From 0febdd24e622697a0e7bc3336fc12fe39059f541 Mon Sep 17 00:00:00 2001
From: Arjan H
Date: Sat, 31 May 2025 12:29:07 +0200
Subject: [PATCH] Bump boulder version to release-2025-05-27

---
 build/Dockerfile-boulder | 9 ++-
 build/Dockerfile-control | 6 +-
 build/Dockerfile-gui | 4 +-
 build/Dockerfile-standalone | 2 +-
 build/build.sh | 2 +-
 build/docker-compose.yml | 5 +-
 build/tmp.patch | 10 ++--
 control_do.sh | 2 +
 gui/apply-boulder | 13 +++-
 install | 4 +-
 mail-tester.go | 5 +-
 patch-cfg.sh | 4 ++
 patch.sh | 3 +
 patches/bad-key-revoker_main.patch | 18 ++++--
 patches/boulder-ra_main.patch | 4 +-
 patches/boulder-va_main.patch | 4 +-
 patches/ca_ca.patch | 4 +-
 patches/ca_ca_keytype_hack.patch | 4 +-
 patches/ceremony_crl.patch | 13 ++++
 patches/cert-checker_main.patch | 50 ++++++++++------
 patches/cmd_config.patch | 4 +-
 patches/config_crl-updater.patch | 17 ++++--
 patches/config_publisher.patch | 27 +++++++--
 patches/config_ra.patch | 59 ++++++++++++++++--
 patches/config_wfe2.patch | 82 ++++++++++++++++++++++---
 patches/contact-auditor_main.patch | 13 ++--
 patches/docker-compose.patch | 6 +-
 patches/expiration-mailer_main.patch | 23 ++++---
 patches/issuance_issuer.patch | 12 ++--
 patches/mail_mailer.patch | 16 +++--
 patches/notify-mailer_main.patch | 4 +-
 patches/policy_pa.patch | 67 ++++++++++-----------
 patches/ra_ra.patch | 8 +--
 patches/ratelimits_names.patch | 14 ++---
 patches/remoteva_main.patch | 4 +-
 patches/test_config_ca.patch | 86 ++++++++++++++++++++++-----
 patches/test_ocsp_helper_helper.patch | 4 +-
 patches/updater_updater.patch | 11 +++-
 patches/va_http.patch | 4 +-
 patches/va_va.patch | 8 +--
 patches/wfe2_main.patch | 21 ++++---
 patches/wfe2_wfe.patch | 18 +++---
 42 files changed, 481 insertions(+), 193 deletions(-)
 create mode 100644 patches/ceremony_crl.patch

diff --git a/build/Dockerfile-boulder b/build/Dockerfile-boulder
index b2135ed..65e6935 100644
--- a/build/Dockerfile-boulder
+++ b/build/Dockerfile-boulder
@@ -1,21 +1,20 @@ # syntax=docker/dockerfile:1 -FROM letsencrypt/boulder-tools:go1.24.1_2025-03-10 AS boulder-tools +FROM letsencrypt/boulder-tools:go1.24.1_2025-04-30 AS boulder-tools -FROM ubuntu:focal +FROM ubuntu:noble RUN apt-get update && \ apt-get install -y --no-install-recommends \ ca-certificates \ - mariadb-client-core-10.3 \ + mariadb-client-core \ net-tools \ python3-pip \ rsyslog \ softhsm2 \ && rm -rf /var/lib/apt/lists/* \ - && pip3 install requests + && pip3 install --break-system-packages requests COPY --from=boulder-tools /usr/local/bin/sql-migrate /usr/local/bin/sql-migrate -COPY --from=boulder-tools /usr/local/bin/pebble-challtestsrv /usr/local/bin/pebble-challtestsrv COPY --from=boulder-tools /usr/local/bin/minica /usr/local/bin/minica COPY tmp/bin /opt/boulder/bin COPY tmp/src/start.py /opt/boulder diff --git a/build/Dockerfile-control b/build/Dockerfile-control index c25567b..5860f95 100644 --- a/build/Dockerfile-control +++ b/build/Dockerfile-control @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1 -FROM letsencrypt/boulder-tools:go1.23.1_2024-09-05 AS boulder-tools +FROM letsencrypt/boulder-tools:go1.24.1_2025-04-30 AS boulder-tools -FROM ubuntu:focal as builder +FROM ubuntu:noble AS builder RUN export DEBIAN_FRONTEND=noninteractive \ && apt-get update \ @@ -29,7 +29,7 @@ RUN export DEBIAN_FRONTEND=noninteractive \ fi \ && rm -rf /var/lib/apt/lists/* -FROM ubuntu:focal +FROM ubuntu:noble RUN export DEBIAN_FRONTEND=noninteractive \ && apt update \ diff --git a/build/Dockerfile-gui b/build/Dockerfile-gui index 1f5d1da..3335ebc 100644 --- a/build/Dockerfile-gui +++ b/build/Dockerfile-gui @@ -1,5 +1,5 @@ # syntax=docker/dockerfile:1 -FROM ubuntu:focal AS builder +FROM ubuntu:noble AS builder RUN export DEBIAN_FRONTEND=noninteractive \ && apt-get update \ 
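Review bot: The new `pip3 install --break-system-packages requests` in Dockerfile-boulder overrides PEP 668 to drop an unpinned PyPI package into the system interpreter of the runtime image; on noble the same dependency ships from apt as `python3-requests`, which keeps it under distro security updates and removes the need for `python3-pip` in the image at all. Replace `python3-pip \` with `python3-requests \` in the apt-get install list and drop the `&& pip3 install --break-system-packages requests` line. If pip is genuinely required, at least pin the version (`requests==<pinned-version>`) so rebuilds are reproducible.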
@@ -27,7 +27,7 @@ RUN export DEBIAN_FRONTEND=noninteractive \ fi \ && rm -rf /var/lib/apt/lists/* -FROM ubuntu:focal +FROM ubuntu:noble RUN apt-get update && \ apt-get install -y --no-install-recommends \ diff --git a/build/Dockerfile-standalone b/build/Dockerfile-standalone index 812834a..8b90f3a 100644 --- a/build/Dockerfile-standalone +++ b/build/Dockerfile-standalone @@ -1,5 +1,5 @@ # syntax=docker/dockerfile:1 -FROM ubuntu:24.04 +FROM ubuntu:noble ARG TARGETARCH diff --git a/build/build.sh b/build/build.sh index fd6cbf1..a239d0d 100755 --- a/build/build.sh +++ b/build/build.sh @@ -8,7 +8,7 @@ TMP_DIR=$(pwd)/tmp rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src} boulderDir=$TMP_DIR/src -boulderTag="release-2025-03-18" +boulderTag="release-2025-05-27" boulderUrl="https://github.com/letsencrypt/boulder/" cloneDir=$(pwd)/.. diff --git a/build/docker-compose.yml b/build/docker-compose.yml index fc25e3b..cf6585c 100644 --- a/build/docker-compose.yml +++ b/build/docker-compose.yml @@ -46,6 +46,9 @@ services: # we can put that name inside our integration test certs (e.g. as a crl # url) and have it look like a publicly-accessible name. - "ca.example.org:10.77.77.77" + # Allow the boulder container to be reached as "integration.trust", for + # similar reasons, but intended for use as a SAN rather than a CRLDP. + - "integration.trust:10.77.77.77" ports: - 4001:4001 # ACMEv2 - 4002:4002 # OCSP @@ -177,7 +180,7 @@ services: restart: always bpkimetal: - image: ghcr.io/pkimetal/pkimetal:v1.19.0 + image: ghcr.io/pkimetal/pkimetal:v1.20.0 networks: bouldernet: ipv4_address: 10.77.77.9 diff --git a/build/tmp.patch b/build/tmp.patch index 620f706..929dea4 100644 --- a/build/tmp.patch +++ b/build/tmp.patch @@ -1,5 +1,5 @@ diff --git a/docker-compose.yml b/docker-compose.yml -index 6e06c3578..fc25e3b88 100644 +index e981e30ec..cf6585c65 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -4,7 +4,7 @@ services: 
@@ -27,7 +27,7 @@ index 6e06c3578..fc25e3b88 100644 networks: bouldernet: ipv4_address: 10.77.77.77 -@@ -87,7 +86,8 @@ services: +@@ -90,7 +89,8 @@ services: bredis: image: redis:6.2.7 volumes: @@ -37,7 +37,7 @@ index 6e06c3578..fc25e3b88 100644 command: redis-server /opt/boulder/labca/redis-ratelimits.config networks: redisnet: -@@ -99,35 +99,37 @@ services: +@@ -102,35 +102,37 @@ services: depends_on: - control volumes: @@ -86,7 +86,7 @@ index 6e06c3578..fc25e3b88 100644 logging: driver: "json-file" options: -@@ -144,30 +146,28 @@ services: +@@ -147,30 +149,28 @@ services: - 80:80 - 443:443 volumes: @@ -131,7 +131,7 @@ index 6e06c3578..fc25e3b88 100644 expose: - 3030 environment: -@@ -185,6 +185,15 @@ services: +@@ -188,6 +188,15 @@ services: volumes: dbdata: diff --git a/control_do.sh b/control_do.sh index 1f240ff..d0980d9 100755 --- a/control_do.sh +++ b/control_do.sh @@ -34,6 +34,8 @@ setup_boulder_data() { sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/remoteva-a.json sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/remoteva-b.json sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/remoteva-b.json + sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/remoteva-c.json + sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/remoteva-c.json sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/va.json sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/va.json diff --git a/gui/apply-boulder b/gui/apply-boulder index 7215bc1..c917a13 100755 --- a/gui/apply-boulder +++ b/gui/apply-boulder 
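Review bot: The two `sed -i` lines added for `config/remoteva-c.json` in `setup_boulder_data` are the third hand-copied instance of a per-file pair that now exists for remoteva-a, remoteva-b, remoteva-c and va, so the next remote VA can easily be missed in one of the scripts. A loop keeps the file list in one place: `for f in remoteva-a remoteva-b remoteva-c va; do sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/$f.json; done`. The same copy-per-file pattern is repeated in the `config_boulder` hunk of `install`, in `gui/apply-boulder` (dnsStaticResolvers, DOH, issuerDomain and labcaDomains blocks) and in both `patch-cfg.sh` hunks. `setup_boulder_data` continues outside the hunk.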
@@ -64,14 +64,23 @@ fi perl -i -p0e "s/(\"dnsStaticResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/remoteva-a.json perl -i -p0e "s/(\"dnsStaticResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/remoteva-b.json +perl -i -p0e "s/(\"dnsStaticResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/remoteva-c.json perl -i -p0e "s/(\"dnsStaticResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/va.json perl -i -p0e "s/(\"dnsStaticResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/bad-key-revoker.json perl -i -p0e "s/(\"dnsStaticResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/expiration-mailer.json + +# Disable DOH as long as it is a feature... +sed -i -e "s/\(\"DOH\":\s*\).*/\1false/" config/remoteva-a.json +sed -i -e "s/\(\"DOH\":\s*\).*/\1false/" config/remoteva-b.json +sed -i -e "s/\(\"DOH\":\s*\).*/\1false/" config/remoteva-c.json +sed -i -e "s/\(\"DOH\":\s*\).*/\1false/" config/va.json + for fl in $(grep -Rl maxConnectionAge config/); do perl -i -p0e "s/(\s+\"maxConnectionAge\":[^\n]+)//igs" $fl done sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" config/remoteva-a.json sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" config/remoteva-b.json +sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" config/remoteva-c.json sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" config/va.json sed -i -e "s/\"directoryCAAIdentity\": \".*\"/\"directoryCAAIdentity\": \"$PKI_DOMAIN\"/" config/wfe2.json 
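Review bot: The new DOH sed, `s/\(\"DOH\":\s*\).*/\1false/`, replaces everything after the key up to end of line, so when `"DOH"` is not the last entry of its JSON object the trailing comma is eaten and the config no longer parses. Match only the value instead: `sed -i -e "s/\(\"DOH\":\s*\)true/\1false/" config/va.json` (and the same for the three remoteva files). The `# Disable DOH as long as it is a feature...` comment would be more useful if it said which config block the key lives in (presumably the VA `features` map — confirm), so the hack can be removed once the feature flag goes away.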
@@ -82,7 +91,8 @@ if ([ "$PKI_DOMAIN_MODE" == "lockdown" ] && [ "$PKI_LOCKDOWN_DOMAINS" != "" ]) | perl -i -p0e "s/(\"modern\".*?)(\"ignoredLints\": \[).*?(\s+)(\"w_ext_subject_key_identifier_missing_sub_cert\")/\1\2\3\"e_dnsname_not_valid_tld\",\3\"w_sub_cert_aia_contains_internal_names\",\3\4/igs" config/ca.json perl -i -p0e "s/(\"shortlived\".*?)(\"ignoredLints\": \[).*?(\s+)(\"w_ext_subject_key_identifier_missing_sub_cert\")/\1\2\3\"e_dnsname_not_valid_tld\",\3\"w_sub_cert_aia_contains_internal_names\",\3\4/igs" config/ca.json - perl -i -p0e "s/(\"pkilint:cabf.serverauth.subscriber_rsa_digitalsignature_and_keyencipherment_present\",).*?(\])/\1\n \"pkilint:cabf.internal_domain_name\",\n \"zlint:e_dnsname_not_valid_tld\",\n \"zlint:w_sub_cert_aia_contains_internal_names\",\n \"certlint:\",\n\2/igs" config/zlint.toml + perl -i -p0e "s/(\"pkilint:cabf.serverauth.subscriber_rsa_digitalsignature_and_keyencipherment_present\",).*?(\])/\1\n \"pkilint:cabf.internal_domain_name\",\n \"zlint:e_dnsname_not_valid_tld\",\n \"zlint:w_sub_cert_aia_contains_internal_names\",\n \"certlint:special_name_in_san\",\n \"certlint:br_certificates_must_include_an_http_url_of_the_ocsp_responder\",\n \"x509lint:no_ocsp_over_http\",\n\2/igs" config/zlint.toml + perl -p0e "s/(ignore_lints = \[).*(\])/\1\"zlint:e_crl_next_update_invalid\"\2/igs" config/zlint.toml fi [ -e ../test/hostname-policy.yaml ] && cp ../test/hostname-policy.yaml ./ || true @@ -153,6 +163,7 @@ if [ "$PKI_DOMAIN_MODE" == "lockdown" ] || [ "$PKI_DOMAIN_MODE" == "whitelist" ] perl -i -p0e "s/(\"labcaDomains\": \[\n).*?(\])/\1$LABCA_DOMAINS\n\t\t\2/igs" config/remoteva-a.json perl -i -p0e "s/(\"labcaDomains\": \[\n).*?(\])/\1$LABCA_DOMAINS\n\t\t\2/igs" config/remoteva-b.json + perl -i -p0e "s/(\"labcaDomains\": \[\n).*?(\])/\1$LABCA_DOMAINS\n\t\t\2/igs" config/remoteva-c.json perl -i -p0e "s/(\"labcaDomains\": \[\n).*?(\])/\1$LABCA_DOMAINS\n\t\t\2/igs" config/va.json fi 
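Review bot: The added `perl -p0e "s/(ignore_lints = \[).*(\])/..." config/zlint.toml` line is missing `-i`, so unlike every other perl call in this script it only prints the rewritten file to stdout and `config/zlint.toml` is left unchanged. The greedy `.*` under the `/s` flag would also span from the first `ignore_lints = [` to the last `]` in the file, wiping everything in between; use the non-greedy form the preceding line uses: `perl -i -p0e "s/(ignore_lints = \[).*?(\])/\1\"zlint:e_crl_next_update_invalid\"\2/igs" config/zlint.toml`. Note this still overwrites whatever was already listed in `ignore_lints`; if existing entries are meant to survive, insert the new one rather than replace the list.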
diff --git a/install b/install index ce6229d..e5f2738 100755 --- a/install +++ b/install @@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0" labcaUrl="https://github.com/hakwerk/labca/" boulderUrl="https://github.com/letsencrypt/boulder/" -boulderTag="release-2025-03-18" +boulderTag="release-2025-05-27" # # Color configuration @@ -667,6 +667,8 @@ config_boulder() { sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/remoteva-a.json sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/remoteva-b.json sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/remoteva-b.json + sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/remoteva-c.json + sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/remoteva-c.json sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/va.json sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/va.json cd "$boulderDir" diff --git a/mail-tester.go b/mail-tester.go index c78839c..c1779a3 100644 --- a/mail-tester.go +++ b/mail-tester.go @@ -57,6 +57,8 @@ type config struct { // during the SMTP connection (as opposed to the gRPC connections). SMTPTrustedRootFile string + UserAgent string + Features features.Config } @@ -110,11 +112,12 @@ func main() { scope, clk, dnsTries, + c.Mailer.UserAgent, logger, tlsConfig) resolver = r } else { - r := bdns.NewTest(dnsTimeout, servers, scope, clk, dnsTries, logger, tlsConfig) + r := bdns.NewTest(dnsTimeout, servers, scope, clk, dnsTries, c.Mailer.UserAgent, logger, tlsConfig) resolver = r } diff --git a/patch-cfg.sh b/patch-cfg.sh index 25aa1f2..b1799a0 100755 --- a/patch-cfg.sh +++ b/patch-cfg.sh 
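Review bot: The new `UserAgent string` field in mail-tester.go's `config` struct has no doc comment while its neighbour `SMTPTrustedRootFile` is documented, and nothing in the hunk shows what an empty value means once it reaches `bdns.New`/`bdns.NewTest`. Suggested comment above the field: `// UserAgent is handed to the bdns resolver constructors (bdns.New / bdns.NewTest); behaviour for an empty value is defined by bdns — confirm before leaving it unset.` The same undocumented field is introduced by `patches/bad-key-revoker_main.patch`. The `main` hunk starts and ends outside the shown lines.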
@@ -32,8 +32,10 @@ cp test/config/va*.json "$boulderLabCADir/config/" perl -i -p0e "s/\"dnsProvider\": \{.*?\t\t},/\"dnsStaticResolvers\": [\n\t\t\t\"127.0.0.1:8053\",\n\t\t\t\"127.0.0.1:8054\"\n\t\t],/igs" $boulderLabCADir/config/va.json perl -i -p0e "s/\"dnsProvider\": \{.*?\t\t},/\"dnsStaticResolvers\": [\n\t\t\t\"127.0.0.1:8053\",\n\t\t\t\"127.0.0.1:8054\"\n\t\t],/igs" $boulderLabCADir/config/remoteva-a.json perl -i -p0e "s/\"dnsProvider\": \{.*?\t\t},/\"dnsStaticResolvers\": [\n\t\t\t\"127.0.0.1:8053\",\n\t\t\t\"127.0.0.1:8054\"\n\t\t],/igs" $boulderLabCADir/config/remoteva-b.json +perl -i -p0e "s/\"dnsProvider\": \{.*?\t\t},/\"dnsStaticResolvers\": [\n\t\t\t\"127.0.0.1:8053\",\n\t\t\t\"127.0.0.1:8054\"\n\t\t],/igs" $boulderLabCADir/config/remoteva-c.json perl -i -p0e "s/(\"accountURIPrefixes\": \[\n.*?\s+\])/\1,\n\t\t\"labcaDomains\": [\n\t\t]/igs" $boulderLabCADir/config/remoteva-a.json perl -i -p0e "s/(\"accountURIPrefixes\": \[\n.*?\s+\])/\1,\n\t\t\"labcaDomains\": [\n\t\t]/igs" $boulderLabCADir/config/remoteva-b.json +perl -i -p0e "s/(\"accountURIPrefixes\": \[\n.*?\s+\])/\1,\n\t\t\"labcaDomains\": [\n\t\t]/igs" $boulderLabCADir/config/remoteva-c.json perl -i -p0e "s/(\"accountURIPrefixes\": \[\n.*?\s+\])/\1,\n\t\t\"labcaDomains\": [\n\t\t]/igs" $boulderLabCADir/config/va.json perl -i -p0e "s/\n \"redis\": \{\n.*? \},//igs" $boulderLabCADir/config/ocsp-responder.json 
@@ -60,11 +62,13 @@ sed -i -e "s|1.2.3.4|1.3.6.1.4.1.44947.1.1.1|g" config/ca.json sed -i -e "s/ocspURL.Path = encodedReq/ocspURL.Path += encodedReq/" ocsp/helper/helper.go sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/remoteva-a.json sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/remoteva-b.json +sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/remoteva-c.json sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/ra.json sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/va.json sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/ca.json sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/remoteva-a.json sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/remoteva-b.json +sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/remoteva-c.json sed -i -e "s/\"endpoint\": \".*\"/\"endpoint\": \"\"/" config/sfe.json sed -i -e "s/sleep 1/sleep 5/g" wait-for-it.sh diff --git a/patch.sh b/patch.sh index 21e8c48..94ff6f7 100755 --- a/patch.sh +++ b/patch.sh @@ -20,6 +20,7 @@ $SUDO patch -p1 < $cloneDir/patches/boulder-va_main.patch $SUDO patch -p1 < $cloneDir/patches/ca_ca.patch $SUDO patch -p1 < $cloneDir/patches/ca_ca_keytype_hack.patch $SUDO patch -p1 < $cloneDir/patches/ca_crl.patch +$SUDO patch -p1 < $cloneDir/patches/ceremony_crl.patch $SUDO patch -p1 < $cloneDir/patches/ceremony_ecdsa.patch $SUDO patch -p1 < $cloneDir/patches/ceremony_key.patch $SUDO patch -p1 < $cloneDir/patches/ceremony_main.patch @@ -73,6 +74,8 @@ sed -i -e "s|./test|./labca|" start.py sed -i -e "s/proxysql:6033/mysql:3306/" sa/db/dbconfig.yml +sed -i -e "s/\(.*overrides.*\)/-- \1/" sa/db-users/boulder_sa.sql + mkdir -p "cmd/mail-tester" cp $cloneDir/mail-tester.go cmd/mail-tester/main.go perl -i -p0e "s/(\n\t\"github.com\/letsencrypt\/boulder\/cmd\")/\t_ \"github.com\/letsencrypt\/boulder\/cmd\/mail-tester\"\n\1/igs" cmd/boulder/main.go 
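Review bot: The added `sed -i -e "s/\(.*overrides.*\)/-- \1/" sa/db-users/boulder_sa.sql` in patch.sh comments out every line that merely contains the substring `overrides`, including lines that are already `--` comments and, if the statement spans several lines, only one line of it, which leaves a broken statement behind. Skip lines that are already comments with a negated address, `sed -i -e "/^--/! s/\(.*overrides.*\)/-- \1/" sa/db-users/boulder_sa.sql`, and anchor the match to the statement keyword the target line starts with (presumably a GRANT on the overrides table — confirm against the current boulder_sa.sql). A one-line comment stating why that statement must be dropped for LabCA would help the next rebase.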
diff --git a/patches/bad-key-revoker_main.patch b/patches/bad-key-revoker_main.patch index 2e8011b..212e0ef 100644 --- a/patches/bad-key-revoker_main.patch +++ b/patches/bad-key-revoker_main.patch @@ -1,5 +1,5 @@ diff --git a/cmd/bad-key-revoker/main.go b/cmd/bad-key-revoker/main.go -index c333b88c3..839437c4e 100644 +index c333b88c3..8e9cc21bd 100644 --- a/cmd/bad-key-revoker/main.go +++ b/cmd/bad-key-revoker/main.go @@ -18,6 +18,7 @@ import ( @@ -22,7 +22,16 @@ index c333b88c3..839437c4e 100644 // MaximumRevocations specifies the maximum number of certificates associated with // a key hash that bad-key-revoker will attempt to revoke. If the number of certificates // is higher than MaximumRevocations bad-key-revoker will error out and refuse to -@@ -469,8 +475,35 @@ func main() { +@@ -417,6 +423,8 @@ type Config struct { + // or no work to do. + BackoffIntervalMax config.Duration `validate:"-"` + ++ UserAgent string ++ + Mailer struct { + cmd.SMTPConfig + // Path to a file containing a list of trusted root certificates for use +@@ -469,8 +477,36 @@ func main() { cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to RA") rac := rapb.NewRegistrationAuthorityClient(conn) @@ -42,11 +51,12 @@ index c333b88c3..839437c4e 100644 + scope, + clk, + dnsTries, ++ config.BadKeyRevoker.UserAgent, + logger, + tlsConfig) + resolver = r + } else { -+ r := bdns.NewTest(dnsTimeout, servers, scope, clk, dnsTries, logger, tlsConfig) ++ r := bdns.NewTest(dnsTimeout, servers, scope, clk, dnsTries, config.BadKeyRevoker.UserAgent, logger, tlsConfig) + resolver = r + } + @@ -59,7 +69,7 @@ index c333b88c3..839437c4e 100644 pem, err := os.ReadFile(config.BadKeyRevoker.Mailer.SMTPTrustedRootFile) cmd.FailOnError(err, "Loading trusted roots file") smtpRoots = x509.NewCertPool() -@@ -490,6 +523,8 @@ func main() { +@@ -490,6 +526,8 @@ func main() { config.BadKeyRevoker.Mailer.Username, smtpPassword, smtpRoots, 
diff --git a/patches/boulder-ra_main.patch b/patches/boulder-ra_main.patch index 0f97c30..3674031 100644 --- a/patches/boulder-ra_main.patch +++ b/patches/boulder-ra_main.patch @@ -1,8 +1,8 @@ diff --git a/cmd/boulder-ra/main.go b/cmd/boulder-ra/main.go -index 5bc425c60..842277b13 100644 +index 9aa809e42..0facecca5 100644 --- a/cmd/boulder-ra/main.go +++ b/cmd/boulder-ra/main.go -@@ -281,6 +281,8 @@ func main() { +@@ -270,6 +270,8 @@ func main() { limiterRedis, err = bredis.NewRingFromConfig(*c.RA.Limiter.Redis, scope, logger) cmd.FailOnError(err, "Failed to create Redis ring") diff --git a/patches/boulder-va_main.patch b/patches/boulder-va_main.patch index a48fef3..691d7dc 100644 --- a/patches/boulder-va_main.patch +++ b/patches/boulder-va_main.patch @@ -1,5 +1,5 @@ diff --git a/cmd/boulder-va/main.go b/cmd/boulder-va/main.go -index e18989222..809e0c19e 100644 +index 981c4f9b5..9d5db072d 100644 --- a/cmd/boulder-va/main.go +++ b/cmd/boulder-va/main.go @@ -52,6 +52,7 @@ type Config struct { @@ -10,7 +10,7 @@ index e18989222..809e0c19e 100644 } Syslog cmd.SyslogConfig -@@ -150,7 +151,8 @@ func main() { +@@ -152,7 +153,8 @@ func main() { c.VA.AccountURIPrefixes, va.PrimaryPerspective, "", diff --git a/patches/ca_ca.patch b/patches/ca_ca.patch index be6a73c..1d683a0 100644 --- a/patches/ca_ca.patch +++ b/patches/ca_ca.patch @@ -1,8 +1,8 @@ diff --git a/ca/ca.go b/ca/ca.go -index a598fc5cd..264ec35cc 100644 +index f8caf76fb..400d2b613 100644 --- a/ca/ca.go +++ b/ca/ca.go -@@ -182,10 +182,10 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) { +@@ -171,10 +171,10 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) { } } if i, ok := issuersByAlg[x509.ECDSA]; !ok || len(i) == 0 { diff --git a/patches/ca_ca_keytype_hack.patch b/patches/ca_ca_keytype_hack.patch index 8898730..2e4f6f1 100644 --- a/patches/ca_ca_keytype_hack.patch +++ b/patches/ca_ca_keytype_hack.patch @@ -1,8 +1,8 @@ 
diff --git a/ca/ca.go b/ca/ca.go -index 264ec35cc..f56e9a342 100644 +index 400d2b613..09e651a96 100644 --- a/ca/ca.go +++ b/ca/ca.go -@@ -182,10 +182,14 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) { +@@ -171,10 +171,14 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) { } } if i, ok := issuersByAlg[x509.ECDSA]; !ok || len(i) == 0 { diff --git a/patches/ceremony_crl.patch b/patches/ceremony_crl.patch new file mode 100644 index 0000000..2e5bc84 --- /dev/null +++ b/patches/ceremony_crl.patch @@ -0,0 +1,13 @@ +diff --git a/cmd/ceremony/crl.go b/cmd/ceremony/crl.go +index 98790d906..4de35ae5c 100644 +--- a/cmd/ceremony/crl.go ++++ b/cmd/ceremony/crl.go +@@ -42,7 +42,7 @@ func generateCRL(signer crypto.Signer, issuer *x509.Certificate, thisUpdate, nex + } + template.ExtraExtensions = append(template.ExtraExtensions, *idp) + +- err = linter.CheckCRL(template, issuer, signer, []string{}) ++ err = linter.CheckCRL(template, issuer, signer, []string{"e_crl_next_update_invalid"}) + if err != nil { + return nil, fmt.Errorf("crl failed pre-issuance lint: %w", err) + } diff --git a/patches/cert-checker_main.patch b/patches/cert-checker_main.patch index b05d2e4..70af171 100644 --- a/patches/cert-checker_main.patch +++ b/patches/cert-checker_main.patch @@ -1,8 +1,8 @@ diff --git a/cmd/cert-checker/main.go b/cmd/cert-checker/main.go -index 615abe3c1..621c597c2 100644 +index a323e70b8..df64d3e94 100644 --- a/cmd/cert-checker/main.go +++ b/cmd/cert-checker/main.go -@@ -108,6 +108,7 @@ type certChecker struct { +@@ -109,6 +109,7 @@ type certChecker struct { acceptableValidityDurations map[time.Duration]bool lints lint.Registry logger blog.Logger @@ -10,7 +10,7 @@ index 615abe3c1..621c597c2 100644 } func newChecker(saDbMap certDB, -@@ -118,6 +119,7 @@ func newChecker(saDbMap certDB, +@@ -119,6 +120,7 @@ func newChecker(saDbMap certDB, avd map[time.Duration]bool, lints lint.Registry, logger blog.Logger, 
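Review bot: The new `patches/ceremony_crl.patch` passes `[]string{"e_crl_next_update_invalid"}` to `linter.CheckCRL`, so ceremony-issued CRLs whose nextUpdate would fail that zlint check are no longer rejected at pre-issuance, but nothing records why LabCA needs this. Add a comment above the call, e.g. `// LabCA: skip e_crl_next_update_invalid because <reason: the nextUpdate/validity window chosen for LabCA CRLs>` — presumably the same reason the `gui/apply-boulder` hunk adds `zlint:e_crl_next_update_invalid` to `ignore_lints` in zlint.toml, so both places should cite it. `generateCRL` continues outside the hunk.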
@@ -18,7 +18,7 @@ index 615abe3c1..621c597c2 100644 ) certChecker { precertGetter := func(ctx context.Context, serial string) ([]byte, error) { precertPb, err := sa.SelectPrecertificate(ctx, saDbMap, serial) -@@ -139,6 +141,7 @@ func newChecker(saDbMap certDB, +@@ -140,6 +142,7 @@ func newChecker(saDbMap certDB, acceptableValidityDurations: avd, lints: lints, logger: logger, 
@@ -26,16 +26,32 @@ index 615abe3c1..621c597c2 100644 } } -@@ -415,7 +418,7 @@ func (c *certChecker) checkCert(ctx context.Context, cert core.Certificate) ([]s - err = c.pa.WillingToIssue([]identifier.ACMEIdentifier{identifier.NewDNS(name)}) - if err != nil { - problems = append(problems, fmt.Sprintf("Policy Authority isn't willing to issue for '%s': %s", name, err)) -- } else { -+ } else if !c.skipForbiddenDomains { - // For defense-in-depth, even if the PA was willing to issue for a name - // we double check it against a list of forbidden domains. This way even - // if the hostnamePolicyFile malfunctions we will flag the forbidden -@@ -495,9 +498,10 @@ type Config struct { +@@ -437,14 +440,16 @@ func (c *certChecker) checkCert(ctx context.Context, cert *corepb.Certificate) ( + problems = append(problems, fmt.Sprintf("Policy Authority isn't willing to issue for '%s': %s", name, err)) + continue + } +- // For defense-in-depth, even if the PA was willing to issue for a name +- // we double check it against a list of forbidden domains. This way even +- // if the hostnamePolicyFile malfunctions we will flag the forbidden +- // domain matches +- if forbidden, pattern := isForbiddenDomain(name); forbidden { +- problems = append(problems, fmt.Sprintf( +- "Policy Authority was willing to issue but domain '%s' matches "+ +- "forbiddenDomains entry %q", name, pattern)) ++ if !c.skipForbiddenDomains { ++ // For defense-in-depth, even if the PA was willing to issue for a name ++ // we double check it against a list of forbidden domains. 
This way even ++ // if the hostnamePolicyFile malfunctions we will flag the forbidden ++ // domain matches ++ if forbidden, pattern := isForbiddenDomain(name); forbidden { ++ problems = append(problems, fmt.Sprintf( ++ "Policy Authority was willing to issue but domain '%s' matches "+ ++ "forbiddenDomains entry %q", name, pattern)) ++ } + } + } + for _, name := range parsedCert.IPAddresses { +@@ -533,9 +538,10 @@ type Config struct { Workers int `validate:"required,min=1"` // Deprecated: this is ignored, and cert checker always checks both expired and unexpired. @@ -49,7 +65,7 @@ index 615abe3c1..621c597c2 100644 // AcceptableValidityDurations is a list of durations which are // acceptable for certificates we issue. -@@ -555,6 +559,8 @@ func main() { +@@ -593,6 +599,8 @@ func main() { acceptableValidityDurations[ninetyDays] = true } @@ -57,8 +73,8 @@ index 615abe3c1..621c597c2 100644 + // Validate PA config and set defaults if needed. cmd.FailOnError(config.PA.CheckChallenges(), "Invalid PA configuration") - -@@ -598,6 +604,7 @@ func main() { + cmd.FailOnError(config.PA.CheckIdentifiers(), "Invalid PA configuration") +@@ -637,6 +645,7 @@ func main() { acceptableValidityDurations, lints, logger, diff --git a/patches/cmd_config.patch b/patches/cmd_config.patch index 580139d..bccf4a6 100644 --- a/patches/cmd_config.patch +++ b/patches/cmd_config.patch @@ -1,8 +1,8 @@ diff --git a/cmd/config.go b/cmd/config.go -index 3072f206c..f7271cb7c 100644 +index f8b6b847f..38ea91f33 100644 --- a/cmd/config.go +++ b/cmd/config.go -@@ -456,7 +456,7 @@ type GRPCServerConfig struct { +@@ -469,7 +469,7 @@ type GRPCServerConfig struct { // this controls how long it takes before a client learns about changes to its // backends. // https://pkg.go.dev/google.golang.org/grpc/keepalive#ServerParameters diff --git a/patches/config_crl-updater.patch b/patches/config_crl-updater.patch index f5c6cfe..202e6f3 100644 --- a/patches/config_crl-updater.patch +++ b/patches/config_crl-updater.patch 
@@ -1,8 +1,8 @@ diff --git a/test/config/crl-updater.json b/test/config/crl-updater.json -index eb5ba23e0..c4d40af92 100644 +index adb2b01e5..6066b7e5e 100644 --- a/test/config/crl-updater.json +++ b/test/config/crl-updater.json -@@ -36,18 +36,13 @@ +@@ -36,24 +36,19 @@ "hostOverride": "crl-storer.boulder" }, "issuerCerts": [ @@ -17,13 +17,20 @@ index eb5ba23e0..c4d40af92 100644 - "numShards": 10, - "shardWidth": "240h", - "lookbackPeriod": "24h", -- "updatePeriod": "6h", -- "maxParallelism": 10, +- "updatePeriod": "10m", +- "updateTimeout": "1m", + "numShards": 1, + "shardWidth": "24h", + "lookbackPeriod": "96h", + "updatePeriod": "24h", ++ "updateTimeout": "2m", + "expiresMargin": "5m", + "cacheControl": "stale-if-error=60", + "temporallyShardedSerialPrefixes": [ + "7f" + ], +- "maxParallelism": 10, + "maxParallelism": 1, - "maxAttempts": 5, + "maxAttempts": 2, "features": {} }, diff --git a/patches/config_publisher.patch b/patches/config_publisher.patch index f54d7ba..bd4a25a 100644 --- a/patches/config_publisher.patch +++ b/patches/config_publisher.patch @@ -1,11 +1,13 @@ diff --git a/test/config/publisher.json b/test/config/publisher.json -index 6e0337c..1e5ed7b 100644 +index 1909a6f60..795de12e6 100644 --- a/test/config/publisher.json +++ b/test/config/publisher.json -@@ -6,18 +6,6 @@ +@@ -4,20 +4,8 @@ + "blockProfileRate": 1000000000, + "chains": [ [ - "test/certs/webpki/int-rsa-a.cert.pem", - "test/certs/webpki/root-rsa.cert.pem" +- "test/certs/webpki/int-rsa-a.cert.pem", +- "test/certs/webpki/root-rsa.cert.pem" - ], - [ - "test/certs/webpki/int-rsa-b.cert.pem", 
@@ -18,6 +20,21 @@ index 6e0337c..1e5ed7b 100644 - [ - "test/certs/webpki/int-ecdsa-b.cert.pem", - "test/certs/webpki/root-ecdsa.cert.pem" ++ "labca/certs/webpki/issuer-01-cert.pem", ++ "labca/certs/webpki/root-01-cert.pem" ] ], - "debugAddr": ":8009", + "grpc": { +@@ -36,9 +24,9 @@ + } + }, + "tls": { +- "caCertFile": "test/certs/ipki/minica.pem", +- "certFile": "test/certs/ipki/publisher.boulder/cert.pem", +- "keyFile": "test/certs/ipki/publisher.boulder/key.pem" ++ "caCertFile": "labca/certs/ipki/minica.pem", ++ "certFile": "labca/certs/ipki/publisher.boulder/cert.pem", ++ "keyFile": "labca/certs/ipki/publisher.boulder/key.pem" + }, + "features": {} + }, diff --git a/patches/config_ra.patch b/patches/config_ra.patch index f855d25..2e6b4ae 100644 --- a/patches/config_ra.patch +++ b/patches/config_ra.patch @@ -1,10 +1,39 @@ diff --git a/test/config/ra.json b/test/config/ra.json -index 23c277c6c..0aa9a0088 100644 +index c16978e12..15e8252c0 100644 --- a/test/config/ra.json 
+++ b/test/config/ra.json -@@ -33,12 +33,7 @@ - "fermatRounds": 100 +@@ -3,7 +3,8 @@ + "limiter": { + "redis": { + "username": "boulder-wfe", +- "passwordFile": "test/secrets/wfe_ratelimits_redis_password", ++ "passwordFile": "labca/secrets/wfe_ratelimits_redis_password", ++ "db": 1, + "lookups": [ + { + "Service": "redisratelimits", +@@ -16,25 +17,20 @@ + "poolSize": 100, + "routeRandomly": true, + "tls": { +- "caCertFile": "test/certs/ipki/minica.pem", +- "certFile": "test/certs/ipki/wfe.boulder/cert.pem", +- "keyFile": "test/certs/ipki/wfe.boulder/key.pem" ++ "caCertFile": "labca/certs/ipki/minica.pem", ++ "certFile": "labca/certs/ipki/wfe.boulder/cert.pem", ++ "keyFile": "labca/certs/ipki/wfe.boulder/key.pem" + } + }, +- "Defaults": "test/config/wfe2-ratelimit-defaults.yml", +- "Overrides": "test/config/wfe2-ratelimit-overrides.yml" ++ "Defaults": "labca/config/wfe2-ratelimit-defaults.yml", ++ "Overrides": "labca/config/wfe2-ratelimit-overrides.yml" }, + "maxContactsPerRegistration": 3, + "debugAddr": ":8002", +- "hostnamePolicyFile": "test/hostname-policy.yaml", ++ "hostnamePolicyFile": "labca/hostname-policy.yaml", + "goodkey": {}, "issuerCerts": [ - "test/certs/webpki/int-rsa-a.cert.pem", - "test/certs/webpki/int-rsa-b.cert.pem", 
@@ -12,7 +41,29 @@ index 23c277c6c..0aa9a0088 100644 - "test/certs/webpki/int-ecdsa-a.cert.pem", - "test/certs/webpki/int-ecdsa-b.cert.pem", - "test/certs/webpki/int-ecdsa-c.cert.pem" -+ "test/certs/webpki/int-rsa-a.cert.pem" ++ "labca/certs/webpki/issuer-01-cert.pem" ], "validationProfiles": { "legacy": { +@@ -58,9 +54,9 @@ + }, + "defaultProfileName": "legacy", + "tls": { +- "caCertFile": "test/certs/ipki/minica.pem", +- "certFile": "test/certs/ipki/ra.boulder/cert.pem", +- "keyFile": "test/certs/ipki/ra.boulder/key.pem" ++ "caCertFile": "labca/certs/ipki/minica.pem", ++ "certFile": "labca/certs/ipki/ra.boulder/cert.pem", ++ "keyFile": "labca/certs/ipki/ra.boulder/key.pem" + }, + "vaService": { + "dnsAuthority": "consul.service.consul", +@@ -154,7 +150,7 @@ + }, + "ctLogs": { + "stagger": "500ms", +- "logListFile": "test/ct-test-srv/log_list.json", ++ "logListFile": "labca/ct-test-srv/log_list.json", + "sctLogs": [ + "A1 Current", + "A1 Future", diff --git a/patches/config_wfe2.patch b/patches/config_wfe2.patch index 8b6f4a9..4bb9f87 100644 --- a/patches/config_wfe2.patch +++ b/patches/config_wfe2.patch @@ -1,19 +1,48 @@ diff --git a/test/config/wfe2.json b/test/config/wfe2.json -index 6a5f95ef0..b880db50f 100644 +index 51c7aa8ef..1ed5d37af 100644 --- a/test/config/wfe2.json 
+++ b/test/config/wfe2.json -@@ -12,6 +12,7 @@ +@@ -3,8 +3,8 @@ + "timeout": "30s", + "listenAddress": "0.0.0.0:4001", + "TLSListenAddress": "0.0.0.0:4431", +- "serverCertificatePath": "test/certs/ipki/boulder/cert.pem", +- "serverKeyPath": "test/certs/ipki/boulder/key.pem", ++ "serverCertificatePath": "labca/certs/ipki/boulder/cert.pem", ++ "serverKeyPath": "labca/certs/ipki/boulder/key.pem", + "allowOrigins": [ + "*" + ], +@@ -12,13 +12,14 @@ + "subscriberAgreementURL": "https://boulder.service.consul:4431/terms/v7", "debugAddr": ":8013", "directoryCAAIdentity": "happy-hacker-ca.invalid", - "directoryWebsite": "https://github.com/letsencrypt/boulder", -+ "hostnamePolicyFile": "test/hostname-policy.yaml", +- "directoryWebsite": "https://github.com/letsencrypt/boulder", ++ "directoryWebsite": "https://github.com/hakwerk/labca", ++ "hostnamePolicyFile": "labca/hostname-policy.yaml", "legacyKeyIDPrefix": "http://boulder.service.consul:4000/reg/", "goodkey": {}, "tls": { -@@ -77,26 +78,6 @@ +- "caCertFile": "test/certs/ipki/minica.pem", +- "certFile": "test/certs/ipki/wfe.boulder/cert.pem", +- "keyFile": "test/certs/ipki/wfe.boulder/key.pem" ++ "caCertFile": "labca/certs/ipki/minica.pem", ++ "certFile": "labca/certs/ipki/wfe.boulder/cert.pem", ++ "keyFile": "labca/certs/ipki/wfe.boulder/key.pem" + }, + "raService": { + "dnsAuthority": "consul.service.consul", +@@ -72,39 +73,20 @@ + "hostOverride": "nonce.boulder" + }, + "nonceHMACKey": { +- "keyFile": "test/secrets/nonce_prefix_key" ++ "keyFile": "labca/secrets/nonce_prefix_key" + }, + "chains": [ [ - "test/certs/webpki/int-rsa-a.cert.pem", - "test/certs/webpki/root-rsa.cert.pem" +- "test/certs/webpki/int-rsa-a.cert.pem", +- "test/certs/webpki/root-rsa.cert.pem" - ], - [ - "test/certs/webpki/int-rsa-b.cert.pem", 
@@ -34,6 +63,45 @@ index 6a5f95ef0..b880db50f 100644 - [ - "test/certs/webpki/int-ecdsa-b-cross.cert.pem", - "test/certs/webpki/root-rsa.cert.pem" ++ "labca/certs/webpki/issuer-01-cert.pem", ++ "labca/certs/webpki/root-01-cert.pem" ] ], "staleTimeout": "5m", + "limiter": { + "redis": { + "username": "boulder-wfe", +- "passwordFile": "test/secrets/wfe_ratelimits_redis_password", ++ "passwordFile": "labca/secrets/wfe_ratelimits_redis_password", ++ "db": 1, + "lookups": [ + { + "Service": "redisratelimits", +@@ -117,13 +99,13 @@ + "poolSize": 100, + "routeRandomly": true, + "tls": { +- "caCertFile": "test/certs/ipki/minica.pem", +- "certFile": "test/certs/ipki/wfe.boulder/cert.pem", +- "keyFile": "test/certs/ipki/wfe.boulder/key.pem" ++ "caCertFile": "labca/certs/ipki/minica.pem", ++ "certFile": "labca/certs/ipki/wfe.boulder/cert.pem", ++ "keyFile": "labca/certs/ipki/wfe.boulder/key.pem" + } + }, +- "Defaults": "test/config/wfe2-ratelimit-defaults.yml", +- "Overrides": "test/config/wfe2-ratelimit-overrides.yml" ++ "Defaults": "labca/config/wfe2-ratelimit-defaults.yml", ++ "Overrides": "labca/config/wfe2-ratelimit-overrides.yml" + }, + "features": { + "ServeRenewalInfo": true, +@@ -136,7 +118,7 @@ + }, + "unpause": { + "hmacKey": { +- "keyFile": "test/secrets/sfe_unpause_key" ++ "keyFile": "labca/secrets/sfe_unpause_key" + }, + "jwtLifetime": "336h", + "url": "https://boulder.service.consul:4003" diff --git a/patches/contact-auditor_main.patch b/patches/contact-auditor_main.patch index 7b90dcd..6b008d5 100644 --- a/patches/contact-auditor_main.patch +++ b/patches/contact-auditor_main.patch @@ -1,22 +1,27 @@ diff --git a/cmd/contact-auditor/main.go b/cmd/contact-auditor/main.go -index a20560b6f..ac0d567f8 100644 +index fdec0c660..cc62d91c0 100644 --- a/cmd/contact-auditor/main.go 
+++ b/cmd/contact-auditor/main.go -@@ -12,6 +12,7 @@ import ( +@@ -12,7 +12,9 @@ import ( "time" "github.com/letsencrypt/boulder/cmd" + "github.com/letsencrypt/boulder/core" "github.com/letsencrypt/boulder/db" ++ "github.com/letsencrypt/boulder/identifier" blog "github.com/letsencrypt/boulder/log" "github.com/letsencrypt/boulder/policy" -@@ -50,9 +51,13 @@ func validateContacts(id int64, createdAt string, contacts []string) error { + "github.com/letsencrypt/boulder/sa" +@@ -50,9 +52,16 @@ func validateContacts(id int64, createdAt string, contacts []string) error { fmt.Fprintf(&probsBuff, "%d\t%s\tvalidation\t%q\t%q\t%q\n", id, createdAt, contact, prob, contacts) } + var pa *policy.AuthorityImpl + logger := cmd.NewLogger(cmd.SyslogConfig{StdoutLevel: 7}) -+ pa, _ = policy.New(map[core.AcmeChallenge]bool{}, logger) ++ pa, _ = policy.New( ++ map[identifier.IdentifierType]bool{identifier.TypeDNS: true, identifier.TypeIP: true}, ++ map[core.AcmeChallenge]bool{}, ++ logger) + for _, contact := range contacts { if strings.HasPrefix(contact, "mailto:") { diff --git a/patches/docker-compose.patch b/patches/docker-compose.patch index e01a54a..32b305f 100644 --- a/patches/docker-compose.patch +++ b/patches/docker-compose.patch @@ -1,5 +1,5 @@ diff --git a/docker-compose.yml b/docker-compose.yml -index b66a13d04..6e06c3578 100644 +index 9b05172ef..e981e30ec 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,3 +1,4 @@ @@ -26,7 +26,7 @@ index b66a13d04..6e06c3578 100644 networks: bouldernet: ipv4_address: 10.77.77.77 -@@ -50,121 +53,138 @@ services: +@@ -53,121 +56,138 @@ services: - 4003:4003 # SFE depends_on: - bmysql @@ -234,7 +234,7 @@ index b66a13d04..6e06c3578 100644 + restart: always bpkimetal: - image: ghcr.io/pkimetal/pkimetal:v1.19.0 + image: ghcr.io/pkimetal/pkimetal:v1.20.0 networks: bouldernet: ipv4_address: 10.77.77.9 diff --git a/patches/expiration-mailer_main.patch b/patches/expiration-mailer_main.patch index 47591f4..383edab 100644 
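Review bot: The rewritten `pa, _ = policy.New(...)` in validateContacts still discards the constructor error, so a failing policy.New leaves `pa` nil and the later `pa.` call (outside the hunk) dereferences it; write `pa, err := policy.New(` with the same arguments and follow it with `if err != nil { return fmt.Errorf("creating policy authority: %w", err) }`, which also makes the `var pa *policy.AuthorityImpl` line unnecessary. Building a syslog logger and a policy authority on every validateContacts call is also repeated work per registration; constructing them once in main (or as a package-level value, as the ratelimits patch does) would be cleaner. validateContacts continues outside the hunk.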
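Review bot: `image: ghcr.io/pkimetal/pkimetal:v1.20.0` pins the certificate-linting image by a mutable tag only; for a CA deployment the image that lints issued certificates should be pinned by digest as well, `image: ghcr.io/pkimetal/pkimetal:v1.20.0@sha256:<digest of the v1.20.0 manifest>`, so a re-pushed tag cannot silently change what runs. The other service images in this compose file are outside the hunk and presumably deserve the same treatment.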
--- a/patches/expiration-mailer_main.patch +++ b/patches/expiration-mailer_main.patch @@ -1,5 +1,5 @@ diff --git a/cmd/expiration-mailer/main.go b/cmd/expiration-mailer/main.go -index eed765273..e17bfde1c 100644 +index 8c80c8408..4102e879b 100644 --- a/cmd/expiration-mailer/main.go +++ b/cmd/expiration-mailer/main.go @@ -23,6 +23,7 @@ import ( @@ -10,7 +10,7 @@ index eed765273..e17bfde1c 100644 "github.com/letsencrypt/boulder/cmd" "github.com/letsencrypt/boulder/config" "github.com/letsencrypt/boulder/core" -@@ -39,7 +40,7 @@ import ( +@@ -40,7 +41,7 @@ import ( ) const ( @@ -19,11 +19,11 @@ index eed765273..e17bfde1c 100644 ) var ( -@@ -161,8 +162,12 @@ func (m *mailer) sendNags(conn bmail.Conn, contacts []string, certs []*x509.Cert +@@ -162,8 +163,12 @@ func (m *mailer) sendNags(conn bmail.Conn, contacts []string, certs []*x509.Cert if parsed.Scheme != "mailto" { continue } -+ pa, err := policy.New(nil, nil) ++ pa, err := policy.New(nil, nil, nil) + if err != nil { + return fmt.Errorf("cannot create policy authority implementation") + } @@ -33,7 +33,7 @@ index eed765273..e17bfde1c 100644 if err != nil { m.log.Debugf("skipping invalid email: %s", err) continue -@@ -697,6 +702,11 @@ type Config struct { +@@ -697,10 +702,17 @@ type Config struct { TLS cmd.TLSConfig SAService *cmd.GRPCClientConfig @@ -45,7 +45,13 @@ index eed765273..e17bfde1c 100644 // Path to a file containing a list of trusted root certificates for use // during the SMTP connection (as opposed to the gRPC connections). SMTPTrustedRootFile string -@@ -850,8 +860,35 @@ func main() { + ++ UserAgent string ++ + Features features.Config + } + +@@ -850,8 +862,36 @@ func main() { cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA") sac := sapb.NewStorageAuthorityClient(conn) 
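Review bot: The error branch under the updated `pa, err := policy.New(nil, nil, nil)`, `return fmt.Errorf("cannot create policy authority implementation")`, drops `err`, so a policy-authority failure is reported without its cause; use `return fmt.Errorf("creating policy authority: %w", err)`. The same `%w`-less message appears in all three lazy `policy.New(nil, nil, nil)` fallbacks in ratelimits_names.patch further down. Creating a policy authority inside sendNags' per-contact loop also repeats the work for every contact and could be hoisted to the mailer struct. sendNags continues outside the hunk.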
@@ -65,11 +71,12 @@ index eed765273..e17bfde1c 100644 + scope, + clk, + dnsTries, ++ c.Mailer.UserAgent, + logger, + tlsConfig) + resolver = r + } else { -+ r := bdns.NewTest(dnsTimeout, servers, scope, clk, dnsTries, logger, tlsConfig) ++ r := bdns.NewTest(dnsTimeout, servers, scope, clk, dnsTries, c.Mailer.UserAgent, logger, tlsConfig) + resolver = r + } + @@ -82,7 +89,7 @@ index eed765273..e17bfde1c 100644 pem, err := os.ReadFile(c.Mailer.SMTPTrustedRootFile) cmd.FailOnError(err, "Loading trusted roots file") smtpRoots = x509.NewCertPool() -@@ -885,6 +922,8 @@ func main() { +@@ -885,6 +925,8 @@ func main() { c.Mailer.Username, smtpPassword, smtpRoots, diff --git a/patches/issuance_issuer.patch b/patches/issuance_issuer.patch index 62be085..6e9b664 100644 --- a/patches/issuance_issuer.patch +++ b/patches/issuance_issuer.patch @@ -1,17 +1,17 @@ diff --git a/issuance/issuer.go b/issuance/issuer.go -index 950ce44ce..b2264e86a 100644 +index 95d2f03a7..c3129fe97 100644 --- a/issuance/issuer.go +++ b/issuance/issuer.go -@@ -162,7 +162,7 @@ type IssuerConfig struct { +@@ -161,7 +161,7 @@ type IssuerConfig struct { + Active bool IssuerURL string `validate:"required,url"` - OCSPURL string `validate:"required,url"` - CRLURLBase string `validate:"required,url,startswith=http://,endswith=/"` + CRLURLBase string `validate:"required,url,startswith=http://"` - // Number of CRL shards. - // This must be nonzero if adding CRLDistributionPoints to certificates -@@ -252,9 +252,6 @@ func newIssuer(config IssuerConfig, cert *Certificate, signer crypto.Signer, clk + // TODO(#8177): Remove this. + OCSPURL string `validate:"omitempty,url"` +@@ -248,9 +248,6 @@ func newIssuer(config IssuerConfig, cert *Certificate, signer crypto.Signer, clk if !strings.HasPrefix(config.CRLURLBase, "http://") { return nil, fmt.Errorf("crlURLBase must use HTTP scheme, got %q", config.CRLURLBase) } diff --git a/patches/mail_mailer.patch b/patches/mail_mailer.patch index 6909c9b..0cab39f 100644 
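Review bot: The `else` branch now builds the mailer's resolver with `bdns.NewTest(dnsTimeout, servers, scope, clk, dnsTries, c.Mailer.UserAgent, logger, tlsConfig)`, whose name marks it as a test constructor; if, as the name suggests, it relaxes the address restrictions the constructor in the `if` branch enforces, SMTP hosts are resolved under test rules in non-test deployments. If that is deliberate for LabCA's local-network setups, a comment on that line should say so, e.g. `// LabCA: NewTest is used so the mailer can resolve SMTP hosts on private/loopback ranges.`; otherwise use the same constructor as the `if` branch. The branch condition and the rest of main lie outside the hunk.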
--- a/patches/mail_mailer.patch +++ b/patches/mail_mailer.patch @@ -1,5 +1,5 @@ diff --git a/mail/mailer.go b/mail/mailer.go -index 31ebd40b1..61add3ec2 100644 +index 31ebd40b1..760b0b66e 100644 --- a/mail/mailer.go +++ b/mail/mailer.go @@ -2,6 +2,7 @@ package mail @@ -10,7 +10,7 @@ index 31ebd40b1..61add3ec2 100644 "crypto/rand" "crypto/tls" "crypto/x509" -@@ -23,8 +24,11 @@ import ( +@@ -23,7 +24,9 @@ import ( "github.com/jmhodges/clock" "github.com/prometheus/client_golang/prometheus" @@ -18,11 +18,9 @@ index 31ebd40b1..61add3ec2 100644 "github.com/letsencrypt/boulder/core" + berrors "github.com/letsencrypt/boulder/errors" blog "github.com/letsencrypt/boulder/log" -+ "github.com/letsencrypt/boulder/probs" ) - type idGenerator interface { -@@ -139,6 +143,8 @@ func New( +@@ -139,6 +142,8 @@ func New( username, password string, rootCAs *x509.CertPool, @@ -31,7 +29,7 @@ index 31ebd40b1..61add3ec2 100644 from mail.Address, logger blog.Logger, stats prometheus.Registerer, -@@ -154,11 +160,13 @@ func New( +@@ -154,11 +159,13 @@ func New( return &mailerImpl{ config: config{ dialer: &dialerImpl{ @@ -50,7 +48,7 @@ index 31ebd40b1..61add3ec2 100644 }, log: logger, from: from, -@@ -202,7 +210,7 @@ func (c config) generateMessage(to []string, subject, body string) ([]byte, erro +@@ -202,7 +209,7 @@ func (c config) generateMessage(to []string, subject, body string) ([]byte, erro fmt.Sprintf("To: %s", strings.Join(addrs, ", ")), fmt.Sprintf("From: %s", c.from.String()), fmt.Sprintf("Subject: %s", subject), @@ -59,7 +57,7 @@ index 31ebd40b1..61add3ec2 100644 fmt.Sprintf("Message-Id: <%s.%s.%s>", now.Format("20060102T150405"), mid.String(), c.from.Address), "MIME-Version: 1.0", "Content-Type: text/plain; charset=UTF-8", -@@ -259,23 +267,41 @@ func (m *mailerImpl) Connect() (Conn, error) { +@@ -259,23 +266,41 @@ func (m *mailerImpl) Connect() (Conn, error) { type dialerImpl struct { username, password, server, port string rootCAs *x509.CertPool 
@@ -81,7 +79,7 @@ index 31ebd40b1..61add3ec2 100644 + addrs, _, err := di.dnsClient.LookupHost(ctx, di.server) if err != nil { - return nil, err -+ problem := probs.DNS("%v") ++ problem := berrors.DNSError("%v") + return nil, problem + } + diff --git a/patches/notify-mailer_main.patch b/patches/notify-mailer_main.patch index 4677e96..279f29a 100644 --- a/patches/notify-mailer_main.patch +++ b/patches/notify-mailer_main.patch @@ -1,5 +1,5 @@ diff --git a/cmd/notify-mailer/main.go b/cmd/notify-mailer/main.go -index 6c01efd64..23b1f4f9d 100644 +index 6c01efd64..6da77c7eb 100644 --- a/cmd/notify-mailer/main.go +++ b/cmd/notify-mailer/main.go @@ -2,6 +2,7 @@ package notmain @@ -48,7 +48,7 @@ index 6c01efd64..23b1f4f9d 100644 + cmd.FailOnError(cfg.PA.CheckChallenges(), "Invalid PA configuration") + + logger := cmd.NewLogger(cmd.SyslogConfig{StdoutLevel: 7}) -+ pa, err := policy.New(cfg.PA.Challenges, logger) ++ pa, err := policy.New(cfg.PA.Identifiers, cfg.PA.Challenges, logger) + cmd.FailOnError(err, "Failed to create PA") + err = pa.LoadHostnamePolicyFile(cfg.NotifyMailer.HostnamePolicyFile) + cmd.FailOnError(err, "Failed to load HostnamePolicyFile") diff --git a/patches/policy_pa.patch b/patches/policy_pa.patch index f45ad40..b0b5408 100644 --- a/patches/policy_pa.patch +++ b/patches/policy_pa.patch @@ -1,8 +1,8 @@ diff --git a/policy/pa.go b/policy/pa.go -index bbe928cd0..0c21848b7 100644 +index 661a6b6bc..17dde317f 100644 --- a/policy/pa.go +++ b/policy/pa.go -@@ -31,6 +31,9 @@ type AuthorityImpl struct { +@@ -32,6 +32,9 @@ type AuthorityImpl struct { blocklist map[string]bool exactBlocklist map[string]bool wildcardExactBlocklist map[string]bool 
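Review bot: `problem := berrors.DNSError("%v")` passes a format verb with no argument, so the returned error text is `%!v(MISSING)` and the actual `err` from `LookupHost` reaches neither the log nor the caller; it should read `problem := berrors.DNSError("%v", err)`. The replaced `probs.DNS("%v")` had the same omission, so this bump is the moment to fix it. The dial logic around it continues outside the hunk.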
@@ -11,8 +11,8 @@ index bbe928cd0..0c21848b7 100644 + ldPublicContacts bool blocklistMu sync.RWMutex - enabledChallenges map[core.AcmeChallenge]bool -@@ -64,6 +67,10 @@ type blockedNamesPolicy struct { + enabledChallenges map[core.AcmeChallenge]bool +@@ -75,6 +78,10 @@ type blockedNamesPolicy struct { // time above and beyond the high-risk domains. Managing these entries separately // from HighRiskBlockedNames makes it easier to vet changes accurately. AdminBlockedNames []string `yaml:"AdminBlockedNames"` @@ -23,7 +23,7 @@ index bbe928cd0..0c21848b7 100644 } // LoadHostnamePolicyFile will load the given policy file, returning an error if -@@ -123,10 +130,21 @@ func (pa *AuthorityImpl) processHostnamePolicy(policy blockedNamesPolicy) error +@@ -134,10 +141,21 @@ func (pa *AuthorityImpl) processHostnamePolicy(policy blockedNamesPolicy) error // wildcardNameMap to block issuance for `*.`+parts[1] wildcardNameMap[parts[1]] = true } @@ -45,16 +45,16 @@ index bbe928cd0..0c21848b7 100644 pa.blocklistMu.Unlock() return nil } -@@ -196,7 +214,7 @@ var ( +@@ -209,7 +227,7 @@ var ( // - exactly equal to an IANA registered TLD // // It does NOT ensure that the domain is absent from any PA blocked lists. -func validNonWildcardDomain(domain string) error { +func (pa *AuthorityImpl) ValidNonWildcardDomain(domain string, isContact bool) error { if domain == "" { - return errEmptyName + return errEmptyIdentifier } -@@ -228,7 +246,9 @@ func validNonWildcardDomain(domain string) error { +@@ -241,7 +259,9 @@ func validNonWildcardDomain(domain string) error { return errTooManyLabels } if len(labels) < 2 { @@ -65,7 +65,7 @@ index bbe928cd0..0c21848b7 100644 } for _, label := range labels { // Check that this is a valid LDH Label: "A string consisting of ASCII -@@ -272,6 +292,14 @@ func validNonWildcardDomain(domain string) error { +@@ -285,6 +305,14 @@ func validNonWildcardDomain(domain string) error { } } 
@@ -80,7 +80,7 @@ index bbe928cd0..0c21848b7 100644 // Names must end in an ICANN TLD, but they must not be equal to an ICANN TLD. icannTLD, err := iana.ExtractSuffix(domain) if err != nil { -@@ -287,9 +315,9 @@ func validNonWildcardDomain(domain string) error { +@@ -300,9 +328,9 @@ func validNonWildcardDomain(domain string) error { // ValidDomain checks that a domain is valid and that it doesn't contain any // invalid wildcard characters. It does NOT ensure that the domain is absent // from any PA blocked lists. @@ -92,7 +92,7 @@ index bbe928cd0..0c21848b7 100644 } // Names containing more than one wildcard are invalid. -@@ -308,7 +336,7 @@ func ValidDomain(domain string) error { +@@ -321,7 +349,7 @@ func ValidDomain(domain string) error { // Names must end in an ICANN TLD, but they must not be equal to an ICANN TLD. icannTLD, err := iana.ExtractSuffix(baseDomain) @@ -101,7 +101,7 @@ index bbe928cd0..0c21848b7 100644 return errNonPublic } // Names must have a non-wildcard label immediately adjacent to the ICANN -@@ -316,7 +344,7 @@ func ValidDomain(domain string) error { +@@ -329,7 +357,7 @@ func ValidDomain(domain string) error { if baseDomain == icannTLD { return errICANNTLDWildcard } @@ -109,8 +109,8 @@ index bbe928cd0..0c21848b7 100644 + return pa.ValidNonWildcardDomain(baseDomain, false) } - // forbiddenMailDomains is a map of domain names we do not allow after the -@@ -334,14 +362,14 @@ var forbiddenMailDomains = map[string]bool{ + // validIP checks that an IP address: +@@ -375,14 +403,14 @@ var forbiddenMailDomains = map[string]bool{ // ValidEmail returns an error if the input doesn't parse as an email address, // the domain isn't a valid hostname in Preferred Name Syntax, or its on the // list of domains forbidden for mail (because they are often used in examples). 
@@ -127,43 +127,42 @@ index bbe928cd0..0c21848b7 100644 if err != nil { return berrors.InvalidEmailError("contact email has invalid domain: %s", err) } -@@ -383,7 +411,7 @@ func subError(ident identifier.ACMEIdentifier, err error) berrors.SubBoulderErro +@@ -424,7 +452,7 @@ func subError(ident identifier.ACMEIdentifier, err error) berrors.SubBoulderErro // // Precondition: all input identifier values must be in lowercase. - func (pa *AuthorityImpl) WillingToIssue(idents []identifier.ACMEIdentifier) error { + func (pa *AuthorityImpl) WillingToIssue(idents identifier.ACMEIdentifiers) error { - err := WellFormedIdentifiers(idents) + err := pa.WellFormedIdentifiers(idents) if err != nil { return err } -@@ -407,6 +435,10 @@ func (pa *AuthorityImpl) WillingToIssue(idents []identifier.ACMEIdentifier) erro +@@ -454,6 +482,10 @@ func (pa *AuthorityImpl) WillingToIssue(idents identifier.ACMEIdentifiers) error + } } - } -+ if ok, _ := pa.checkWhitelist(ident.Value, false); ok { -+ return nil -+ } ++ if ok, _ := pa.checkWhitelist(ident.Value, false); ok { ++ return nil ++ } + - // For both wildcard and non-wildcard domains, check whether any parent domain - // name is on the regular blocklist. - err := pa.checkHostLists(ident.Value) -@@ -441,13 +473,13 @@ func (pa *AuthorityImpl) WillingToIssue(idents []identifier.ACMEIdentifier) erro + // For both wildcard and non-wildcard domains, check whether any parent domain + // name is on the regular blocklist. + err := pa.checkHostLists(ident.Value) +@@ -494,12 +526,12 @@ func (pa *AuthorityImpl) WillingToIssue(idents identifier.ACMEIdentifiers) error // - // If multiple domains are invalid, the error will contain suberrors specific to - // each domain. --func WellFormedIdentifiers(idents []identifier.ACMEIdentifier) error { -+func (pa *AuthorityImpl) WellFormedIdentifiers(idents []identifier.ACMEIdentifier) error { + // If multiple identifiers are invalid, the error will contain suberrors + // specific to each identifier. 
+-func WellFormedIdentifiers(idents identifier.ACMEIdentifiers) error { ++func (pa *AuthorityImpl) WellFormedIdentifiers(idents identifier.ACMEIdentifiers) error { var subErrors []berrors.SubBoulderError for _, ident := range idents { - // TODO(#7311): When this gets a third case for TypeIP, this will be - // more elegant as a switch/case. - if ident.Type == identifier.TypeDNS { + switch ident.Type { + case identifier.TypeDNS: - err := ValidDomain(ident.Value) + err := pa.ValidDomain(ident.Value) if err != nil { subErrors = append(subErrors, subError(ident, err)) } -@@ -484,6 +516,34 @@ func combineSubErrors(subErrors []berrors.SubBoulderError) error { +@@ -541,6 +573,34 @@ func combineSubErrors(subErrors []berrors.SubBoulderError) error { return nil } @@ -198,7 +197,7 @@ index bbe928cd0..0c21848b7 100644 // checkWildcardHostList checks the wildcardExactBlocklist for a given domain. // If the domain is not present on the list nil is returned, otherwise // errPolicyForbidden is returned. -@@ -513,6 +573,9 @@ func (pa *AuthorityImpl) checkHostLists(domain string) error { +@@ -570,6 +630,9 @@ func (pa *AuthorityImpl) checkHostLists(domain string) error { labels := strings.Split(domain, ".") for i := range labels { joined := strings.Join(labels[i:], ".") diff --git a/patches/ra_ra.patch b/patches/ra_ra.patch index 383635a..d340ae1 100644 --- a/patches/ra_ra.patch +++ b/patches/ra_ra.patch @@ -1,8 +1,8 @@ diff --git a/ra/ra.go b/ra/ra.go -index 091a40ab6..a89f1e3e2 100644 +index e8acf0781..3122449be 100644 --- a/ra/ra.go +++ b/ra/ra.go -@@ -43,7 +43,6 @@ import ( +@@ -44,7 +44,6 @@ import ( "github.com/letsencrypt/boulder/issuance" blog "github.com/letsencrypt/boulder/log" "github.com/letsencrypt/boulder/metrics" 
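Review bot: The re-indented whitelist check in WillingToIssue, `if ok, _ := pa.checkWhitelist(ident.Value, false); ok { return nil }`, returns from the whole function instead of moving to the next identifier; if, as the use of `ident.Value` suggests, it sits inside the per-identifier loop (the loop header is outside the hunk), one whitelisted name lets every later identifier in the same order skip the blocklist checks and, where suberrors are being collected as in WellFormedIdentifiers, discards those already gathered. Replacing `return nil` with `continue` keeps the whitelist a per-identifier exemption. The discarded second return value of checkWhitelist also deserves a comment saying what it carries.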
@@ -10,7 +10,7 @@ index 091a40ab6..a89f1e3e2 100644 "github.com/letsencrypt/boulder/probs" pubpb "github.com/letsencrypt/boulder/publisher/proto" rapb "github.com/letsencrypt/boulder/ra/proto" -@@ -593,7 +592,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error { +@@ -608,7 +607,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error { if !core.IsASCII(contact) { return berrors.InvalidEmailError("contact email contains non-ASCII characters") } @@ -19,7 +19,7 @@ index 091a40ab6..a89f1e3e2 100644 if err != nil { return err } -@@ -1906,6 +1905,9 @@ func crlShard(cert *x509.Certificate) (int64, error) { +@@ -1981,6 +1980,9 @@ func crlShard(cert *x509.Certificate) (int64, error) { return 0, fmt.Errorf("malformed CRLDistributionPoint %q", url) } shardStr := url[lastIndex+1:] diff --git a/patches/ratelimits_names.patch b/patches/ratelimits_names.patch index f35af13..a9bc69b 100644 --- a/patches/ratelimits_names.patch +++ b/patches/ratelimits_names.patch @@ -1,5 +1,5 @@ diff --git a/ratelimits/names.go b/ratelimits/names.go -index 8e8ed80c4..6e3e77639 100644 +index bfda772b5..971892f22 100644 --- a/ratelimits/names.go +++ b/ratelimits/names.go @@ -102,6 +102,9 @@ var nameToString = map[Name]string{ @@ -20,7 +20,7 @@ index 8e8ed80c4..6e3e77639 100644 + pa := PA + var err error + if pa == nil { -+ pa, err = policy.New(nil, nil) ++ pa, err = policy.New(nil, nil, nil) + if err != nil { + return fmt.Errorf("cannot create policy authority implementation") + } @@ -36,7 +36,7 @@ index 8e8ed80c4..6e3e77639 100644 - err = policy.ValidDomain(regIdDomain[1]) + pa := PA + if pa == nil { -+ pa, err = policy.New(nil, nil) ++ pa, err = policy.New(nil, nil, nil) + if err != nil { + return fmt.Errorf("cannot create policy authority implementation") + } 
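Review bot: The lazy fallback `pa, err = policy.New(nil, nil, nil)` is now repeated in three validators (this hunk, the one after it, and validateFQDNSet on the next line), so the signature change had to be applied three times; a small helper such as `func defaultPA() (*policy.AuthorityImpl, error)` returning the package-level PA or building the default one would keep them in step at the next bump. The nil first argument also differs from the explicit DNS+IP identifier map passed in the contact-auditor and wfe2 patches; if the enabled-identifier map influences the validation methods called here, rate-limit ids for IP identifiers may be judged differently from the WFE — worth confirming. The enclosing validator functions start outside the hunk.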
@@ -45,20 +45,20 @@ index 8e8ed80c4..6e3e77639 100644 if err != nil { return fmt.Errorf( "invalid domain, %q must be formatted 'regId:domain': %w", id, err) -@@ -200,7 +218,15 @@ func validateFQDNSet(id string) error { +@@ -202,7 +220,15 @@ func validateFQDNSet(id string) error { return fmt.Errorf( "invalid fqdnSet, %q must be formatted 'fqdnSet'", id) } -- return policy.WellFormedIdentifiers(identifier.FromDNSNames(domains)) +- return policy.WellFormedIdentifiers(identifier.NewDNSSlice(domains)) + pa := PA + var err error + if pa == nil { -+ pa, err = policy.New(nil, nil) ++ pa, err = policy.New(nil, nil, nil) + if err != nil { + return fmt.Errorf("cannot create policy authority implementation") + } + } -+ return pa.WellFormedIdentifiers(identifier.FromDNSNames(domains)) ++ return pa.WellFormedIdentifiers(identifier.NewDNSSlice(domains)) } func validateIdForName(name Name, id string) error { diff --git a/patches/remoteva_main.patch b/patches/remoteva_main.patch index f105429..47aa8ff 100644 --- a/patches/remoteva_main.patch +++ b/patches/remoteva_main.patch @@ -1,5 +1,5 @@ diff --git a/cmd/remoteva/main.go b/cmd/remoteva/main.go -index 0dc71028f..19962fb35 100644 +index f99ded497..9a1033a87 100644 --- a/cmd/remoteva/main.go +++ b/cmd/remoteva/main.go @@ -56,7 +56,8 @@ type Config struct { @@ -12,7 +12,7 @@ index 0dc71028f..19962fb35 100644 } Syslog cmd.SyslogConfig -@@ -139,7 +140,8 @@ func main() { +@@ -141,7 +142,8 @@ func main() { c.RVA.AccountURIPrefixes, c.RVA.Perspective, c.RVA.RIR, diff --git a/patches/test_config_ca.patch b/patches/test_config_ca.patch index 1398ecf..50f2879 100644 --- a/patches/test_config_ca.patch +++ b/patches/test_config_ca.patch @@ -1,31 +1,63 @@ diff --git a/test/config/ca.json b/test/config/ca.json -index a64ec7ac2..09ffa1efe 100644 +index 35843b094..2d4e0c951 100644 --- a/test/config/ca.json 
+++ b/test/config/ca.json +@@ -1,11 +1,11 @@ + { + "ca": { + "tls": { +- "caCertFile": "test/certs/ipki/minica.pem", +- "certFile": "test/certs/ipki/ca.boulder/cert.pem", +- "keyFile": "test/certs/ipki/ca.boulder/key.pem" ++ "caCertFile": "labca/certs/ipki/minica.pem", ++ "certFile": "labca/certs/ipki/ca.boulder/cert.pem", ++ "keyFile": "labca/certs/ipki/ca.boulder/key.pem" + }, +- "hostnamePolicyFile": "test/hostname-policy.yaml", ++ "hostnamePolicyFile": "labca/hostname-policy.yaml", + "grpcCA": { + "maxConnectionAge": "30s", + "address": ":9093", 
@@ -60,7 +60,8 @@ - "allowMustStaple": true, + "includeCRLDistributionPoints": true, "maxValidityPeriod": "7776000s", "maxValidityBackdate": "1h5m", - "lintConfig": "test/config-next/zlint.toml", + "includeCRLDistributionPoints": true, -+ "lintConfig": "test/config/zlint.toml", ++ "lintConfig": "labca/config/zlint.toml", "ignoredLints": [ "w_subject_common_name_included", "w_ext_subject_key_identifier_not_recommended_subscriber" -@@ -74,7 +75,8 @@ - "omitSKID": true, +@@ -76,7 +77,8 @@ + "includeCRLDistributionPoints": true, "maxValidityPeriod": "583200s", "maxValidityBackdate": "1h5m", - "lintConfig": "test/config-next/zlint.toml", + "includeCRLDistributionPoints": true, -+ "lintConfig": "test/config/zlint.toml", ++ "lintConfig": "labca/config/zlint.toml", "ignoredLints": [ "w_ext_subject_key_identifier_missing_sub_cert" ] -@@ -101,39 +103,7 @@ +@@ -91,7 +93,7 @@ + "includeCRLDistributionPoints": true, + "maxValidityPeriod": "160h", + "maxValidityBackdate": "1h5m", +- "lintConfig": "test/config-next/zlint.toml", ++ "lintConfig": "labca/config-next/zlint.toml", + "ignoredLints": [ + "w_ext_subject_key_identifier_missing_sub_cert" + ] +@@ -100,78 +102,19 @@ + "crlProfile": { + "validityInterval": "216h", + "maxBackdate": "1h5m", +- "lintConfig": "test/config/zlint.toml" ++ "lintConfig": "labca/config/zlint.toml" + }, "issuers": [ { "active": true, +- "crlShards": 10, - "issuerURL": "http://ca.example.org:4502/int-ecdsa-a", - "ocspURL": "http://ca.example.org:4002/", - "crlURLBase": "http://ca.example.org:4501/lets-encrypt-crls/43104258997432926/", @@ -37,6 +69,7 @@ index a64ec7ac2..09ffa1efe 100644 - }, - { - "active": true, +- "crlShards": 10, - "issuerURL": "http://ca.example.org:4502/int-ecdsa-b", - "ocspURL": "http://ca.example.org:4002/", - "crlURLBase": "http://ca.example.org:4501/lets-encrypt-crls/17302365692836921/", 
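Review bot: The third certificate profile's `"lintConfig": "labca/config-next/zlint.toml"` points to a different directory from the other two profiles and the crlProfile, which use `labca/config/zlint.toml`; this looks like a mechanical rewrite of the upstream `test/config-next/` path rather than a deliberate choice, and if no `labca/config-next/` tree is shipped the CA cannot load that profile's lint configuration at startup. Use `labca/config/zlint.toml` there unless a separate config-next lint file is intended. The ca.json hunk continues past this meta-hunk.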
@@ -48,6 +81,7 @@ index a64ec7ac2..09ffa1efe 100644 - }, - { - "active": false, +- "crlShards": 10, - "issuerURL": "http://ca.example.org:4502/int-ecdsa-c", - "ocspURL": "http://ca.example.org:4002/", - "crlURLBase": "http://ca.example.org:4501/lets-encrypt-crls/56560759852043581/", @@ -60,16 +94,19 @@ index a64ec7ac2..09ffa1efe 100644 - { - "active": true, + "crlShards": 1, + "crlShards": 10, "issuerURL": "http://ca.example.org:4502/int-rsa-a", "ocspURL": "http://ca.example.org:4002/", "crlURLBase": "http://ca.example.org:4501/lets-encrypt-crls/29947985078257530/", -@@ -142,28 +112,6 @@ - "certFile": "test/certs/webpki/int-rsa-a.cert.pem", - "numSessions": 2 - } + "location": { +- "configFile": "test/certs/webpki/int-rsa-a.pkcs11.json", +- "certFile": "test/certs/webpki/int-rsa-a.cert.pem", +- "numSessions": 2 +- } - }, - { - "active": true, +- "crlShards": 10, - "issuerURL": "http://ca.example.org:4502/int-rsa-b", - "ocspURL": "http://ca.example.org:4002/", - "crlURLBase": "http://ca.example.org:4501/lets-encrypt-crls/6762885421992935/", @@ -81,14 +118,33 @@ index a64ec7ac2..09ffa1efe 100644 - }, - { - "active": false, +- "crlShards": 10, - "issuerURL": "http://ca.example.org:4502/int-rsa-c", - "ocspURL": "http://ca.example.org:4002/", - "crlURLBase": "http://ca.example.org:4501/lets-encrypt-crls/56183656833365902/", - "location": { - "configFile": "test/certs/webpki/int-rsa-c.pkcs11.json", - "certFile": "test/certs/webpki/int-rsa-c.cert.pem", -- "numSessions": 2 -- } ++ "configFile": "labca/certs/webpki/issuer-01.pkcs11.json", ++ "certFile": "labca/certs/webpki/issuer-01-cert.pem", + "numSessions": 2 + } } - ] - }, +@@ -183,7 +126,7 @@ + "goodkey": {}, + "ocspLogMaxLength": 4000, + "ocspLogPeriod": "500ms", +- "ctLogListFile": "test/ct-test-srv/log_list.json", ++ "ctLogListFile": "labca/ct-test-srv/log_list.json", + "features": {} + }, + "pa": { +@@ -194,7 +137,7 @@ + } + }, + "syslog": { +- "stdoutlevel": 4, ++ "stdoutlevel": 6, + "sysloglevel": 4 + } + } 
diff --git a/patches/test_ocsp_helper_helper.patch b/patches/test_ocsp_helper_helper.patch index fe2234c..58bdace 100644 --- a/patches/test_ocsp_helper_helper.patch +++ b/patches/test_ocsp_helper_helper.patch @@ -1,5 +1,5 @@ diff --git a/test/ocsp/helper/helper.go b/test/ocsp/helper/helper.go -index a223f5fa6..96ab34aa7 100644 +index 469c8cec1..0b2852330 100644 --- a/test/ocsp/helper/helper.go +++ b/test/ocsp/helper/helper.go @@ -15,6 +15,7 @@ import ( @@ -10,7 +10,7 @@ index a223f5fa6..96ab34aa7 100644 "strings" "sync" "time" -@@ -317,7 +318,7 @@ func sendHTTPRequest( +@@ -327,7 +328,7 @@ func sendHTTPRequest( var httpRequest *http.Request var err error if method == "GET" { diff --git a/patches/updater_updater.patch b/patches/updater_updater.patch index de402b9..9fd8321 100644 --- a/patches/updater_updater.patch +++ b/patches/updater_updater.patch @@ -1,7 +1,16 @@ diff --git a/crl/updater/updater.go b/crl/updater/updater.go -index 4d5b06b38..d7cc6dba3 100644 +index 600b17f22..bef3305b3 100644 --- a/crl/updater/updater.go +++ b/crl/updater/updater.go +@@ -80,7 +80,7 @@ func NewUpdater( + return nil, fmt.Errorf("must have positive number of shards, got: %d", numShards) + } + +- if updatePeriod >= 24*time.Hour { ++ if updatePeriod > 24*time.Hour { + return nil, fmt.Errorf("must update CRLs at least every 24 hours, got: %s", updatePeriod) + } + @@ -307,7 +307,7 @@ func (cu *crlUpdater) updateShard(ctx context.Context, atTime time.Time, issuerN return fmt.Errorf("streaming GetRevokedCerts: %w", err) } diff --git a/patches/va_http.patch b/patches/va_http.patch index fa98a17..7fdf5e2 100644 --- a/patches/va_http.patch +++ b/patches/va_http.patch @@ -1,8 +1,8 @@ diff --git a/va/http.go b/va/http.go -index 04b119ca2..de9e439a5 100644 +index 00942ede3..2b4ece730 100644 --- a/va/http.go 
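Review bot: The new nested hunk relaxes `if updatePeriod >= 24*time.Hour` to `if updatePeriod > 24*time.Hour`, so an updatePeriod of exactly 24h is accepted where upstream rejects it, but the change carries no comment and a future rebase could drop it silently. Add a line above the check such as `// LabCA: accept an updatePeriod of exactly 24h (upstream's bound is exclusive); <reason for the deviation>.` so the intent survives the next version bump. NewUpdater continues outside the hunk.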
+++ b/va/http.go -@@ -338,7 +338,16 @@ func (va *ValidationAuthorityImpl) extractRequestTarget(req *http.Request) (iden +@@ -341,7 +341,16 @@ func (va *ValidationAuthorityImpl) extractRequestTarget(req *http.Request) (iden } if _, err := iana.ExtractSuffix(reqHost); err != nil { diff --git a/patches/va_va.patch b/patches/va_va.patch index df3ebaa..816079d 100644 --- a/patches/va_va.patch +++ b/patches/va_va.patch @@ -1,8 +1,8 @@ diff --git a/va/va.go b/va/va.go -index 270e9ca66..f8585c9fd 100644 +index 5e7732d69..9a908c255 100644 --- a/va/va.go +++ b/va/va.go -@@ -218,6 +218,7 @@ type ValidationAuthorityImpl struct { +@@ -217,6 +217,7 @@ type ValidationAuthorityImpl struct { perspective string rir string isReservedIPFunc func(ip net.IP) bool @@ -10,7 +10,7 @@ index 270e9ca66..f8585c9fd 100644 metrics *vaMetrics } -@@ -238,6 +239,7 @@ func NewValidationAuthorityImpl( +@@ -237,6 +238,7 @@ func NewValidationAuthorityImpl( perspective string, rir string, reservedIPChecker func(ip net.IP) bool, @@ -18,7 +18,7 @@ index 270e9ca66..f8585c9fd 100644 ) (*ValidationAuthorityImpl, error) { if len(accountURIPrefixes) == 0 { -@@ -275,6 +277,7 @@ func NewValidationAuthorityImpl( +@@ -274,6 +276,7 @@ func NewValidationAuthorityImpl( perspective: perspective, rir: rir, isReservedIPFunc: reservedIPChecker, diff --git a/patches/wfe2_main.patch b/patches/wfe2_main.patch index 2f5086c..b829821 100644 --- a/patches/wfe2_main.patch +++ b/patches/wfe2_main.patch @@ -1,8 +1,8 @@ diff --git a/cmd/boulder-wfe2/main.go b/cmd/boulder-wfe2/main.go -index 1f33c4746..65b670e96 100644 +index 1f33c4746..1b0ad2ddb 100644 --- a/cmd/boulder-wfe2/main.go +++ b/cmd/boulder-wfe2/main.go -@@ -12,6 +12,7 @@ import ( +@@ -12,14 +12,17 @@ import ( "github.com/letsencrypt/boulder/cmd" "github.com/letsencrypt/boulder/config" 
@@ -10,15 +10,17 @@ index 1f33c4746..65b670e96 100644 emailpb "github.com/letsencrypt/boulder/email/proto" "github.com/letsencrypt/boulder/features" "github.com/letsencrypt/boulder/goodkey" -@@ -20,6 +21,7 @@ import ( + "github.com/letsencrypt/boulder/goodkey/sagoodkey" + bgrpc "github.com/letsencrypt/boulder/grpc" "github.com/letsencrypt/boulder/grpc/noncebalancer" ++ "github.com/letsencrypt/boulder/identifier" "github.com/letsencrypt/boulder/issuance" "github.com/letsencrypt/boulder/nonce" + "github.com/letsencrypt/boulder/policy" rapb "github.com/letsencrypt/boulder/ra/proto" "github.com/letsencrypt/boulder/ratelimits" bredis "github.com/letsencrypt/boulder/redis" -@@ -99,7 +101,7 @@ type Config struct { +@@ -99,7 +102,7 @@ type Config struct { // DirectoryCAAIdentity is used for the /directory response's "meta" // element's "caaIdentities" field. It should match the VA's "issuerDomain" // configuration value (this value is the one used to enforce CAA) @@ -27,7 +29,7 @@ index 1f33c4746..65b670e96 100644 // DirectoryWebsite is used for the /directory response's "meta" element's // "website" field. DirectoryWebsite string `validate:"required,url"` -@@ -175,6 +177,8 @@ type Config struct { +@@ -175,6 +178,8 @@ type Config struct { // to enable the pausing feature. URL string `validate:"omitempty,required_with=HMACKey JWTLifetime,url,startswith=https://,endsnotwith=/"` } @@ -36,7 +38,7 @@ index 1f33c4746..65b670e96 100644 } Syslog cmd.SyslogConfig -@@ -315,11 +319,22 @@ func main() { +@@ -315,11 +320,25 @@ func main() { var limiter *ratelimits.Limiter var txnBuilder *ratelimits.TransactionBuilder var limiterRedis *bredis.Ring 
@@ -47,7 +49,10 @@ index 1f33c4746..65b670e96 100644 cmd.FailOnError(err, "Failed to create Redis ring") + // Set Policy Authority for ratelimits -+ pa, err = policy.New(map[core.AcmeChallenge]bool{}, logger) ++ pa, err = policy.New( ++ map[identifier.IdentifierType]bool{identifier.TypeDNS: true, identifier.TypeIP: true}, ++ map[core.AcmeChallenge]bool{}, ++ logger) + cmd.FailOnError(err, "Couldn't create PA") + if c.WFE.HostnamePolicyFile == "" { + cmd.Fail("HostnamePolicyFile must be provided.") @@ -59,7 +64,7 @@ index 1f33c4746..65b670e96 100644 source := ratelimits.NewRedisSource(limiterRedis.Ring, clk, stats) limiter, err = ratelimits.NewLimiter(clk, source, stats) cmd.FailOnError(err, "Failed to create rate limiter") -@@ -359,6 +374,7 @@ func main() { +@@ -359,6 +378,7 @@ func main() { unpauseSigner, c.WFE.Unpause.JWTLifetime.Duration, c.WFE.Unpause.URL, diff --git a/patches/wfe2_wfe.patch b/patches/wfe2_wfe.patch index af93c40..be6f0e3 100644 --- a/patches/wfe2_wfe.patch +++ b/patches/wfe2_wfe.patch @@ -1,5 +1,5 @@ diff --git a/wfe2/wfe.go b/wfe2/wfe.go -index 0e14a778e..9dfe9789a 100644 +index 462866a1d..287e6af55 100644 --- a/wfe2/wfe.go +++ b/wfe2/wfe.go @@ -163,6 +163,8 @@ type WebFrontEndImpl struct { @@ -38,7 +38,7 @@ index 0e14a778e..9dfe9789a 100644 } return wfe, nil -@@ -617,7 +625,7 @@ func link(url, relation string) string { +@@ -635,7 +643,7 @@ func link(url, relation string) string { // contactsToEmails converts a *[]string of contacts (e.g. mailto: // person@example.com) to a []string of valid email addresses. Non-email // contacts or contacts with invalid email addresses are ignored. @@ -47,7 +47,7 @@ index 0e14a778e..9dfe9789a 100644 if contacts == nil { return nil } -@@ -627,7 +635,7 @@ func contactsToEmails(contacts *[]string) []string { +@@ -645,7 +653,7 @@ func contactsToEmails(contacts *[]string) []string { continue } address := strings.TrimPrefix(c, "mailto:") 
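Review bot: The identifier set handed to `policy.New` on the new side hard-codes both `identifier.TypeDNS: true` and `identifier.TypeIP: true` with no configuration knob, so the WFE's policy authority may treat IP identifiers as well-formed in a deployment whose RA/VA policy does not enable them; the enabled set should come from the WFE config (the upstream components appear to take it from config rather than a literal — worth confirming against this Boulder release) or at least be kept identical to the RA's. The empty `map[core.AcmeChallenge]bool{}` makes this PA report every challenge type as disabled, which is harmless while it is only used for `WellFormedIdentifiers` and rate-limit transactions but should be stated, e.g. `// Challenge map intentionally empty: this PA is only used for identifier well-formedness and rate-limit checks, never for challenge selection.`. The enclosing `main()` starts and ends outside the hunk, so it is not visible whether `HostnamePolicyFile` is loaded into `pa` after the `cmd.Fail` guard.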
@@ -56,7 +56,7 @@ index 0e14a778e..9dfe9789a 100644 if err != nil { continue } -@@ -851,7 +859,7 @@ func (wfe *WebFrontEndImpl) NewAccount( +@@ -869,7 +877,7 @@ func (wfe *WebFrontEndImpl) NewAccount( } newRegistrationSuccessful = true @@ -65,12 +65,12 @@ index 0e14a778e..9dfe9789a 100644 if wfe.ee != nil && len(emails) > 0 { _, err := wfe.ee.SendContacts(ctx, &emailpb.SendContactsRequest{ // Note: We are explicitly using the contacts provided by the -@@ -2298,7 +2306,7 @@ func (wfe *WebFrontEndImpl) NewOrder( - } +@@ -2300,7 +2308,7 @@ func (wfe *WebFrontEndImpl) NewOrder( + idents = identifier.Normalize(idents) + logEvent.Identifiers = idents - names = core.UniqueLowerNames(names) -- err = policy.WellFormedIdentifiers(identifier.FromDNSNames(names)) -+ err = wfe.pa.WellFormedIdentifiers(identifier.FromDNSNames(names)) +- err = policy.WellFormedIdentifiers(idents) ++ err = wfe.pa.WellFormedIdentifiers(idents) if err != nil { wfe.sendError(response, logEvent, web.ProblemDetailsForError(err, "Invalid identifiers requested"), nil) return
