Bump boulder version to release-2020-04-27

2026-01-27 18:19:33 +00:00 · 2020-08-09 19:05:47 +02:00
parent 3107f53ac6
commit 2ec50c2776
6 changed files with 125 additions and 9 deletions
--- a/bad-key-revoker_main.patch
+++ b/bad-key-revoker_main.patch
@@ -0,0 +1,74 @@
+diff --git a/cmd/bad-key-revoker/main.go b/cmd/bad-key-revoker/main.go
+index 33ad8cdfb..3aaa489c9 100644
+--- a/cmd/bad-key-revoker/main.go
+++ b/cmd/bad-key-revoker/main.go
+@@ -13,6 +13,7 @@ import (
+ 	"strings"
+ 	"time"
+ 
+	"github.com/letsencrypt/boulder/bdns"
+ 	"github.com/letsencrypt/boulder/cmd"
+ 	"github.com/letsencrypt/boulder/core"
+ 	corepb "github.com/letsencrypt/boulder/core/proto"
+@@ -348,6 +349,9 @@ func main() {
+ 			TLS       cmd.TLSConfig
+ 			RAService *cmd.GRPCClientConfig
+ 
+			DNSTries     int
+			DNSResolvers []string
+
+ 			// MaximumRevocations specifies the maximum number of certificates associated with
+ 			// a key hash that bad-key-revoker will attempt to revoke. If the number of certificates
+ 			// is higher than MaximumRevocations bad-key-revoker will error out and refuse to
+@@ -374,6 +378,12 @@ func main() {
+ 		}
+ 
+ 		Syslog cmd.SyslogConfig
+
+		Common struct {
+			DNSResolver               string
+			DNSTimeout                string
+			DNSAllowLoopbackAddresses bool
+		}
+ 	}
+ 	configPath := flag.String("config", "", "File path to the configuration file for this service")
+ 	flag.Parse()
+@@ -407,6 +417,30 @@ func main() {
+ 	cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to RA")
+ 	rac := rapb.NewRegistrationAuthorityClient(conn)
+ 
+	dnsTimeout, err := time.ParseDuration(config.Common.DNSTimeout)
+	cmd.FailOnError(err, "Couldn't parse DNS timeout")
+	dnsTries := config.BadKeyRevoker.DNSTries
+	if dnsTries < 1 {
+		dnsTries = 1
+	}
+	var resolver bdns.DNSClient
+	if len(config.Common.DNSResolver) != 0 {
+		config.BadKeyRevoker.DNSResolvers = append(config.BadKeyRevoker.DNSResolvers, config.Common.DNSResolver)
+	}
+	if !config.Common.DNSAllowLoopbackAddresses {
+		r := bdns.NewDNSClientImpl(
+			dnsTimeout,
+			config.BadKeyRevoker.DNSResolvers,
+			scope,
+			clk,
+			dnsTries,
+			logger)
+		resolver = r
+	} else {
+		r := bdns.NewTestDNSClientImpl(dnsTimeout, config.BadKeyRevoker.DNSResolvers, scope, clk, dnsTries, logger)
+		resolver = r
+	}
+
+ 	var smtpRoots *x509.CertPool
+ 	if config.BadKeyRevoker.Mailer.SMTPTrustedRootFile != "" {
+ 		pem, err := ioutil.ReadFile(config.BadKeyRevoker.Mailer.SMTPTrustedRootFile)
+@@ -428,6 +462,7 @@ func main() {
+ 		config.BadKeyRevoker.Mailer.Username,
+ 		smtpPassword,
+ 		smtpRoots,
+		resolver,
+ 		*fromAddress,
+ 		logger,
+ 		scope,
--- a/config_bad-key-revoker.patch
+++ b/config_bad-key-revoker.patch
@@ -0,0 +1,32 @@
+diff --git a/test/config/bad-key-revoker.json b/test/config/bad-key-revoker.json
+index 7d1b704..1bead8d 100644
+--- a/test/config/bad-key-revoker.json
+++ b/test/config/bad-key-revoker.json
+@@ -3,6 +3,10 @@
+         "dbConnectFile": "labca/secrets/badkeyrevoker_dburl",
+         "maxDBConns": 10,
+         "debugAddr": ":8020",
+        "dnsTries": 3,
+        "dnsResolvers": [
+            "127.0.0.1:8053",
+            "127.0.0.1:8054"
+        ],
+         "tls": {
+             "caCertFile": "labca/grpc-creds/minica.pem",
+             "certFile": "labca/grpc-creds/bad-key-revoker.boulder/cert.pem",
+@@ -24,10 +28,14 @@
+         },
+         "maximumRevocations": 15,
+         "findCertificatesBatchSize": 10,
+-        "interval": "1s"
+        "interval": "1h"
+     },
+     "syslog": {
+         "stdoutlevel": 6,
+         "sysloglevel": 4
+    },
+    "common": {
+        "dnsTimeout": "3s",
+        "dnsAllowLoopbackAddresses": true
+     }
+ }
--- a/config_expiration-mailer.patch
+++ b/config_expiration-mailer.patch
@@ -17,7 +17,7 @@ index 444beae43..e9bd228ef 100644
@@ -28,5 +33,10 @@
   "syslog": {
     "stdoutlevel": 6,
-     "sysloglevel": 4
+     "sysloglevel": 6
 +  },
 +
 +  "common": {
--- a/docker-compose.patch
+++ b/docker-compose.patch
@@ -1,5 +1,5 @@
 diff --git a/docker-compose.yml b/docker-compose.yml
-index e34704a4d..46365bdcf 100644
+index e67d892a6..9b097c8b6 100644
 --- a/docker-compose.yml
 +++ b/docker-compose.yml
@@ -6,7 +6,7 @@ services:
@@ -19,13 +19,19 @@ index e34704a4d..46365bdcf 100644
           - ./.gocache:/root/.cache/go-build
         networks:
           bluenet:
-@@ -54,8 +55,14 @@ services:
+@@ -54,7 +55,7 @@ services:
         depends_on:
           - bhsm
           - bmysql
 -        entrypoint: test/entrypoint.sh
 +        entrypoint: labca/entrypoint.sh
         working_dir: /go/src/github.com/letsencrypt/boulder
+         # This works around a kernel bug that is tickled by Go 1.14:
+         # https://github.com/golang/go/issues/37436
+@@ -63,6 +64,12 @@ services:
+           memlock:
+             soft: -1
+             hard: -1
 +        logging:
 +          driver: "json-file"
 +          options:
@@ -34,8 +40,8 @@ index e34704a4d..46365bdcf 100644
 +        restart: always
     bhsm:
         # To minimize fetching this should be the same version used above
-         image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.13.2}:2020-04-08
-@@ -68,8 +75,16 @@ services:
+         image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.14.1}:2020-04-23
+@@ -75,8 +82,16 @@ services:
           bluenet:
             aliases:
               - boulder-hsm
@@ -52,7 +58,7 @@ index e34704a4d..46365bdcf 100644
         networks:
           bluenet:
             aliases:
-@@ -83,20 +98,36 @@ services:
+@@ -90,20 +105,36 @@ services:
         # small.
         command: mysqld --bind-address=0.0.0.0 --slow-query-log --log-output=TABLE --log-queries-not-using-indexes=ON
         logging:
@@ -64,7 +70,7 @@ index e34704a4d..46365bdcf 100644
 +            max-file: "5"
 +        restart: always
 +    labca:
-         image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.13.2}:2020-04-08
+         image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.14.1}:2020-04-23
 -        environment:
 -            GO111MODULE: "on"
 -            GOFLAGS: "-mod=vendor"
--- a/6
+++ b/6
@@ -24,7 +24,7 @@ dockerComposeVersion="1.22.0"

 labcaUrl="https://github.com/hakwerk/labca/"
 boulderUrl="https://github.com/letsencrypt/boulder/"
-boulderTag="release-2020-04-13"
+boulderTag="release-2020-04-27"

 #
 # Color configuration
@@ -492,10 +492,14 @@ config_boulder() {
    sudo -u labca patch -p1 < $cloneDir/notify-mailer_main.patch &>>$installLog
    cp cmd/notify-mailer/main.go "$boulderLabCADir/.backup/"

+    sudo -u labca patch -p1 < $cloneDir/bad-key-revoker_main.patch &>>$installLog
+    cp cmd/bad-key-revoker/main.go "$boulderLabCADir/.backup/"
+
    sudo -u labca patch -p1 -o "$boulderLabCADir/config/ca-a.json" < $cloneDir/test_config_ca_a.patch &>>$installLog
    sudo -u labca patch -p1 -o "$boulderLabCADir/config/ca-b.json" < $cloneDir/test_config_ca_b.patch &>>$installLog

    sudo -u labca patch -p1 -o "$boulderLabCADir/config/expiration-mailer.json" < $cloneDir/config_expiration-mailer.patch &>>$installLog
+    #sudo -u labca patch -p1 -o "$boulderLabCADir/config/bad-key-revoker.json" < $cloneDir/config_bad-key-revoker.patch &>>$installLog

    sed -i -e "s|https://letsencrypt.org/docs/rate-limits/|http://$LABCA_FQDN/rate-limits|" errors/errors.go &>>$installLog
    cp errors/errors.go "$boulderLabCADir/.backup/"
--- a/mail_mailer.patch
+++ b/mail_mailer.patch
@@ -63,7 +63,7 @@ index de6b1de20..60c58128b 100644
 +	addrs, err := di.dnsClient.LookupHost(ctx, di.server)
 	if err != nil {
 -		return nil, err
-+		problem := probs.DNS("%v", err)
+		problem := probs.DNS("%v")
 +		return nil, problem
 	}
 -	client, err := smtp.NewClient(conn, di.server)