From 120048ff307803420f967e2399a1cad36b65651f Mon Sep 17 00:00:00 2001 From: Arjan H Date: Fri, 13 Dec 2024 18:00:40 +0100 Subject: [PATCH] Bump boulder version to release-2024-12-10 --- build/build.sh | 2 +- build/tmp2.patch | 4 ++-- control_do.sh | 4 ---- gui/apply-boulder | 8 +------- install | 6 +----- patch-cfg.sh | 8 -------- patches/bad-key-revoker_main.patch | 8 ++++---- patches/boulder-va_main.patch | 10 +++++----- patches/ca_ca.patch | 4 ++-- patches/cert-checker_main.patch | 4 ++-- patches/config_ra.patch | 4 ++-- patches/config_wfe2.patch | 8 ++++---- patches/expiration-mailer_main.patch | 10 +++++----- patches/policy_pa.patch | 21 ++++++++++----------- patches/ra_ra.patch | 10 +++++----- patches/ratelimits_names.patch | 8 ++++---- patches/remoteva_main.patch | 4 ++-- patches/va_va.patch | 8 ++++---- patches/wfe2_main.patch | 8 ++++---- patches/wfe2_wfe.patch | 14 +++++++------- 20 files changed, 65 insertions(+), 88 deletions(-) diff --git a/build/build.sh b/build/build.sh index 13426f2..c48b342 100755 --- a/build/build.sh +++ b/build/build.sh @@ -8,7 +8,7 @@ TMP_DIR=$(pwd)/tmp rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src} boulderDir=$TMP_DIR/src -boulderTag="release-2024-10-28" +boulderTag="release-2024-12-10" boulderUrl="https://github.com/letsencrypt/boulder/" cloneDir=$(pwd)/.. diff --git a/build/tmp2.patch b/build/tmp2.patch index 783181d..95729b7 100644 --- a/build/tmp2.patch +++ b/build/tmp2.patch @@ -1,8 +1,8 @@ diff --git a/test/startservers.py b/test/startservers.py -index c3a3ed7b8..ef54a180d 100644 +index 93d0c25bc..237472a2e 100644 --- a/test/startservers.py +++ b/test/startservers.py -@@ -173,6 +173,9 @@ processes = [] +@@ -169,6 +169,9 @@ processes = [] challSrvProcess = None def install(race_detection): diff --git a/control_do.sh b/control_do.sh index 112c0e2..05e2ca6 100755 --- a/control_do.sh +++ b/control_do.sh 
@@ -36,10 +36,6 @@ setup_boulder_data() { sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/remoteva-b.json sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/va.json sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/va.json - sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/va-remote-a.json - sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/va-remote-a.json - sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/va-remote-b.json - sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/va-remote-b.json /opt/labca/apply-boulder } diff --git a/gui/apply-boulder b/gui/apply-boulder index 257d834..2424359 100755 --- a/gui/apply-boulder +++ b/gui/apply-boulder @@ -65,8 +65,6 @@ fi perl -i -p0e "s/(\"dnsStaticResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/remoteva-a.json perl -i -p0e "s/(\"dnsStaticResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/remoteva-b.json perl -i -p0e "s/(\"dnsStaticResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/va.json -perl -i -p0e "s/(\"dnsStaticResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/va-remote-a.json -perl -i -p0e "s/(\"dnsStaticResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/va-remote-b.json perl -i -p0e "s/(\"dnsStaticResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/bad-key-revoker.json perl -i -p0e "s/(\"dnsStaticResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/expiration-mailer.json for fl in $(grep -Rl maxConnectionAge config/); do 
@@ -75,8 +73,6 @@ done sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" config/remoteva-a.json sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" config/remoteva-b.json sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" config/va.json -sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" config/va-remote-a.json -sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" config/va-remote-b.json sed -i -e "s/\"directoryCAAIdentity\": \".*\"/\"directoryCAAIdentity\": \"$PKI_DOMAIN\"/" config/wfe2.json if ([ "$PKI_DOMAIN_MODE" == "lockdown" ] && [ "$PKI_LOCKDOWN_DOMAINS" != "" ]) || ([ "$PKI_DOMAIN_MODE" == "whitelist" ] && [ "$PKI_WHITELIST_DOMAINS" != "" ]); then @@ -149,8 +145,6 @@ if [ "$PKI_DOMAIN_MODE" == "lockdown" ] || [ "$PKI_DOMAIN_MODE" == "whitelist" ] perl -i -p0e "s/(\"labcaDomains\": \[\n).*?(\])/\1$LABCA_DOMAINS\n\t\t\2/igs" config/remoteva-a.json perl -i -p0e "s/(\"labcaDomains\": \[\n).*?(\])/\1$LABCA_DOMAINS\n\t\t\2/igs" config/remoteva-b.json perl -i -p0e "s/(\"labcaDomains\": \[\n).*?(\])/\1$LABCA_DOMAINS\n\t\t\2/igs" config/va.json - perl -i -p0e "s/(\"labcaDomains\": \[\n).*?(\])/\1$LABCA_DOMAINS\n\t\t\2/igs" config/va-remote-a.json - perl -i -p0e "s/(\"labcaDomains\": \[\n).*?(\])/\1$LABCA_DOMAINS\n\t\t\2/igs" config/va-remote-b.json fi CRLINT=24h @@ -258,7 +252,7 @@ if [ -e $PKI_ROOT_CERT_BASE.pem ]; then cp -p $PKI_ROOT_CERT_BASE.pem test-root.pem fi -chown -R `ls -l example-weak-keys.json | cut -d" " -f 3,4 | sed 's/ /:/g'` . +chown -R `ls -l helpers.py | cut -d" " -f 3,4 | sed 's/ /:/g'` . if [ -e $PKI_INT_CERT_BASE.key ] && [ -e $PKI_ROOT_CERT_BASE.pem ]; then [ -f setup_complete ] || touch setup_complete diff --git a/install b/install index a14f4f1..e1f8167 100755 --- a/install +++ b/install 
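Review bot: The new chown anchor on the last hunk's `+` line is still obtained by scraping `ls -l` through `cut`, so if `helpers.py` is ever absent from the Boulder checkout (exactly what happened to the previous anchor, example-weak-keys.json, and why this line changes) the backtick expands to nothing and `chown -R .` fails, leaving ownership of the config tree that apply-boulder has just edited — including the test-root.pem copied a few lines above — whatever it was before. A reference-file chown avoids both the field parsing and the empty-expansion case: `[ -e helpers.py ] || { echo "helpers.py not found; cannot determine boulder owner" >&2; exit 1; }` followed by `chown -R --reference=helpers.py .` (GNU coreutils, which the script's `sed -i` and `perl -i` usage already assumes). Whether a failed chown currently aborts apply-boulder depends on a `set -e` outside the hunk, which I cannot see.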
@@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0" labcaUrl="https://github.com/hakwerk/labca/" boulderUrl="https://github.com/letsencrypt/boulder/" -boulderTag="release-2024-10-28" +boulderTag="release-2024-12-10" # Feature flags flag_skip_redis=true @@ -676,10 +676,6 @@ config_boulder() { sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/remoteva-b.json sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/va.json sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/va.json - sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/va-remote-a.json - sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/va-remote-a.json - sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/va-remote-b.json - sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/va-remote-b.json cd "$boulderDir" fi diff --git a/patch-cfg.sh b/patch-cfg.sh index a271cb9..1080eba 100755 --- a/patch-cfg.sh +++ b/patch-cfg.sh 
@@ -33,13 +33,9 @@ cp test/config/va*.json "$boulderLabCADir/config/" perl -i -p0e "s/\"dnsProvider\": \{.*?\t\t},/\"dnsStaticResolvers\": [\n\t\t\t\"127.0.0.1:8053\",\n\t\t\t\"127.0.0.1:8054\"\n\t\t],/igs" $boulderLabCADir/config/va.json perl -i -p0e "s/\"dnsProvider\": \{.*?\t\t},/\"dnsStaticResolvers\": [\n\t\t\t\"127.0.0.1:8053\",\n\t\t\t\"127.0.0.1:8054\"\n\t\t],/igs" $boulderLabCADir/config/remoteva-a.json perl -i -p0e "s/\"dnsProvider\": \{.*?\t\t},/\"dnsStaticResolvers\": [\n\t\t\t\"127.0.0.1:8053\",\n\t\t\t\"127.0.0.1:8054\"\n\t\t],/igs" $boulderLabCADir/config/remoteva-b.json -perl -i -p0e "s/\"dnsProvider\": \{.*?\t\t},/\"dnsStaticResolvers\": [\n\t\t\t\"127.0.0.1:8053\",\n\t\t\t\"127.0.0.1:8054\"\n\t\t],/igs" $boulderLabCADir/config/va-remote-a.json -perl -i -p0e "s/\"dnsProvider\": \{.*?\t\t},/\"dnsStaticResolvers\": [\n\t\t\t\"127.0.0.1:8053\",\n\t\t\t\"127.0.0.1:8054\"\n\t\t],/igs" $boulderLabCADir/config/va-remote-b.json perl -i -p0e "s/(\"accountURIPrefixes\": \[\n.*?\s+\])/\1,\n\t\t\"labcaDomains\": [\n\t\t]/igs" $boulderLabCADir/config/remoteva-a.json perl -i -p0e "s/(\"accountURIPrefixes\": \[\n.*?\s+\])/\1,\n\t\t\"labcaDomains\": [\n\t\t]/igs" $boulderLabCADir/config/remoteva-b.json perl -i -p0e "s/(\"accountURIPrefixes\": \[\n.*?\s+\])/\1,\n\t\t\"labcaDomains\": [\n\t\t]/igs" $boulderLabCADir/config/va.json -perl -i -p0e "s/(\"accountURIPrefixes\": \[\n.*?\s+\])/\1,\n\t\t\"labcaDomains\": [\n\t\t]/igs" $boulderLabCADir/config/va-remote-a.json -perl -i -p0e "s/(\"accountURIPrefixes\": \[\n.*?\s+\])/\1,\n\t\t\"labcaDomains\": [\n\t\t]/igs" $boulderLabCADir/config/va-remote-b.json if [ "$flag_skip_redis" == true ]; then perl -i -p0e "s/\n \"redis\": \{\n.*? \},//igs" $boulderLabCADir/config/ocsp-responder.json 
@@ -76,13 +72,9 @@ sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/remoteva-a.j sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/remoteva-b.json sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/ra.json sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/va.json -sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/va-remote-a.json -sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/va-remote-b.json sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/ca.json sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/remoteva-a.json sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/remoteva-b.json -sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/va-remote-a.json -sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/va-remote-b.json sed -i -e "s/\"endpoint\": \".*\"/\"endpoint\": \"\"/" config/sfe.json sed -i -e "s/sleep 1/sleep 5/g" wait-for-it.sh diff --git a/patches/bad-key-revoker_main.patch b/patches/bad-key-revoker_main.patch index cd7b570..1456662 100644 --- a/patches/bad-key-revoker_main.patch +++ b/patches/bad-key-revoker_main.patch @@ -1,5 +1,5 @@ diff --git a/cmd/bad-key-revoker/main.go b/cmd/bad-key-revoker/main.go -index e7015e0c8..9e226d2fa 100644 +index c333b88c3..839437c4e 100644 --- a/cmd/bad-key-revoker/main.go +++ b/cmd/bad-key-revoker/main.go @@ -18,6 +18,7 @@ import ( @@ -10,7 +10,7 @@ index e7015e0c8..9e226d2fa 100644 "github.com/letsencrypt/boulder/cmd" "github.com/letsencrypt/boulder/config" "github.com/letsencrypt/boulder/core" -@@ -396,6 +397,11 @@ type Config struct { +@@ -398,6 +399,11 @@ type Config struct { TLS cmd.TLSConfig RAService *cmd.GRPCClientConfig 
@@ -22,7 +22,7 @@ index e7015e0c8..9e226d2fa 100644 // MaximumRevocations specifies the maximum number of certificates associated with // a key hash that bad-key-revoker will attempt to revoke. If the number of certificates // is higher than MaximumRevocations bad-key-revoker will error out and refuse to -@@ -467,8 +473,35 @@ func main() { +@@ -469,8 +475,35 @@ func main() { cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to RA") rac := rapb.NewRegistrationAuthorityClient(conn) @@ -59,7 +59,7 @@ index e7015e0c8..9e226d2fa 100644 pem, err := os.ReadFile(config.BadKeyRevoker.Mailer.SMTPTrustedRootFile) cmd.FailOnError(err, "Loading trusted roots file") smtpRoots = x509.NewCertPool() -@@ -488,6 +521,8 @@ func main() { +@@ -490,6 +523,8 @@ func main() { config.BadKeyRevoker.Mailer.Username, smtpPassword, smtpRoots, diff --git a/patches/boulder-va_main.patch b/patches/boulder-va_main.patch index 53b1692..93f7b8f 100644 --- a/patches/boulder-va_main.patch +++ b/patches/boulder-va_main.patch @@ -1,16 +1,16 @@ diff --git a/cmd/boulder-va/main.go b/cmd/boulder-va/main.go -index 60353424a..90dbe627a 100644 +index f2c2c8487..86fb29457 100644 --- a/cmd/boulder-va/main.go +++ b/cmd/boulder-va/main.go -@@ -21,6 +21,7 @@ type Config struct { - RemoteVAs []cmd.GRPCClientConfig `validate:"omitempty,dive"` - MaxRemoteValidationFailures int `validate:"omitempty,min=0,required_with=RemoteVAs"` +@@ -56,6 +56,7 @@ type Config struct { + // Deprecated and ignored + MaxRemoteValidationFailures int `validate:"omitempty,min=0,required_with=RemoteVAs"` Features features.Config + LabCADomains []string } Syslog cmd.SyslogConfig -@@ -117,7 +118,8 @@ func main() { +@@ -153,7 +154,8 @@ func main() { logger, c.VA.AccountURIPrefixes, va.PrimaryPerspective, diff --git a/patches/ca_ca.patch b/patches/ca_ca.patch index 32386fe..eec2c0b 100644 --- a/patches/ca_ca.patch +++ b/patches/ca_ca.patch @@ -1,8 +1,8 @@ 
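Review bot: The rebased context on the new side of the boulder-va_main hunk now reads `// Deprecated and ignored` above `MaxRemoteValidationFailures`, so the LabCA `LabCADomains` field is being appended to a Config in which upstream has stopped honouring the remote-VA failure-tolerance knob, and nothing in this commit says how a LabCA multi-VA setup (va.json and remoteva-a/b.json are rewritten by apply-boulder and install elsewhere in this diff) tolerates remote failures under release-2024-12-10. If a deployment still sets that field the change is silent, since the `validate:"omitempty,min=0,required_with=RemoteVAs"` tag appears to accept it unchanged. I would add a one-line note to this patch or the install docs, e.g. `# release-2024-12-10: MaxRemoteValidationFailures is deprecated upstream; remote-VA quorum is no longer configured here — verify the replacement setting`, after confirming what upstream uses instead. The Config struct and main() both continue outside the hunk.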
diff --git a/ca/ca.go b/ca/ca.go -index d2d48e558..a6114ffdd 100644 +index 87a6fc52c..739ce53e7 100644 --- a/ca/ca.go +++ b/ca/ca.go -@@ -159,10 +159,10 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) { +@@ -177,10 +177,10 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) { } } if i, ok := issuersByAlg[x509.ECDSA]; !ok || len(i) == 0 { diff --git a/patches/cert-checker_main.patch b/patches/cert-checker_main.patch index 03cd553..c73f323 100644 --- a/patches/cert-checker_main.patch +++ b/patches/cert-checker_main.patch @@ -1,5 +1,5 @@ diff --git a/cmd/cert-checker/main.go b/cmd/cert-checker/main.go -index d432fde00..1380c1cc5 100644 +index 975922c58..3767e83bb 100644 --- a/cmd/cert-checker/main.go +++ b/cmd/cert-checker/main.go @@ -106,6 +106,7 @@ type certChecker struct { @@ -58,7 +58,7 @@ index d432fde00..1380c1cc5 100644 // Validate PA config and set defaults if needed. cmd.FailOnError(config.PA.CheckChallenges(), "Invalid PA configuration") -@@ -584,6 +590,7 @@ func main() { +@@ -578,6 +584,7 @@ func main() { config.CertChecker.CheckPeriod.Duration, acceptableValidityDurations, logger, diff --git a/patches/config_ra.patch b/patches/config_ra.patch index b998740..88a7e38 100644 --- a/patches/config_ra.patch +++ b/patches/config_ra.patch @@ -1,8 +1,8 @@ diff --git a/test/config/ra.json b/test/config/ra.json -index e9f79e4f0..204f605c3 100644 +index e13ca9cf8..cda9192ab 100644 --- a/test/config/ra.json +++ b/test/config/ra.json -@@ -14,12 +14,7 @@ +@@ -12,12 +12,7 @@ }, "orderLifetime": "168h", "issuerCerts": [ diff --git a/patches/config_wfe2.patch b/patches/config_wfe2.patch index 5bf7a35..8b6f4a9 100644 --- a/patches/config_wfe2.patch +++ b/patches/config_wfe2.patch @@ -1,5 +1,5 @@ diff --git a/test/config/wfe2.json b/test/config/wfe2.json -index 05d46fe95..c0e4a2a27 100644 +index 6a5f95ef0..b880db50f 100644 --- a/test/config/wfe2.json +++ b/test/config/wfe2.json @@ -12,6 +12,7 @@ 
@@ -8,9 +8,9 @@ index 05d46fe95..c0e4a2a27 100644 "directoryWebsite": "https://github.com/letsencrypt/boulder", + "hostnamePolicyFile": "test/hostname-policy.yaml", "legacyKeyIDPrefix": "http://boulder.service.consul:4000/reg/", - "goodkey": { - "blockedKeyFile": "test/example-blocked-keys.yaml" -@@ -79,26 +80,6 @@ + "goodkey": {}, + "tls": { +@@ -77,26 +78,6 @@ [ "test/certs/webpki/int-rsa-a.cert.pem", "test/certs/webpki/root-rsa.cert.pem" diff --git a/patches/expiration-mailer_main.patch b/patches/expiration-mailer_main.patch index 4049a91..47591f4 100644 --- a/patches/expiration-mailer_main.patch +++ b/patches/expiration-mailer_main.patch @@ -1,5 +1,5 @@ diff --git a/cmd/expiration-mailer/main.go b/cmd/expiration-mailer/main.go -index 46fa939a6..43f7c11b5 100644 +index eed765273..e17bfde1c 100644 --- a/cmd/expiration-mailer/main.go +++ b/cmd/expiration-mailer/main.go @@ -23,6 +23,7 @@ import ( @@ -31,9 +31,9 @@ index 46fa939a6..43f7c11b5 100644 - err = policy.ValidEmail(address) + err = pa.ValidEmail(address) if err != nil { - m.log.Debugf("skipping invalid email %q: %s", address, err) + m.log.Debugf("skipping invalid email: %s", err) continue -@@ -701,6 +706,11 @@ type Config struct { +@@ -697,6 +702,11 @@ type Config struct { TLS cmd.TLSConfig SAService *cmd.GRPCClientConfig @@ -45,7 +45,7 @@ index 46fa939a6..43f7c11b5 100644 // Path to a file containing a list of trusted root certificates for use // during the SMTP connection (as opposed to the gRPC connections). SMTPTrustedRootFile string -@@ -854,8 +864,35 @@ func main() { +@@ -850,8 +860,35 @@ func main() { cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA") sac := sapb.NewStorageAuthorityClient(conn) 
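Review bot: The new-side context of this hunk shows wfe2.json's `"goodkey": {},` where the old context carried `"blockedKeyFile": "test/example-blocked-keys.yaml"`, so the upstream test config no longer points the WFE at a file-based blocked-key list, and the LabCA patch only adds `hostnamePolicyFile` without saying where key blocking for a LabCA deployment now comes from. The same commit drops `example-weak-keys.json` as the chown anchor in gui/apply-boulder, which suggests the file-based key lists were removed upstream rather than merely relocated. Since rejecting known-weak and compromised keys is a core CA control, I would confirm the replacement path is active in LabCA's config and record it in this patch's header, e.g. `# release-2024-12-10: goodkey.blockedKeyFile removed upstream; blocked keys are expected to come from the SA/DB — verify`, since the actual mechanism is not visible here. The wfe2.json object continues outside the hunk.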
@@ -82,7 +82,7 @@ index 46fa939a6..43f7c11b5 100644 pem, err := os.ReadFile(c.Mailer.SMTPTrustedRootFile) cmd.FailOnError(err, "Loading trusted roots file") smtpRoots = x509.NewCertPool() -@@ -889,6 +926,8 @@ func main() { +@@ -885,6 +922,8 @@ func main() { c.Mailer.Username, smtpPassword, smtpRoots, diff --git a/patches/policy_pa.patch b/patches/policy_pa.patch index 3912a93..1f1b48b 100644 --- a/patches/policy_pa.patch +++ b/patches/policy_pa.patch @@ -1,5 +1,5 @@ diff --git a/policy/pa.go b/policy/pa.go -index 26edbdbdf..177fddba2 100644 +index fac69d3b9..217c465fe 100644 --- a/policy/pa.go +++ b/policy/pa.go @@ -31,6 +31,9 @@ type AuthorityImpl struct { @@ -110,7 +110,7 @@ index 26edbdbdf..177fddba2 100644 } // forbiddenMailDomains is a map of domain names we do not allow after the -@@ -333,7 +361,7 @@ var forbiddenMailDomains = map[string]bool{ +@@ -333,14 +361,14 @@ var forbiddenMailDomains = map[string]bool{ // ValidEmail returns an error if the input doesn't parse as an email address, // the domain isn't a valid hostname in Preferred Name Syntax, or its on the // list of domains forbidden for mail (because they are often used in examples). 
@@ -118,17 +118,16 @@ index 26edbdbdf..177fddba2 100644 +func (pa *AuthorityImpl) ValidEmail(address string) error { email, err := mail.ParseAddress(address) if err != nil { - if len(address) > 254 { -@@ -343,7 +371,7 @@ func ValidEmail(address string) error { + return berrors.InvalidEmailError("unable to parse email address") } splitEmail := strings.SplitN(email.Address, "@", -1) domain := strings.ToLower(splitEmail[len(splitEmail)-1]) - err = validNonWildcardDomain(domain) + err = pa.ValidNonWildcardDomain(domain, true) if err != nil { - return berrors.InvalidEmailError( - "contact email %q has invalid domain : %s", -@@ -387,7 +415,7 @@ func subError(name string, err error) berrors.SubBoulderError { + return berrors.InvalidEmailError("contact email has invalid domain: %s", err) + } +@@ -382,7 +410,7 @@ func subError(name string, err error) berrors.SubBoulderError { // // Precondition: all input domain names must be in lowercase. func (pa *AuthorityImpl) WillingToIssue(domains []string) error { @@ -137,7 +136,7 @@ index 26edbdbdf..177fddba2 100644 if err != nil { return err } -@@ -406,6 +434,10 @@ func (pa *AuthorityImpl) WillingToIssue(domains []string) error { +@@ -401,6 +429,10 @@ func (pa *AuthorityImpl) WillingToIssue(domains []string) error { } } @@ -148,7 +147,7 @@ index 26edbdbdf..177fddba2 100644 // For both wildcard and non-wildcard domains, check whether any parent domain // name is on the regular blocklist. err := pa.checkHostLists(domain) -@@ -439,10 +471,10 @@ func (pa *AuthorityImpl) WillingToIssue(domains []string) error { +@@ -434,10 +466,10 @@ func (pa *AuthorityImpl) WillingToIssue(domains []string) error { // // If multiple domains are invalid, the error will contain suberrors specific to // each domain. 
@@ -161,7 +160,7 @@ index 26edbdbdf..177fddba2 100644 if err != nil { subErrors = append(subErrors, subError(domain, err)) } -@@ -476,6 +508,34 @@ func combineSubErrors(subErrors []berrors.SubBoulderError) error { +@@ -471,6 +503,34 @@ func combineSubErrors(subErrors []berrors.SubBoulderError) error { return nil } @@ -196,7 +195,7 @@ index 26edbdbdf..177fddba2 100644 // checkWildcardHostList checks the wildcardExactBlocklist for a given domain. // If the domain is not present on the list nil is returned, otherwise // errPolicyForbidden is returned. -@@ -505,6 +565,9 @@ func (pa *AuthorityImpl) checkHostLists(domain string) error { +@@ -500,6 +560,9 @@ func (pa *AuthorityImpl) checkHostLists(domain string) error { labels := strings.Split(domain, ".") for i := range labels { joined := strings.Join(labels[i:], ".") diff --git a/patches/ra_ra.patch b/patches/ra_ra.patch index 5423520..f46705f 100644 --- a/patches/ra_ra.patch +++ b/patches/ra_ra.patch @@ -1,8 +1,8 @@ diff --git a/ra/ra.go b/ra/ra.go -index 63ed21376..018ed136c 100644 +index 64d494c74..7ae5bb471 100644 --- a/ra/ra.go +++ b/ra/ra.go -@@ -44,7 +44,6 @@ import ( +@@ -43,7 +43,6 @@ import ( "github.com/letsencrypt/boulder/issuance" blog "github.com/letsencrypt/boulder/log" "github.com/letsencrypt/boulder/metrics" @@ -10,9 +10,9 @@ index 63ed21376..018ed136c 100644 "github.com/letsencrypt/boulder/probs" pubpb "github.com/letsencrypt/boulder/publisher/proto" rapb "github.com/letsencrypt/boulder/ra/proto" -@@ -508,7 +507,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error { - contact, - ) +@@ -464,7 +463,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error { + if !core.IsASCII(contact) { + return berrors.InvalidEmailError("contact email contains non-ASCII characters") } - err = policy.ValidEmail(parsed.Opaque) + err = ra.PA.ValidEmail(parsed.Opaque) 
diff --git a/patches/ratelimits_names.patch b/patches/ratelimits_names.patch index 5de84ec..2df7b8e 100644 --- a/patches/ratelimits_names.patch +++ b/patches/ratelimits_names.patch @@ -1,8 +1,8 @@ diff --git a/ratelimits/names.go b/ratelimits/names.go -index c70f39536..b0e14209c 100644 +index 99221ae0c..6106a34e7 100644 --- a/ratelimits/names.go +++ b/ratelimits/names.go -@@ -151,7 +151,11 @@ func validateRegId(id string) error { +@@ -162,7 +162,11 @@ func validateRegId(id string) error { // validateDomain validates that the provided string is formatted 'domain', // where domain is a domain name. func validateDomain(id string) error { @@ -15,7 +15,7 @@ index c70f39536..b0e14209c 100644 if err != nil { return fmt.Errorf("invalid domain, %q must be formatted 'domain': %w", id, err) } -@@ -172,7 +176,11 @@ func validateRegIdDomain(id string) error { +@@ -183,7 +187,11 @@ func validateRegIdDomain(id string) error { return fmt.Errorf( "invalid regId, %q must be formatted 'regId:domain'", id) } @@ -28,7 +28,7 @@ index c70f39536..b0e14209c 100644 if err != nil { return fmt.Errorf( "invalid domain, %q must be formatted 'regId:domain': %w", id, err) -@@ -188,7 +196,11 @@ func validateFQDNSet(id string) error { +@@ -199,7 +207,11 @@ func validateFQDNSet(id string) error { return fmt.Errorf( "invalid fqdnSet, %q must be formatted 'fqdnSet'", id) } diff --git a/patches/remoteva_main.patch b/patches/remoteva_main.patch index f014802..cf03bbb 100644 --- a/patches/remoteva_main.patch +++ b/patches/remoteva_main.patch @@ -1,5 +1,5 @@ diff --git a/cmd/remoteva/main.go b/cmd/remoteva/main.go -index 49db5c179..7c5931a04 100644 +index 97320f971..6df388e3f 100644 --- a/cmd/remoteva/main.go +++ b/cmd/remoteva/main.go @@ -60,7 +60,8 @@ type Config struct { @@ -12,7 +12,7 @@ index 49db5c179..7c5931a04 100644 } Syslog cmd.SyslogConfig -@@ -143,7 +144,8 @@ func main() { +@@ -142,7 +143,8 @@ func main() { logger, c.RVA.AccountURIPrefixes, c.RVA.Perspective, 
diff --git a/patches/va_va.patch b/patches/va_va.patch index f0bbb86..360e0b8 100644 --- a/patches/va_va.patch +++ b/patches/va_va.patch @@ -1,8 +1,8 @@ diff --git a/va/va.go b/va/va.go -index 17c03cf6e..237d82c6b 100644 +index a1e2cd449..883298092 100644 --- a/va/va.go +++ b/va/va.go -@@ -260,6 +260,7 @@ type ValidationAuthorityImpl struct { +@@ -215,6 +215,7 @@ type ValidationAuthorityImpl struct { singleDialTimeout time.Duration perspective string rir string @@ -10,7 +10,7 @@ index 17c03cf6e..237d82c6b 100644 metrics *vaMetrics } -@@ -280,6 +281,7 @@ func NewValidationAuthorityImpl( +@@ -234,6 +235,7 @@ func NewValidationAuthorityImpl( accountURIPrefixes []string, perspective string, rir string, @@ -18,7 +18,7 @@ index 17c03cf6e..237d82c6b 100644 ) (*ValidationAuthorityImpl, error) { if len(accountURIPrefixes) == 0 { -@@ -308,6 +310,7 @@ func NewValidationAuthorityImpl( +@@ -271,6 +273,7 @@ func NewValidationAuthorityImpl( singleDialTimeout: 10 * time.Second, perspective: perspective, rir: rir, diff --git a/patches/wfe2_main.patch b/patches/wfe2_main.patch index 3788f2d..f436761 100644 --- a/patches/wfe2_main.patch +++ b/patches/wfe2_main.patch @@ -1,8 +1,8 @@ diff --git a/cmd/boulder-wfe2/main.go b/cmd/boulder-wfe2/main.go -index 61698d16c..0bebc2d4b 100644 +index 699ed0d78..01ae1f741 100644 --- a/cmd/boulder-wfe2/main.go +++ b/cmd/boulder-wfe2/main.go -@@ -95,7 +95,7 @@ type Config struct { +@@ -105,7 +105,7 @@ type Config struct { // DirectoryCAAIdentity is used for the /directory response's "meta" // element's "caaIdentities" field. It should match the VA's "issuerDomain" // configuration value (this value is the one used to enforce CAA) 
@@ -11,7 +11,7 @@ index 61698d16c..0bebc2d4b 100644 // DirectoryWebsite is used for the /directory response's "meta" element's // "website" field. DirectoryWebsite string `validate:"required,url"` -@@ -182,6 +182,8 @@ type Config struct { +@@ -192,6 +192,8 @@ type Config struct { // to enable the pausing feature. URL string `validate:"omitempty,required_with=HMACKey JWTLifetime,url,startswith=https://,endsnotwith=/"` } @@ -20,7 +20,7 @@ index 61698d16c..0bebc2d4b 100644 } Syslog cmd.SyslogConfig -@@ -387,6 +389,7 @@ func main() { +@@ -403,6 +405,7 @@ func main() { unpauseSigner, c.WFE.Unpause.JWTLifetime.Duration, c.WFE.Unpause.URL, diff --git a/patches/wfe2_wfe.patch b/patches/wfe2_wfe.patch index 0042cef..6b32eff 100644 --- a/patches/wfe2_wfe.patch +++ b/patches/wfe2_wfe.patch @@ -1,16 +1,16 @@ diff --git a/wfe2/wfe.go b/wfe2/wfe.go -index 1f4b11fa5..64239cf58 100644 +index 6b753b53d..e49164461 100644 --- a/wfe2/wfe.go +++ b/wfe2/wfe.go -@@ -25,6 +25,7 @@ import ( - "golang.org/x/exp/maps" +@@ -23,6 +23,7 @@ import ( + "go.opentelemetry.io/otel/trace" "google.golang.org/protobuf/types/known/emptypb" + "github.com/letsencrypt/boulder/cmd" "github.com/letsencrypt/boulder/core" corepb "github.com/letsencrypt/boulder/core/proto" berrors "github.com/letsencrypt/boulder/errors" -@@ -174,6 +175,8 @@ type WebFrontEndImpl struct { +@@ -177,6 +178,8 @@ type WebFrontEndImpl struct { // descriptions (perhaps including URLs) of those profiles. NewOrder // Requests with a profile name not present in this map will be rejected. certProfiles map[string]string @@ -19,7 +19,7 @@ index 1f4b11fa5..64239cf58 100644 } // NewWebFrontEndImpl constructs a web service for Boulder -@@ -201,6 +204,7 @@ func NewWebFrontEndImpl( +@@ -204,6 +207,7 @@ func NewWebFrontEndImpl( unpauseSigner unpause.JWTSigner, unpauseJWTLifetime time.Duration, unpauseURL string, 
@@ -27,7 +27,7 @@ index 1f4b11fa5..64239cf58 100644 ) (WebFrontEndImpl, error) { if len(issuerCertificates) == 0 { return WebFrontEndImpl{}, errors.New("must provide at least one issuer certificate") -@@ -242,6 +246,7 @@ func NewWebFrontEndImpl( +@@ -245,6 +249,7 @@ func NewWebFrontEndImpl( unpauseSigner: unpauseSigner, unpauseJWTLifetime: unpauseJWTLifetime, unpauseURL: unpauseURL, @@ -35,7 +35,7 @@ index 1f4b11fa5..64239cf58 100644 } return wfe, nil -@@ -2308,8 +2313,25 @@ func (wfe *WebFrontEndImpl) NewOrder( +@@ -2374,8 +2379,25 @@ func (wfe *WebFrontEndImpl) NewOrder( names[i] = ident.Value }