From 2d22f2dd469b7980519bf75bed0980a67ba57550 Mon Sep 17 00:00:00 2001 From: Arjan H Date: Sun, 1 Mar 2020 09:54:43 +0100 Subject: [PATCH] Bump boulder version to release-2020-02-17 --- config_expiration-mailer.patch | 2 +- docker-compose.patch | 23 +++++++++++++---------- expiration-mailer_main.patch | 25 +++++++++++++------------ gui/apply-boulder | 7 +++++++ gui/templates/base.tmpl | 2 +- install | 12 ++++++++---- mail-tester.go | 5 +++-- mail_mailer.patch | 23 ++++++++++++----------- notify-mailer_main.patch | 6 +++--- policy_pa.patch | 25 +++++++++++++++++++------ 10 files changed, 80 insertions(+), 50 deletions(-) diff --git a/config_expiration-mailer.patch b/config_expiration-mailer.patch index 1222328..3b48747 100644 --- a/config_expiration-mailer.patch +++ b/config_expiration-mailer.patch @@ -1,5 +1,5 @@ diff --git a/test/config/expiration-mailer.json b/test/config/expiration-mailer.json -index 86e8a43..7988b1b 100644 +index 444beae43..e9bd228ef 100644 --- a/test/config/expiration-mailer.json +++ b/test/config/expiration-mailer.json @@ -12,6 +12,11 @@ diff --git a/docker-compose.patch b/docker-compose.patch index bfe6277..0b39be9 100644 --- a/docker-compose.patch +++ b/docker-compose.patch @@ -1,8 +1,8 @@ diff --git a/docker-compose.yml b/docker-compose.yml -index 87840f02..fc6eae34 100644 +index f3279eeab..76573dabe 100644 --- a/docker-compose.yml +++ b/docker-compose.yml -@@ -6,11 +6,12 @@ services: +@@ -6,7 +6,7 @@ services: environment: FAKE_DNS: 10.77.77.77 PKCS11_PROXY_SOCKET: tcp://boulder-hsm:5657 
@@ -10,13 +10,16 @@ index 87840f02..fc6eae34 100644 + BOULDER_CONFIG_DIR: labca/config GO111MODULE: "on" GOFLAGS: "-mod=vendor" + # This is required so Python doesn't throw an error when printing +@@ -14,6 +14,7 @@ services: + PYTHONIOENCODING: "utf-8" volumes: - .:/go/src/github.com/letsencrypt/boulder + - /home/labca/boulder_labca:/go/src/github.com/letsencrypt/boulder/labca - ./.gocache:/root/.cache/go-build networks: bluenet: -@@ -51,8 +52,14 @@ services: +@@ -54,8 +55,14 @@ services: depends_on: - bhsm - bmysql @@ -31,8 +34,8 @@ index 87840f02..fc6eae34 100644 + restart: always bhsm: # To minimize fetching this should be the same version used above - image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.12}:2019-04-08 -@@ -65,8 +72,16 @@ services: + image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.13.2}:2020-01-07 +@@ -68,8 +75,16 @@ services: bluenet: aliases: - boulder-hsm @@ -49,9 +52,9 @@ index 87840f02..fc6eae34 100644 networks: bluenet: aliases: -@@ -75,20 +90,36 @@ services: - MYSQL_ALLOW_EMPTY_PASSWORD: "yes" - command: mysqld --bind-address=0.0.0.0 +@@ -83,20 +98,36 @@ services: + # small. + command: mysqld --bind-address=0.0.0.0 --slow-query-log --log-output=TABLE --log-queries-not-using-indexes=ON logging: - driver: none - netaccess: @@ -61,7 +64,7 @@ index 87840f02..fc6eae34 100644 + max-file: "5" + restart: always + labca: - image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.12}:2019-04-08 + image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.13.2}:2020-01-07 - environment: - GO111MODULE: "on" - GOFLAGS: "-mod=vendor" @@ -91,6 +94,6 @@ index 87840f02..fc6eae34 100644 + +volumes: + dbdata: - + networks: bluenet: diff --git a/expiration-mailer_main.patch b/expiration-mailer_main.patch index 743ae2b..775eb34 100644 --- a/expiration-mailer_main.patch +++ b/expiration-mailer_main.patch @@ -1,16 +1,16 @@ 
diff --git a/cmd/expiration-mailer/main.go b/cmd/expiration-mailer/main.go -index de4af4a0..b58405ef 100644 +index 49ce1a265..9d47457b9 100644 --- a/cmd/expiration-mailer/main.go +++ b/cmd/expiration-mailer/main.go -@@ -21,6 +21,7 @@ import ( +@@ -19,6 +19,7 @@ import ( + "github.com/jmhodges/clock" - "gopkg.in/go-gorp/gorp.v2" + "github.com/letsencrypt/boulder/bdns" "github.com/letsencrypt/boulder/cmd" "github.com/letsencrypt/boulder/core" - "github.com/letsencrypt/boulder/features" -@@ -35,7 +36,7 @@ import ( + "github.com/letsencrypt/boulder/db" +@@ -34,7 +35,7 @@ import ( const ( defaultNagCheckInterval = 24 * time.Hour @@ -19,7 +19,7 @@ index de4af4a0..b58405ef 100644 ) type regStore interface { -@@ -376,6 +377,9 @@ type config struct { +@@ -384,6 +385,9 @@ type config struct { TLS cmd.TLSConfig SAService *cmd.GRPCClientConfig @@ -29,7 +29,7 @@ index de4af4a0..b58405ef 100644 // Path to a file containing a list of trusted root certificates for use // during the SMTP connection (as opposed to the gRPC connections). SMTPTrustedRootFile string -@@ -384,6 +388,12 @@ type config struct { +@@ -392,6 +396,12 @@ type config struct { } Syslog cmd.SyslogConfig @@ -41,8 +41,8 @@ index de4af4a0..b58405ef 100644 + } } - func initStats(scope metrics.Scope) mailerStats { -@@ -485,6 +495,29 @@ func main() { + func initStats(stats prometheus.Registerer) mailerStats { +@@ -495,6 +505,30 @@ func main() { cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA") sac := bgrpc.NewStorageAuthorityClient(sapb.NewStorageAuthorityClient(conn)) 
@@ -62,17 +62,18 @@ index de4af4a0..b58405ef 100644 + c.Mailer.DNSResolvers, + scope, + clk, -+ dnsTries) ++ dnsTries, ++ logger) + resolver = r + } else { -+ r := bdns.NewTestDNSClientImpl(dnsTimeout, c.Mailer.DNSResolvers, scope, clk, dnsTries) ++ r := bdns.NewTestDNSClientImpl(dnsTimeout, c.Mailer.DNSResolvers, scope, clk, dnsTries, logger) + resolver = r + } + var smtpRoots *x509.CertPool if c.Mailer.SMTPTrustedRootFile != "" { pem, err := ioutil.ReadFile(c.Mailer.SMTPTrustedRootFile) -@@ -520,6 +553,7 @@ func main() { +@@ -530,6 +564,7 @@ func main() { c.Mailer.Username, smtpPassword, smtpRoots, diff --git a/gui/apply-boulder b/gui/apply-boulder index 8e2bcba..096b460 100755 --- a/gui/apply-boulder +++ b/gui/apply-boulder @@ -19,6 +19,10 @@ if [ "$PKI_DOMAIN_MODE" == "whitelist" ]; then echo "Whitelist:" >> hostname-policy.yaml echo " - \"$PKI_LOCKDOWN_DOMAINS\"" >> hostname-policy.yaml fi +if [ "$PKI_DOMAIN_MODE" == "lockdown" ] || [ "$PKI_DOMAIN_MODE" == "whitelist" ]; then + sed -i -e "s/^\(.*\)\(\"n_subject_common_name_included\"\)/\1\2,\n\1\"e_dnsname_not_valid_tld\"/" config/ca-a.json + sed -i -e "s/^\(.*\)\(\"n_subject_common_name_included\"\)/\1\2,\n\1\"e_dnsname_not_valid_tld\"/" config/ca-b.json +fi if [ "$PKI_EXTENDED_TIMEOUT" == "1" ]; then sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/ca-a.json @@ -52,12 +56,15 @@ rm -f test-ca.der rm -f test-root.key rm -f test-root.key.der rm -f test-root.pem +rm -f test-root.der cp -p $PKI_INT_CERT_BASE.key test-ca.key cp -p $PKI_INT_CERT_BASE.key.der test-ca.key.der cp -p $PKI_INT_CERT_BASE.pem test-ca.pem +openssl rsa -in $PKI_INT_CERT_BASE.key -pubout > test-ca.pubkey.der cp -p $PKI_ROOT_CERT_BASE.key test-root.key cp -p $PKI_ROOT_CERT_BASE.key.der test-root.key.der cp -p $PKI_ROOT_CERT_BASE.pem test-root.pem +openssl rsa -in $PKI_ROOT_CERT_BASE.key -pubout > test-root.pubkey.der chown -R `ls -l rate-limit-policies.yml | cut -d" " -f 3,4 | sed 's/ /:/g'` . 
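Review bot: Nothing in the hunk explains why a production binary can end up with `bdns.NewTestDNSClientImpl` in the else branch: the selecting condition sits above the hunk and the two branches differ only in the constructor, so a reader has to hunt for the config option that picks the "test" resolver; a comment on that branch, e.g. `// <name of the config option> is set: use the test resolver (see the condition above)` with the real option name filled in, would make the choice auditable. The `r := ...; resolver = r` pair in each branch can be collapsed to a direct assignment, `resolver = bdns.NewTestDNSClientImpl(dnsTimeout, c.Mailer.DNSResolvers, scope, clk, dnsTries, logger)`, assuming `resolver` is declared as the interface type above the hunk. The same pattern is repeated in mail-tester.go (hunk `@@ -89,10 +89,11 @@`). main's body starts and ends outside the hunk.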
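Review bot: The two `sed -i` expressions are not idempotent: each run inserts a fresh `"e_dnsname_not_valid_tld"` entry after `"n_subject_common_name_included"`, so if apply-boulder is ever re-run against an already patched `config/ca-a.json` or `config/ca-b.json` the list accumulates duplicates (whether that can happen depends on the caller in `install`, not on this hunk); prefixing each sed with `grep -q '"e_dnsname_not_valid_tld"' config/ca-a.json ||` makes it safe to repeat. The lint name indicates the CA will stop rejecting names without a recognised public TLD, which is what lockdown/whitelist mode needs but is easy to misread later, so a comment above the block such as `# lockdown/whitelist mode issues for non-public TLDs, so the CA must ignore the e_dnsname_not_valid_tld lint` belongs here. Looping over `config/ca-a.json config/ca-b.json` would also remove the duplicated expression.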
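Review bot: `openssl rsa -in $PKI_INT_CERT_BASE.key -pubout` writes a PEM-encoded public key unless `-outform DER` is given, yet the output file is named `test-ca.pubkey.der` (likewise `test-root.pubkey.der`); either add `-outform DER` or confirm that whatever reads the file expects PEM despite the name. The command also fails outright for a non-RSA key and its exit status is never checked, so the redirect would silently leave an empty file behind; `openssl pkey -in "$PKI_INT_CERT_BASE.key" -pubout -outform DER > test-ca.pubkey.der` handles both key types, and the variable should be quoted as shown in case the path contains spaces. The same applies to the root-key line a few lines down in this hunk.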
diff --git a/gui/templates/base.tmpl b/gui/templates/base.tmpl index 8755f3f..faa69b6 100644 --- a/gui/templates/base.tmpl +++ b/gui/templates/base.tmpl @@ -32,7 +32,7 @@ {{ if .Version }}Version {{ .Version }}{{ end }} diff --git a/install b/install index a372f36..7daedb9 100755 --- a/install +++ b/install @@ -24,7 +24,7 @@ dockerComposeVersion="1.22.0" labcaUrl="https://github.com/hakwerk/labca/" boulderUrl="https://github.com/letsencrypt/boulder/" -boulderTag="release-2019-06-28" +boulderTag="release-2020-02-17" # # Color configuration @@ -441,8 +441,12 @@ get_boulder() { cd "$boulderDir" sudo -u labca git reset --hard $boulderTag &>>$installLog - sudo -u labca cp sa/_db-next/migrations/20190221140139_AddAuthz2.sql sa/_db/migrations/ - sudo -u labca cp sa/_db-next/migrations/20190524120239_AddAuthz2ExpiresIndex.sql sa/_db/migrations/ + if [ -e "sa/_db-next/migrations/20190221140139_AddAuthz2.sql" ]; then + sudo -u labca cp sa/_db-next/migrations/20190221140139_AddAuthz2.sql sa/_db/migrations/ + fi + if [ -e "sa/_db-next/migrations/20190524120239_AddAuthz2ExpiresIndex.sql" ]; then + sudo -u labca cp sa/_db-next/migrations/20190524120239_AddAuthz2ExpiresIndex.sql sa/_db/migrations/ + fi msg_ok "Boulder checkout '$boulderTag'" } @@ -556,7 +560,7 @@ config_boulder() { export PKI_EMAIL_USER=$(grep user $adminDir/data/config.json | head -1 | perl -p0e 's/.*?:\s+(.*)/\1/' | sed -e 's/\",//g' | sed -e 's/\"//g') export PKI_EMAIL_FROM=$(grep from $adminDir/data/config.json | head -1 | perl -p0e 's/.*?:\s+(.*)/\1/' | sed -e 's/\",//g' | sed -e 's/\"//g') - $adminDir/apply-boulder + $adminDir/apply-boulder &>>$installLog else chown -R labca:labca "$boulderLabCADir" fi diff --git a/mail-tester.go b/mail-tester.go index f6eb078..95b03a0 100644 --- a/mail-tester.go +++ b/mail-tester.go 
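Review bot: The new `if [ -e ... ]` guards turn a missing migration file into a silent no-op, and nothing tells a later reader whether that is expected; a comment above the first guard, e.g. `# older boulder tags ship the authz2 migrations only in sa/_db-next; skip the copy when the tag already has them`, would record the reason (adjust if that is not the actual cause — the checked-out tag's layout is not visible here). The two guarded blocks are identical except for the filename, so a loop over the two basenames would remove the duplication. get_boulder's body continues outside the hunk.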
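Review bot: Redirecting `$adminDir/apply-boulder &>>$installLog` hides its output, but nothing checks its exit status, so a failing apply-boulder (for example one of its new `openssl` or `sed` steps) now leaves no trace on the console and the install carries on; `$adminDir/apply-boulder &>>$installLog || { echo "apply-boulder failed, see $installLog"; exit 1; }` keeps the quiet output while surfacing the failure. The script's other redirected command visible in this diff (`git reset --hard` in get_boulder) shows no status check either, so if the file has an error helper outside these hunks it should be used in both places. config_boulder's body starts and ends outside the hunk.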
@@ -89,10 +89,11 @@ func main() { c.Mailer.DNSResolvers, scope, clk, - dnsTries) + dnsTries, + logger) resolver = r } else { - r := bdns.NewTestDNSClientImpl(dnsTimeout, c.Mailer.DNSResolvers, scope, clk, dnsTries) + r := bdns.NewTestDNSClientImpl(dnsTimeout, c.Mailer.DNSResolvers, scope, clk, dnsTries, logger) resolver = r } diff --git a/mail_mailer.patch b/mail_mailer.patch index 45ae8a7..e3a3aa0 100644 --- a/mail_mailer.patch +++ b/mail_mailer.patch @@ -1,38 +1,39 @@ diff --git a/mail/mailer.go b/mail/mailer.go -index 6dac0ab5..dfab66f4 100644 +index de6b1de20..60c58128b 100644 --- a/mail/mailer.go +++ b/mail/mailer.go -@@ -20,10 +20,13 @@ import ( +@@ -20,10 +20,14 @@ import ( "time" "github.com/jmhodges/clock" + "golang.org/x/net/context" + "github.com/prometheus/client_golang/prometheus" "github.com/letsencrypt/boulder/core" + "github.com/letsencrypt/boulder/bdns" blog "github.com/letsencrypt/boulder/log" - "github.com/letsencrypt/boulder/metrics" ++ berrors "github.com/letsencrypt/boulder/errors" + "github.com/letsencrypt/boulder/probs" ) type idGenerator interface { -@@ -113,6 +116,7 @@ func New( +@@ -119,6 +123,7 @@ func New( username, password string, rootCAs *x509.CertPool, + resolver bdns.DNSClient, from mail.Address, logger blog.Logger, - stats metrics.Scope, -@@ -125,6 +129,7 @@ func New( + stats prometheus.Registerer, +@@ -138,6 +143,7 @@ func New( server: server, port: port, rootCAs: rootCAs, + dnsClient: resolver, }, - log: logger, - from: from, -@@ -163,7 +168,7 @@ func (m *MailerImpl) generateMessage(to []string, subject, body string) ([]byte, + log: logger, + from: from, +@@ -178,7 +184,7 @@ func (m *MailerImpl) generateMessage(to []string, subject, body string) ([]byte, fmt.Sprintf("To: %s", strings.Join(addrs, ", ")), fmt.Sprintf("From: %s", m.from.String()), fmt.Sprintf("Subject: %s", subject), 
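Review bot: After the swap from `probs.UnknownHost` to `berrors.DNSError` in the next hunk (`@@ -41,7 +42,7 @@`), `probs` may no longer be referenced anywhere in mailer.go, while this hunk still adds `"github.com/letsencrypt/boulder/probs"` to the import block; Go rejects an unused import, so either drop that line or confirm another use survives in the parts of the inner patch not shown here. The added `berrors` line is also placed after `blog` and the `bdns` import after `core`, which is not goimports order; running gofmt/goimports over the patched file would reorder them and keep the patch from drifting further on the next rebase.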
@@ -41,7 +42,7 @@ index 6dac0ab5..dfab66f4 100644 fmt.Sprintf("Message-Id: <%s.%s.%s>", now.Format("20060102T150405"), mid.String(), m.from.Address), "MIME-Version: 1.0", "Content-Type: text/plain; charset=UTF-8", -@@ -220,23 +225,32 @@ func (m *MailerImpl) Connect() error { +@@ -235,23 +241,32 @@ func (m *MailerImpl) Connect() error { type dialerImpl struct { username, password, server, port string rootCAs *x509.CertPool @@ -67,7 +68,7 @@ index 6dac0ab5..dfab66f4 100644 } - client, err := smtp.NewClient(conn, di.server) + if len(addrs) == 0 { -+ return nil, probs.UnknownHost("No valid IP addresses found for %s", di.server) ++ return nil, berrors.DNSError("No valid IP addresses found for %s", di.server) + } + + hostport := net.JoinHostPort(addrs[0].String(), di.port) diff --git a/notify-mailer_main.patch b/notify-mailer_main.patch index 9c35511..a77749a 100644 --- a/notify-mailer_main.patch +++ b/notify-mailer_main.patch @@ -1,12 +1,12 @@ diff --git a/cmd/notify-mailer/main.go b/cmd/notify-mailer/main.go -index 8979edce..885f2247 100644 +index f61f21086..87504c55b 100644 --- a/cmd/notify-mailer/main.go +++ b/cmd/notify-mailer/main.go -@@ -348,6 +348,7 @@ func main() { +@@ -472,6 +472,7 @@ func main() { cfg.NotifyMailer.Username, smtpPassword, nil, + nil, *address, log, - metrics.NewNoopScope(), + metrics.NoopRegisterer, diff --git a/policy_pa.patch b/policy_pa.patch index a9d0fb7..d2bbef2 100644 --- a/policy_pa.patch +++ b/policy_pa.patch @@ -1,8 +1,8 @@ diff --git a/policy/pa.go b/policy/pa.go -index 3d097365..53cf6020 100644 +index f6c908363..5de2d9ddc 100644 --- a/policy/pa.go +++ b/policy/pa.go -@@ -30,6 +30,8 @@ type AuthorityImpl struct { +@@ -29,6 +29,8 @@ type AuthorityImpl struct { blocklist map[string]bool exactBlocklist map[string]bool wildcardExactBlocklist map[string]bool 
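Review bot: The added `nil` is the new `resolver bdns.DNSClient` argument that mail_mailer.patch stores in `dialerImpl` as `dnsClient`, and `Dial` there builds `hostport` from addresses presumably obtained through that client (hunk `@@ -41,7 +42,7 @@` of mail_mailer.patch); a nil interface panics on the first method call, so notify-mailer will crash on its first `Connect` unless Dial checks `di.dnsClient == nil`, which is not visible in the patch. Either build a DNS client here the way expiration-mailer does, or give Dial an explicit guard such as `if di.dnsClient == nil { return nil, berrors.DNSError("no resolver configured for %s", di.server) }`. Whether notify-mailer actually reaches Dial (a dry-run path may bypass it) lies outside the hunk.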
@@ -11,7 +11,7 @@ index 3d097365..53cf6020 100644 blocklistMu sync.RWMutex enabledChallenges map[string]bool -@@ -70,6 +72,9 @@ type blockedNamesPolicy struct { +@@ -69,6 +71,9 @@ type blockedNamesPolicy struct { // time above and beyond the high-risk domains. Managing these entries separately // from HighRiskBlockedNames makes it easier to vet changes accurately. AdminBlockedNames []string `yaml:"AdminBlockedNames"` @@ -21,7 +21,7 @@ index 3d097365..53cf6020 100644 } // SetHostnamePolicyFile will load the given policy file, returning error if it -@@ -138,10 +143,20 @@ func (pa *AuthorityImpl) processHostnamePolicy(policy blockedNamesPolicy) error +@@ -137,10 +142,20 @@ func (pa *AuthorityImpl) processHostnamePolicy(policy blockedNamesPolicy) error // wildcardNameMap to block issuance for `*.`+parts[1] wildcardNameMap[parts[1]] = true } @@ -42,7 +42,7 @@ index 3d097365..53cf6020 100644 pa.blocklistMu.Unlock() return nil } -@@ -287,6 +302,14 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error { +@@ -280,6 +295,14 @@ func (pa *AuthorityImpl) ValidDomain(domain string) error { } } @@ -57,7 +57,20 @@ index 3d097365..53cf6020 100644 // Names must end in an ICANN TLD, but they must not be equal to an ICANN TLD. icannTLD, err := iana.ExtractSuffix(domain) if err != nil { -@@ -304,6 +327,31 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error { +@@ -322,14 +345,44 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error { + return err + } + ++ if ok, _ := pa.checkWhitelist(domain); ok { ++ return nil ++ } ++ + // Require no match against hostname block lists + if err := pa.checkHostLists(domain); err != nil { ++ fmt.Print("*** oopsie hij komt niet door checkhostlists...\n") + return err + } + return nil }