Bump boulder version to release-2020-02-17

2026-01-27 10:19:34 +00:00 · 2020-03-01 09:54:43 +01:00
parent 8e54e303f1
commit 2d22f2dd46
10 changed files with 80 additions and 50 deletions
--- a/config_expiration-mailer.patch
+++ b/config_expiration-mailer.patch
@@ -1,5 +1,5 @@
 diff --git a/test/config/expiration-mailer.json b/test/config/expiration-mailer.json
-index 86e8a43..7988b1b 100644
+index 444beae43..e9bd228ef 100644
 --- a/test/config/expiration-mailer.json
 +++ b/test/config/expiration-mailer.json
@@ -12,6 +12,11 @@
--- a/docker-compose.patch
+++ b/docker-compose.patch
@@ -1,8 +1,8 @@
 diff --git a/docker-compose.yml b/docker-compose.yml
-index 87840f02..fc6eae34 100644
+index f3279eeab..76573dabe 100644
 --- a/docker-compose.yml
 +++ b/docker-compose.yml
-@@ -6,11 +6,12 @@ services:
+@@ -6,7 +6,7 @@ services:
         environment:
             FAKE_DNS: 10.77.77.77
             PKCS11_PROXY_SOCKET: tcp://boulder-hsm:5657
@@ -10,13 +10,16 @@ index 87840f02..fc6eae34 100644
 +            BOULDER_CONFIG_DIR: labca/config
             GO111MODULE: "on"
             GOFLAGS: "-mod=vendor"
+             # This is required so Python doesn't throw an error when printing
+@@ -14,6 +14,7 @@ services:
+             PYTHONIOENCODING: "utf-8"
         volumes:
           - .:/go/src/github.com/letsencrypt/boulder
 +          - /home/labca/boulder_labca:/go/src/github.com/letsencrypt/boulder/labca
           - ./.gocache:/root/.cache/go-build
         networks:
           bluenet:
-@@ -51,8 +52,14 @@ services:
+@@ -54,8 +55,14 @@ services:
         depends_on:
           - bhsm
           - bmysql
@@ -31,8 +34,8 @@ index 87840f02..fc6eae34 100644
 +        restart: always
     bhsm:
         # To minimize fetching this should be the same version used above
-         image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.12}:2019-04-08
-@@ -65,8 +72,16 @@ services:
+         image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.13.2}:2020-01-07
+@@ -68,8 +75,16 @@ services:
           bluenet:
             aliases:
               - boulder-hsm
@@ -49,9 +52,9 @@ index 87840f02..fc6eae34 100644
         networks:
           bluenet:
             aliases:
-@@ -75,20 +90,36 @@ services:
-             MYSQL_ALLOW_EMPTY_PASSWORD: "yes"
-         command: mysqld --bind-address=0.0.0.0
+@@ -83,20 +98,36 @@ services:
+         # small.
+         command: mysqld --bind-address=0.0.0.0 --slow-query-log --log-output=TABLE --log-queries-not-using-indexes=ON
         logging:
 -            driver: none
 -    netaccess:
@@ -61,7 +64,7 @@ index 87840f02..fc6eae34 100644
 +            max-file: "5"
 +        restart: always
 +    labca:
-         image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.12}:2019-04-08
+         image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.13.2}:2020-01-07
 -        environment:
 -            GO111MODULE: "on"
 -            GOFLAGS: "-mod=vendor"
@@ -91,6 +94,6 @@ index 87840f02..fc6eae34 100644
 +
 +volumes:
 +    dbdata:
-
+ 
 networks:
   bluenet:
--- a/expiration-mailer_main.patch
+++ b/expiration-mailer_main.patch
@@ -1,16 +1,16 @@
 diff --git a/cmd/expiration-mailer/main.go b/cmd/expiration-mailer/main.go
-index de4af4a0..b58405ef 100644
+index 49ce1a265..9d47457b9 100644
 --- a/cmd/expiration-mailer/main.go
 +++ b/cmd/expiration-mailer/main.go
-@@ -21,6 +21,7 @@ import (
+@@ -19,6 +19,7 @@ import (
+ 
 	"github.com/jmhodges/clock"
- 	"gopkg.in/go-gorp/gorp.v2"
 
 +	"github.com/letsencrypt/boulder/bdns"
 	"github.com/letsencrypt/boulder/cmd"
 	"github.com/letsencrypt/boulder/core"
- 	"github.com/letsencrypt/boulder/features"
-@@ -35,7 +36,7 @@ import (
+ 	"github.com/letsencrypt/boulder/db"
+@@ -34,7 +35,7 @@ import (
 
 const (
 	defaultNagCheckInterval  = 24 * time.Hour
@@ -19,7 +19,7 @@ index de4af4a0..b58405ef 100644
 )
 
 type regStore interface {
-@@ -376,6 +377,9 @@ type config struct {
+@@ -384,6 +385,9 @@ type config struct {
 		TLS       cmd.TLSConfig
 		SAService *cmd.GRPCClientConfig
 
@@ -29,7 +29,7 @@ index de4af4a0..b58405ef 100644
 		// Path to a file containing a list of trusted root certificates for use
 		// during the SMTP connection (as opposed to the gRPC connections).
 		SMTPTrustedRootFile string
-@@ -384,6 +388,12 @@ type config struct {
+@@ -392,6 +396,12 @@ type config struct {
 	}
 
 	Syslog cmd.SyslogConfig
@@ -41,8 +41,8 @@ index de4af4a0..b58405ef 100644
 +	}
 }
 
- func initStats(scope metrics.Scope) mailerStats {
-@@ -485,6 +495,29 @@ func main() {
+ func initStats(stats prometheus.Registerer) mailerStats {
+@@ -495,6 +505,30 @@ func main() {
 	cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA")
 	sac := bgrpc.NewStorageAuthorityClient(sapb.NewStorageAuthorityClient(conn))
 
@@ -62,17 +62,18 @@ index de4af4a0..b58405ef 100644
 +			c.Mailer.DNSResolvers,
 +			scope,
 +			clk,
-+			dnsTries)
+			dnsTries,
+			logger)
 +		resolver = r
 +	} else {
-+		r := bdns.NewTestDNSClientImpl(dnsTimeout, c.Mailer.DNSResolvers, scope, clk, dnsTries)
+		r := bdns.NewTestDNSClientImpl(dnsTimeout, c.Mailer.DNSResolvers, scope, clk, dnsTries, logger)
 +		resolver = r
 +	}
 +
 	var smtpRoots *x509.CertPool
 	if c.Mailer.SMTPTrustedRootFile != "" {
 		pem, err := ioutil.ReadFile(c.Mailer.SMTPTrustedRootFile)
-@@ -520,6 +553,7 @@ func main() {
+@@ -530,6 +564,7 @@ func main() {
 		c.Mailer.Username,
 		smtpPassword,
 		smtpRoots,
--- a/gui/apply-boulder
+++ b/gui/apply-boulder
@@ -19,6 +19,10 @@ if [ "$PKI_DOMAIN_MODE" == "whitelist" ]; then
    echo "Whitelist:" >> hostname-policy.yaml
    echo "  - \"$PKI_LOCKDOWN_DOMAINS\"" >> hostname-policy.yaml
 fi
+if [ "$PKI_DOMAIN_MODE" == "lockdown" ] || [ "$PKI_DOMAIN_MODE" == "whitelist" ]; then
+    sed -i -e "s/^\(.*\)\(\"n_subject_common_name_included\"\)/\1\2,\n\1\"e_dnsname_not_valid_tld\"/" config/ca-a.json
+    sed -i -e "s/^\(.*\)\(\"n_subject_common_name_included\"\)/\1\2,\n\1\"e_dnsname_not_valid_tld\"/" config/ca-b.json
+fi

 if [ "$PKI_EXTENDED_TIMEOUT" == "1" ]; then
    sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/ca-a.json
@@ -52,12 +56,15 @@ rm -f test-ca.der
 rm -f test-root.key
 rm -f test-root.key.der
 rm -f test-root.pem
+rm -f test-root.der

 cp -p $PKI_INT_CERT_BASE.key test-ca.key
 cp -p $PKI_INT_CERT_BASE.key.der test-ca.key.der
 cp -p $PKI_INT_CERT_BASE.pem test-ca.pem
+openssl rsa -in $PKI_INT_CERT_BASE.key -pubout > test-ca.pubkey.der
 cp -p $PKI_ROOT_CERT_BASE.key test-root.key
 cp -p $PKI_ROOT_CERT_BASE.key.der test-root.key.der
 cp -p $PKI_ROOT_CERT_BASE.pem test-root.pem
+openssl rsa -in $PKI_ROOT_CERT_BASE.key -pubout > test-root.pubkey.der

 chown -R `ls -l rate-limit-policies.yml | cut -d" " -f 3,4 | sed 's/ /:/g'` .
--- a/gui/templates/base.tmpl
+++ b/gui/templates/base.tmpl
@@ -32,7 +32,7 @@
                        <small>{{ if .Version }}Version {{ .Version }}{{ end }}</small>
                    </div>
                    <div class="col-sm-6 footer text-muted text-right" id="footer">
-                        <small>Copyright &copy; 2018-2019 LabCA</small>
+                        <small>Copyright &copy; 2018-2020 LabCA</small>
                    </div>
                </div>
            </div>
--- a/12
+++ b/12
@@ -24,7 +24,7 @@ dockerComposeVersion="1.22.0"

 labcaUrl="https://github.com/hakwerk/labca/"
 boulderUrl="https://github.com/letsencrypt/boulder/"
-boulderTag="release-2019-06-28"
+boulderTag="release-2020-02-17"

 #
 # Color configuration
@@ -441,8 +441,12 @@ get_boulder() {

    cd "$boulderDir"
    sudo -u labca git reset --hard $boulderTag &>>$installLog
-    sudo -u labca cp sa/_db-next/migrations/20190221140139_AddAuthz2.sql sa/_db/migrations/
-    sudo -u labca cp sa/_db-next/migrations/20190524120239_AddAuthz2ExpiresIndex.sql sa/_db/migrations/
+    if [ -e "sa/_db-next/migrations/20190221140139_AddAuthz2.sql" ]; then
+        sudo -u labca cp sa/_db-next/migrations/20190221140139_AddAuthz2.sql sa/_db/migrations/
+    fi
+    if [ -e "sa/_db-next/migrations/20190524120239_AddAuthz2ExpiresIndex.sql" ]; then
+        sudo -u labca cp sa/_db-next/migrations/20190524120239_AddAuthz2ExpiresIndex.sql sa/_db/migrations/
+    fi
    msg_ok "Boulder checkout '$boulderTag'"
 }

@@ -556,7 +560,7 @@ config_boulder() {
        export PKI_EMAIL_USER=$(grep user $adminDir/data/config.json | head -1 | perl -p0e 's/.*?:\s+(.*)/\1/' | sed -e 's/\",//g' | sed -e 's/\"//g')
        export PKI_EMAIL_FROM=$(grep from $adminDir/data/config.json | head -1 | perl -p0e 's/.*?:\s+(.*)/\1/' | sed -e 's/\",//g' | sed -e 's/\"//g')

-        $adminDir/apply-boulder
+        $adminDir/apply-boulder &>>$installLog
    else
        chown -R labca:labca "$boulderLabCADir"
    fi
--- a/mail-tester.go
+++ b/mail-tester.go
@@ -89,10 +89,11 @@ func main() {
 			c.Mailer.DNSResolvers,
 			scope,
 			clk,
-			dnsTries)
+			dnsTries,
+			logger)
 		resolver = r
 	} else {
-		r := bdns.NewTestDNSClientImpl(dnsTimeout, c.Mailer.DNSResolvers, scope, clk, dnsTries)
+		r := bdns.NewTestDNSClientImpl(dnsTimeout, c.Mailer.DNSResolvers, scope, clk, dnsTries, logger)
 		resolver = r
 	}

--- a/mail_mailer.patch
+++ b/mail_mailer.patch
@@ -1,38 +1,39 @@
 diff --git a/mail/mailer.go b/mail/mailer.go
-index 6dac0ab5..dfab66f4 100644
+index de6b1de20..60c58128b 100644
 --- a/mail/mailer.go
 +++ b/mail/mailer.go
-@@ -20,10 +20,13 @@ import (
+@@ -20,10 +20,14 @@ import (
 	"time"
 
 	"github.com/jmhodges/clock"
 +	"golang.org/x/net/context"
+ 	"github.com/prometheus/client_golang/prometheus"
 
 	"github.com/letsencrypt/boulder/core"
 +	"github.com/letsencrypt/boulder/bdns"
 	blog "github.com/letsencrypt/boulder/log"
- 	"github.com/letsencrypt/boulder/metrics"
+	berrors "github.com/letsencrypt/boulder/errors"
 +	"github.com/letsencrypt/boulder/probs"
 )
 
 type idGenerator interface {
-@@ -113,6 +116,7 @@ func New(
+@@ -119,6 +123,7 @@ func New(
 	username,
 	password string,
 	rootCAs *x509.CertPool,
 +	resolver bdns.DNSClient,
 	from mail.Address,
 	logger blog.Logger,
- 	stats metrics.Scope,
-@@ -125,6 +129,7 @@ func New(
+ 	stats prometheus.Registerer,
+@@ -138,6 +143,7 @@ func New(
 			server:   server,
 			port:     port,
 			rootCAs:  rootCAs,
 +			dnsClient: resolver,
 		},
- 		log:           logger,
- 		from:          from,
-@@ -163,7 +168,7 @@ func (m *MailerImpl) generateMessage(to []string, subject, body string) ([]byte,
+ 		log:              logger,
+ 		from:             from,
+@@ -178,7 +184,7 @@ func (m *MailerImpl) generateMessage(to []string, subject, body string) ([]byte,
 		fmt.Sprintf("To: %s", strings.Join(addrs, ", ")),
 		fmt.Sprintf("From: %s", m.from.String()),
 		fmt.Sprintf("Subject: %s", subject),
@@ -41,7 +42,7 @@ index 6dac0ab5..dfab66f4 100644
 		fmt.Sprintf("Message-Id: <%s.%s.%s>", now.Format("20060102T150405"), mid.String(), m.from.Address),
 		"MIME-Version: 1.0",
 		"Content-Type: text/plain; charset=UTF-8",
-@@ -220,23 +225,32 @@ func (m *MailerImpl) Connect() error {
+@@ -235,23 +241,32 @@ func (m *MailerImpl) Connect() error {
 type dialerImpl struct {
 	username, password, server, port string
 	rootCAs                          *x509.CertPool
@@ -67,7 +68,7 @@ index 6dac0ab5..dfab66f4 100644
 	}
 -	client, err := smtp.NewClient(conn, di.server)
 +	if len(addrs) == 0 {
-+		return nil, probs.UnknownHost("No valid IP addresses found for %s", di.server)
+		return nil, berrors.DNSError("No valid IP addresses found for %s", di.server)
 +	}
 +
 +	hostport := net.JoinHostPort(addrs[0].String(), di.port)
--- a/notify-mailer_main.patch
+++ b/notify-mailer_main.patch
@@ -1,12 +1,12 @@
 diff --git a/cmd/notify-mailer/main.go b/cmd/notify-mailer/main.go
-index 8979edce..885f2247 100644
+index f61f21086..87504c55b 100644
 --- a/cmd/notify-mailer/main.go
 +++ b/cmd/notify-mailer/main.go
-@@ -348,6 +348,7 @@ func main() {
+@@ -472,6 +472,7 @@ func main() {
 			cfg.NotifyMailer.Username,
 			smtpPassword,
 			nil,
 +			nil,
 			*address,
 			log,
- 			metrics.NewNoopScope(),
+ 			metrics.NoopRegisterer,
--- a/policy_pa.patch
+++ b/policy_pa.patch
@@ -1,8 +1,8 @@
 diff --git a/policy/pa.go b/policy/pa.go
-index 3d097365..53cf6020 100644
+index f6c908363..5de2d9ddc 100644
 --- a/policy/pa.go
 +++ b/policy/pa.go
-@@ -30,6 +30,8 @@ type AuthorityImpl struct {
+@@ -29,6 +29,8 @@ type AuthorityImpl struct {
 	blocklist              map[string]bool
 	exactBlocklist         map[string]bool
 	wildcardExactBlocklist map[string]bool
@@ -11,7 +11,7 @@ index 3d097365..53cf6020 100644
 	blocklistMu            sync.RWMutex
 
 	enabledChallenges map[string]bool
-@@ -70,6 +72,9 @@ type blockedNamesPolicy struct {
+@@ -69,6 +71,9 @@ type blockedNamesPolicy struct {
 	// time above and beyond the high-risk domains. Managing these entries separately
 	// from HighRiskBlockedNames makes it easier to vet changes accurately.
 	AdminBlockedNames []string `yaml:"AdminBlockedNames"`
@@ -21,7 +21,7 @@ index 3d097365..53cf6020 100644
 }
 
 // SetHostnamePolicyFile will load the given policy file, returning error if it
-@@ -138,10 +143,20 @@ func (pa *AuthorityImpl) processHostnamePolicy(policy blockedNamesPolicy) error
+@@ -137,10 +142,20 @@ func (pa *AuthorityImpl) processHostnamePolicy(policy blockedNamesPolicy) error
 		// wildcardNameMap to block issuance for `*.`+parts[1]
 		wildcardNameMap[parts[1]] = true
 	}
@@ -42,7 +42,7 @@ index 3d097365..53cf6020 100644
 	pa.blocklistMu.Unlock()
 	return nil
 }
-@@ -287,6 +302,14 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error {
+@@ -280,6 +295,14 @@ func (pa *AuthorityImpl) ValidDomain(domain string) error {
 		}
 	}
 
@@ -57,7 +57,20 @@ index 3d097365..53cf6020 100644
 	// Names must end in an ICANN TLD, but they must not be equal to an ICANN TLD.
 	icannTLD, err := iana.ExtractSuffix(domain)
 	if err != nil {
-@@ -304,6 +327,31 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error {
+@@ -322,14 +345,44 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error {
+ 		return err
+ 	}
+ 
+	if ok, _ := pa.checkWhitelist(domain); ok {
+		return nil
+	}
+
+ 	// Require no match against hostname block lists
+ 	if err := pa.checkHostLists(domain); err != nil {
+		fmt.Print("*** oopsie hij komt niet door checkhostlists...\n")
+ 		return err
+ 	}
+ 
 	return nil
 }