Bump boulder version to c33c3c83 2023-03-03

install

@@ -24,7 +24,7 @@ dockerComposeVersion="v2.5.0"
 
 labcaUrl="https://github.com/hakwerk/labca/"
 boulderUrl="https://github.com/letsencrypt/boulder/"
-boulderTag="release-2023-02-13a"
+boulderTag="c33c3c83"
 
 # Feature flags
 flag_skip_redis=true

mail-tester.go

@@ -9,6 +9,7 @@ import (
 
 	"github.com/letsencrypt/boulder/bdns"
 	"github.com/letsencrypt/boulder/cmd"
+	bconfig "github.com/letsencrypt/boulder/config"
 	"github.com/letsencrypt/boulder/features"
 	bmail "github.com/letsencrypt/boulder/mail"
 )
@@ -40,7 +41,7 @@ type config struct {
 		// Path to a text/template email template
 		EmailTemplate string
 
-		Frequency cmd.ConfigDuration
+		Frequency bconfig.Duration
 
 		TLS       cmd.TLSConfig
 		SAService *cmd.GRPCClientConfig

patches/bad-key-revoker_main.patch

@@ -1,16 +1,16 @@
 diff --git a/cmd/bad-key-revoker/main.go b/cmd/bad-key-revoker/main.go
-index 8a199ca1..8e14561c 100644
+index b0b85495..9a21445c 100644
 --- a/cmd/bad-key-revoker/main.go
 +++ b/cmd/bad-key-revoker/main.go
-@@ -14,6 +14,7 @@ import (
+@@ -19,6 +19,7 @@ import (
+ 	"google.golang.org/grpc"
+ 	"google.golang.org/protobuf/types/known/emptypb"
  
- 	"github.com/honeycombio/beeline-go"
- 	"github.com/jmhodges/clock"
 +	"github.com/letsencrypt/boulder/bdns"
  	"github.com/letsencrypt/boulder/cmd"
+ 	"github.com/letsencrypt/boulder/config"
  	"github.com/letsencrypt/boulder/core"
- 	"github.com/letsencrypt/boulder/db"
-@@ -390,6 +391,9 @@ type Config struct {
+@@ -393,6 +394,9 @@ type Config struct {
  		TLS       cmd.TLSConfig
  		RAService *cmd.GRPCClientConfig
  
@@ -20,7 +20,7 @@ index 8a199ca1..8e14561c 100644
  		// MaximumRevocations specifies the maximum number of certificates associated with
  		// a key hash that bad-key-revoker will attempt to revoke. If the number of certificates
  		// is higher than MaximumRevocations bad-key-revoker will error out and refuse to
-@@ -423,6 +427,12 @@ type Config struct {
+@@ -426,6 +430,12 @@ type Config struct {
  
  	Syslog  cmd.SyslogConfig
  	Beeline cmd.BeelineConfig
@@ -33,7 +33,7 @@ index 8a199ca1..8e14561c 100644
  }
  
  func main() {
-@@ -459,6 +469,32 @@ func main() {
+@@ -462,6 +472,32 @@ func main() {
  	cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to RA")
  	rac := rapb.NewRegistrationAuthorityClient(conn)
  
@@ -66,7 +66,7 @@ index 8a199ca1..8e14561c 100644
  	var smtpRoots *x509.CertPool
  	if config.BadKeyRevoker.Mailer.SMTPTrustedRootFile != "" {
  		pem, err := os.ReadFile(config.BadKeyRevoker.Mailer.SMTPTrustedRootFile)
-@@ -480,6 +516,7 @@ func main() {
+@@ -483,6 +519,7 @@ func main() {
  		config.BadKeyRevoker.Mailer.Username,
  		smtpPassword,
  		smtpRoots,

patches/boulder-va_main.patch

@@ -1,8 +1,8 @@
 diff --git a/cmd/boulder-va/main.go b/cmd/boulder-va/main.go
-index cd6342bc..bb6f0074 100644
+index 905e1aec..39ce5e6b 100644
 --- a/cmd/boulder-va/main.go
 +++ b/cmd/boulder-va/main.go
-@@ -33,8 +33,10 @@ type Config struct {
+@@ -25,8 +25,10 @@ type Config struct {
  		// The number of times to try a DNS query (that has a temporary error)
  		// before giving up. May be short-circuited by deadlines. A zero value
  		// will be turned into 1.
@@ -15,7 +15,7 @@ index cd6342bc..bb6f0074 100644
  		DNSTimeout                string
  		DNSAllowLoopbackAddresses bool
  
-@@ -102,11 +104,13 @@ func main() {
+@@ -98,11 +100,13 @@ func main() {
  	clk := cmd.Clock()
  
  	var servers bdns.ServerProvider

patches/cert-checker_main.patch

@@ -1,8 +1,8 @@
 diff --git a/cmd/cert-checker/main.go b/cmd/cert-checker/main.go
-index 340c5629..0dc0389a 100644
+index cbc4f2e4..ec054876 100644
 --- a/cmd/cert-checker/main.go
 +++ b/cmd/cert-checker/main.go
-@@ -100,6 +100,7 @@ type certChecker struct {
+@@ -101,6 +101,7 @@ type certChecker struct {
  	checkPeriod                 time.Duration
  	acceptableValidityDurations map[time.Duration]bool
  	logger                      blog.Logger
@@ -10,7 +10,7 @@ index 340c5629..0dc0389a 100644
  }
  
  func newChecker(saDbMap certDB,
-@@ -109,6 +110,7 @@ func newChecker(saDbMap certDB,
+@@ -110,6 +111,7 @@ func newChecker(saDbMap certDB,
  	period time.Duration,
  	avd map[time.Duration]bool,
  	logger blog.Logger,
@@ -18,7 +18,7 @@ index 340c5629..0dc0389a 100644
  ) certChecker {
  	return certChecker{
  		pa:                          pa,
-@@ -121,6 +123,7 @@ func newChecker(saDbMap certDB,
+@@ -122,6 +124,7 @@ func newChecker(saDbMap certDB,
  		checkPeriod:                 period,
  		acceptableValidityDurations: avd,
  		logger:                      logger,
@@ -26,7 +26,7 @@ index 340c5629..0dc0389a 100644
  	}
  }
  
-@@ -347,7 +350,7 @@ func (c *certChecker) checkCert(cert core.Certificate, ignoredLints map[string]b
+@@ -348,7 +351,7 @@ func (c *certChecker) checkCert(cert core.Certificate, ignoredLints map[string]b
  			err = c.pa.WillingToIssueWildcards([]identifier.ACMEIdentifier{id})
  			if err != nil {
  				problems = append(problems, fmt.Sprintf("Policy Authority isn't willing to issue for '%s': %s", name, err))
@@ -35,21 +35,19 @@ index 340c5629..0dc0389a 100644
  				// For defense-in-depth, even if the PA was willing to issue for a name
  				// we double check it against a list of forbidden domains. This way even
  				// if the hostnamePolicyFile malfunctions we will flag the forbidden
-@@ -409,11 +412,12 @@ type Config struct {
+@@ -410,10 +413,11 @@ type Config struct {
  		DB cmd.DBConfig
  		cmd.HostnamePolicyConfig
  
--		Workers             int
--		ReportDirectoryPath string
--		UnexpiredOnly       bool
--		BadResultsOnly      bool
--		CheckPeriod         cmd.ConfigDuration
+-		Workers        int
+-		UnexpiredOnly  bool
+-		BadResultsOnly bool
+-		CheckPeriod    config.Duration
 +		Workers              int
-+		ReportDirectoryPath  string
 +		UnexpiredOnly        bool
 +		BadResultsOnly       bool
 +		SkipForbiddenDomains bool
-+		CheckPeriod          cmd.ConfigDuration
++		CheckPeriod          config.Duration
  
  		// AcceptableValidityDurations is a list of durations which are
  		// acceptable for certificates we issue.

patches/config_expiration-mailer.patch

@@ -2,8 +2,8 @@ diff --git a/test/config/expiration-mailer.json b/test/config/expiration-mailer.
 index 4519fe4d..f52a408c 100644
 --- a/test/config/expiration-mailer.json
 +++ b/test/config/expiration-mailer.json
-@@ -14,6 +14,11 @@
-     "nagCheckInterval": "24h",
+@@ -13,6 +13,11 @@
+     "nagTimes": ["480h", "240h"],
      "emailTemplate": "test/config/expiration-mailer.gotmpl",
      "debugAddr": ":8008",
 +    "dnsTries": 3,
@@ -14,7 +14,7 @@ index 4519fe4d..f52a408c 100644
      "tls": {
        "caCertFile": "test/grpc-creds/minica.pem",
        "certFile": "test/grpc-creds/expiration-mailer.boulder/cert.pem",
-@@ -36,5 +41,9 @@
+@@ -35,5 +40,9 @@
        "mute": true,
        "serviceName": "Test",
        "writeKey": {"passwordFile": "test/secrets/honeycomb_fake_password"}

patches/config_ocsp-responder.patch

@@ -1,8 +1,31 @@
 diff --git a/test/config/ocsp-responder.json b/test/config/ocsp-responder.json
-index ed874d3..a1a78f3 100644
+index bfea858d..fecea919 100644
 --- a/test/config/ocsp-responder.json
 +++ b/test/config/ocsp-responder.json
-@@ -45,9 +45,7 @@
+@@ -4,22 +4,6 @@
+       "dbConnectFile": "test/secrets/ocsp_responder_dburl",
+       "maxOpenConns": 10
+     },
+-    "redis": {
+-      "username": "ocsp-responder",
+-      "passwordFile": "test/secrets/ocsp_responder_redis_password",
+-      "shardAddrs": {
+-        "shard1": "10.33.33.2:4218",
+-        "shard2": "10.33.33.3:4218"
+-      },
+-      "timeout": "5s",
+-      "poolSize": 100,
+-      "routeRandomly": true,
+-      "tls": {
+-        "caCertFile": "test/redis-tls/minica.pem",
+-        "certFile": "test/redis-tls/boulder/cert.pem",
+-        "keyFile": "test/redis-tls/boulder/key.pem"
+-      }
+-    },
+     "tls": {
+       "caCertFile": "test/grpc-creds/minica.pem",
+       "certFile": "test/grpc-creds/ocsp-responder.boulder/cert.pem",
+@@ -39,9 +23,7 @@
      "path": "/",
      "listenAddress": "0.0.0.0:4002",
      "issuerCerts": [

patches/config_ra.patch

@@ -2,7 +2,7 @@ diff --git a/test/config/ra.json b/test/config/ra.json
 index 6f0baae9..6ad0f08c 100644
 --- a/test/config/ra.json
 +++ b/test/config/ra.json
-@@ -15,9 +15,7 @@
+@@ -14,9 +14,7 @@
      },
      "orderLifetime": "168h",
      "issuerCerts": [

patches/docker-compose-redis.patch

@@ -1,8 +1,8 @@
 diff --git a/docker-compose.yml b/docker-compose.yml
-index 4ce7c1d6..ed8da276 100644
+index 6ecb1a9c..acc970d6 100644
 --- a/docker-compose.yml
 +++ b/docker-compose.yml
-@@ -22,8 +22,6 @@ services:
+@@ -17,8 +17,6 @@ services:
          ipv4_address: 10.77.77.77
        rednet:
          ipv4_address: 10.88.88.88
@@ -10,8 +10,8 @@ index 4ce7c1d6..ed8da276 100644
 -        ipv4_address: 10.33.33.33
        consulnet:
          ipv4_address: 10.55.55.55
-     extra_hosts:
-@@ -41,8 +39,6 @@ services:
+     # Use consul as a backup to Docker's embedded DNS server. If there's a name
+@@ -36,8 +34,6 @@ services:
        - 4003:4003 # OCSP
      depends_on:
        - bmysql
@@ -20,7 +20,7 @@ index 4ce7c1d6..ed8da276 100644
        - bconsul
      entrypoint: test/entrypoint.sh
      working_dir: &boulder_working_dir /boulder
-@@ -64,24 +60,6 @@ services:
+@@ -59,24 +55,6 @@ services:
      logging:
        driver: none
  
@@ -45,7 +45,7 @@ index 4ce7c1d6..ed8da276 100644
    bconsul:
      image: hashicorp/consul:1.13.1
      volumes:
-@@ -118,13 +96,6 @@ networks:
+@@ -113,13 +91,6 @@ networks:
        config:
          - subnet: 10.88.88.0/24
  

patches/docker-compose.patch

@@ -1,18 +1,14 @@
 diff --git a/docker-compose.yml b/docker-compose.yml
-index ed8da276..9171ee2b 100644
+index fd157266..d272bf2d 100644
 --- a/docker-compose.yml
 +++ b/docker-compose.yml
-@@ -6,7 +6,7 @@ services:
-     image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.19.5_2023-02-02}
+@@ -5,10 +5,12 @@ services:
+     image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.20.1_2023-02-22}
      environment:
        FAKE_DNS: 10.77.77.77
 -      BOULDER_CONFIG_DIR: &boulder_config_dir test/config
 +      BOULDER_CONFIG_DIR: &boulder_config_dir labca/config
        GOFLAGS: -mod=vendor
-       # Go 1.18 turned off SHA-1 validation on CSRs (and certs, but that doesn't
-       # affect us) by default, but it can be turned back on with the x509sha1
-@@ -14,6 +14,8 @@ services:
-       GODEBUG: x509sha1=1
      volumes:
        - .:/boulder:cached
 +      - /home/labca/boulder_labca:/boulder/labca
@@ -20,9 +16,9 @@ index ed8da276..9171ee2b 100644
        - ./.gocache:/root/.cache/go-build:cached
        - ./.hierarchy:/hierarchy/:cached
        - ./.softhsm-tokens/:/var/lib/softhsm/tokens/:cached
-@@ -33,18 +35,26 @@ services:
-     # IP (running consul).
-     # (https://docs.docker.com/config/containers/container-networking/#dns-services).
+@@ -28,18 +30,26 @@ services:
+     # TODO: Remove this when ServerAddress is deprecated in favor of SRV records
+     # and DNSAuthority.
      dns: 10.55.55.10
 -    ports:
 -      - 4001:4001 # ACMEv2
@@ -52,7 +48,7 @@ index ed8da276..9171ee2b 100644
      networks:
        bluenet:
          aliases:
-@@ -58,7 +68,11 @@ services:
+@@ -53,7 +63,11 @@ services:
      # small.
      command: mysqld --bind-address=0.0.0.0 --slow-query-log --log-output=TABLE --log-queries-not-using-indexes=ON
      logging:
@@ -65,7 +61,7 @@ index ed8da276..9171ee2b 100644
  
    bconsul:
      image: hashicorp/consul:1.13.1
-@@ -69,18 +83,68 @@ services:
+@@ -64,18 +78,68 @@ services:
          ipv4_address: 10.55.55.10
      command: "consul agent -dev -config-format=hcl -config-file=/test/consul/config.hcl"
  

patches/errors_errors.patch

@@ -1,8 +1,8 @@
 diff --git a/errors/errors.go b/errors/errors.go
-index 50be1087a..ab2efe9d1 100644
+index 83adf7f1..cc136790 100644
 --- a/errors/errors.go
 +++ b/errors/errors.go
-@@ -113,10 +113,10 @@ func NotFoundError(msg string, args ...interface{}) error {
+@@ -163,10 +163,10 @@ func NotFoundError(msg string, args ...interface{}) error {
  	return New(NotFound, msg, args...)
  }
  

patches/expiration-mailer_main.patch

@@ -1,16 +1,16 @@
 diff --git a/cmd/expiration-mailer/main.go b/cmd/expiration-mailer/main.go
-index b8dc4972..3fb36447 100644
+index d30f0e7d..ce296c61 100644
 --- a/cmd/expiration-mailer/main.go
 +++ b/cmd/expiration-mailer/main.go
-@@ -22,6 +22,7 @@ import (
- 	"github.com/jmhodges/clock"
- 	"google.golang.org/grpc"
+@@ -24,6 +24,7 @@ import (
+ 
+ 	"github.com/prometheus/client_golang/prometheus"
  
 +	"github.com/letsencrypt/boulder/bdns"
  	"github.com/letsencrypt/boulder/cmd"
+ 	"github.com/letsencrypt/boulder/config"
  	"github.com/letsencrypt/boulder/core"
- 	corepb "github.com/letsencrypt/boulder/core/proto"
-@@ -37,7 +38,7 @@ import (
+@@ -39,7 +40,7 @@ import (
  )
  
  const (
@@ -19,7 +19,7 @@ index b8dc4972..3fb36447 100644
  )
  
  type regStore interface {
-@@ -605,6 +606,9 @@ type Config struct {
+@@ -683,6 +684,9 @@ type Config struct {
  		TLS       cmd.TLSConfig
  		SAService *cmd.GRPCClientConfig
  
@@ -29,7 +29,7 @@ index b8dc4972..3fb36447 100644
  		// Path to a file containing a list of trusted root certificates for use
  		// during the SMTP connection (as opposed to the gRPC connections).
  		SMTPTrustedRootFile string
-@@ -614,6 +618,12 @@ type Config struct {
+@@ -692,6 +696,12 @@ type Config struct {
  
  	Syslog  cmd.SyslogConfig
  	Beeline cmd.BeelineConfig
@@ -42,7 +42,7 @@ index b8dc4972..3fb36447 100644
  }
  
  func initStats(stats prometheus.Registerer) mailerStats {
-@@ -750,6 +760,32 @@ func main() {
+@@ -832,6 +842,32 @@ func main() {
  	cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA")
  	sac := sapb.NewStorageAuthorityClient(conn)
  
@@ -75,7 +75,7 @@ index b8dc4972..3fb36447 100644
  	var smtpRoots *x509.CertPool
  	if c.Mailer.SMTPTrustedRootFile != "" {
  		pem, err := os.ReadFile(c.Mailer.SMTPTrustedRootFile)
-@@ -785,6 +821,7 @@ func main() {
+@@ -867,6 +903,7 @@ func main() {
  		c.Mailer.Username,
  		smtpPassword,
  		smtpRoots,

patches/ocsp-responder_main.patch

@@ -1,8 +1,8 @@
 diff --git a/cmd/ocsp-responder/main.go b/cmd/ocsp-responder/main.go
-index 983fb33a..e8a132cd 100644
+index 5c78b895..98abac22 100644
 --- a/cmd/ocsp-responder/main.go
 +++ b/cmd/ocsp-responder/main.go
-@@ -172,49 +172,51 @@ as generated by Boulder's ceremony command.
+@@ -171,49 +171,51 @@ as generated by Boulder's ceremony command.
  		source, err = responder.NewMemorySourceFromFile(filename, logger)
  		cmd.FailOnError(err, fmt.Sprintf("Couldn't read file: %s", url.Path))
  	} else {
@@ -28,7 +28,7 @@ index 983fb33a..e8a132cd 100644
 -		maxInflight := c.OCSPResponder.MaxInflightSignings
 -		if maxInflight == 0 {
 -			maxInflight = 1000
-+		if c.OCSPResponder.Redis.Addrs != nil {
++		if c.OCSPResponder.Redis.ShardAddrs != nil {
 +			// Set up the redis source and the combined multiplex source.
 +			rocspRWClient, err := rocsp_config.MakeClient(&c.OCSPResponder.Redis, clk, scope)
 +			cmd.FailOnError(err, "Could not make redis client")

patches/ra_ra.patch

@@ -1,8 +1,8 @@
 diff --git a/ra/ra.go b/ra/ra.go
-index b55bcd92..e15670a9 100644
+index fea4ac1f..37dfb2ca 100644
 --- a/ra/ra.go
 +++ b/ra/ra.go
-@@ -39,7 +39,6 @@ import (
+@@ -41,7 +41,6 @@ import (
  	"github.com/letsencrypt/boulder/issuance"
  	blog "github.com/letsencrypt/boulder/log"
  	"github.com/letsencrypt/boulder/metrics"
@@ -10,7 +10,7 @@ index b55bcd92..e15670a9 100644
  	"github.com/letsencrypt/boulder/probs"
  	pubpb "github.com/letsencrypt/boulder/publisher/proto"
  	rapb "github.com/letsencrypt/boulder/ra/proto"
-@@ -526,7 +525,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error {
+@@ -535,7 +534,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error {
  				contact,
  			)
  		}

patches/ratelimit_rate-limits.patch

@@ -1,8 +1,8 @@
 diff --git a/ratelimit/rate-limits.go b/ratelimit/rate-limits.go
-index c199b1141..474d8f740 100644
+index 35c981bc..5fc6f2ff 100644
 --- a/ratelimit/rate-limits.go
 +++ b/ratelimit/rate-limits.go
-@@ -22,6 +22,7 @@ type Limits interface {
+@@ -21,6 +21,7 @@ type Limits interface {
  	PendingOrdersPerAccount() RateLimitPolicy
  	NewOrdersPerAccount() RateLimitPolicy
  	LoadPolicies(contents []byte) error
@@ -10,7 +10,7 @@ index c199b1141..474d8f740 100644
  }
  
  // limitsImpl is an unexported implementation of the Limits interface. It acts
-@@ -114,6 +115,15 @@ func (r *limitsImpl) NewOrdersPerAccount() RateLimitPolicy {
+@@ -113,6 +114,15 @@ func (r *limitsImpl) NewOrdersPerAccount() RateLimitPolicy {
  	return r.rlPolicy.NewOrdersPerAccount
  }
  
@@ -26,7 +26,7 @@ index c199b1141..474d8f740 100644
  // LoadPolicies loads various rate limiting policies from a byte array of
  // YAML configuration (typically read from disk by a reloader)
  func (r *limitsImpl) LoadPolicies(contents []byte) error {
-@@ -171,6 +181,8 @@ type rateLimitConfig struct {
+@@ -170,6 +180,8 @@ type rateLimitConfig struct {
  	// lower threshold and smaller window), so that clients don't have to wait
  	// a long time after a small burst of accidental duplicate issuance.
  	CertificatesPerFQDNSetFast RateLimitPolicy `yaml:"certificatesPerFQDNSetFast"`

patches/test_config_ca_a.patch

@@ -2,7 +2,7 @@ diff --git a/test/config/ca-a.json b/test/config/ca-a.json
 index 1233a9c95..3c4a0a3ca 100644
 --- a/test/config/ca-a.json
 +++ b/test/config/ca-a.json
-@@ -94,30 +94,7 @@
+@@ -106,30 +106,7 @@
            "crlURL": "http://example.com/crl",
            "location": {
              "configFile": "test/test-ca.key-pkcs11.json",

patches/test_config_ca_b.patch

@@ -2,7 +2,7 @@ diff --git a/test/config/ca-b.json b/test/config/ca-b.json
 index 960d62f95..54b25dd81 100644
 --- a/test/config/ca-b.json
 +++ b/test/config/ca-b.json
-@@ -94,30 +94,7 @@
+@@ -106,30 +106,7 @@
            "crlURL": "http://example.com/crl",
            "location": {
              "configFile": "test/test-ca.key-pkcs11.json",