != "" ]) |
perl -i -p0e "s/(\"modern\".*?)(\"ignoredLints\": \[).*?(\s+)(\"w_ext_subject_key_identifier_missing_sub_cert\")/\1\2\3\"e_dnsname_not_valid_tld\",\3\"w_sub_cert_aia_contains_internal_names\",\3\4/igs" config/ca.json
perl -i -p0e "s/(\"shortlived\".*?)(\"ignoredLints\": \[).*?(\s+)(\"w_ext_subject_key_identifier_missing_sub_cert\")/\1\2\3\"e_dnsname_not_valid_tld\",\3\"w_sub_cert_aia_contains_internal_names\",\3\4/igs" config/ca.json
perl -i -p0e "s/(\"pkilint:cabf.serverauth.subscriber_rsa_digitalsignature_and_keyencipherment_present\",).*?(\])/\1\n \"pkilint:cabf.internal_domain_name\",\n \"zlint:e_dnsname_not_valid_tld\",\n \"zlint:w_sub_cert_aia_contains_internal_names\",\n \"certlint:\",\n\2/igs" config/zlint.toml
perl -i -p0e "s/(\"pkilint:cabf.serverauth.subscriber_rsa_digitalsignature_and_keyencipherment_present\",).*?(\])/\1\n \"pkilint:cabf.internal_domain_name\",\n \"zlint:e_dnsname_not_valid_tld\",\n \"zlint:w_sub_cert_aia_contains_internal_names\",\n \"certlint:special_name_in_san\",\n \"certlint:br_certificates_must_include_an_http_url_of_the_ocsp_responder\",\n \"x509lint:no_ocsp_over_http\",\n\2/igs" config/zlint.toml
perl -p0e "s/(ignore_lints = \[).*(\])/\1\"zlint:e_crl_next_update_invalid\"\2/igs" config/zlint.toml
fi
[ -e ../test/hostname-policy.yaml ] && cp ../test/hostname-policy.yaml ./ || true
@@ -153,6 +163,7 @@ if [ "$PKI_DOMAIN_MODE" == "lockdown" ] || [ "$PKI_DOMAIN_MODE" == "whitelist" ]
perl -i -p0e "s/(\"labcaDomains\": \[\n).*?(\])/\1$LABCA_DOMAINS\n\t\t\2/igs" config/remoteva-a.json
perl -i -p0e "s/(\"labcaDomains\": \[\n).*?(\])/\1$LABCA_DOMAINS\n\t\t\2/igs" config/remoteva-b.json
perl -i -p0e "s/(\"labcaDomains\": \[\n).*?(\])/\1$LABCA_DOMAINS\n\t\t\2/igs" config/remoteva-c.json
perl -i -p0e "s/(\"labcaDomains\": \[\n).*?(\])/\1$LABCA_DOMAINS\n\t\t\2/igs" config/va.json
fi
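Review bot: The added `perl -p0e … config/zlint.toml` line at the end of the lockdown block lacks `-i`, so unlike every other perl call in this script it prints the rewritten file to stdout and leaves config/zlint.toml unchanged; the lint is never actually added to the ignore list. It also uses a greedy `.*` under `/s`, which matches up to the last `]` in the file rather than the end of the `ignore_lints` array, where the neighbouring lines use `.*?`. Suggested line: `perl -i -p0e "s/(ignore_lints = \[).*?(\])/\1\"zlint:e_crl_next_update_invalid\"\2/igs" config/zlint.toml`. Note that even the non-greedy form replaces the whole body of the first `ignore_lints` array it finds; if that is the same array the preceding line populates, those entries would be lost, so confirm which array is meant. The enclosing `if` begins outside the hunk.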


@@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0"
labcaUrl="https://github.com/hakwerk/labca/"
boulderUrl="https://github.com/letsencrypt/boulder/"
boulderTag="release-2025-03-18"
boulderTag="release-2025-05-27"
#
# Color configuration
@@ -667,6 +667,8 @@ config_boulder() {
sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/remoteva-a.json
sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/remoteva-b.json
sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/remoteva-b.json
sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/remoteva-c.json
sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/remoteva-c.json
sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/va.json
sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/va.json
cd "$boulderDir"


@@ -57,6 +57,8 @@ type config struct {
// during the SMTP connection (as opposed to the gRPC connections).
SMTPTrustedRootFile string
UserAgent string
Features features.Config
}
@@ -110,11 +112,12 @@ func main() {
scope,
clk,
dnsTries,
c.Mailer.UserAgent,
logger,
tlsConfig)
resolver = r
} else {
r := bdns.NewTest(dnsTimeout, servers, scope, clk, dnsTries, logger, tlsConfig)
r := bdns.NewTest(dnsTimeout, servers, scope, clk, dnsTries, c.Mailer.UserAgent, logger, tlsConfig)
resolver = r
}
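Review bot: The new `UserAgent string` field in the config struct carries neither a doc comment nor a `validate` tag, while the field directly above it (SMTPTrustedRootFile) is documented and other config fields touched by this commit use validate tags; an empty value is silently accepted and handed to `bdns.New`/`bdns.NewTest` below. Suggest `// UserAgent is passed to the DNS resolver (bdns.New / bdns.NewTest).` on the field and, if an empty identifier is never acceptable there (not visible from the hunk), `UserAgent string \`validate:"required"\``. The same undocumented field is added in the bad-key-revoker and expiration-mailer patch files later in this commit. The struct and main() both begin outside the hunk.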


@@ -32,8 +32,10 @@ cp test/config/va*.json "$boulderLabCADir/config/"
perl -i -p0e "s/\"dnsProvider\": \{.*?\t\t},/\"dnsStaticResolvers\": [\n\t\t\t\"127.0.0.1:8053\",\n\t\t\t\"127.0.0.1:8054\"\n\t\t],/igs" $boulderLabCADir/config/va.json
perl -i -p0e "s/\"dnsProvider\": \{.*?\t\t},/\"dnsStaticResolvers\": [\n\t\t\t\"127.0.0.1:8053\",\n\t\t\t\"127.0.0.1:8054\"\n\t\t],/igs" $boulderLabCADir/config/remoteva-a.json
perl -i -p0e "s/\"dnsProvider\": \{.*?\t\t},/\"dnsStaticResolvers\": [\n\t\t\t\"127.0.0.1:8053\",\n\t\t\t\"127.0.0.1:8054\"\n\t\t],/igs" $boulderLabCADir/config/remoteva-b.json
perl -i -p0e "s/\"dnsProvider\": \{.*?\t\t},/\"dnsStaticResolvers\": [\n\t\t\t\"127.0.0.1:8053\",\n\t\t\t\"127.0.0.1:8054\"\n\t\t],/igs" $boulderLabCADir/config/remoteva-c.json
perl -i -p0e "s/(\"accountURIPrefixes\": \[\n.*?\s+\])/\1,\n\t\t\"labcaDomains\": [\n\t\t]/igs" $boulderLabCADir/config/remoteva-a.json
perl -i -p0e "s/(\"accountURIPrefixes\": \[\n.*?\s+\])/\1,\n\t\t\"labcaDomains\": [\n\t\t]/igs" $boulderLabCADir/config/remoteva-b.json
perl -i -p0e "s/(\"accountURIPrefixes\": \[\n.*?\s+\])/\1,\n\t\t\"labcaDomains\": [\n\t\t]/igs" $boulderLabCADir/config/remoteva-c.json
perl -i -p0e "s/(\"accountURIPrefixes\": \[\n.*?\s+\])/\1,\n\t\t\"labcaDomains\": [\n\t\t]/igs" $boulderLabCADir/config/va.json
perl -i -p0e "s/\n \"redis\": \{\n.*? \},//igs" $boulderLabCADir/config/ocsp-responder.json
@@ -60,11 +62,13 @@ sed -i -e "s|1.2.3.4|1.3.6.1.4.1.44947.1.1.1|g" config/ca.json
sed -i -e "s/ocspURL.Path = encodedReq/ocspURL.Path += encodedReq/" ocsp/helper/helper.go
sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/remoteva-a.json
sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/remoteva-b.json
sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/remoteva-c.json
sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/ra.json
sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/va.json
sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/ca.json
sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/remoteva-a.json
sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/remoteva-b.json
sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/remoteva-c.json
sed -i -e "s/\"endpoint\": \".*\"/\"endpoint\": \"\"/" config/sfe.json
sed -i -e "s/sleep 1/sleep 5/g" wait-for-it.sh


@@ -20,6 +20,7 @@ $SUDO patch -p1 < $cloneDir/patches/boulder-va_main.patch
$SUDO patch -p1 < $cloneDir/patches/ca_ca.patch
$SUDO patch -p1 < $cloneDir/patches/ca_ca_keytype_hack.patch
$SUDO patch -p1 < $cloneDir/patches/ca_crl.patch
$SUDO patch -p1 < $cloneDir/patches/ceremony_crl.patch
$SUDO patch -p1 < $cloneDir/patches/ceremony_ecdsa.patch
$SUDO patch -p1 < $cloneDir/patches/ceremony_key.patch
$SUDO patch -p1 < $cloneDir/patches/ceremony_main.patch
@@ -73,6 +74,8 @@ sed -i -e "s|./test|./labca|" start.py
sed -i -e "s/proxysql:6033/mysql:3306/" sa/db/dbconfig.yml
sed -i -e "s/\(.*overrides.*\)/-- \1/" sa/db-users/boulder_sa.sql
mkdir -p "cmd/mail-tester"
cp $cloneDir/mail-tester.go cmd/mail-tester/main.go
perl -i -p0e "s/(\n\t\"github.com\/letsencrypt\/boulder\/cmd\")/\t_ \"github.com\/letsencrypt\/boulder\/cmd\/mail-tester\"\n\1/igs" cmd/boulder/main.go


@@ -1,5 +1,5 @@
diff --git a/cmd/bad-key-revoker/main.go b/cmd/bad-key-revoker/main.go
index c333b88c3..839437c4e 100644
index c333b88c3..8e9cc21bd 100644
--- a/cmd/bad-key-revoker/main.go
+++ b/cmd/bad-key-revoker/main.go
@@ -18,6 +18,7 @@ import (
@@ -22,7 +22,16 @@ index c333b88c3..839437c4e 100644
// MaximumRevocations specifies the maximum number of certificates associated with
// a key hash that bad-key-revoker will attempt to revoke. If the number of certificates
// is higher than MaximumRevocations bad-key-revoker will error out and refuse to
@@ -469,8 +475,35 @@ func main() {
@@ -417,6 +423,8 @@ type Config struct {
// or no work to do.
BackoffIntervalMax config.Duration `validate:"-"`
+ UserAgent string
+
Mailer struct {
cmd.SMTPConfig
// Path to a file containing a list of trusted root certificates for use
@@ -469,8 +477,36 @@ func main() {
cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to RA")
rac := rapb.NewRegistrationAuthorityClient(conn)
@@ -42,11 +51,12 @@ index c333b88c3..839437c4e 100644
+ scope,
+ clk,
+ dnsTries,
+ config.BadKeyRevoker.UserAgent,
+ logger,
+ tlsConfig)
+ resolver = r
+ } else {
+ r := bdns.NewTest(dnsTimeout, servers, scope, clk, dnsTries, logger, tlsConfig)
+ r := bdns.NewTest(dnsTimeout, servers, scope, clk, dnsTries, config.BadKeyRevoker.UserAgent, logger, tlsConfig)
+ resolver = r
+ }
+
@@ -59,7 +69,7 @@ index c333b88c3..839437c4e 100644
pem, err := os.ReadFile(config.BadKeyRevoker.Mailer.SMTPTrustedRootFile)
cmd.FailOnError(err, "Loading trusted roots file")
smtpRoots = x509.NewCertPool()
@@ -490,6 +523,8 @@ func main() {
@@ -490,6 +526,8 @@ func main() {
config.BadKeyRevoker.Mailer.Username,
smtpPassword,
smtpRoots,


@@ -1,8 +1,8 @@
diff --git a/cmd/boulder-ra/main.go b/cmd/boulder-ra/main.go
index 5bc425c60..842277b13 100644
index 9aa809e42..0facecca5 100644
--- a/cmd/boulder-ra/main.go
+++ b/cmd/boulder-ra/main.go
@@ -281,6 +281,8 @@ func main() {
@@ -270,6 +270,8 @@ func main() {
limiterRedis, err = bredis.NewRingFromConfig(*c.RA.Limiter.Redis, scope, logger)
cmd.FailOnError(err, "Failed to create Redis ring")


@@ -1,5 +1,5 @@
diff --git a/cmd/boulder-va/main.go b/cmd/boulder-va/main.go
index e18989222..809e0c19e 100644
index 981c4f9b5..9d5db072d 100644
--- a/cmd/boulder-va/main.go
+++ b/cmd/boulder-va/main.go
@@ -52,6 +52,7 @@ type Config struct {
@@ -10,7 +10,7 @@ index e18989222..809e0c19e 100644
}
Syslog cmd.SyslogConfig
@@ -150,7 +151,8 @@ func main() {
@@ -152,7 +153,8 @@ func main() {
c.VA.AccountURIPrefixes,
va.PrimaryPerspective,
"",


@@ -1,8 +1,8 @@
diff --git a/ca/ca.go b/ca/ca.go
index a598fc5cd..264ec35cc 100644
index f8caf76fb..400d2b613 100644
--- a/ca/ca.go
+++ b/ca/ca.go
@@ -182,10 +182,10 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) {
@@ -171,10 +171,10 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) {
}
}
if i, ok := issuersByAlg[x509.ECDSA]; !ok || len(i) == 0 {


@@ -1,8 +1,8 @@
diff --git a/ca/ca.go b/ca/ca.go
index 264ec35cc..f56e9a342 100644
index 400d2b613..09e651a96 100644
--- a/ca/ca.go
+++ b/ca/ca.go
@@ -182,10 +182,14 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) {
@@ -171,10 +171,14 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) {
}
}
if i, ok := issuersByAlg[x509.ECDSA]; !ok || len(i) == 0 {


@@ -0,0 +1,13 @@
diff --git a/cmd/ceremony/crl.go b/cmd/ceremony/crl.go
index 98790d906..4de35ae5c 100644
--- a/cmd/ceremony/crl.go
+++ b/cmd/ceremony/crl.go
@@ -42,7 +42,7 @@ func generateCRL(signer crypto.Signer, issuer *x509.Certificate, thisUpdate, nex
}
template.ExtraExtensions = append(template.ExtraExtensions, *idp)
- err = linter.CheckCRL(template, issuer, signer, []string{})
+ err = linter.CheckCRL(template, issuer, signer, []string{"e_crl_next_update_invalid"})
if err != nil {
return nil, fmt.Errorf("crl failed pre-issuance lint: %w", err)
}
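Review bot: The only substantive change in this new patch is that `linter.CheckCRL` now skips `e_crl_next_update_invalid` for every CRL the ceremony tool signs, and neither the patch nor the commit records why. As far as I can tell from zlint, that lint enforces the Baseline Requirements bound on how far a CRL's nextUpdate may lie after thisUpdate, so the suppression deserves a comment naming the reason and the CRL validity LabCA actually needs; a line above the call such as `// LabCA: skip e_crl_next_update_invalid because <reason — fill in>` would do. The same lint is added to the zlint.toml ignore list elsewhere in this commit, so the two should be kept in sync. generateCRL begins and ends outside the hunk.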


@@ -1,8 +1,8 @@
diff --git a/cmd/cert-checker/main.go b/cmd/cert-checker/main.go
index 615abe3c1..621c597c2 100644
index a323e70b8..df64d3e94 100644
--- a/cmd/cert-checker/main.go
+++ b/cmd/cert-checker/main.go
@@ -108,6 +108,7 @@ type certChecker struct {
@@ -109,6 +109,7 @@ type certChecker struct {
acceptableValidityDurations map[time.Duration]bool
lints lint.Registry
logger blog.Logger
@@ -10,7 +10,7 @@ index 615abe3c1..621c597c2 100644
}
func newChecker(saDbMap certDB,
@@ -118,6 +119,7 @@ func newChecker(saDbMap certDB,
@@ -119,6 +120,7 @@ func newChecker(saDbMap certDB,
avd map[time.Duration]bool,
lints lint.Registry,
logger blog.Logger,
@@ -18,7 +18,7 @@ index 615abe3c1..621c597c2 100644
) certChecker {
precertGetter := func(ctx context.Context, serial string) ([]byte, error) {
precertPb, err := sa.SelectPrecertificate(ctx, saDbMap, serial)
@@ -139,6 +141,7 @@ func newChecker(saDbMap certDB,
@@ -140,6 +142,7 @@ func newChecker(saDbMap certDB,
acceptableValidityDurations: avd,
lints: lints,
logger: logger,
@@ -26,16 +26,32 @@ index 615abe3c1..621c597c2 100644
}
}
@@ -415,7 +418,7 @@ func (c *certChecker) checkCert(ctx context.Context, cert core.Certificate) ([]s
err = c.pa.WillingToIssue([]identifier.ACMEIdentifier{identifier.NewDNS(name)})
if err != nil {
problems = append(problems, fmt.Sprintf("Policy Authority isn't willing to issue for '%s': %s", name, err))
- } else {
+ } else if !c.skipForbiddenDomains {
// For defense-in-depth, even if the PA was willing to issue for a name
// we double check it against a list of forbidden domains. This way even
// if the hostnamePolicyFile malfunctions we will flag the forbidden
@@ -495,9 +498,10 @@ type Config struct {
@@ -437,14 +440,16 @@ func (c *certChecker) checkCert(ctx context.Context, cert *corepb.Certificate) (
problems = append(problems, fmt.Sprintf("Policy Authority isn't willing to issue for '%s': %s", name, err))
continue
}
- // For defense-in-depth, even if the PA was willing to issue for a name
- // we double check it against a list of forbidden domains. This way even
- // if the hostnamePolicyFile malfunctions we will flag the forbidden
- // domain matches
- if forbidden, pattern := isForbiddenDomain(name); forbidden {
- problems = append(problems, fmt.Sprintf(
- "Policy Authority was willing to issue but domain '%s' matches "+
- "forbiddenDomains entry %q", name, pattern))
+ if !c.skipForbiddenDomains {
+ // For defense-in-depth, even if the PA was willing to issue for a name
+ // we double check it against a list of forbidden domains. This way even
+ // if the hostnamePolicyFile malfunctions we will flag the forbidden
+ // domain matches
+ if forbidden, pattern := isForbiddenDomain(name); forbidden {
+ problems = append(problems, fmt.Sprintf(
+ "Policy Authority was willing to issue but domain '%s' matches "+
+ "forbiddenDomains entry %q", name, pattern))
+ }
}
}
for _, name := range parsedCert.IPAddresses {
@@ -533,9 +538,10 @@ type Config struct {
Workers int `validate:"required,min=1"`
// Deprecated: this is ignored, and cert checker always checks both expired and unexpired.
@@ -49,7 +65,7 @@ index 615abe3c1..621c597c2 100644
// AcceptableValidityDurations is a list of durations which are
// acceptable for certificates we issue.
@@ -555,6 +559,8 @@ func main() {
@@ -593,6 +599,8 @@ func main() {
acceptableValidityDurations[ninetyDays] = true
}
@@ -57,8 +73,8 @@ index 615abe3c1..621c597c2 100644
+
// Validate PA config and set defaults if needed.
cmd.FailOnError(config.PA.CheckChallenges(), "Invalid PA configuration")
@@ -598,6 +604,7 @@ func main() {
cmd.FailOnError(config.PA.CheckIdentifiers(), "Invalid PA configuration")
@@ -637,6 +645,7 @@ func main() {
acceptableValidityDurations,
lints,
logger,
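Review bot: The comment block retained inside the new `if !c.skipForbiddenDomains {` guard still describes the forbidden-domain match as an unconditional defense-in-depth check, which no longer holds once the flag is set; prepend `// Skipped entirely when skipForbiddenDomains is set in the config.` above the retained comment so the next reader sees the exception. Because the check exists to catch a malfunctioning hostnamePolicyFile, disabling it is worth surfacing at runtime: where the flag is wired into newChecker in main() (the hunk shows only the call site), an info-level line such as `logger.Info("forbidden-domain check disabled by skipForbiddenDomains")` would make the weakened mode visible in the cert-checker output. The new `skipForbiddenDomains` struct field and the Config option further down the section carry no doc comment either. checkCert and main() both begin and end outside the hunk.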


@@ -1,8 +1,8 @@
diff --git a/cmd/config.go b/cmd/config.go
index 3072f206c..f7271cb7c 100644
index f8b6b847f..38ea91f33 100644
--- a/cmd/config.go
+++ b/cmd/config.go
@@ -456,7 +456,7 @@ type GRPCServerConfig struct {
@@ -469,7 +469,7 @@ type GRPCServerConfig struct {
// this controls how long it takes before a client learns about changes to its
// backends.
// https://pkg.go.dev/google.golang.org/grpc/keepalive#ServerParameters


@@ -1,8 +1,8 @@
diff --git a/test/config/crl-updater.json b/test/config/crl-updater.json
index eb5ba23e0..c4d40af92 100644
index adb2b01e5..6066b7e5e 100644
--- a/test/config/crl-updater.json
+++ b/test/config/crl-updater.json
@@ -36,18 +36,13 @@
@@ -36,24 +36,19 @@
"hostOverride": "crl-storer.boulder"
},
"issuerCerts": [
@@ -17,13 +17,20 @@ index eb5ba23e0..c4d40af92 100644
- "numShards": 10,
- "shardWidth": "240h",
- "lookbackPeriod": "24h",
- "updatePeriod": "6h",
- "maxParallelism": 10,
- "updatePeriod": "10m",
- "updateTimeout": "1m",
+ "numShards": 1,
+ "shardWidth": "24h",
+ "lookbackPeriod": "96h",
+ "updatePeriod": "24h",
+ "updateTimeout": "2m",
"expiresMargin": "5m",
"cacheControl": "stale-if-error=60",
"temporallyShardedSerialPrefixes": [
"7f"
],
- "maxParallelism": 10,
+ "maxParallelism": 1,
"maxAttempts": 5,
"maxAttempts": 2,
"features": {}
},


@@ -1,11 +1,13 @@
diff --git a/test/config/publisher.json b/test/config/publisher.json
index 6e0337c..1e5ed7b 100644
index 1909a6f60..795de12e6 100644
--- a/test/config/publisher.json
+++ b/test/config/publisher.json
@@ -6,18 +6,6 @@
@@ -4,20 +4,8 @@
"blockProfileRate": 1000000000,
"chains": [
[
"test/certs/webpki/int-rsa-a.cert.pem",
"test/certs/webpki/root-rsa.cert.pem"
- "test/certs/webpki/int-rsa-a.cert.pem",
- "test/certs/webpki/root-rsa.cert.pem"
- ],
- [
- "test/certs/webpki/int-rsa-b.cert.pem",
@@ -18,6 +20,21 @@ index 6e0337c..1e5ed7b 100644
- [
- "test/certs/webpki/int-ecdsa-b.cert.pem",
- "test/certs/webpki/root-ecdsa.cert.pem"
+ "labca/certs/webpki/issuer-01-cert.pem",
+ "labca/certs/webpki/root-01-cert.pem"
]
],
"debugAddr": ":8009",
"grpc": {
@@ -36,9 +24,9 @@
}
},
"tls": {
- "caCertFile": "test/certs/ipki/minica.pem",
- "certFile": "test/certs/ipki/publisher.boulder/cert.pem",
- "keyFile": "test/certs/ipki/publisher.boulder/key.pem"
+ "caCertFile": "labca/certs/ipki/minica.pem",
+ "certFile": "labca/certs/ipki/publisher.boulder/cert.pem",
+ "keyFile": "labca/certs/ipki/publisher.boulder/key.pem"
},
"features": {}
},


@@ -1,10 +1,39 @@
diff --git a/test/config/ra.json b/test/config/ra.json
index 23c277c6c..0aa9a0088 100644
index c16978e12..15e8252c0 100644
--- a/test/config/ra.json
+++ b/test/config/ra.json
@@ -33,12 +33,7 @@
"fermatRounds": 100
@@ -3,7 +3,8 @@
"limiter": {
"redis": {
"username": "boulder-wfe",
- "passwordFile": "test/secrets/wfe_ratelimits_redis_password",
+ "passwordFile": "labca/secrets/wfe_ratelimits_redis_password",
+ "db": 1,
"lookups": [
{
"Service": "redisratelimits",
@@ -16,25 +17,20 @@
"poolSize": 100,
"routeRandomly": true,
"tls": {
- "caCertFile": "test/certs/ipki/minica.pem",
- "certFile": "test/certs/ipki/wfe.boulder/cert.pem",
- "keyFile": "test/certs/ipki/wfe.boulder/key.pem"
+ "caCertFile": "labca/certs/ipki/minica.pem",
+ "certFile": "labca/certs/ipki/wfe.boulder/cert.pem",
+ "keyFile": "labca/certs/ipki/wfe.boulder/key.pem"
}
},
- "Defaults": "test/config/wfe2-ratelimit-defaults.yml",
- "Overrides": "test/config/wfe2-ratelimit-overrides.yml"
+ "Defaults": "labca/config/wfe2-ratelimit-defaults.yml",
+ "Overrides": "labca/config/wfe2-ratelimit-overrides.yml"
},
"maxContactsPerRegistration": 3,
"debugAddr": ":8002",
- "hostnamePolicyFile": "test/hostname-policy.yaml",
+ "hostnamePolicyFile": "labca/hostname-policy.yaml",
"goodkey": {},
"issuerCerts": [
- "test/certs/webpki/int-rsa-a.cert.pem",
- "test/certs/webpki/int-rsa-b.cert.pem",
@@ -12,7 +41,29 @@ index 23c277c6c..0aa9a0088 100644
- "test/certs/webpki/int-ecdsa-a.cert.pem",
- "test/certs/webpki/int-ecdsa-b.cert.pem",
- "test/certs/webpki/int-ecdsa-c.cert.pem"
+ "test/certs/webpki/int-rsa-a.cert.pem"
+ "labca/certs/webpki/issuer-01-cert.pem"
],
"validationProfiles": {
"legacy": {
@@ -58,9 +54,9 @@
},
"defaultProfileName": "legacy",
"tls": {
- "caCertFile": "test/certs/ipki/minica.pem",
- "certFile": "test/certs/ipki/ra.boulder/cert.pem",
- "keyFile": "test/certs/ipki/ra.boulder/key.pem"
+ "caCertFile": "labca/certs/ipki/minica.pem",
+ "certFile": "labca/certs/ipki/ra.boulder/cert.pem",
+ "keyFile": "labca/certs/ipki/ra.boulder/key.pem"
},
"vaService": {
"dnsAuthority": "consul.service.consul",
@@ -154,7 +150,7 @@
},
"ctLogs": {
"stagger": "500ms",
- "logListFile": "test/ct-test-srv/log_list.json",
+ "logListFile": "labca/ct-test-srv/log_list.json",
"sctLogs": [
"A1 Current",
"A1 Future",


@@ -1,19 +1,48 @@
diff --git a/test/config/wfe2.json b/test/config/wfe2.json
index 6a5f95ef0..b880db50f 100644
index 51c7aa8ef..1ed5d37af 100644
--- a/test/config/wfe2.json
+++ b/test/config/wfe2.json
@@ -12,6 +12,7 @@
@@ -3,8 +3,8 @@
"timeout": "30s",
"listenAddress": "0.0.0.0:4001",
"TLSListenAddress": "0.0.0.0:4431",
- "serverCertificatePath": "test/certs/ipki/boulder/cert.pem",
- "serverKeyPath": "test/certs/ipki/boulder/key.pem",
+ "serverCertificatePath": "labca/certs/ipki/boulder/cert.pem",
+ "serverKeyPath": "labca/certs/ipki/boulder/key.pem",
"allowOrigins": [
"*"
],
@@ -12,13 +12,14 @@
"subscriberAgreementURL": "https://boulder.service.consul:4431/terms/v7",
"debugAddr": ":8013",
"directoryCAAIdentity": "happy-hacker-ca.invalid",
"directoryWebsite": "https://github.com/letsencrypt/boulder",
+ "hostnamePolicyFile": "test/hostname-policy.yaml",
- "directoryWebsite": "https://github.com/letsencrypt/boulder",
+ "directoryWebsite": "https://github.com/hakwerk/labca",
+ "hostnamePolicyFile": "labca/hostname-policy.yaml",
"legacyKeyIDPrefix": "http://boulder.service.consul:4000/reg/",
"goodkey": {},
"tls": {
@@ -77,26 +78,6 @@
- "caCertFile": "test/certs/ipki/minica.pem",
- "certFile": "test/certs/ipki/wfe.boulder/cert.pem",
- "keyFile": "test/certs/ipki/wfe.boulder/key.pem"
+ "caCertFile": "labca/certs/ipki/minica.pem",
+ "certFile": "labca/certs/ipki/wfe.boulder/cert.pem",
+ "keyFile": "labca/certs/ipki/wfe.boulder/key.pem"
},
"raService": {
"dnsAuthority": "consul.service.consul",
@@ -72,39 +73,20 @@
"hostOverride": "nonce.boulder"
},
"nonceHMACKey": {
- "keyFile": "test/secrets/nonce_prefix_key"
+ "keyFile": "labca/secrets/nonce_prefix_key"
},
"chains": [
[
"test/certs/webpki/int-rsa-a.cert.pem",
"test/certs/webpki/root-rsa.cert.pem"
- "test/certs/webpki/int-rsa-a.cert.pem",
- "test/certs/webpki/root-rsa.cert.pem"
- ],
- [
- "test/certs/webpki/int-rsa-b.cert.pem",
@@ -34,6 +63,45 @@ index 6a5f95ef0..b880db50f 100644
- [
- "test/certs/webpki/int-ecdsa-b-cross.cert.pem",
- "test/certs/webpki/root-rsa.cert.pem"
+ "labca/certs/webpki/issuer-01-cert.pem",
+ "labca/certs/webpki/root-01-cert.pem"
]
],
"staleTimeout": "5m",
"limiter": {
"redis": {
"username": "boulder-wfe",
- "passwordFile": "test/secrets/wfe_ratelimits_redis_password",
+ "passwordFile": "labca/secrets/wfe_ratelimits_redis_password",
+ "db": 1,
"lookups": [
{
"Service": "redisratelimits",
@@ -117,13 +99,13 @@
"poolSize": 100,
"routeRandomly": true,
"tls": {
- "caCertFile": "test/certs/ipki/minica.pem",
- "certFile": "test/certs/ipki/wfe.boulder/cert.pem",
- "keyFile": "test/certs/ipki/wfe.boulder/key.pem"
+ "caCertFile": "labca/certs/ipki/minica.pem",
+ "certFile": "labca/certs/ipki/wfe.boulder/cert.pem",
+ "keyFile": "labca/certs/ipki/wfe.boulder/key.pem"
}
},
- "Defaults": "test/config/wfe2-ratelimit-defaults.yml",
- "Overrides": "test/config/wfe2-ratelimit-overrides.yml"
+ "Defaults": "labca/config/wfe2-ratelimit-defaults.yml",
+ "Overrides": "labca/config/wfe2-ratelimit-overrides.yml"
},
"features": {
"ServeRenewalInfo": true,
@@ -136,7 +118,7 @@
},
"unpause": {
"hmacKey": {
- "keyFile": "test/secrets/sfe_unpause_key"
+ "keyFile": "labca/secrets/sfe_unpause_key"
},
"jwtLifetime": "336h",
"url": "https://boulder.service.consul:4003"


@@ -1,22 +1,27 @@
diff --git a/cmd/contact-auditor/main.go b/cmd/contact-auditor/main.go
index a20560b6f..ac0d567f8 100644
index fdec0c660..cc62d91c0 100644
--- a/cmd/contact-auditor/main.go
+++ b/cmd/contact-auditor/main.go
@@ -12,6 +12,7 @@ import (
@@ -12,7 +12,9 @@ import (
"time"
"github.com/letsencrypt/boulder/cmd"
+ "github.com/letsencrypt/boulder/core"
"github.com/letsencrypt/boulder/db"
+ "github.com/letsencrypt/boulder/identifier"
blog "github.com/letsencrypt/boulder/log"
"github.com/letsencrypt/boulder/policy"
@@ -50,9 +51,13 @@ func validateContacts(id int64, createdAt string, contacts []string) error {
"github.com/letsencrypt/boulder/sa"
@@ -50,9 +52,16 @@ func validateContacts(id int64, createdAt string, contacts []string) error {
fmt.Fprintf(&probsBuff, "%d\t%s\tvalidation\t%q\t%q\t%q\n", id, createdAt, contact, prob, contacts)
}
+ var pa *policy.AuthorityImpl
+ logger := cmd.NewLogger(cmd.SyslogConfig{StdoutLevel: 7})
+ pa, _ = policy.New(map[core.AcmeChallenge]bool{}, logger)
+ pa, _ = policy.New(
+ map[identifier.IdentifierType]bool{identifier.TypeDNS: true, identifier.TypeIP: true},
+ map[core.AcmeChallenge]bool{},
+ logger)
+
for _, contact := range contacts {
if strings.HasPrefix(contact, "mailto:") {
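Review bot: The rewritten `pa, _ = policy.New(...)` call discards the constructor's error, so a failure leaves `pa` nil and, presumably, a nil dereference in the contact loop below (outside the hunk); the expiration-mailer patch in this same commit checks the equivalent call and returns an error. validateContacts already returns error, so the failure should be propagated rather than dropped. Whether `err` is already declared in the function is not visible in the hunk; the rewrite below assumes it is not and drops the separate `var pa` line. Constructing a policy authority and a logger on every validateContacts call is also unusual; hoisting both to the caller would be cleaner, but the caller is outside the hunk.
```go
logger := cmd.NewLogger(cmd.SyslogConfig{StdoutLevel: 7})
pa, err := policy.New(
	map[identifier.IdentifierType]bool{identifier.TypeDNS: true, identifier.TypeIP: true},
	map[core.AcmeChallenge]bool{},
	logger)
if err != nil {
	return fmt.Errorf("creating policy authority: %w", err)
}
// … unchanged: contact loop …
```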


@@ -1,5 +1,5 @@
diff --git a/docker-compose.yml b/docker-compose.yml
index b66a13d04..6e06c3578 100644
index 9b05172ef..e981e30ec 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,3 +1,4 @@
@@ -26,7 +26,7 @@ index b66a13d04..6e06c3578 100644
networks:
bouldernet:
ipv4_address: 10.77.77.77
@@ -50,121 +53,138 @@ services:
@@ -53,121 +56,138 @@ services:
- 4003:4003 # SFE
depends_on:
- bmysql
@@ -234,7 +234,7 @@ index b66a13d04..6e06c3578 100644
+ restart: always
bpkimetal:
image: ghcr.io/pkimetal/pkimetal:v1.19.0
image: ghcr.io/pkimetal/pkimetal:v1.20.0
networks:
bouldernet:
ipv4_address: 10.77.77.9


@@ -1,5 +1,5 @@
diff --git a/cmd/expiration-mailer/main.go b/cmd/expiration-mailer/main.go
index eed765273..e17bfde1c 100644
index 8c80c8408..4102e879b 100644
--- a/cmd/expiration-mailer/main.go
+++ b/cmd/expiration-mailer/main.go
@@ -23,6 +23,7 @@ import (
@@ -10,7 +10,7 @@ index eed765273..e17bfde1c 100644
"github.com/letsencrypt/boulder/cmd"
"github.com/letsencrypt/boulder/config"
"github.com/letsencrypt/boulder/core"
@@ -39,7 +40,7 @@ import (
@@ -40,7 +41,7 @@ import (
)
const (
@@ -19,11 +19,11 @@ index eed765273..e17bfde1c 100644
)
var (
@@ -161,8 +162,12 @@ func (m *mailer) sendNags(conn bmail.Conn, contacts []string, certs []*x509.Cert
@@ -162,8 +163,12 @@ func (m *mailer) sendNags(conn bmail.Conn, contacts []string, certs []*x509.Cert
if parsed.Scheme != "mailto" {
continue
}
+ pa, err := policy.New(nil, nil)
+ pa, err := policy.New(nil, nil, nil)
+ if err != nil {
+ return fmt.Errorf("cannot create policy authority implementation")
+ }
@@ -33,7 +33,7 @@ index eed765273..e17bfde1c 100644
if err != nil {
m.log.Debugf("skipping invalid email: %s", err)
continue
@@ -697,6 +702,11 @@ type Config struct {
@@ -697,10 +702,17 @@ type Config struct {
TLS cmd.TLSConfig
SAService *cmd.GRPCClientConfig
@@ -45,7 +45,13 @@ index eed765273..e17bfde1c 100644
// Path to a file containing a list of trusted root certificates for use
// during the SMTP connection (as opposed to the gRPC connections).
SMTPTrustedRootFile string
@@ -850,8 +860,35 @@ func main() {
+ UserAgent string
+
Features features.Config
}
@@ -850,8 +862,36 @@ func main() {
cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA")
sac := sapb.NewStorageAuthorityClient(conn)
@@ -65,11 +71,12 @@ index eed765273..e17bfde1c 100644
+ scope,
+ clk,
+ dnsTries,
+ c.Mailer.UserAgent,
+ logger,
+ tlsConfig)
+ resolver = r
+ } else {
+ r := bdns.NewTest(dnsTimeout, servers, scope, clk, dnsTries, logger, tlsConfig)
+ r := bdns.NewTest(dnsTimeout, servers, scope, clk, dnsTries, c.Mailer.UserAgent, logger, tlsConfig)
+ resolver = r
+ }
+
@@ -82,7 +89,7 @@ index eed765273..e17bfde1c 100644
pem, err := os.ReadFile(c.Mailer.SMTPTrustedRootFile)
cmd.FailOnError(err, "Loading trusted roots file")
smtpRoots = x509.NewCertPool()
@@ -885,6 +922,8 @@ func main() {
@@ -885,6 +925,8 @@ func main() {
c.Mailer.Username,
smtpPassword,
smtpRoots,
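Review bot: The new-side `pa, err := policy.New(nil, nil, nil)` in `sendNags` drops the construction error: the follow-up `return fmt.Errorf("cannot create policy authority implementation")` never includes `err`, so a failing `policy.New` gives the operator no cause. Wrap it: `return fmt.Errorf("cannot create policy authority implementation: %w", err)`. The call also sits inside the per-contact loop (the `continue` on the `mailto` check shows this), so a PA is built for every contact; constructing it once before the loop, or once in `main` next to the `bdns` resolver the later hunk adds, would be cleaner. Whether a PA built with nil identifier types and nil challenges is enough for the email validation that presumably follows cannot be confirmed from this hunk, and a one-line comment stating that assumption would help. `sendNags` starts and ends outside the hunk.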


@@ -1,17 +1,17 @@
diff --git a/issuance/issuer.go b/issuance/issuer.go
index 950ce44ce..b2264e86a 100644
index 95d2f03a7..c3129fe97 100644
--- a/issuance/issuer.go
+++ b/issuance/issuer.go
@@ -162,7 +162,7 @@ type IssuerConfig struct {
@@ -161,7 +161,7 @@ type IssuerConfig struct {
Active bool
IssuerURL string `validate:"required,url"`
OCSPURL string `validate:"required,url"`
- CRLURLBase string `validate:"required,url,startswith=http://,endswith=/"`
+ CRLURLBase string `validate:"required,url,startswith=http://"`
// Number of CRL shards.
// This must be nonzero if adding CRLDistributionPoints to certificates
@@ -252,9 +252,6 @@ func newIssuer(config IssuerConfig, cert *Certificate, signer crypto.Signer, clk
// TODO(#8177): Remove this.
OCSPURL string `validate:"omitempty,url"`
@@ -248,9 +248,6 @@ func newIssuer(config IssuerConfig, cert *Certificate, signer crypto.Signer, clk
if !strings.HasPrefix(config.CRLURLBase, "http://") {
return nil, fmt.Errorf("crlURLBase must use HTTP scheme, got %q", config.CRLURLBase)
}
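Review bot: The new side drops `endswith=/` from the `validate` tag on `CRLURLBase` and the second hunk removes three lines from `newIssuer` (presumably the matching trailing-slash check), but nothing in the patch records why LabCA relaxes this. If the per-shard distribution point is built by concatenating the base with the shard index, a base without a trailing slash yields a URL that the `crlShard` parser in the ra.go patch, which splits on the last `/`, would reject as malformed; that linkage is inferred, not visible here. Add a comment above the field in the patched file stating the reason and how the separator is guaranteed, e.g. `// LabCA: CRLURLBase need not end in "/"; the shard suffix is joined with an explicit separator.`, and confirm the join really does that. `IssuerConfig` and `newIssuer` both extend outside the hunk.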


@@ -1,5 +1,5 @@
diff --git a/mail/mailer.go b/mail/mailer.go
index 31ebd40b1..61add3ec2 100644
index 31ebd40b1..760b0b66e 100644
--- a/mail/mailer.go
+++ b/mail/mailer.go
@@ -2,6 +2,7 @@ package mail
@@ -10,7 +10,7 @@ index 31ebd40b1..61add3ec2 100644
"crypto/rand"
"crypto/tls"
"crypto/x509"
@@ -23,8 +24,11 @@ import (
@@ -23,7 +24,9 @@ import (
"github.com/jmhodges/clock"
"github.com/prometheus/client_golang/prometheus"
@@ -18,11 +18,9 @@ index 31ebd40b1..61add3ec2 100644
"github.com/letsencrypt/boulder/core"
+ berrors "github.com/letsencrypt/boulder/errors"
blog "github.com/letsencrypt/boulder/log"
+ "github.com/letsencrypt/boulder/probs"
)
type idGenerator interface {
@@ -139,6 +143,8 @@ func New(
@@ -139,6 +142,8 @@ func New(
username,
password string,
rootCAs *x509.CertPool,
@@ -31,7 +29,7 @@ index 31ebd40b1..61add3ec2 100644
from mail.Address,
logger blog.Logger,
stats prometheus.Registerer,
@@ -154,11 +160,13 @@ func New(
@@ -154,11 +159,13 @@ func New(
return &mailerImpl{
config: config{
dialer: &dialerImpl{
@@ -50,7 +48,7 @@ index 31ebd40b1..61add3ec2 100644
},
log: logger,
from: from,
@@ -202,7 +210,7 @@ func (c config) generateMessage(to []string, subject, body string) ([]byte, erro
@@ -202,7 +209,7 @@ func (c config) generateMessage(to []string, subject, body string) ([]byte, erro
fmt.Sprintf("To: %s", strings.Join(addrs, ", ")),
fmt.Sprintf("From: %s", c.from.String()),
fmt.Sprintf("Subject: %s", subject),
@@ -59,7 +57,7 @@ index 31ebd40b1..61add3ec2 100644
fmt.Sprintf("Message-Id: <%s.%s.%s>", now.Format("20060102T150405"), mid.String(), c.from.Address),
"MIME-Version: 1.0",
"Content-Type: text/plain; charset=UTF-8",
@@ -259,23 +267,41 @@ func (m *mailerImpl) Connect() (Conn, error) {
@@ -259,23 +266,41 @@ func (m *mailerImpl) Connect() (Conn, error) {
type dialerImpl struct {
username, password, server, port string
rootCAs *x509.CertPool
@@ -81,7 +79,7 @@ index 31ebd40b1..61add3ec2 100644
+ addrs, _, err := di.dnsClient.LookupHost(ctx, di.server)
if err != nil {
- return nil, err
+ problem := probs.DNS("%v")
+ problem := berrors.DNSError("%v")
+ return nil, problem
+ }
+
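Review bot: `problem := berrors.DNSError("%v")` on the new side passes a format string with no argument, so if `DNSError` is printf-style (the `%v` strongly suggests it is) the `LookupHost` error is never interpolated, the message renders as `%!v(MISSING)`, and the original `err` is lost instead of reported. Pass it through: `problem := berrors.DNSError("%v", err)`, or more usefully `berrors.DNSError("resolving SMTP host %q: %v", di.server, err)` if the signature allows extra arguments. The same defect existed in the `probs.DNS("%v")` line the commit replaces, so it is carried over rather than introduced. The enclosing method starts and ends outside the hunk.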


@@ -1,5 +1,5 @@
diff --git a/cmd/notify-mailer/main.go b/cmd/notify-mailer/main.go
index 6c01efd64..23b1f4f9d 100644
index 6c01efd64..6da77c7eb 100644
--- a/cmd/notify-mailer/main.go
+++ b/cmd/notify-mailer/main.go
@@ -2,6 +2,7 @@ package notmain
@@ -48,7 +48,7 @@ index 6c01efd64..23b1f4f9d 100644
+ cmd.FailOnError(cfg.PA.CheckChallenges(), "Invalid PA configuration")
+
+ logger := cmd.NewLogger(cmd.SyslogConfig{StdoutLevel: 7})
+ pa, err := policy.New(cfg.PA.Challenges, logger)
+ pa, err := policy.New(cfg.PA.Identifiers, cfg.PA.Challenges, logger)
+ cmd.FailOnError(err, "Failed to create PA")
+ err = pa.LoadHostnamePolicyFile(cfg.NotifyMailer.HostnamePolicyFile)
+ cmd.FailOnError(err, "Failed to load HostnamePolicyFile")


@@ -1,8 +1,8 @@
diff --git a/policy/pa.go b/policy/pa.go
index bbe928cd0..0c21848b7 100644
index 661a6b6bc..17dde317f 100644
--- a/policy/pa.go
+++ b/policy/pa.go
@@ -31,6 +31,9 @@ type AuthorityImpl struct {
@@ -32,6 +32,9 @@ type AuthorityImpl struct {
blocklist map[string]bool
exactBlocklist map[string]bool
wildcardExactBlocklist map[string]bool
@@ -11,8 +11,8 @@ index bbe928cd0..0c21848b7 100644
+ ldPublicContacts bool
blocklistMu sync.RWMutex
enabledChallenges map[core.AcmeChallenge]bool
@@ -64,6 +67,10 @@ type blockedNamesPolicy struct {
enabledChallenges map[core.AcmeChallenge]bool
@@ -75,6 +78,10 @@ type blockedNamesPolicy struct {
// time above and beyond the high-risk domains. Managing these entries separately
// from HighRiskBlockedNames makes it easier to vet changes accurately.
AdminBlockedNames []string `yaml:"AdminBlockedNames"`
@@ -23,7 +23,7 @@ index bbe928cd0..0c21848b7 100644
}
// LoadHostnamePolicyFile will load the given policy file, returning an error if
@@ -123,10 +130,21 @@ func (pa *AuthorityImpl) processHostnamePolicy(policy blockedNamesPolicy) error
@@ -134,10 +141,21 @@ func (pa *AuthorityImpl) processHostnamePolicy(policy blockedNamesPolicy) error
// wildcardNameMap to block issuance for `*.`+parts[1]
wildcardNameMap[parts[1]] = true
}
@@ -45,16 +45,16 @@ index bbe928cd0..0c21848b7 100644
pa.blocklistMu.Unlock()
return nil
}
@@ -196,7 +214,7 @@ var (
@@ -209,7 +227,7 @@ var (
// - exactly equal to an IANA registered TLD
//
// It does NOT ensure that the domain is absent from any PA blocked lists.
-func validNonWildcardDomain(domain string) error {
+func (pa *AuthorityImpl) ValidNonWildcardDomain(domain string, isContact bool) error {
if domain == "" {
return errEmptyName
return errEmptyIdentifier
}
@@ -228,7 +246,9 @@ func validNonWildcardDomain(domain string) error {
@@ -241,7 +259,9 @@ func validNonWildcardDomain(domain string) error {
return errTooManyLabels
}
if len(labels) < 2 {
@@ -65,7 +65,7 @@ index bbe928cd0..0c21848b7 100644
}
for _, label := range labels {
// Check that this is a valid LDH Label: "A string consisting of ASCII
@@ -272,6 +292,14 @@ func validNonWildcardDomain(domain string) error {
@@ -285,6 +305,14 @@ func validNonWildcardDomain(domain string) error {
}
}
@@ -80,7 +80,7 @@ index bbe928cd0..0c21848b7 100644
// Names must end in an ICANN TLD, but they must not be equal to an ICANN TLD.
icannTLD, err := iana.ExtractSuffix(domain)
if err != nil {
@@ -287,9 +315,9 @@ func validNonWildcardDomain(domain string) error {
@@ -300,9 +328,9 @@ func validNonWildcardDomain(domain string) error {
// ValidDomain checks that a domain is valid and that it doesn't contain any
// invalid wildcard characters. It does NOT ensure that the domain is absent
// from any PA blocked lists.
@@ -92,7 +92,7 @@ index bbe928cd0..0c21848b7 100644
}
// Names containing more than one wildcard are invalid.
@@ -308,7 +336,7 @@ func ValidDomain(domain string) error {
@@ -321,7 +349,7 @@ func ValidDomain(domain string) error {
// Names must end in an ICANN TLD, but they must not be equal to an ICANN TLD.
icannTLD, err := iana.ExtractSuffix(baseDomain)
@@ -101,7 +101,7 @@ index bbe928cd0..0c21848b7 100644
return errNonPublic
}
// Names must have a non-wildcard label immediately adjacent to the ICANN
@@ -316,7 +344,7 @@ func ValidDomain(domain string) error {
@@ -329,7 +357,7 @@ func ValidDomain(domain string) error {
if baseDomain == icannTLD {
return errICANNTLDWildcard
}
@@ -109,8 +109,8 @@ index bbe928cd0..0c21848b7 100644
+ return pa.ValidNonWildcardDomain(baseDomain, false)
}
// forbiddenMailDomains is a map of domain names we do not allow after the
@@ -334,14 +362,14 @@ var forbiddenMailDomains = map[string]bool{
// validIP checks that an IP address:
@@ -375,14 +403,14 @@ var forbiddenMailDomains = map[string]bool{
// ValidEmail returns an error if the input doesn't parse as an email address,
// the domain isn't a valid hostname in Preferred Name Syntax, or its on the
// list of domains forbidden for mail (because they are often used in examples).
@@ -127,43 +127,42 @@ index bbe928cd0..0c21848b7 100644
if err != nil {
return berrors.InvalidEmailError("contact email has invalid domain: %s", err)
}
@@ -383,7 +411,7 @@ func subError(ident identifier.ACMEIdentifier, err error) berrors.SubBoulderErro
@@ -424,7 +452,7 @@ func subError(ident identifier.ACMEIdentifier, err error) berrors.SubBoulderErro
//
// Precondition: all input identifier values must be in lowercase.
func (pa *AuthorityImpl) WillingToIssue(idents []identifier.ACMEIdentifier) error {
func (pa *AuthorityImpl) WillingToIssue(idents identifier.ACMEIdentifiers) error {
- err := WellFormedIdentifiers(idents)
+ err := pa.WellFormedIdentifiers(idents)
if err != nil {
return err
}
@@ -407,6 +435,10 @@ func (pa *AuthorityImpl) WillingToIssue(idents []identifier.ACMEIdentifier) erro
@@ -454,6 +482,10 @@ func (pa *AuthorityImpl) WillingToIssue(idents identifier.ACMEIdentifiers) error
}
}
}
+ if ok, _ := pa.checkWhitelist(ident.Value, false); ok {
+ return nil
+ }
+ if ok, _ := pa.checkWhitelist(ident.Value, false); ok {
+ return nil
+ }
+
// For both wildcard and non-wildcard domains, check whether any parent domain
// name is on the regular blocklist.
err := pa.checkHostLists(ident.Value)
@@ -441,13 +473,13 @@ func (pa *AuthorityImpl) WillingToIssue(idents []identifier.ACMEIdentifier) erro
// For both wildcard and non-wildcard domains, check whether any parent domain
// name is on the regular blocklist.
err := pa.checkHostLists(ident.Value)
@@ -494,12 +526,12 @@ func (pa *AuthorityImpl) WillingToIssue(idents identifier.ACMEIdentifiers) error
//
// If multiple domains are invalid, the error will contain suberrors specific to
// each domain.
-func WellFormedIdentifiers(idents []identifier.ACMEIdentifier) error {
+func (pa *AuthorityImpl) WellFormedIdentifiers(idents []identifier.ACMEIdentifier) error {
// If multiple identifiers are invalid, the error will contain suberrors
// specific to each identifier.
-func WellFormedIdentifiers(idents identifier.ACMEIdentifiers) error {
+func (pa *AuthorityImpl) WellFormedIdentifiers(idents identifier.ACMEIdentifiers) error {
var subErrors []berrors.SubBoulderError
for _, ident := range idents {
// TODO(#7311): When this gets a third case for TypeIP, this will be
// more elegant as a switch/case.
if ident.Type == identifier.TypeDNS {
switch ident.Type {
case identifier.TypeDNS:
- err := ValidDomain(ident.Value)
+ err := pa.ValidDomain(ident.Value)
if err != nil {
subErrors = append(subErrors, subError(ident, err))
}
@@ -484,6 +516,34 @@ func combineSubErrors(subErrors []berrors.SubBoulderError) error {
@@ -541,6 +573,34 @@ func combineSubErrors(subErrors []berrors.SubBoulderError) error {
return nil
}
@@ -198,7 +197,7 @@ index bbe928cd0..0c21848b7 100644
// checkWildcardHostList checks the wildcardExactBlocklist for a given domain.
// If the domain is not present on the list nil is returned, otherwise
// errPolicyForbidden is returned.
@@ -513,6 +573,9 @@ func (pa *AuthorityImpl) checkHostLists(domain string) error {
@@ -570,6 +630,9 @@ func (pa *AuthorityImpl) checkHostLists(domain string) error {
labels := strings.Split(domain, ".")
for i := range labels {
joined := strings.Join(labels[i:], ".")
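Review bot: In `WillingToIssue`, the new-side check `if ok, _ := pa.checkWhitelist(ident.Value, false); ok { return nil }` returns success for the whole request as soon as one identifier is whitelisted; since it references `ident.Value` and is followed by a per-identifier `checkHostLists(ident.Value)`, it appears to sit inside the loop over `idents`, so an order that mixes a whitelisted name with a blocklisted one would be accepted without the remaining identifiers ever being checked. If the intent is to exempt only that identifier, use `continue` instead of `return nil`. The error from `checkWhitelist` is also discarded with `ok, _`; if it can fail for reasons other than "not listed", that failure should not silently become "not whitelisted". The loop and the function body extend outside the hunk.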

View File

@@ -1,8 +1,8 @@
diff --git a/ra/ra.go b/ra/ra.go
index 091a40ab6..a89f1e3e2 100644
index e8acf0781..3122449be 100644
--- a/ra/ra.go
+++ b/ra/ra.go
@@ -43,7 +43,6 @@ import (
@@ -44,7 +44,6 @@ import (
"github.com/letsencrypt/boulder/issuance"
blog "github.com/letsencrypt/boulder/log"
"github.com/letsencrypt/boulder/metrics"
@@ -10,7 +10,7 @@ index 091a40ab6..a89f1e3e2 100644
"github.com/letsencrypt/boulder/probs"
pubpb "github.com/letsencrypt/boulder/publisher/proto"
rapb "github.com/letsencrypt/boulder/ra/proto"
@@ -593,7 +592,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error {
@@ -608,7 +607,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error {
if !core.IsASCII(contact) {
return berrors.InvalidEmailError("contact email contains non-ASCII characters")
}
@@ -19,7 +19,7 @@ index 091a40ab6..a89f1e3e2 100644
if err != nil {
return err
}
@@ -1906,6 +1905,9 @@ func crlShard(cert *x509.Certificate) (int64, error) {
@@ -1981,6 +1980,9 @@ func crlShard(cert *x509.Certificate) (int64, error) {
return 0, fmt.Errorf("malformed CRLDistributionPoint %q", url)
}
shardStr := url[lastIndex+1:]

View File

@@ -1,5 +1,5 @@
diff --git a/ratelimits/names.go b/ratelimits/names.go
index 8e8ed80c4..6e3e77639 100644
index bfda772b5..971892f22 100644
--- a/ratelimits/names.go
+++ b/ratelimits/names.go
@@ -102,6 +102,9 @@ var nameToString = map[Name]string{
@@ -20,7 +20,7 @@ index 8e8ed80c4..6e3e77639 100644
+ pa := PA
+ var err error
+ if pa == nil {
+ pa, err = policy.New(nil, nil)
+ pa, err = policy.New(nil, nil, nil)
+ if err != nil {
+ return fmt.Errorf("cannot create policy authority implementation")
+ }
@@ -36,7 +36,7 @@ index 8e8ed80c4..6e3e77639 100644
- err = policy.ValidDomain(regIdDomain[1])
+ pa := PA
+ if pa == nil {
+ pa, err = policy.New(nil, nil)
+ pa, err = policy.New(nil, nil, nil)
+ if err != nil {
+ return fmt.Errorf("cannot create policy authority implementation")
+ }
@@ -45,20 +45,20 @@ index 8e8ed80c4..6e3e77639 100644
if err != nil {
return fmt.Errorf(
"invalid domain, %q must be formatted 'regId:domain': %w", id, err)
@@ -200,7 +218,15 @@ func validateFQDNSet(id string) error {
@@ -202,7 +220,15 @@ func validateFQDNSet(id string) error {
return fmt.Errorf(
"invalid fqdnSet, %q must be formatted 'fqdnSet'", id)
}
- return policy.WellFormedIdentifiers(identifier.FromDNSNames(domains))
- return policy.WellFormedIdentifiers(identifier.NewDNSSlice(domains))
+ pa := PA
+ var err error
+ if pa == nil {
+ pa, err = policy.New(nil, nil)
+ pa, err = policy.New(nil, nil, nil)
+ if err != nil {
+ return fmt.Errorf("cannot create policy authority implementation")
+ }
+ }
+ return pa.WellFormedIdentifiers(identifier.FromDNSNames(domains))
+ return pa.WellFormedIdentifiers(identifier.NewDNSSlice(domains))
}
func validateIdForName(name Name, id string) error {
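Review bot: The fallback `if pa == nil { pa, err = policy.New(nil, nil, nil) ... }` is now copied into three validators in this file (two in the earlier hunk, one in `validateFQDNSet`), and every copy drops the construction error because `fmt.Errorf("cannot create policy authority implementation")` has no `%w`. Extract one helper so the fallback, its error wrapping and the next change to `policy.New`'s signature live in a single place; the sketch below assumes `policy.New` returns `*policy.AuthorityImpl`, the receiver type seen in the pa.go patch. A PA built with nil identifier types, nil challenges and no hostname policy file validates rate-limit ids against none of the configured block or allow lists; if that is the intended behaviour when the package-level `PA` is unset, the helper's comment should say so. The enclosing functions of the earlier hunk start outside SOURCE.

```go
// policyAuthority returns the package-level PA, or a default one built with
// no identifier, challenge or hostname-policy configuration when none is set.
func policyAuthority() (*policy.AuthorityImpl, error) {
	if PA != nil {
		return PA, nil
	}
	pa, err := policy.New(nil, nil, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot create policy authority implementation: %w", err)
	}
	return pa, nil
}

func validateFQDNSet(id string) error {
	// … unchanged: format check on id …
	pa, err := policyAuthority()
	if err != nil {
		return err
	}
	return pa.WellFormedIdentifiers(identifier.NewDNSSlice(domains))
}
```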


@@ -1,5 +1,5 @@
diff --git a/cmd/remoteva/main.go b/cmd/remoteva/main.go
index 0dc71028f..19962fb35 100644
index f99ded497..9a1033a87 100644
--- a/cmd/remoteva/main.go
+++ b/cmd/remoteva/main.go
@@ -56,7 +56,8 @@ type Config struct {
@@ -12,7 +12,7 @@ index 0dc71028f..19962fb35 100644
}
Syslog cmd.SyslogConfig
@@ -139,7 +140,8 @@ func main() {
@@ -141,7 +142,8 @@ func main() {
c.RVA.AccountURIPrefixes,
c.RVA.Perspective,
c.RVA.RIR,

View File

@@ -1,31 +1,63 @@
diff --git a/test/config/ca.json b/test/config/ca.json
index a64ec7ac2..09ffa1efe 100644
index 35843b094..2d4e0c951 100644
--- a/test/config/ca.json
+++ b/test/config/ca.json
@@ -1,11 +1,11 @@
{
"ca": {
"tls": {
- "caCertFile": "test/certs/ipki/minica.pem",
- "certFile": "test/certs/ipki/ca.boulder/cert.pem",
- "keyFile": "test/certs/ipki/ca.boulder/key.pem"
+ "caCertFile": "labca/certs/ipki/minica.pem",
+ "certFile": "labca/certs/ipki/ca.boulder/cert.pem",
+ "keyFile": "labca/certs/ipki/ca.boulder/key.pem"
},
- "hostnamePolicyFile": "test/hostname-policy.yaml",
+ "hostnamePolicyFile": "labca/hostname-policy.yaml",
"grpcCA": {
"maxConnectionAge": "30s",
"address": ":9093",
@@ -60,7 +60,8 @@
"allowMustStaple": true,
"includeCRLDistributionPoints": true,
"maxValidityPeriod": "7776000s",
"maxValidityBackdate": "1h5m",
- "lintConfig": "test/config-next/zlint.toml",
+ "includeCRLDistributionPoints": true,
+ "lintConfig": "test/config/zlint.toml",
+ "lintConfig": "labca/config/zlint.toml",
"ignoredLints": [
"w_subject_common_name_included",
"w_ext_subject_key_identifier_not_recommended_subscriber"
@@ -74,7 +75,8 @@
"omitSKID": true,
@@ -76,7 +77,8 @@
"includeCRLDistributionPoints": true,
"maxValidityPeriod": "583200s",
"maxValidityBackdate": "1h5m",
- "lintConfig": "test/config-next/zlint.toml",
+ "includeCRLDistributionPoints": true,
+ "lintConfig": "test/config/zlint.toml",
+ "lintConfig": "labca/config/zlint.toml",
"ignoredLints": [
"w_ext_subject_key_identifier_missing_sub_cert"
]
@@ -101,39 +103,7 @@
@@ -91,7 +93,7 @@
"includeCRLDistributionPoints": true,
"maxValidityPeriod": "160h",
"maxValidityBackdate": "1h5m",
- "lintConfig": "test/config-next/zlint.toml",
+ "lintConfig": "labca/config-next/zlint.toml",
"ignoredLints": [
"w_ext_subject_key_identifier_missing_sub_cert"
]
@@ -100,78 +102,19 @@
"crlProfile": {
"validityInterval": "216h",
"maxBackdate": "1h5m",
- "lintConfig": "test/config/zlint.toml"
+ "lintConfig": "labca/config/zlint.toml"
},
"issuers": [
{
"active": true,
- "crlShards": 10,
- "issuerURL": "http://ca.example.org:4502/int-ecdsa-a",
- "ocspURL": "http://ca.example.org:4002/",
- "crlURLBase": "http://ca.example.org:4501/lets-encrypt-crls/43104258997432926/",
@@ -37,6 +69,7 @@ index a64ec7ac2..09ffa1efe 100644
- },
- {
- "active": true,
- "crlShards": 10,
- "issuerURL": "http://ca.example.org:4502/int-ecdsa-b",
- "ocspURL": "http://ca.example.org:4002/",
- "crlURLBase": "http://ca.example.org:4501/lets-encrypt-crls/17302365692836921/",
@@ -48,6 +81,7 @@ index a64ec7ac2..09ffa1efe 100644
- },
- {
- "active": false,
- "crlShards": 10,
- "issuerURL": "http://ca.example.org:4502/int-ecdsa-c",
- "ocspURL": "http://ca.example.org:4002/",
- "crlURLBase": "http://ca.example.org:4501/lets-encrypt-crls/56560759852043581/",
@@ -60,16 +94,19 @@ index a64ec7ac2..09ffa1efe 100644
- {
- "active": true,
+ "crlShards": 1,
"crlShards": 10,
"issuerURL": "http://ca.example.org:4502/int-rsa-a",
"ocspURL": "http://ca.example.org:4002/",
"crlURLBase": "http://ca.example.org:4501/lets-encrypt-crls/29947985078257530/",
@@ -142,28 +112,6 @@
"certFile": "test/certs/webpki/int-rsa-a.cert.pem",
"numSessions": 2
}
"location": {
- "configFile": "test/certs/webpki/int-rsa-a.pkcs11.json",
- "certFile": "test/certs/webpki/int-rsa-a.cert.pem",
- "numSessions": 2
- }
- },
- {
- "active": true,
- "crlShards": 10,
- "issuerURL": "http://ca.example.org:4502/int-rsa-b",
- "ocspURL": "http://ca.example.org:4002/",
- "crlURLBase": "http://ca.example.org:4501/lets-encrypt-crls/6762885421992935/",
@@ -81,14 +118,33 @@ index a64ec7ac2..09ffa1efe 100644
- },
- {
- "active": false,
- "crlShards": 10,
- "issuerURL": "http://ca.example.org:4502/int-rsa-c",
- "ocspURL": "http://ca.example.org:4002/",
- "crlURLBase": "http://ca.example.org:4501/lets-encrypt-crls/56183656833365902/",
- "location": {
- "configFile": "test/certs/webpki/int-rsa-c.pkcs11.json",
- "certFile": "test/certs/webpki/int-rsa-c.cert.pem",
- "numSessions": 2
- }
+ "configFile": "labca/certs/webpki/issuer-01.pkcs11.json",
+ "certFile": "labca/certs/webpki/issuer-01-cert.pem",
"numSessions": 2
}
}
]
},
@@ -183,7 +126,7 @@
"goodkey": {},
"ocspLogMaxLength": 4000,
"ocspLogPeriod": "500ms",
- "ctLogListFile": "test/ct-test-srv/log_list.json",
+ "ctLogListFile": "labca/ct-test-srv/log_list.json",
"features": {}
},
"pa": {
@@ -194,7 +137,7 @@
}
},
"syslog": {
- "stdoutlevel": 4,
+ "stdoutlevel": 6,
"sysloglevel": 4
}
}
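Review bot: The new side sets one certificate profile's `lintConfig` to `labca/config-next/zlint.toml` while the other two profiles and the `crlProfile` use `labca/config/zlint.toml`; the upstream lines being replaced all read `test/config-next/zlint.toml`, so this looks like an incomplete path rewrite rather than an intentional split. Unless a `labca/config-next/zlint.toml` is actually shipped, that profile will presumably fail to load; change it to `"lintConfig": "labca/config/zlint.toml"` or add the missing file. Separately, `"stdoutlevel": 6` raises the CA's stdout log level from upstream's 4; that reads as a deliberate LabCA choice, but JSON has no comment syntax, so the rationale for both belongs in the patch description.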


@@ -1,5 +1,5 @@
diff --git a/test/ocsp/helper/helper.go b/test/ocsp/helper/helper.go
index a223f5fa6..96ab34aa7 100644
index 469c8cec1..0b2852330 100644
--- a/test/ocsp/helper/helper.go
+++ b/test/ocsp/helper/helper.go
@@ -15,6 +15,7 @@ import (
@@ -10,7 +10,7 @@ index a223f5fa6..96ab34aa7 100644
"strings"
"sync"
"time"
@@ -317,7 +318,7 @@ func sendHTTPRequest(
@@ -327,7 +328,7 @@ func sendHTTPRequest(
var httpRequest *http.Request
var err error
if method == "GET" {

View File

@@ -1,7 +1,16 @@
diff --git a/crl/updater/updater.go b/crl/updater/updater.go
index 4d5b06b38..d7cc6dba3 100644
index 600b17f22..bef3305b3 100644
--- a/crl/updater/updater.go
+++ b/crl/updater/updater.go
@@ -80,7 +80,7 @@ func NewUpdater(
return nil, fmt.Errorf("must have positive number of shards, got: %d", numShards)
}
- if updatePeriod >= 24*time.Hour {
+ if updatePeriod > 24*time.Hour {
return nil, fmt.Errorf("must update CRLs at least every 24 hours, got: %s", updatePeriod)
}
@@ -307,7 +307,7 @@ func (cu *crlUpdater) updateShard(ctx context.Context, atTime time.Time, issuerN
return fmt.Errorf("streaming GetRevokedCerts: %w", err)
}
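Review bot: The relaxed guard `if updatePeriod > 24*time.Hour` now accepts an update period of exactly 24h, which the error text "at least every 24 hours" already describes, but the patch gives no reason for diverging from upstream's strict `>=`. Put the reason on the changed line in the patched file, e.g. `// LabCA: an update period of exactly 24h is allowed; upstream rejects it with >=.`, so the next rebase does not silently drop it. Whether a 24h period leaves enough margin before a shard's nextUpdate depends on the CRL profile's `validityInterval` (216h in the ca.json patch), which this hunk does not show. `NewUpdater` starts and ends outside the hunk.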


@@ -1,8 +1,8 @@
diff --git a/va/http.go b/va/http.go
index 04b119ca2..de9e439a5 100644
index 00942ede3..2b4ece730 100644
--- a/va/http.go
+++ b/va/http.go
@@ -338,7 +338,16 @@ func (va *ValidationAuthorityImpl) extractRequestTarget(req *http.Request) (iden
@@ -341,7 +341,16 @@ func (va *ValidationAuthorityImpl) extractRequestTarget(req *http.Request) (iden
}
if _, err := iana.ExtractSuffix(reqHost); err != nil {


@@ -1,8 +1,8 @@
diff --git a/va/va.go b/va/va.go
index 270e9ca66..f8585c9fd 100644
index 5e7732d69..9a908c255 100644
--- a/va/va.go
+++ b/va/va.go
@@ -218,6 +218,7 @@ type ValidationAuthorityImpl struct {
@@ -217,6 +217,7 @@ type ValidationAuthorityImpl struct {
perspective string
rir string
isReservedIPFunc func(ip net.IP) bool
@@ -10,7 +10,7 @@ index 270e9ca66..f8585c9fd 100644
metrics *vaMetrics
}
@@ -238,6 +239,7 @@ func NewValidationAuthorityImpl(
@@ -237,6 +238,7 @@ func NewValidationAuthorityImpl(
perspective string,
rir string,
reservedIPChecker func(ip net.IP) bool,
@@ -18,7 +18,7 @@ index 270e9ca66..f8585c9fd 100644
) (*ValidationAuthorityImpl, error) {
if len(accountURIPrefixes) == 0 {
@@ -275,6 +277,7 @@ func NewValidationAuthorityImpl(
@@ -274,6 +276,7 @@ func NewValidationAuthorityImpl(
perspective: perspective,
rir: rir,
isReservedIPFunc: reservedIPChecker,


@@ -1,8 +1,8 @@
diff --git a/cmd/boulder-wfe2/main.go b/cmd/boulder-wfe2/main.go
index 1f33c4746..65b670e96 100644
index 1f33c4746..1b0ad2ddb 100644
--- a/cmd/boulder-wfe2/main.go
+++ b/cmd/boulder-wfe2/main.go
@@ -12,6 +12,7 @@ import (
@@ -12,14 +12,17 @@ import (
"github.com/letsencrypt/boulder/cmd"
"github.com/letsencrypt/boulder/config"
@@ -10,15 +10,17 @@ index 1f33c4746..65b670e96 100644
emailpb "github.com/letsencrypt/boulder/email/proto"
"github.com/letsencrypt/boulder/features"
"github.com/letsencrypt/boulder/goodkey"
@@ -20,6 +21,7 @@ import (
"github.com/letsencrypt/boulder/goodkey/sagoodkey"
bgrpc "github.com/letsencrypt/boulder/grpc"
"github.com/letsencrypt/boulder/grpc/noncebalancer"
+ "github.com/letsencrypt/boulder/identifier"
"github.com/letsencrypt/boulder/issuance"
"github.com/letsencrypt/boulder/nonce"
+ "github.com/letsencrypt/boulder/policy"
rapb "github.com/letsencrypt/boulder/ra/proto"
"github.com/letsencrypt/boulder/ratelimits"
bredis "github.com/letsencrypt/boulder/redis"
@@ -99,7 +101,7 @@ type Config struct {
@@ -99,7 +102,7 @@ type Config struct {
// DirectoryCAAIdentity is used for the /directory response's "meta"
// element's "caaIdentities" field. It should match the VA's "issuerDomain"
// configuration value (this value is the one used to enforce CAA)
@@ -27,7 +29,7 @@ index 1f33c4746..65b670e96 100644
// DirectoryWebsite is used for the /directory response's "meta" element's
// "website" field.
DirectoryWebsite string `validate:"required,url"`
@@ -175,6 +177,8 @@ type Config struct {
@@ -175,6 +178,8 @@ type Config struct {
// to enable the pausing feature.
URL string `validate:"omitempty,required_with=HMACKey JWTLifetime,url,startswith=https://,endsnotwith=/"`
}
@@ -36,7 +38,7 @@ index 1f33c4746..65b670e96 100644
}
Syslog cmd.SyslogConfig
@@ -315,11 +319,22 @@ func main() {
@@ -315,11 +320,25 @@ func main() {
var limiter *ratelimits.Limiter
var txnBuilder *ratelimits.TransactionBuilder
var limiterRedis *bredis.Ring
@@ -47,7 +49,10 @@ index 1f33c4746..65b670e96 100644
cmd.FailOnError(err, "Failed to create Redis ring")
+ // Set Policy Authority for ratelimits
+ pa, err = policy.New(map[core.AcmeChallenge]bool{}, logger)
+ pa, err = policy.New(
+ map[identifier.IdentifierType]bool{identifier.TypeDNS: true, identifier.TypeIP: true},
+ map[core.AcmeChallenge]bool{},
+ logger)
+ cmd.FailOnError(err, "Couldn't create PA")
+ if c.WFE.HostnamePolicyFile == "" {
+ cmd.Fail("HostnamePolicyFile must be provided.")
@@ -59,7 +64,7 @@ index 1f33c4746..65b670e96 100644
source := ratelimits.NewRedisSource(limiterRedis.Ring, clk, stats)
limiter, err = ratelimits.NewLimiter(clk, source, stats)
cmd.FailOnError(err, "Failed to create rate limiter")
@@ -359,6 +374,7 @@ func main() {
@@ -359,6 +378,7 @@ func main() {
unpauseSigner,
c.WFE.Unpause.JWTLifetime.Duration,
c.WFE.Unpause.URL,
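Review bot: The new-side `policy.New` call hard-codes `identifier.TypeIP: true` alongside `TypeDNS` for the WFE's rate-limit PA, whereas the notify-mailer patch in this same commit reads the enabled identifier types from `cfg.PA.Identifiers`. If the RA's policy has IP identifiers disabled, the WFE's `WellFormedIdentifiers` will accept an ip identifier in newOrder that the RA then presumably rejects, giving an inconsistent error surface rather than a policy hole. Prefer sourcing the map from configuration (a `PA` section on the WFE config, if one exists), or at minimum add a comment such as `// Both identifier types are enabled only for well-formedness checks; issuance policy is enforced by the RA.`. The empty `map[core.AcmeChallenge]bool{}` is fine only if nothing in the WFE consults the PA's enabled challenges, which cannot be verified from this hunk.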


@@ -1,5 +1,5 @@
diff --git a/wfe2/wfe.go b/wfe2/wfe.go
index 0e14a778e..9dfe9789a 100644
index 462866a1d..287e6af55 100644
--- a/wfe2/wfe.go
+++ b/wfe2/wfe.go
@@ -163,6 +163,8 @@ type WebFrontEndImpl struct {
@@ -38,7 +38,7 @@ index 0e14a778e..9dfe9789a 100644
}
return wfe, nil
@@ -617,7 +625,7 @@ func link(url, relation string) string {
@@ -635,7 +643,7 @@ func link(url, relation string) string {
// contactsToEmails converts a *[]string of contacts (e.g. mailto:
// person@example.com) to a []string of valid email addresses. Non-email
// contacts or contacts with invalid email addresses are ignored.
@@ -47,7 +47,7 @@ index 0e14a778e..9dfe9789a 100644
if contacts == nil {
return nil
}
@@ -627,7 +635,7 @@ func contactsToEmails(contacts *[]string) []string {
@@ -645,7 +653,7 @@ func contactsToEmails(contacts *[]string) []string {
continue
}
address := strings.TrimPrefix(c, "mailto:")
@@ -56,7 +56,7 @@ index 0e14a778e..9dfe9789a 100644
if err != nil {
continue
}
@@ -851,7 +859,7 @@ func (wfe *WebFrontEndImpl) NewAccount(
@@ -869,7 +877,7 @@ func (wfe *WebFrontEndImpl) NewAccount(
}
newRegistrationSuccessful = true
@@ -65,12 +65,12 @@ index 0e14a778e..9dfe9789a 100644
if wfe.ee != nil && len(emails) > 0 {
_, err := wfe.ee.SendContacts(ctx, &emailpb.SendContactsRequest{
// Note: We are explicitly using the contacts provided by the
@@ -2298,7 +2306,7 @@ func (wfe *WebFrontEndImpl) NewOrder(
}
@@ -2300,7 +2308,7 @@ func (wfe *WebFrontEndImpl) NewOrder(
idents = identifier.Normalize(idents)
logEvent.Identifiers = idents
names = core.UniqueLowerNames(names)
- err = policy.WellFormedIdentifiers(identifier.FromDNSNames(names))
+ err = wfe.pa.WellFormedIdentifiers(identifier.FromDNSNames(names))
- err = policy.WellFormedIdentifiers(idents)
+ err = wfe.pa.WellFormedIdentifiers(idents)
if err != nil {
wfe.sendError(response, logEvent, web.ProblemDetailsForError(err, "Invalid identifiers requested"), nil)
return