diff --git a/.github/workflows/build-standalone.yml b/.github/workflows/build-standalone.yml index 7d9b6bb..dd82cb0 100644 --- a/.github/workflows/build-standalone.yml +++ b/.github/workflows/build-standalone.yml @@ -15,7 +15,7 @@ jobs: fail-fast: false matrix: GO_VERSION: - - 1.23.1 + - 1.24.1 steps: - name: Checkout diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f8abe88..a7c4c2e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,7 +13,7 @@ jobs: fail-fast: false matrix: GO_VERSION: - - 1.23.1 + - 1.24.1 steps: - name: Checkout diff --git a/build/Dockerfile-boulder b/build/Dockerfile-boulder index cf1fbac..30dc806 100644 --- a/build/Dockerfile-boulder +++ b/build/Dockerfile-boulder @@ -1,4 +1,4 @@ -FROM letsencrypt/boulder-tools:go1.23.1_2024-09-05 AS boulder-tools +FROM letsencrypt/boulder-tools:go1.24.1_2025-03-10 AS boulder-tools FROM ubuntu:focal diff --git a/build/build.sh b/build/build.sh index 58b9633..363b25f 100755 --- a/build/build.sh +++ b/build/build.sh @@ -8,7 +8,7 @@ TMP_DIR=$(pwd)/tmp rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src} boulderDir=$TMP_DIR/src -boulderTag="release-2025-02-14" +boulderTag="release-2025-03-10" boulderUrl="https://github.com/letsencrypt/boulder/" cloneDir=$(pwd)/.. diff --git a/build/docker-compose.yml b/build/docker-compose.yml index 30425c5..eeb84b4 100644 --- a/build/docker-compose.yml +++ b/build/docker-compose.yml @@ -9,7 +9,7 @@ services: context: test/boulder-tools/ # Should match one of the GO_CI_VERSIONS in test/boulder-tools/tag_and_upload.sh. args: - GO_VERSION: 1.23.1 + GO_VERSION: 1.24.1 environment: # To solve HTTP-01 and TLS-ALPN-01 challenges, change the IP in FAKE_DNS # to the IP address where your ACME client's solver is listening. diff --git a/build/tmp2.patch b/build/tmp2.patch index 95729b7..c801dbf 100644 --- a/build/tmp2.patch +++ b/build/tmp2.patch @@ -1,8 +1,8 @@ 
diff --git a/test/startservers.py b/test/startservers.py -index 93d0c25bc..237472a2e 100644 +index c42a1bb51..9eeac8906 100644 --- a/test/startservers.py +++ b/test/startservers.py -@@ -169,6 +169,9 @@ processes = [] +@@ -194,6 +194,9 @@ processes = [] challSrvProcess = None def install(race_detection): diff --git a/dev/versions b/dev/versions index 06cab31..784df28 100755 --- a/dev/versions +++ b/dev/versions @@ -57,8 +57,13 @@ colorGoVersion() { local fileName="$1" local expectVersion="$2" - if [ ! -z "$(grep GO_VERSION -A 3 $fileName | egrep "\- [\"0-9]+" | grep $expectVersion || echo "")" ]; then - res=$(grep GO_VERSION -A 3 $fileName | egrep "\- [\"0-9]+" | sed -e "s/$expectVersion/${COL_LIGHT_GREEN}$expectVersion${COL_NC}/") + first=$(echo $expectVersion | cut -d " " -f 1) + second=$(echo $expectVersion | cut -d " " -f 2) + + if [ ! -z "$(grep GO_VERSION -A 3 $fileName | egrep "\- [\"0-9]+" | grep $first || echo "")" ]; then + res=$(grep GO_VERSION -A 3 $fileName | egrep "\- [\"0-9]+" | sed -e "s/$first/${COL_LIGHT_GREEN}$first${COL_NC}/") + elif [ ! -z "$(grep GO_VERSION -A 3 $fileName | egrep "\- [\"0-9]+" | grep $second || echo "")" ]; then + res=$(grep GO_VERSION -A 3 $fileName | egrep "\- [\"0-9]+" | sed -e "s/$second/${COL_YELLOW}$second${COL_NC}/") else res=$(grep GO_VERSION -A 3 $fileName | egrep "\- [\"0-9]+" | sed -e "s/\([0-9\.]*\)/${COL_LIGHT_RED}\1${COL_NC}/g") fi 
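Review bot: `grep $first` and `grep $second` in the new branches treat the expected version as an unquoted, unanchored regular expression, so the dots in a value like `1.24.1` are wildcards and an empty field matches every line; the `s/$first/…/` and `s/$second/…/` sed patterns have the same weakness. Fixed-string, quoted matching is the safer form: `grep -F -- "$first"` and `grep -F -- "$second"`. Note also that `cut -d " " -f 2` appears to return the whole string when `expectVersion` contains no space, so the `elif` branch then re-tests the same value as the `if` branch — harmless, but a one-line comment saying the second field is optional would save the next reader a puzzle. The body of `colorGoVersion` starts above this hunk.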
@@ -116,8 +121,8 @@ echo goversion=$(grep GO_VERSION -A 3 ../boulder/.github/workflows/release.yml | egrep "\- [\"0-9]+" | sed -e "s/\s*-\s*//" | sed -e "s/\"//g") echo "Boulder .github/workflows/release.yml" grep GO_VERSION -A 3 ../boulder/.github/workflows/release.yml | egrep "\- [\"0-9]+" | sed -e "s/yml-/yml/" -colorGoVersion .github/workflows/release.yml $goversion -colorGoVersion .github/workflows/build-standalone.yml $goversion +colorGoVersion .github/workflows/release.yml "$goversion" +colorGoVersion .github/workflows/build-standalone.yml "$goversion" echo goversion=$(grep GO_VERSION ../boulder/docker-compose.yml | sed -e "s/\s*GO_VERSION://") diff --git a/install b/install index 98987df..a26da61 100755 --- a/install +++ b/install @@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0" labcaUrl="https://github.com/hakwerk/labca/" boulderUrl="https://github.com/letsencrypt/boulder/" -boulderTag="release-2025-02-14" +boulderTag="release-2025-03-10" # # Color configuration @@ -238,12 +238,12 @@ clone_or_pull() { # Checkout the latest release tag checkout_release() { local branch="$1" - if [ "$branch" == "" ] || [ "$branch" == "master" ] || [ "$branch" == "main" ]; then + if [ "$branch" == "" ] || [ "$branch" == "master" ]; then cd "$cloneDir" if [ "$curChecksum" == "" ]; then curChecksum=$(md5sum $cloneDir/install 2>/dev/null | cut -d' ' -f1) fi - TAG=$(sudo -u labca -H git describe --tags $(sudo -u labca -H git rev-list --tags --max-count=1)) + TAG=$(sudo -u labca -H git describe --tags origin/master | cut -d "-" -f 1) sudo -u labca -H git reset --hard $TAG &>>$installLog fi } diff --git a/patch.sh b/patch.sh index 77da55f..21e8c48 100755 --- a/patch.sh +++ b/patch.sh 
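Review bot: `git describe --tags origin/master | cut -d "-" -f 1` only yields a tag name because the describe suffix (`-<n>-g<sha>`) happens to be split on the same character; a tag that itself contains a hyphen would be truncated, and the following `git reset --hard $TAG` would then target a non-existent ref with the failure landing only in `$installLog`. `git describe` already provides this: `TAG=$(sudo -u labca -H git describe --tags --abbrev=0 origin/master)`. If the project's release tags are signed, a `git verify-tag "$TAG"` before the reset would also stop a tampered remote from steering the install to an arbitrary tag. The same hunk drops `"main"` from the branch check, so a caller passing `main` now skips the release checkout entirely — if that is intentional it deserves a comment on the `if` line. The rest of `checkout_release` is inside the hunk; `clone_or_pull` from the hunk header is not.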
@@ -53,6 +53,7 @@ $SUDO patch -p1 < $cloneDir/patches/ratelimits_names.patch $SUDO patch -p1 < $cloneDir/patches/redis_config.patch $SUDO patch -p1 < $cloneDir/patches/remoteva_main.patch $SUDO patch -p1 < $cloneDir/patches/start.patch +$SUDO patch -p1 < $cloneDir/patches/test_startservers.patch if [ "$SUDO" == "" ]; then # TODO: should include this into startservers.patch $SUDO patch -p1 < $cloneDir/build/tmp2.patch diff --git a/patches/boulder-ra_main.patch b/patches/boulder-ra_main.patch index 30550f2..0f97c30 100644 --- a/patches/boulder-ra_main.patch +++ b/patches/boulder-ra_main.patch @@ -1,8 +1,8 @@ diff --git a/cmd/boulder-ra/main.go b/cmd/boulder-ra/main.go -index 038935507..44dadd086 100644 +index 5bc425c60..842277b13 100644 --- a/cmd/boulder-ra/main.go +++ b/cmd/boulder-ra/main.go -@@ -273,6 +273,8 @@ func main() { +@@ -281,6 +281,8 @@ func main() { limiterRedis, err = bredis.NewRingFromConfig(*c.RA.Limiter.Redis, scope, logger) cmd.FailOnError(err, "Failed to create Redis ring") diff --git a/patches/boulder-va_main.patch b/patches/boulder-va_main.patch index 93f7b8f..a48fef3 100644 --- a/patches/boulder-va_main.patch +++ b/patches/boulder-va_main.patch @@ -1,8 +1,8 @@ diff --git a/cmd/boulder-va/main.go b/cmd/boulder-va/main.go -index f2c2c8487..86fb29457 100644 +index e18989222..809e0c19e 100644 --- a/cmd/boulder-va/main.go +++ b/cmd/boulder-va/main.go -@@ -56,6 +56,7 @@ type Config struct { +@@ -52,6 +52,7 @@ type Config struct { // Deprecated and ignored MaxRemoteValidationFailures int `validate:"omitempty,min=0,required_with=RemoteVAs"` Features features.Config @@ -10,12 +10,12 @@ index f2c2c8487..86fb29457 100644 } Syslog cmd.SyslogConfig -@@ -153,7 +154,8 @@ func main() { - logger, +@@ -150,7 +151,8 @@ func main() { c.VA.AccountURIPrefixes, va.PrimaryPerspective, -- "") -+ "", + "", +- bdns.IsReservedIP) ++ bdns.IsReservedIP, + c.VA.LabCADomains) cmd.FailOnError(err, "Unable to create VA server") 
diff --git a/patches/ca_ca.patch b/patches/ca_ca.patch index fafc84a..be6a73c 100644 --- a/patches/ca_ca.patch +++ b/patches/ca_ca.patch @@ -1,8 +1,8 @@ diff --git a/ca/ca.go b/ca/ca.go -index 3c4e8170c..11792593a 100644 +index a598fc5cd..264ec35cc 100644 --- a/ca/ca.go +++ b/ca/ca.go -@@ -171,10 +171,10 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) { +@@ -182,10 +182,10 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) { } } if i, ok := issuersByAlg[x509.ECDSA]; !ok || len(i) == 0 { diff --git a/patches/ca_ca_keytype_hack.patch b/patches/ca_ca_keytype_hack.patch index 6e72027..8898730 100644 --- a/patches/ca_ca_keytype_hack.patch +++ b/patches/ca_ca_keytype_hack.patch @@ -1,8 +1,8 @@ diff --git a/ca/ca.go b/ca/ca.go -index 11792593a..92310d73b 100644 +index 264ec35cc..f56e9a342 100644 --- a/ca/ca.go +++ b/ca/ca.go -@@ -171,10 +171,14 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) { +@@ -182,10 +182,14 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) { } } if i, ok := issuersByAlg[x509.ECDSA]; !ok || len(i) == 0 { diff --git a/patches/ceremony_main.patch b/patches/ceremony_main.patch index 30d5412..ec96430 100644 --- a/patches/ceremony_main.patch +++ b/patches/ceremony_main.patch @@ -1,10 +1,10 @@ diff --git a/cmd/ceremony/main.go b/cmd/ceremony/main.go -index f18979fef..0aa8eb0c7 100644 +index 12cc9249c..8ac5af0a3 100644 --- a/cmd/ceremony/main.go +++ b/cmd/ceremony/main.go @@ -98,6 +98,7 @@ type keyGenConfig struct { Type string `yaml:"type"` - RSAModLength uint `yaml:"rsa-mod-length"` + RSAModLength int `yaml:"rsa-mod-length"` ECDSACurve string `yaml:"ecdsa-curve"` + Extractable bool `yaml:"extractable"` } diff --git a/patches/ceremony_rsa.patch b/patches/ceremony_rsa.patch index ec9523a..2e9fedd 100644 --- a/patches/ceremony_rsa.patch +++ b/patches/ceremony_rsa.patch @@ -1,17 +1,17 @@ 
diff --git a/cmd/ceremony/rsa.go b/cmd/ceremony/rsa.go -index 69e326b39..1bd60f750 100644 +index 7d0eb4b30..465857f3a 100644 --- a/cmd/ceremony/rsa.go +++ b/cmd/ceremony/rsa.go -@@ -18,7 +18,7 @@ const ( +@@ -19,7 +19,7 @@ const ( // device and specifies which mechanism should be used. modulusLen specifies the // length of the modulus to be generated on the device in bits and exponent // specifies the public exponent that should be used. --func rsaArgs(label string, modulusLen, exponent uint, keyID []byte) generateArgs { -+func rsaArgs(label string, modulusLen, exponent uint, keyID []byte, extractable bool) generateArgs { +-func rsaArgs(label string, modulusLen int, keyID []byte) generateArgs { ++func rsaArgs(label string, modulusLen int, keyID []byte, extractable bool) generateArgs { // Encode as unpadded big endian encoded byte slice - expSlice := big.NewInt(int64(exponent)).Bytes() - log.Printf("\tEncoded public exponent (%d) as: %0X\n", exponent, expSlice) -@@ -44,7 +44,7 @@ func rsaArgs(label string, modulusLen, exponent uint, keyID []byte) generateArgs + expSlice := big.NewInt(rsaExp).Bytes() + log.Printf("\tEncoded public exponent (%d) as: %0X\n", rsaExp, expSlice) +@@ -45,7 +45,7 @@ func rsaArgs(label string, modulusLen int, keyID []byte) generateArgs { // Prevent attributes being retrieved pkcs11.NewAttribute(pkcs11.CKA_SENSITIVE, true), // Prevent the key being extracted from the device 
@@ -20,20 +20,20 @@ index 69e326b39..1bd60f750 100644 // Allow the key to create signatures pkcs11.NewAttribute(pkcs11.CKA_SIGN, true), }, -@@ -75,14 +75,14 @@ func rsaPub(session *pkcs11helpers.Session, object pkcs11.ObjectHandle, modulusL +@@ -76,14 +76,14 @@ func rsaPub(session *pkcs11helpers.Session, object pkcs11.ObjectHandle, modulusL // specified by modulusLen and with the exponent 65537. // It returns the public part of the generated key pair as a rsa.PublicKey // and the random key ID that the HSM uses to identify the key pair. --func rsaGenerate(session *pkcs11helpers.Session, label string, modulusLen uint) (*rsa.PublicKey, []byte, error) { -+func rsaGenerate(session *pkcs11helpers.Session, label string, modulusLen uint, extractable bool) (*rsa.PublicKey, []byte, error) { +-func rsaGenerate(session *pkcs11helpers.Session, label string, modulusLen int) (*rsa.PublicKey, []byte, error) { ++func rsaGenerate(session *pkcs11helpers.Session, label string, modulusLen int, extractable bool) (*rsa.PublicKey, []byte, error) { keyID := make([]byte, 4) _, err := newRandReader(session).Read(keyID) if err != nil { return nil, nil, err } log.Printf("Generating RSA key with %d bit modulus and public exponent %d and ID %x\n", modulusLen, rsaExp, keyID) -- args := rsaArgs(label, modulusLen, rsaExp, keyID) -+ args := rsaArgs(label, modulusLen, rsaExp, keyID, extractable) +- args := rsaArgs(label, modulusLen, keyID) ++ args := rsaArgs(label, modulusLen, keyID, extractable) pub, _, err := session.GenerateKeyPair(args.mechanism, args.publicAttrs, args.privateAttrs) if err != nil { return nil, nil, err diff --git a/patches/config_crl-updater.patch b/patches/config_crl-updater.patch index 84889bc..f5c6cfe 100644 --- a/patches/config_crl-updater.patch +++ b/patches/config_crl-updater.patch @@ -1,8 +1,8 @@ diff --git a/test/config/crl-updater.json b/test/config/crl-updater.json -index 21f3603bb..77450c65f 100644 +index eb5ba23e0..c4d40af92 100644 --- a/test/config/crl-updater.json 
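Review bot: The new `extractable` argument is threaded from `rsaGenerate` into `rsaArgs` but never logged, so the `log.Printf("Generating RSA key with %d bit modulus ...")` line cannot tell an operator whether the key just created on the device can later be exported — a deliberate weakening of the HSM's protection that belongs in the ceremony output: `log.Printf("Generating RSA key with %d bit modulus and public exponent %d and ID %x (extractable=%t)\n", modulusLen, rsaExp, keyID, extractable)`. The `// Prevent the key being extracted from the device` comment at the end of the previous hunk now only holds when `extractable` is false (the attribute line it describes, presumably `CKA_EXTRACTABLE`, is not shown) and should say so, e.g. `// Extractability is taken from the config; false keeps the private key on the device`. The doc comment on `rsaGenerate`, which sits above this hunk, should also gain a sentence describing the new parameter.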
+++ b/test/config/crl-updater.json -@@ -36,19 +36,14 @@ +@@ -36,18 +36,13 @@ "hostOverride": "crl-storer.boulder" }, "issuerCerts": [ @@ -18,13 +18,11 @@ index 21f3603bb..77450c65f 100644 - "shardWidth": "240h", - "lookbackPeriod": "24h", - "updatePeriod": "6h", -- "updateOffset": "9120s", - "maxParallelism": 10, + "numShards": 1, + "shardWidth": "24h", + "lookbackPeriod": "96h", + "updatePeriod": "24h", -+ "updateOffset": "5m", + "maxParallelism": 1, "maxAttempts": 5, "features": {} diff --git a/patches/linter_linter.patch b/patches/linter_linter.patch index 4ea459b..a5278a4 100644 --- a/patches/linter_linter.patch +++ b/patches/linter_linter.patch @@ -1,8 +1,8 @@ diff --git a/linter/linter.go b/linter/linter.go -index e9bf33b85..e88cc6b7f 100644 +index 249e5ab91..59cc14b57 100644 --- a/linter/linter.go +++ b/linter/linter.go -@@ -200,10 +200,21 @@ func makeIssuer(realIssuer *x509.Certificate, lintSigner crypto.Signer) (*x509.C +@@ -201,10 +201,21 @@ func makeIssuer(realIssuer *x509.Certificate, lintSigner crypto.Signer) (*x509.C SubjectKeyId: realIssuer.SubjectKeyId, URIs: realIssuer.URIs, UnknownExtKeyUsage: realIssuer.UnknownExtKeyUsage, diff --git a/patches/ra_ra.patch b/patches/ra_ra.patch index 40323f6..383635a 100644 --- a/patches/ra_ra.patch +++ b/patches/ra_ra.patch @@ -1,8 +1,8 @@ diff --git a/ra/ra.go b/ra/ra.go -index 82244d216..10d15a624 100644 +index 091a40ab6..a89f1e3e2 100644 --- a/ra/ra.go +++ b/ra/ra.go -@@ -44,7 +44,6 @@ import ( +@@ -43,7 +43,6 @@ import ( "github.com/letsencrypt/boulder/issuance" blog "github.com/letsencrypt/boulder/log" "github.com/letsencrypt/boulder/metrics" 
@@ -10,7 +10,7 @@ index 82244d216..10d15a624 100644 "github.com/letsencrypt/boulder/probs" pubpb "github.com/letsencrypt/boulder/publisher/proto" rapb "github.com/letsencrypt/boulder/ra/proto" -@@ -582,7 +581,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error { +@@ -593,7 +592,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error { if !core.IsASCII(contact) { return berrors.InvalidEmailError("contact email contains non-ASCII characters") } @@ -19,7 +19,7 @@ index 82244d216..10d15a624 100644 if err != nil { return err } -@@ -1933,6 +1932,9 @@ func crlShard(cert *x509.Certificate) (int64, error) { +@@ -1906,6 +1905,9 @@ func crlShard(cert *x509.Certificate) (int64, error) { return 0, fmt.Errorf("malformed CRLDistributionPoint %q", url) } shardStr := url[lastIndex+1:] diff --git a/patches/remoteva_main.patch b/patches/remoteva_main.patch index cf03bbb..f105429 100644 --- a/patches/remoteva_main.patch +++ b/patches/remoteva_main.patch @@ -1,8 +1,8 @@ diff --git a/cmd/remoteva/main.go b/cmd/remoteva/main.go -index 97320f971..6df388e3f 100644 +index 0dc71028f..19962fb35 100644 --- a/cmd/remoteva/main.go +++ b/cmd/remoteva/main.go -@@ -60,7 +60,8 @@ type Config struct { +@@ -56,7 +56,8 @@ type Config struct { // For more information, see: https://pkg.go.dev/crypto/tls#ClientAuthType SkipGRPCClientCertVerification bool @@ -12,12 +12,12 @@ index 97320f971..6df388e3f 100644 } Syslog cmd.SyslogConfig -@@ -142,7 +143,8 @@ func main() { - logger, +@@ -139,7 +140,8 @@ func main() { c.RVA.AccountURIPrefixes, c.RVA.Perspective, -- c.RVA.RIR) -+ c.RVA.RIR, + c.RVA.RIR, +- bdns.IsReservedIP) ++ bdns.IsReservedIP, + c.RVA.LabCADomains) cmd.FailOnError(err, "Unable to create Remote-VA server") diff --git a/patches/test_certs_generate.patch b/patches/test_certs_generate.patch index 7939a1c..5f240fe 100644 --- a/patches/test_certs_generate.patch +++ b/patches/test_certs_generate.patch @@ -1,5 +1,5 @@ 
diff --git a/test/certs/generate.sh b/test/certs/generate.sh -index 3f0e03d2c..7a57d0b3d 100755 +index fbcaa9628..d3bd089e9 100755 --- a/test/certs/generate.sh +++ b/test/certs/generate.sh @@ -63,9 +63,9 @@ webpki() ( @@ -15,7 +15,7 @@ index 3f0e03d2c..7a57d0b3d 100755 ) if ! [ -d ipki ]; then -@@ -73,6 +73,24 @@ if ! [ -d ipki ]; then +@@ -73,6 +73,29 @@ if ! [ -d ipki ]; then ipki fi @@ -25,6 +25,11 @@ index 3f0e03d2c..7a57d0b3d 100755 + minica -domains "admin.boulder" & + cd - +fi ++if ! [ -d ipki/email-exporter.boulder ]; then ++ cd ipki ++ minica -domains "email-exporter.boulder" & ++ cd - ++fi + +end_date=$(openssl x509 -enddate -noout -in ipki/boulder/cert.pem | cut -d= -f2) +end_date_seconds=$(date -d "$end_date" +%s) diff --git a/patches/test_config_ca.patch b/patches/test_config_ca.patch index 085300e..8a90b49 100644 --- a/patches/test_config_ca.patch +++ b/patches/test_config_ca.patch @@ -1,8 +1,8 @@ diff --git a/test/config/ca.json b/test/config/ca.json -index a61df7e7c..9fa88c730 100644 +index 675304d97..01b2d56ce 100644 --- a/test/config/ca.json +++ b/test/config/ca.json -@@ -50,7 +50,8 @@ +@@ -60,7 +60,8 @@ "allowMustStaple": true, "maxValidityPeriod": "7776000s", "maxValidityBackdate": "1h5m", @@ -12,7 +12,7 @@ index a61df7e7c..9fa88c730 100644 "ignoredLints": [ "w_subject_common_name_included", "w_ext_subject_key_identifier_not_recommended_subscriber" -@@ -64,7 +65,8 @@ +@@ -74,7 +75,8 @@ "omitSKID": true, "maxValidityPeriod": "583200s", "maxValidityBackdate": "1h5m", @@ -22,7 +22,7 @@ index a61df7e7c..9fa88c730 100644 "ignoredLints": [ "w_ext_subject_key_identifier_missing_sub_cert" ] -@@ -77,39 +79,7 @@ +@@ -100,39 +102,7 @@ "issuers": [ { "active": true, 
@@ -63,7 +63,7 @@ index a61df7e7c..9fa88c730 100644 "issuerURL": "http://ca.example.org:4502/int-rsa-a", "ocspURL": "http://ca.example.org:4002/", "crlURLBase": "http://ca.example.org:4501/lets-encrypt-crls/29947985078257530/", -@@ -118,28 +88,6 @@ +@@ -141,28 +111,6 @@ "certFile": "test/certs/webpki/int-rsa-a.cert.pem", "numSessions": 2 } diff --git a/patches/test_startservers.patch b/patches/test_startservers.patch new file mode 100644 index 0000000..5dd6bea --- /dev/null +++ b/patches/test_startservers.patch @@ -0,0 +1,15 @@ +diff --git a/test/startservers.py b/test/startservers.py +index 8c812ea01..c42a1bb51 100644 +--- a/test/startservers.py ++++ b/test/startservers.py +@@ -90,6 +90,10 @@ SERVICES = ( + 9667, None, None, + ('./bin/boulder', 'crl-storer', '--config', os.path.join(config_dir, 'crl-storer.json'), '--addr', ':9309', '--debug-addr', ':9667'), + ('s3-test-srv',)), ++ Service('crl-updater', ++ 8021, None, None, ++ ('./bin/boulder', 'crl-updater', '--config', os.path.join(config_dir, 'crl-updater.json'), '--debug-addr', ':8021'), ++ ('boulder-ca-1', 'boulder-ca-2', 'boulder-sa-1', 'boulder-sa-2', 'crl-storer')), + Service('boulder-ra-1', + 8002, 9394, 'ra.boulder', + ('./bin/boulder', 'boulder-ra', '--config', os.path.join(config_dir, 'ra.json'), '--addr', ':9394', '--debug-addr', ':8002'), diff --git a/patches/va_http.patch b/patches/va_http.patch index 8cf38bd..fa98a17 100644 --- a/patches/va_http.patch +++ b/patches/va_http.patch @@ -1,12 +1,12 @@ diff --git a/va/http.go b/va/http.go -index 5eefabcb4..0188d4005 100644 +index 04b119ca2..de9e439a5 100644 --- a/va/http.go 
+++ b/va/http.go -@@ -326,7 +326,16 @@ func (va *ValidationAuthorityImpl) extractRequestTarget(req *http.Request) (stri +@@ -338,7 +338,16 @@ func (va *ValidationAuthorityImpl) extractRequestTarget(req *http.Request) (iden } if _, err := iana.ExtractSuffix(reqHost); err != nil { -- return "", 0, berrors.ConnectionFailureError("Invalid hostname in redirect target, must end in IANA registered TLD") +- return identifier.ACMEIdentifier{}, 0, berrors.ConnectionFailureError("Invalid host in redirect target, must end in IANA registered TLD") + isLabca := false + for _, domain := range va.labcaDomains { + if strings.HasSuffix(reqHost, "."+domain) { @@ -15,8 +15,8 @@ index 5eefabcb4..0188d4005 100644 + } + + if !isLabca { -+ return "", 0, berrors.ConnectionFailureError("Invalid hostname in redirect target, must end in IANA registered TLD") ++ return identifier.ACMEIdentifier{}, 0, berrors.ConnectionFailureError("Invalid host in redirect target, must end in IANA registered TLD") + } } - return reqHost, reqPort, nil + return identifier.NewDNS(reqHost), reqPort, nil diff --git a/patches/va_va.patch b/patches/va_va.patch index 360e0b8..c0aeea7 100644 --- a/patches/va_va.patch +++ b/patches/va_va.patch @@ -1,27 +1,27 @@ diff --git a/va/va.go b/va/va.go -index a1e2cd449..883298092 100644 +index fcd35a5db..ad2b7c409 100644 --- a/va/va.go 
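Review bot: `strings.HasSuffix(reqHost, "."+domain)` is case-sensitive and only matches proper subdomains, so a redirect to the configured domain itself (`reqHost == domain`) or to a differently-cased spelling is still rejected with the IANA-TLD error; whether `reqHost` is lowercased before this point is not visible here, as `extractRequestTarget` begins above the hunk. More importantly, an empty entry in `labcaDomains` turns the suffix into `"."`, which would accept any redirect host that reaches this check with a trailing dot, so the entries should be validated (non-empty, lowercase, no trailing dot) where the list is built, or the loop should `continue` on `domain == ""`. Because this carve-out deliberately lets the VA follow redirects into names that are not under an IANA TLD, a comment stating that scope — `// LabCA: redirects into the configured private domains are allowed; anything else must end in an IANA-registered TLD` — would make the exception obvious to the next reader.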
+++ b/va/va.go -@@ -215,6 +215,7 @@ type ValidationAuthorityImpl struct { - singleDialTimeout time.Duration +@@ -217,6 +217,7 @@ type ValidationAuthorityImpl struct { perspective string rir string + isReservedIPFunc func(ip net.IP) bool + labcaDomains []string metrics *vaMetrics } -@@ -234,6 +235,7 @@ func NewValidationAuthorityImpl( - accountURIPrefixes []string, +@@ -237,6 +238,7 @@ func NewValidationAuthorityImpl( perspective string, rir string, + reservedIPChecker func(ip net.IP) bool, + labcaDomains []string, ) (*ValidationAuthorityImpl, error) { if len(accountURIPrefixes) == 0 { -@@ -271,6 +273,7 @@ func NewValidationAuthorityImpl( - singleDialTimeout: 10 * time.Second, +@@ -274,6 +276,7 @@ func NewValidationAuthorityImpl( perspective: perspective, rir: rir, + isReservedIPFunc: reservedIPChecker, + labcaDomains: labcaDomains, } diff --git a/patches/wfe2_main.patch b/patches/wfe2_main.patch index d533323..2f5086c 100644 --- a/patches/wfe2_main.patch +++ b/patches/wfe2_main.patch @@ -1,5 +1,5 @@ diff --git a/cmd/boulder-wfe2/main.go b/cmd/boulder-wfe2/main.go -index 9a44ce54d..460bef8c4 100644 +index 1f33c4746..65b670e96 100644 --- a/cmd/boulder-wfe2/main.go +++ b/cmd/boulder-wfe2/main.go @@ -12,6 +12,7 @@ import ( @@ -7,10 +7,10 @@ index 9a44ce54d..460bef8c4 100644 "github.com/letsencrypt/boulder/cmd" "github.com/letsencrypt/boulder/config" + "github.com/letsencrypt/boulder/core" + emailpb "github.com/letsencrypt/boulder/email/proto" "github.com/letsencrypt/boulder/features" "github.com/letsencrypt/boulder/goodkey" - "github.com/letsencrypt/boulder/goodkey/sagoodkey" -@@ -19,6 +20,7 @@ import ( +@@ -20,6 +21,7 @@ import ( "github.com/letsencrypt/boulder/grpc/noncebalancer" "github.com/letsencrypt/boulder/issuance" "github.com/letsencrypt/boulder/nonce" 
@@ -18,7 +18,7 @@ index 9a44ce54d..460bef8c4 100644 rapb "github.com/letsencrypt/boulder/ra/proto" "github.com/letsencrypt/boulder/ratelimits" bredis "github.com/letsencrypt/boulder/redis" -@@ -97,7 +99,7 @@ type Config struct { +@@ -99,7 +101,7 @@ type Config struct { // DirectoryCAAIdentity is used for the /directory response's "meta" // element's "caaIdentities" field. It should match the VA's "issuerDomain" // configuration value (this value is the one used to enforce CAA) @@ -27,7 +27,7 @@ index 9a44ce54d..460bef8c4 100644 // DirectoryWebsite is used for the /directory response's "meta" element's // "website" field. DirectoryWebsite string `validate:"required,url"` -@@ -180,6 +182,8 @@ type Config struct { +@@ -175,6 +177,8 @@ type Config struct { // to enable the pausing feature. URL string `validate:"omitempty,required_with=HMACKey JWTLifetime,url,startswith=https://,endsnotwith=/"` } @@ -36,7 +36,7 @@ index 9a44ce54d..460bef8c4 100644 } Syslog cmd.SyslogConfig -@@ -318,11 +322,22 @@ func main() { +@@ -315,11 +319,22 @@ func main() { var limiter *ratelimits.Limiter var txnBuilder *ratelimits.TransactionBuilder var limiterRedis *bredis.Ring @@ -59,7 +59,7 @@ index 9a44ce54d..460bef8c4 100644 source := ratelimits.NewRedisSource(limiterRedis.Ring, clk, stats) limiter, err = ratelimits.NewLimiter(clk, source, stats) cmd.FailOnError(err, "Failed to create rate limiter") -@@ -362,6 +377,7 @@ func main() { +@@ -359,6 +374,7 @@ func main() { unpauseSigner, c.WFE.Unpause.JWTLifetime.Duration, c.WFE.Unpause.URL, diff --git a/patches/wfe2_wfe.patch b/patches/wfe2_wfe.patch index 8dbfb30..b2ad531 100644 --- a/patches/wfe2_wfe.patch +++ b/patches/wfe2_wfe.patch @@ -1,8 +1,8 @@ diff --git a/wfe2/wfe.go b/wfe2/wfe.go -index a88402313..8a20d72f9 100644 +index fe063e4fa..2f7aea67b 100644 --- a/wfe2/wfe.go 
+++ b/wfe2/wfe.go -@@ -162,6 +162,8 @@ type WebFrontEndImpl struct { +@@ -163,6 +163,8 @@ type WebFrontEndImpl struct { // descriptions (perhaps including URLs) of those profiles. NewOrder // Requests with a profile name not present in this map will be rejected. certProfiles map[string]string @@ -11,7 +11,7 @@ index a88402313..8a20d72f9 100644 } // NewWebFrontEndImpl constructs a web service for Boulder -@@ -187,6 +189,7 @@ func NewWebFrontEndImpl( +@@ -188,6 +190,7 @@ func NewWebFrontEndImpl( unpauseSigner unpause.JWTSigner, unpauseJWTLifetime time.Duration, unpauseURL string, @@ -19,7 +19,7 @@ index a88402313..8a20d72f9 100644 ) (WebFrontEndImpl, error) { if len(issuerCertificates) == 0 { return WebFrontEndImpl{}, errors.New("must provide at least one issuer certificate") -@@ -204,6 +207,10 @@ func NewWebFrontEndImpl( +@@ -205,6 +208,10 @@ func NewWebFrontEndImpl( return WebFrontEndImpl{}, errors.New("must provide a service for nonce redemption") } @@ -30,7 +30,7 @@ index a88402313..8a20d72f9 100644 wfe := WebFrontEndImpl{ log: logger, clk: clk, -@@ -226,6 +233,7 @@ func NewWebFrontEndImpl( +@@ -227,6 +234,7 @@ func NewWebFrontEndImpl( unpauseSigner: unpauseSigner, unpauseJWTLifetime: unpauseJWTLifetime, unpauseURL: unpauseURL, 
@@ -38,7 +38,34 @@ index a88402313..8a20d72f9 100644 } return wfe, nil -@@ -2243,7 +2251,7 @@ func (wfe *WebFrontEndImpl) NewOrder( +@@ -617,7 +625,7 @@ func link(url, relation string) string { + // contactsToEmails converts a *[]string of contacts (e.g. mailto: + // person@example.com) to a []string of valid email addresses. Non-email + // contacts or contacts with invalid email addresses are ignored. +-func contactsToEmails(contacts *[]string) []string { ++func contactsToEmails(contacts *[]string, pa *policy.AuthorityImpl) []string { + if contacts == nil { + return nil + } +@@ -627,7 +635,7 @@ func contactsToEmails(contacts *[]string) []string { + continue + } + address := strings.TrimPrefix(c, "mailto:") +- err := policy.ValidEmail(address) ++ err := pa.ValidEmail(address) + if err != nil { + continue + } +@@ -851,7 +859,7 @@ func (wfe *WebFrontEndImpl) NewAccount( + } + newRegistrationSuccessful = true + +- emails := contactsToEmails(accountCreateRequest.Contact) ++ emails := contactsToEmails(accountCreateRequest.Contact, wfe.pa) + if wfe.ee != nil && len(emails) > 0 { + _, err := wfe.ee.SendContacts(ctx, &emailpb.SendContactsRequest{ + // Note: We are explicitly using the contacts provided by the +@@ -2285,7 +2293,7 @@ func (wfe *WebFrontEndImpl) NewOrder( } names = core.UniqueLowerNames(names) diff --git a/utils.sh b/utils.sh index 6748a79..a99b77b 100644 --- a/utils.sh +++ b/utils.sh @@ -4,7 +4,7 @@ set -e export PS_LABCA="bin/labca-gui" export PS_BOULDER="bin/boulder" -export PS_BOULDER_COUNT=24 +export PS_BOULDER_COUNT=27 export PS_MYSQL="mysqld" export PS_CONTROL="tcpserver" export PS_NGINX="nginx:"
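Review bot: `contactsToEmails` now calls `pa.ValidEmail` unconditionally on the `*policy.AuthorityImpl` it receives, so a nil `pa` would panic inside `NewAccount` rather than fail fast; the constructor hunk earlier in this file adds four lines near the existing nil checks that may cover `wfe.pa`, but they are not shown, so it is worth confirming the field can never be nil when `SendContacts` is reachable. A narrower parameter type would also let the helper be unit-tested without a full policy authority: `func contactsToEmails(contacts *[]string, pa interface{ ValidEmail(string) error }) []string`. The doc comment should mention the new parameter, e.g. `// pa decides which addresses are acceptable; addresses it rejects are dropped silently`. Both `contactsToEmails` and `NewAccount` extend outside the hunk.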