Bump boulder version to release-2023-05-22

.github/workflows/release.yml

@@ -13,7 +13,7 @@ jobs:
       fail-fast: false
       matrix:
         GO_VERSION:
-          - 1.20.3
+          - 1.20.4
 
     steps:
       - name: Checkout

build/build.sh

@@ -8,7 +8,7 @@ TMP_DIR=$(pwd)/tmp
 rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src}
 
 boulderDir=$TMP_DIR/src
-boulderTag="release-2023-04-24"
+boulderTag="release-2023-05-22"
 boulderUrl="https://github.com/letsencrypt/boulder/"
 cloneDir=$(pwd)/..
 
@@ -18,7 +18,9 @@ BUILD_IMAGE=$(eval echo $(grep boulder-tools ../patches/docker-compose.patch | h
 
 git clone --branch $boulderTag --depth 1 $boulderUrl $boulderDir 2>/dev/null
 cd $boulderDir
-git checkout $boulderTag -b $boulderTag 2>/dev/null
+if [ $boulderTag != "main" ]; then
+    git checkout $boulderTag -b $boulderTag 2>/dev/null
+fi
 
 if [ "$BUILD_IMAGE" == "" ]; then
     BUILD_IMAGE=$(eval echo $(grep boulder-tools $TMP_DIR/src/docker-compose.yml | grep "image:" | head -1 | sed -e "s/image://" | sed -e "s/&boulder_image//"))

build/tmp.patch

@@ -1,5 +1,5 @@
 diff --git a/docker-compose.yml b/docker-compose.yml
-index cfdcc784a..b50c8b18d 100644
+index 4fe5b4749..e70a007ef 100644
 --- a/docker-compose.yml
 +++ b/docker-compose.yml
 @@ -1,8 +1,9 @@
@@ -8,7 +8,7 @@ index cfdcc784a..b50c8b18d 100644
  services:
    boulder:
      # Should match one of the GO_DEV_VERSIONS in test/boulder-tools/tag_and_upload.sh.
--    image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.20.3_2023-04-04}
+-    image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.20.4_2023-05-02}
 +    image: ghcr.io/hakwerk/labca-boulder:${LABCA_IMAGE_VERSION:-latest}
      environment:
        # To solve HTTP-01 and TLS-ALPN-01 challenges, change the IP in FAKE_DNS

install

@@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0"
 
 labcaUrl="https://github.com/hakwerk/labca/"
 boulderUrl="https://github.com/letsencrypt/boulder/"
-boulderTag="release-2023-04-24"
+boulderTag="release-2023-05-22"
 
 # Feature flags
 flag_skip_redis=true

patch.sh

@@ -22,7 +22,9 @@ $SUDO patch -p1 < $cloneDir/patches/bad-key-revoker_main.patch
 $SUDO patch -p1 < $cloneDir/patches/boulder-va_main.patch
 $SUDO patch -p1 < $cloneDir/patches/ca_crl.patch
 $SUDO patch -p1 < $cloneDir/patches/cert-checker_main.patch
+$SUDO patch -p1 < $cloneDir/patches/cmd_config.patch
 $SUDO patch -p1 < $cloneDir/patches/cmd_shell.patch
+$SUDO patch -p1 < $cloneDir/patches/config_duration.patch
 $SUDO patch -p1 < $cloneDir/patches/contact-auditor_main.patch
 $SUDO patch -p1 < $cloneDir/patches/core_interfaces.patch
 $SUDO patch -p1 < $cloneDir/patches/crl-storer_main.patch
@@ -31,7 +33,8 @@ $SUDO patch -p1 < $cloneDir/patches/db_migrations.patch
 $SUDO patch -p1 < $cloneDir/patches/errors_errors.patch
 $SUDO patch -p1 < $cloneDir/patches/expiration-mailer_main.patch
 $SUDO patch -p1 < $cloneDir/patches/linter_linter.patch
-$SUDO patch -p1 < $cloneDir/patches/log_log.patch
+$SUDO patch -p1 < $cloneDir/patches/log_prod_prefix.patch
+$SUDO patch -p1 < $cloneDir/patches/log_test_prefix.patch
 $SUDO patch -p1 < $cloneDir/patches/log-validator_main.patch
 $SUDO patch -p1 < $cloneDir/patches/mail_mailer.patch
 $SUDO patch -p1 < $cloneDir/patches/makefile.patch

patches/boulder-va_main.patch

@@ -1,35 +1,41 @@
 diff --git a/cmd/boulder-va/main.go b/cmd/boulder-va/main.go
-index ebc83fa14..cfef7773c 100644
+index 3625dace9..55cb7cc18 100644
 --- a/cmd/boulder-va/main.go
 +++ b/cmd/boulder-va/main.go
-@@ -25,8 +25,10 @@ type Config struct {
- 		// DNSTries is the number of times to try a DNS query (that has a temporary error)
+@@ -27,8 +27,9 @@ type Config struct {
  		// before giving up. May be short-circuited by deadlines. A zero value
  		// will be turned into 1.
--		DNSTries                  int
--		DNSResolver               string `validate:"required"`
-+		DNSTries    int
-+		DNSResolver string `validate:"required"`
-+		// Deprecated, replaced by singular DNSResolver above.
+ 		DNSTries                  int
+-		DNSResolver               string           `validate:"required_without=DNSProvider,excluded_with=DNSProvider,omitempty,hostname|hostname_port"`
+-		DNSProvider               *cmd.DNSProvider `validate:"required_without=DNSResolver,excluded_with=DNSResolver,omitempty"`
++		DNSResolver               string `validate:"omitempty,hostname|hostname_port"`
 +		DNSResolvers              []string
- 		DNSTimeout                string
++		DNSProvider               *cmd.DNSProvider `validate:"omitempty"`
+ 		DNSTimeout                config.Duration  `validate:"required"`
  		DNSAllowLoopbackAddresses bool
  
-@@ -94,11 +96,13 @@ func main() {
- 	clk := cmd.Clock()
+@@ -88,7 +89,7 @@ func main() {
+ 		cmd.Fail("Cannot specify both 'dnsResolver' and dnsProvider")
+ 	}
+ 
+-	if c.VA.DNSResolver == "" && c.VA.DNSProvider == nil {
++	if c.VA.DNSResolver == "" && c.VA.DNSProvider == nil && len(c.VA.DNSResolvers) == 0 {
+ 		cmd.Fail("Must specify either 'dnsResolver' or dnsProvider")
+ 	}
+ 
+@@ -101,8 +102,13 @@ func main() {
+ 	}
  
  	var servers bdns.ServerProvider
--	if c.VA.DNSResolver == "" {
--		cmd.Fail("Config key 'dnsresolver' is required")
-+	if c.VA.DNSResolver != "" {
-+		servers, err = bdns.StartDynamicProvider(c.VA.DNSResolver, 60*time.Second)
-+		cmd.FailOnError(err, "Couldn't start dynamic DNS server resolver")
-+	} else {
+-	servers, err = bdns.StartDynamicProvider(c.VA.DNSProvider, 60*time.Second)
+-	cmd.FailOnError(err, "Couldn't start dynamic DNS server resolver")
++	if len(c.VA.DNSResolvers) > 0 {
 +		servers, err = bdns.NewStaticProvider(c.VA.DNSResolvers)
 +		cmd.FailOnError(err, "Couldn't parse static DNS server(s)")
- 	}
--	servers, err = bdns.StartDynamicProvider(c.VA.DNSResolver, 60*time.Second)
--	cmd.FailOnError(err, "Couldn't start dynamic DNS server resolver")
++	} else {
++		servers, err = bdns.StartDynamicProvider(c.VA.DNSProvider, 60*time.Second)
++		cmd.FailOnError(err, "Couldn't start dynamic DNS server resolver")
++	}
  	defer servers.Stop()
  
  	var resolver bdns.Client

patches/cmd_config.patch

@@ -0,0 +1,13 @@
+diff --git a/cmd/config.go b/cmd/config.go
+index 99ff43d02..a91f51d7d 100644
+--- a/cmd/config.go
++++ b/cmd/config.go
+@@ -460,7 +460,7 @@ type GRPCServerConfig struct {
+ 	// this controls how long it takes before a client learns about changes to its
+ 	// backends.
+ 	// https://pkg.go.dev/google.golang.org/grpc/keepalive#ServerParameters
+-	MaxConnectionAge config.Duration `validate:"required"`
++	MaxConnectionAge config.Duration
+ }
+ 
+ // GRPCServiceConfig contains the information needed to configure a gRPC service.

patches/config_bad-key-revoker.patch

@@ -20,7 +20,7 @@ index f4696dc2..b9c19ce3 100644
  		},
  		"maximumRevocations": 15,
  		"findCertificatesBatchSize": 10,
--		"interval": "1s",
+-		"interval": "50ms",
 +		"interval": "5m",
  		"backoffIntervalMax": "2s"
  	},

patches/config_crl-storer.patch

@@ -1,9 +1,9 @@
 diff --git a/test/config/crl-storer.json b/test/config/crl-storer.json
-index 61f14d79..a620896f 100644
+index ef70c2ffc..a53b75d86 100644
 --- a/test/config/crl-storer.json
 +++ b/test/config/crl-storer.json
-@@ -15,10 +15,9 @@
- 			]
+@@ -23,10 +23,9 @@
+ 			}
  		},
  		"issuerCerts": [
 -			"/hierarchy/intermediate-cert-rsa-a.pem",

patches/config_duration.patch

@@ -0,0 +1,13 @@
+diff --git a/config/duration.go b/config/duration.go
+index c97eeb486..6167bf768 100644
+--- a/config/duration.go
++++ b/config/duration.go
+@@ -9,7 +9,7 @@ import (
+ // Duration is just an alias for time.Duration that allows
+ // serialization to YAML as well as JSON.
+ type Duration struct {
+-	time.Duration `validate:"required"`
++	time.Duration
+ }
+ 
+ // ErrDurationMustBeString is returned when a non-string value is

patches/docker-compose-redis.patch

@@ -1,5 +1,5 @@
 diff --git a/docker-compose.yml b/docker-compose.yml
-index e9b68587b..5699aa777 100644
+index 5eb8a5513..05d16611b 100644
 --- a/docker-compose.yml
 +++ b/docker-compose.yml
 @@ -20,8 +20,6 @@ services:
@@ -18,9 +18,9 @@ index e9b68587b..5699aa777 100644
 -      - bredis_1
 -      - bredis_2
        - bconsul
+       - bjaeger
      entrypoint: test/entrypoint.sh
-     working_dir: &boulder_working_dir /boulder
-@@ -78,24 +74,6 @@ services:
+@@ -79,24 +75,6 @@ services:
          aliases:
            - boulder-proxysql
  
@@ -45,7 +45,7 @@ index e9b68587b..5699aa777 100644
    bconsul:
      image: hashicorp/consul:1.13.1
      volumes:
-@@ -132,13 +110,6 @@ networks:
+@@ -142,13 +120,6 @@ networks:
        config:
          - subnet: 10.88.88.0/24
  

patches/docker-compose.patch

@@ -1,5 +1,5 @@
 diff --git a/docker-compose.yml b/docker-compose.yml
-index 5699aa777..cfdcc784a 100644
+index 05d16611b..4fe5b4749 100644
 --- a/docker-compose.yml
 +++ b/docker-compose.yml
 @@ -8,10 +8,12 @@ services:
@@ -17,7 +17,7 @@ index 5699aa777..cfdcc784a 100644
        - ./.gocache:/root/.cache/go-build:cached
        - ./.hierarchy:/hierarchy/:cached
        - ./.softhsm-tokens/:/var/lib/softhsm/tokens/:cached
-@@ -31,19 +33,26 @@ services:
+@@ -31,20 +33,26 @@ services:
      # TODO: Remove this when ServerAddress is deprecated in favor of SRV records
      # and DNSAuthority.
      dns: 10.55.55.10
@@ -33,6 +33,7 @@ index 5699aa777..cfdcc784a 100644
        - bmysql
 -      - bproxysql
        - bconsul
+-      - bjaeger
 -    entrypoint: test/entrypoint.sh
 -    working_dir: &boulder_working_dir /boulder
 +    entrypoint: labca/entrypoint.sh
@@ -51,7 +52,7 @@ index 5699aa777..cfdcc784a 100644
      networks:
        bluenet:
          aliases:
-@@ -57,22 +66,11 @@ services:
+@@ -58,22 +66,11 @@ services:
      # small.
      command: mysqld --bind-address=0.0.0.0 --slow-query-log --log-output=TABLE --log-queries-not-using-indexes=ON
      logging:
@@ -79,7 +80,7 @@ index 5699aa777..cfdcc784a 100644
  
    bconsul:
      image: hashicorp/consul:1.13.1
-@@ -83,18 +81,70 @@ services:
+@@ -84,26 +81,70 @@ services:
          ipv4_address: 10.55.55.10
      command: "consul agent -dev -config-format=hcl -config-file=/test/consul/config.hcl"
  
@@ -127,10 +128,16 @@ index 5699aa777..cfdcc784a 100644
 +      - /home/labca/nginx_data/conf.d:/etc/nginx/conf.d
 +      - /home/labca/nginx_data/ssl:/etc/nginx/ssl
 +      - /home/labca/nginx_data/static:/var/www/html
-+
+ 
+-  bjaeger:
+-    image: jaegertracing/all-in-one:1.44
+-    environment:
+-      COLLECTOR_OTLP_ENABLED: "true"
 +  control:
 +    image: *boulder_image
-+    networks:
+     networks:
+-      bluenet:
+-        ipv4_address: 10.77.77.17
 +      - bluenet
 +    volumes:
 +      - /var/run/docker.sock:/var/run/docker.sock

patches/errors_errors.patch

@@ -1,8 +1,8 @@
 diff --git a/errors/errors.go b/errors/errors.go
-index 83adf7f1..cc136790 100644
+index f531782e8..4e59a7259 100644
 --- a/errors/errors.go
 +++ b/errors/errors.go
-@@ -163,10 +163,10 @@ func NotFoundError(msg string, args ...interface{}) error {
+@@ -166,10 +166,10 @@ func NotFoundError(msg string, args ...interface{}) error {
  	return New(NotFound, msg, args...)
  }
  

patches/log_log.patch

@@ -1,14 +0,0 @@
-diff --git a/log/log.go b/log/log.go
-index 75262337d..4245e41a9 100644
---- a/log/log.go
-+++ b/log/log.go
-@@ -94,6 +94,9 @@ func newStdoutWriter(level int) *stdoutWriter {
- 	}
- 
- 	prefix := fmt.Sprintf("%s %s %s[%d]:", shortHostname, datacenter, core.Command(), os.Getpid())
-+	if datacenter == "unknown" {
-+		prefix = fmt.Sprintf("%s %s[%d]:", shortHostname, core.Command(), os.Getpid())
-+	}
- 
- 	return &stdoutWriter{
- 		prefix: prefix,

patches/log_prod_prefix.patch

@@ -0,0 +1,14 @@
+diff --git a/log/prod_prefix.go b/log/prod_prefix.go
+index b4cf55daf..91f1aee8b 100644
+--- a/log/prod_prefix.go
++++ b/log/prod_prefix.go
+@@ -25,6 +25,9 @@ func getPrefix() (string, string) {
+ 	}
+ 
+ 	prefix := fmt.Sprintf("%s %s %s[%d]: ", shortHostname, datacenter, core.Command(), os.Getpid())
++	if datacenter == "unknown" {
++		prefix = fmt.Sprintf("%s[%d]: ", core.Command(), os.Getpid())
++	}
+ 	clkFormat := "2006-01-02T15:04:05.000000+00:00Z"
+ 
+ 	return prefix, clkFormat

patches/log_test_prefix.patch

@@ -0,0 +1,24 @@
+diff --git a/log/test_prefix.go b/log/test_prefix.go
+index d1fb89491..8974ac30e 100644
+--- a/log/test_prefix.go
++++ b/log/test_prefix.go
+@@ -2,8 +2,18 @@
+ 
+ package log
+ 
++import (
++	"fmt"
++	"os"
++
++	"github.com/letsencrypt/boulder/core"
++)
++
+ // getPrefix returns the prefix and clkFormat that should be used by the
+ // stdout logger.
+ func getPrefix() (string, string) {
+-	return "", "15:04:05.000000"
++	prefix := fmt.Sprintf("%s[%d]: ", core.Command(), os.Getpid())
++	clkFormat := "2006-01-02T15:04:05.000000+00:00Z"
++
++	return prefix, clkFormat
+ }

patches/ocsp-responder_main.patch

@@ -1,13 +1,22 @@
 diff --git a/cmd/ocsp-responder/main.go b/cmd/ocsp-responder/main.go
-index 2254dc26f..9d3a73c39 100644
+index 39a0dac43..c7e0dc02d 100644
 --- a/cmd/ocsp-responder/main.go
 +++ b/cmd/ocsp-responder/main.go
-@@ -151,49 +151,51 @@ as generated by Boulder's ceremony command.
+@@ -88,7 +88,7 @@ type Config struct {
+ 
+ 		// Configuration for using Redis as a cache. This configuration should
+ 		// allow for both read and write access.
+-		Redis *rocsp_config.RedisConfig `validate:"required_without=Source"`
++		Redis *rocsp_config.RedisConfig
+ 
+ 		// TLS client certificate, private key, and trusted root bundle.
+ 		TLS cmd.TLSConfig `validate:"required_without=Source,structonly"`
+@@ -154,49 +154,51 @@ as generated by Boulder's ceremony command.
  		source, err = responder.NewMemorySourceFromFile(filename, logger)
  		cmd.FailOnError(err, fmt.Sprintf("Couldn't read file: %s", url.Path))
  	} else {
 -		// Set up the redis source and the combined multiplex source.
--		rocspRWClient, err := rocsp_config.MakeClient(&c.OCSPResponder.Redis, clk, scope)
+-		rocspRWClient, err := rocsp_config.MakeClient(c.OCSPResponder.Redis, clk, scope)
 -		cmd.FailOnError(err, "Could not make redis client")
 -
 -		err = rocspRWClient.Ping(context.Background())
@@ -28,9 +37,9 @@ index 2254dc26f..9d3a73c39 100644
 -		maxInflight := c.OCSPResponder.MaxInflightSignings
 -		if maxInflight == 0 {
 -			maxInflight = 1000
-+		if c.OCSPResponder.Redis.ShardAddrs != nil {
++		if c.OCSPResponder.Redis != nil {
 +			// Set up the redis source and the combined multiplex source.
-+			rocspRWClient, err := rocsp_config.MakeClient(&c.OCSPResponder.Redis, clk, scope)
++			rocspRWClient, err := rocsp_config.MakeClient(c.OCSPResponder.Redis, clk, scope)
 +			cmd.FailOnError(err, "Could not make redis client")
 +
 +			err = rocspRWClient.Ping(context.Background())

patches/ra_ra.patch

@@ -1,8 +1,8 @@
 diff --git a/ra/ra.go b/ra/ra.go
-index a3ec42916..a71060a45 100644
+index fb881c4ed..0bb0a317a 100644
 --- a/ra/ra.go
 +++ b/ra/ra.go
-@@ -42,7 +42,6 @@ import (
+@@ -43,7 +43,6 @@ import (
  	"github.com/letsencrypt/boulder/issuance"
  	blog "github.com/letsencrypt/boulder/log"
  	"github.com/letsencrypt/boulder/metrics"
@@ -10,7 +10,7 @@ index a3ec42916..a71060a45 100644
  	"github.com/letsencrypt/boulder/probs"
  	pubpb "github.com/letsencrypt/boulder/publisher/proto"
  	rapb "github.com/letsencrypt/boulder/ra/proto"
-@@ -530,7 +529,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error {
+@@ -531,7 +530,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error {
  				contact,
  			)
  		}

patches/updater_updater.patch

@@ -1,5 +1,5 @@
 diff --git a/crl/updater/updater.go b/crl/updater/updater.go
-index 7d28c6e23..9f663706b 100644
+index cf58b3e6f..75ee6f338 100644
 --- a/crl/updater/updater.go
 +++ b/crl/updater/updater.go
 @@ -8,6 +8,7 @@ import (
@@ -10,7 +10,7 @@ index 7d28c6e23..9f663706b 100644
  	"sort"
  	"strings"
  	"time"
-@@ -120,6 +121,29 @@ func NewUpdater(
+@@ -128,6 +129,29 @@ func NewUpdater(
  // next scheduled run time based on the current time and the updateOffset, then
  // begins running once every updatePeriod.
  func (cu *crlUpdater) Run(ctx context.Context) error {
@@ -40,7 +40,7 @@ index 7d28c6e23..9f663706b 100644
  	// We don't want the times at which crlUpdater runs to be dependent on when
  	// the process starts. So wait until the appropriate time before kicking off
  	// the first run and the main ticker loop.
-@@ -141,7 +165,7 @@ func (cu *crlUpdater) Run(ctx context.Context) error {
+@@ -149,7 +173,7 @@ func (cu *crlUpdater) Run(ctx context.Context) error {
  	// counting from the appropriate time.
  	ticker := time.NewTicker(cu.updatePeriod)
  	atTime := cu.clk.Now()
@@ -49,7 +49,7 @@ index 7d28c6e23..9f663706b 100644
  	if err != nil {
  		// We only log, rather than return, so that the long-lived process can
  		// continue and try again at the next tick.
-@@ -327,7 +351,7 @@ func (cu *crlUpdater) tickShard(ctx context.Context, atTime time.Time, issuerNam
+@@ -359,7 +383,7 @@ func (cu *crlUpdater) tickShard(ctx context.Context, atTime time.Time, issuerNam
  			crlEntries = append(crlEntries, entry)
  		}