From 4eb3ad877ca3c683c596195d72cdc4e2bf18e77b Mon Sep 17 00:00:00 2001
From: Arjan H
Date: Tue, 2 Jul 2024 19:47:47 +0200
Subject: [PATCH] Bump boulder version to release-2024-05-06

---
 build/build.sh                 |  2 +-
 build/tmp2.patch               |  4 ++--
 control_do.sh                  |  9 ++++++---
 gui/apply-boulder              | 10 ++++++++--
 install                        | 11 +++++++----
 patch-cfg.sh                   | 14 ++++++++------
 patch.sh                       |  1 +
 patches/boulder-va_main.patch  | 14 +++++++-------
 patches/ca_crl.patch           |  4 ++--
 patches/cmd_config.patch       |  4 ++--
 patches/issuance_crl.patch     | 13 -------------
 patches/ratelimits_names.patch |  8 ++++----
 patches/remoteva_main.patch    | 24 ++++++++++++++++++++++++
 patches/startservers.patch     |  4 ++--
 patches/test_config_ca.patch   |  5 ++++-
 patches/va_http.patch          |  4 ++--
 16 files changed, 80 insertions(+), 51 deletions(-)
 create mode 100644 patches/remoteva_main.patch

diff --git a/build/build.sh b/build/build.sh
index 1eeab73..76c9a93 100755
--- a/build/build.sh
+++ b/build/build.sh
@@ -8,7 +8,7 @@ TMP_DIR=$(pwd)/tmp
 rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src}
 
 boulderDir=$TMP_DIR/src
-boulderTag="release-2024-04-30"
+boulderTag="release-2024-05-06"
 boulderUrl="https://github.com/letsencrypt/boulder/"
 
 cloneDir=$(pwd)/..
diff --git a/build/tmp2.patch b/build/tmp2.patch
index 4648be1..195f242 100644
--- a/build/tmp2.patch
+++ b/build/tmp2.patch
@@ -1,8 +1,8 @@
 diff --git a/test/startservers.py b/test/startservers.py
-index e24e9085a..6262eccd0 100644
+index 5d19996ad..e1ccf8f45 100644
 --- a/test/startservers.py
 +++ b/test/startservers.py
-@@ -175,6 +175,9 @@ def setupHierarchyOriginal():
+@@ -183,6 +183,9 @@ def setupHierarchyOriginal():
  
  
  def install(race_detection):
diff --git a/control_do.sh b/control_do.sh
index b7ee02a..ef08220 100755
--- a/control_do.sh
+++ b/control_do.sh
@@ -27,9 +27,12 @@ setup_boulder_data() {
 
     sed -i -e "s|https://boulder.service.consul:4431/terms/v7|https://$LABCA_FQDN/terms/v1|" config/wfe2.json
     sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/wfe2.json
-    sed -i -e "s|http://127.0.0.1:4002/|http://$LABCA_FQDN/ocsp/|g" config/ca.json
-    sed -i -e "s|http://example.com/cps|http://$LABCA_FQDN/cps/|g" config/ca.json
-    sed -i -e "s|http://example.com/crl|http://$LABCA_FQDN/crl/|g" config/ca.json
+    sed -i -e "s|http://ca.example.org:4002/|http://$LABCA_FQDN/ocsp/|g" config/ca.json
+    sed -i -e "s|http://ca.example.org:4501/rsa-a/|http://$LABCA_FQDN/crl/|g" config/ca.json
+    sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/remoteva-a.json
+    sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/remoteva-a.json
+    sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/remoteva-b.json
+    sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/remoteva-b.json
     sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/va.json
     sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/va.json
     sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/va-remote-a.json
diff --git a/gui/apply-boulder b/gui/apply-boulder
index 04fb8fc..b2e58d6 100755
--- a/gui/apply-boulder
+++ b/gui/apply-boulder
@@ -53,6 +53,8 @@ else
 fi
 
 
+perl -i -p0e "s/(\"dnsStaticResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/remoteva-a.json
+perl -i -p0e "s/(\"dnsStaticResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/remoteva-b.json
 perl -i -p0e "s/(\"dnsStaticResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/va.json
 perl -i -p0e "s/(\"dnsStaticResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/va-remote-a.json
 perl -i -p0e "s/(\"dnsStaticResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/va-remote-b.json
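Review bot: The new anchors `http://ca.example.org:4002/` and `http://ca.example.org:4501/rsa-a/` are exact copies of upstream's test placeholders, and this very hunk shows the failure mode: the previous `127.0.0.1:4002` / `example.com/crl` patterns had silently stopped matching, which would leave upstream placeholder OCSP/CRL URLs baked into every certificate the CA issues, with no error from `sed`. Add a post-condition right after these lines, e.g. `grep -qF -e 'ca.example.org:4002' -e 'ca.example.org:4501' config/ca.json && { echo 'unreplaced URL placeholder in ca.json' >&2; exit 1; }`, so the next boulder bump fails loudly instead. The `http://example.com/cps` rewrite is dropped without a replacement; if the 2024-05-06 ca.json still carries a CPS URI that is worth confirming. setup_boulder_data() continues outside the hunk.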
@@ -61,6 +63,8 @@ perl -i -p0e "s/(\"dnsStaticResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2
 for fl in $(grep -Rl maxConnectionAge config/); do
     perl -i -p0e "s/(\s+\"maxConnectionAge\":[^\n]+)//igs" $fl
 done
+sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" config/remoteva-a.json
+sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" config/remoteva-b.json
 sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" config/va.json
 sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" config/va-remote-a.json
 sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" config/va-remote-b.json
@@ -131,6 +135,8 @@ if [ "$PKI_DOMAIN_MODE" == "lockdown" ] || [ "$PKI_DOMAIN_MODE" == "whitelist" ]
     cat rate-limit-policies.yml | tr '\n' '\r' | sed -e "s/\(must-staple.le.wtf: 10000\).*\( registrationOverrides:\)/\1\n$REPLACEMENT\2/" | tr '\r' '\n' > rate-limit-policies.yml.bak && mv rate-limit-policies.yml.bak rate-limit-policies.yml
     cat rate-limit-policies.yml | tr '\n' '\r' | sed -e "s|\(certificatesPerFQDNSet:.*must-staple.le.wtf: 10000\).*\(certificatesPerFQDNSetFast:.*\)|\1\n${REPLACEMENT}rateLimitsURL: http://$PKI_FQDN/rate-limits\n\2|" | tr '\r' '\n' > rate-limit-policies.yml.bak && mv rate-limit-policies.yml.bak rate-limit-policies.yml
 
+    perl -i -p0e "s/(\"labcaDomains\": \[\n).*?(\])/\1$LABCA_DOMAINS\n\t\t\2/igs" config/remoteva-a.json
+    perl -i -p0e "s/(\"labcaDomains\": \[\n).*?(\])/\1$LABCA_DOMAINS\n\t\t\2/igs" config/remoteva-b.json
     perl -i -p0e "s/(\"labcaDomains\": \[\n).*?(\])/\1$LABCA_DOMAINS\n\t\t\2/igs" config/va.json
     perl -i -p0e "s/(\"labcaDomains\": \[\n).*?(\])/\1$LABCA_DOMAINS\n\t\t\2/igs" config/va-remote-a.json
     perl -i -p0e "s/(\"labcaDomains\": \[\n).*?(\])/\1$LABCA_DOMAINS\n\t\t\2/igs" config/va-remote-b.json
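Review bot: The issuerDomain block now carries the same `sed` five times, one per VA config file, and the dnsStaticResolvers and labcaDomains blocks in this file each repeat the same five-file list; every future VA variant means hand-extending three separate lists, and a missed entry leaves one VA with upstream's `issuerDomain`. The file already uses a loop for maxConnectionAge three lines above, so the same shape fits: `for fl in remoteva-a remoteva-b va va-remote-a va-remote-b; do sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" config/$fl.json; done`. Defining that list once near the top of the script (`VA_CONFIGS="remoteva-a remoteva-b va va-remote-a va-remote-b"`) and looping over `$VA_CONFIGS` in all three blocks keeps them from drifting apart.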
@@ -156,8 +162,8 @@ rm -f config/ca-a.json
 rm -f config/ca-b.json
 
 sed -i -e "s|\"issuerURL\": \".*\"|\"issuerURL\": \"http://$PKI_FQDN/aia/issuer/$PKI_ISSUER_NAME_ID\"|" config/ca.json
-sed -i -e "s|\"crlURL\": \".*\"|\"crlURL\": \"http://$PKI_FQDN/crl/$PKI_ISSUER_NAME_ID.crl\"|" config/ca.json
-sed -i -e "s|\"crldpBase\": \".*\"|\"crldpBase\": \"http://$PKI_FQDN/crl\"|" config/ca.json
+sed -i -e "s|\"ocspURL\": \".*\"|\"ocspURL\": \"http://$PKI_FQDN/ocsp/\"|" config/ca.json
+sed -i -e "s|\"crlURLBase\": \".*\"|\"crlURLBase\": \"http://$PKI_FQDN/crl/\"|" config/ca.json
 
 if [ "$PKI_EXTENDED_TIMEOUT" == "1" ]; then
     sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/ca.json
diff --git a/install b/install
index 4b4633a..00c136b 100755
--- a/install
+++ b/install
@@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0"
 
 labcaUrl="https://github.com/hakwerk/labca/"
 boulderUrl="https://github.com/letsencrypt/boulder/"
-boulderTag="release-2024-04-30"
+boulderTag="release-2024-05-06"
 
 # Feature flags
 flag_skip_redis=true
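Review bot: Replacing `crlURL` (which pointed at a single `http://$PKI_FQDN/crl/$PKI_ISSUER_NAME_ID.crl`) and `crldpBase` with a bare `crlURLBase` of `http://$PKI_FQDN/crl/` hands construction of the CRLDP in every issued certificate, and of the matching IDP in every CRL, to upstream boulder's per-shard naming — and this same commit empties patches/issuance_crl.patch, which previously rewrote the sharded `%s/%d/%d.crl` layout into the single-file form. Unless the LabCA CRL publishing step and web server were changed to serve the sharded file names (not visible in this diff), certificates will reference CRL URLs nothing serves, and relying parties will see revocation as unavailable. Verify by issuing a certificate, fetching its CRLDP URL, and checking the CRL's IDP equals that URL. Separately, patches/issuance_crl.patch is left as a zero-byte file (blob e69de29) rather than removed; `git rm` it and drop any patch.sh line that applies it, so an empty patch is never fed to `patch -p1`.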
@@ -666,9 +666,12 @@ config_boulder() {
     cd "$boulderLabCADir"
     sed -i -e "s|https://boulder.service.consul:4431/terms/v7|https://$LABCA_FQDN/terms/v1|" config/wfe2.json
     sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/wfe2.json
-    sed -i -e "s|http://127.0.0.1:4002/|http://$LABCA_FQDN/ocsp/|g" config/ca.json
-    sed -i -e "s|http://example.com/cps|http://$LABCA_FQDN/cps/|g" config/ca.json
-    sed -i -e "s|http://example.com/crl|http://$LABCA_FQDN/crl/|g" config/ca.json
+    sed -i -e "s|http://ca.example.org:4002/|http://$LABCA_FQDN/ocsp/|g" config/ca.json
+    sed -i -e "s|http://ca.example.org:4501/rsa-a/|http://$LABCA_FQDN/crl/|g" config/ca.json
+    sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/remoteva-a.json
+    sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/remoteva-a.json
+    sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/remoteva-b.json
+    sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/remoteva-b.json
     sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/va.json
     sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/va.json
     sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/va-remote-a.json
diff --git a/patch-cfg.sh b/patch-cfg.sh
index 9f59a56..b712bb4 100755
--- a/patch-cfg.sh
+++ b/patch-cfg.sh
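Review bot: This block in config_boulder() is a line-for-line copy of the setup_boulder_data() block in control_do.sh, and both had to be changed in lockstep in this commit; the next boulder bump requires remembering both again, and a missed one leaves upstream placeholder OCSP/CRL URLs in ca.json with no error from `sed`. Move the sed sequence into one helper (e.g. `rewrite_boulder_urls()` in a small script that both install and control_do.sh source) so there is a single place to update, and end it with a loud check such as `grep -qF -e 'ca.example.org:4002' -e 'ca.example.org:4501' config/ca.json && { echo 'unreplaced URL placeholder in ca.json' >&2; return 1; }`. config_boulder() continues outside the hunk.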
@@ -30,8 +30,12 @@ $SUDO patch -p1 -o "$boulderLabCADir/config/akamai-purger.json" < $cloneDir/patc
 
 cp test/config/va*.json "$boulderLabCADir/config/"
 perl -i -p0e "s/\"dnsProvider\": \{.*?\t\t},/\"dnsStaticResolvers\": [\n\t\t\t\"127.0.0.1:8053\",\n\t\t\t\"127.0.0.1:8054\"\n\t\t],/igs" $boulderLabCADir/config/va.json
+perl -i -p0e "s/\"dnsProvider\": \{.*?\t\t},/\"dnsStaticResolvers\": [\n\t\t\t\"127.0.0.1:8053\",\n\t\t\t\"127.0.0.1:8054\"\n\t\t],/igs" $boulderLabCADir/config/remoteva-a.json
+perl -i -p0e "s/\"dnsProvider\": \{.*?\t\t},/\"dnsStaticResolvers\": [\n\t\t\t\"127.0.0.1:8053\",\n\t\t\t\"127.0.0.1:8054\"\n\t\t],/igs" $boulderLabCADir/config/remoteva-b.json
 perl -i -p0e "s/\"dnsProvider\": \{.*?\t\t},/\"dnsStaticResolvers\": [\n\t\t\t\"127.0.0.1:8053\",\n\t\t\t\"127.0.0.1:8054\"\n\t\t],/igs" $boulderLabCADir/config/va-remote-a.json
 perl -i -p0e "s/\"dnsProvider\": \{.*?\t\t},/\"dnsStaticResolvers\": [\n\t\t\t\"127.0.0.1:8053\",\n\t\t\t\"127.0.0.1:8054\"\n\t\t],/igs" $boulderLabCADir/config/va-remote-b.json
+perl -i -p0e "s/(\"accountURIPrefixes\": \[\n.*?\s+\])/\1,\n\t\t\"labcaDomains\": [\n\t\t]/igs" $boulderLabCADir/config/remoteva-a.json
+perl -i -p0e "s/(\"accountURIPrefixes\": \[\n.*?\s+\])/\1,\n\t\t\"labcaDomains\": [\n\t\t]/igs" $boulderLabCADir/config/remoteva-b.json
 perl -i -p0e "s/(\"accountURIPrefixes\": \[\n.*?\s+\])/\1,\n\t\t\"labcaDomains\": [\n\t\t]/igs" $boulderLabCADir/config/va.json
 perl -i -p0e "s/(\"accountURIPrefixes\": \[\n.*?\s+\])/\1,\n\t\t\"labcaDomains\": [\n\t\t]/igs" $boulderLabCADir/config/va-remote-a.json
 perl -i -p0e "s/(\"accountURIPrefixes\": \[\n.*?\s+\])/\1,\n\t\t\"labcaDomains\": [\n\t\t]/igs" $boulderLabCADir/config/va-remote-b.json
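Review bot: The new perl edits target `$boulderLabCADir/config/remoteva-a.json` and `remoteva-b.json`, but the only copy step in this hunk is `cp test/config/va*.json "$boulderLabCADir/config/"`, whose glob does not match `remoteva-*.json`; unless those two files are copied by a step outside this diff, `perl -i` prints "Can't open ..." and carries on, and the remoteva services start from whatever config is left there (or none). Extend the copy to `cp test/config/va*.json test/config/remoteva-*.json "$boulderLabCADir/config/"`. These regex rewrites also succeed silently when their pattern is absent, so a following `grep -q dnsStaticResolvers "$boulderLabCADir/config/remoteva-a.json" || exit 1` is cheap insurance that the rewrite actually happened.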
@@ -63,20 +67,18 @@ sed -i -e "s|/hierarchy/root-rsa.cert.pem|labca/test-root.pem|" config/publisher
 sed -i -e "s|/hierarchy/root-rsa.cert.pem|labca/test-root.pem|" config/wfe2.json
 sed -i -e "s|/hierarchy/root-rsa.cert.pem|labca/test-root.pem|" integration-test.py
 sed -i -e "s|/hierarchy/root-rsa.cert.pem|labca/test-root.pem|" helpers.py
-sed -i -e "s/5001/443/g" config/va.json
-sed -i -e "s/5002/80/g" config/va.json
-sed -i -e "s/5001/443/g" config/va-remote-a.json
-sed -i -e "s/5002/80/g" config/va-remote-a.json
-sed -i -e "s/5001/443/g" config/va-remote-b.json
-sed -i -e "s/5002/80/g" config/va-remote-b.json
 sed -i -e "s|letsencrypt/boulder|hakwerk/labca|" config/wfe2.json
 sed -i -e "s|1.2.3.4|1.3.6.1.4.1.44947.1.1.1|g" config/ca.json
 sed -i -e "s/ocspURL.Path = encodedReq/ocspURL.Path += encodedReq/" ocsp/helper/helper.go
+sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/remoteva-a.json
+sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/remoteva-b.json
 sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/ra.json
 sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/va.json
 sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/va-remote-a.json
 sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/va-remote-b.json
 sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/ca.json
+sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/remoteva-a.json
+sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/remoteva-b.json
 sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/va-remote-a.json
 sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/va-remote-b.json
 
diff --git a/patch.sh b/patch.sh
index 8ceedbf..93760b2 100755
--- a/patch.sh
+++ b/patch.sh
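Review bot: Dropping the six `s/5001/443/` and `s/5002/80/` rewrites means this script no longer forces the VA configs onto the standard validation ports; that is correct only if the 2024-05-06 `va*.json` and `remoteva-*.json` no longer carry `httpPort`/`httpsPort`/`tlsPort` keys, which nothing in this diff shows. If any of them still do, a LabCA VA would perform http-01 and tls-alpn-01 against the challtestsrv ports, so any unprivileged user on a target host able to bind 5002/5001 could pass validation for that host. Put an assertion where the removed lines were, e.g. `grep -lE '"(http|https|tls)Port"' config/va*.json config/remoteva-*.json && { echo 'VA port config present; expected hard-coded 80/443' >&2; exit 1; }`, so a future upstream change that reintroduces port configuration fails the build instead of passing through. Raising `stdoutlevel` to 6 for the remoteva configs also puts debug-level validation detail into container logs; fine for a lab, but worth a comment that it is intentional.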
@@ -46,6 +46,7 @@ $SUDO patch -p1 < $cloneDir/patches/policy_pa.patch
 $SUDO patch -p1 < $cloneDir/patches/ra_ra.patch
 $SUDO patch -p1 < $cloneDir/patches/ratelimit_rate-limits.patch
 $SUDO patch -p1 < $cloneDir/patches/ratelimits_names.patch
+$SUDO patch -p1 < $cloneDir/patches/remoteva_main.patch
 $SUDO patch -p1 < $cloneDir/patches/startservers.patch
 if [ "$SUDO" == "" ]; then
     # TODO: should include this into startservers.patch
diff --git a/patches/boulder-va_main.patch b/patches/boulder-va_main.patch
index 5b7fedd..23fa05d 100644
--- a/patches/boulder-va_main.patch
+++ b/patches/boulder-va_main.patch
@@ -1,16 +1,16 @@
 diff --git a/cmd/boulder-va/main.go b/cmd/boulder-va/main.go
-index 0bef1d4f1..ec03f44e7 100644
+index 032435fac..d3961512b 100644
 --- a/cmd/boulder-va/main.go
 +++ b/cmd/boulder-va/main.go
-@@ -41,6 +41,7 @@ type Config struct {
- 		Features features.Config
- 
- 		AccountURIPrefixes []string `validate:"min=1,dive,required,url"`
-+		LabCADomains []string
+@@ -21,6 +21,7 @@ type Config struct {
+ 		RemoteVAs []cmd.GRPCClientConfig `validate:"omitempty,dive"`
+ 		MaxRemoteValidationFailures int `validate:"omitempty,min=0,required_with=RemoteVAs"`
+ 		Features features.Config
++		LabCADomains []string
  	}
  
  	Syslog cmd.SyslogConfig
-@@ -150,7 +151,8 @@ func main() {
+@@ -115,7 +116,8 @@ func main() {
  		scope,
  		clk,
  		logger,
diff --git a/patches/ca_crl.patch b/patches/ca_crl.patch
index 216f0d0..5a2cf27 100644
--- a/patches/ca_crl.patch
+++ b/patches/ca_crl.patch
@@ -1,8 +1,8 @@
 diff --git a/ca/crl.go b/ca/crl.go
-index 23d8d3ab1..bc28fc618 100644
+index 35bf4c07d..36316235e 100644
 --- a/ca/crl.go
 +++ b/ca/crl.go
-@@ -134,8 +134,10 @@ func (ci *crlImpl) GenerateCRL(stream capb.CRLGenerator_GenerateCRLServer) error
+@@ -122,8 +122,10 @@ func (ci *crlImpl) GenerateCRL(stream capb.CRLGenerator_GenerateCRLServer) error
  				builder = strings.Builder{}
  			}
  		}
diff --git a/patches/cmd_config.patch b/patches/cmd_config.patch
index bf785b6..7b13e3e 100644
--- a/patches/cmd_config.patch
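Review bot: The added `$SUDO patch -p1 < $cloneDir/patches/remoteva_main.patch`, like its neighbours, discards `patch`'s exit status, and whether patch.sh runs under `set -e` is not visible in this hunk. If that hunk is rejected after a future boulder bump, cmd/remoteva still compiles — it simply never gains `LabCADomains`, so the remote VAs run without the domain restriction the primary VA enforces (unless boulder's config loader happens to reject the unknown `labcaDomains` key), and nothing in the build reports it. Append `|| exit 1` to each `patch` line, or add `set -e` at the top of patch.sh, so a reject stops the build.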
+++ b/patches/cmd_config.patch
@@ -1,8 +1,8 @@
 diff --git a/cmd/config.go b/cmd/config.go
-index d38291d5..13fe4a52 100644
+index 1a3edabff..09369bf88 100644
 --- a/cmd/config.go
 +++ b/cmd/config.go
-@@ -454,7 +454,7 @@ type GRPCServerConfig struct {
+@@ -455,7 +455,7 @@ type GRPCServerConfig struct {
  	// this controls how long it takes before a client learns about changes to its
  	// backends.
  	// https://pkg.go.dev/google.golang.org/grpc/keepalive#ServerParameters
diff --git a/patches/issuance_crl.patch b/patches/issuance_crl.patch
index b3acb5f..e69de29 100644
--- a/patches/issuance_crl.patch
+++ b/patches/issuance_crl.patch
@@ -1,13 +0,0 @@
-diff --git a/issuance/crl.go b/issuance/crl.go
-index 9f9619ff1..f0a180a6f 100644
---- a/issuance/crl.go
-+++ b/issuance/crl.go
-@@ -91,7 +91,7 @@ func (i *Issuer) IssueCRL(prof *CRLProfile, req *CRLRequest) ([]byte, error) {
- 	if req.DeprecatedIDPBaseURL != "" {
- 		// TODO(#7296): Remove this fallback once CCADB and all non-expired certs
- 		// contain the new-style CRLDP URL instead.
--		idps = append(idps, fmt.Sprintf("%s/%d/%d.crl", req.DeprecatedIDPBaseURL, i.NameID(), req.Shard))
-+		idps = append(idps, fmt.Sprintf("%s/%d.crl", req.DeprecatedIDPBaseURL, i.NameID()))
- 	}
- 	idp, err := idp.MakeUserCertsExt(idps)
- 	if err != nil {
diff --git a/patches/ratelimits_names.patch b/patches/ratelimits_names.patch
index 8f6669a..e917267 100644
--- a/patches/ratelimits_names.patch
+++ b/patches/ratelimits_names.patch
@@ -1,8 +1,8 @@
 diff --git a/ratelimits/names.go b/ratelimits/names.go
-index c92970498..f4d6c282b 100644
+index 0037363b0..c2ddc6076 100644
 --- a/ratelimits/names.go
 +++ b/ratelimits/names.go
-@@ -148,7 +148,11 @@ func validateRegId(id string) error {
+@@ -150,7 +150,11 @@ func validateRegId(id string) error {
  // validateDomain validates that the provided string is formatted 'domain',
  // where domain is a domain name.
  func validateDomain(id string) error {
@@ -15,7 +15,7 @@ index c92970498..f4d6c282b 100644
  	if err != nil {
  		return fmt.Errorf("invalid domain, %q must be formatted 'domain': %w", id, err)
  	}
-@@ -169,7 +173,11 @@ func validateRegIdDomain(id string) error {
+@@ -171,7 +175,11 @@ func validateRegIdDomain(id string) error {
  		return fmt.Errorf(
  			"invalid regId, %q must be formatted 'regId:domain'", id)
  	}
@@ -28,7 +28,7 @@ index c92970498..f4d6c282b 100644
  	if err != nil {
  		return fmt.Errorf(
  			"invalid domain, %q must be formatted 'regId:domain': %w", id, err)
-@@ -185,8 +193,12 @@ func validateFQDNSet(id string) error {
+@@ -187,8 +195,12 @@ func validateFQDNSet(id string) error {
  		return fmt.Errorf(
  			"invalid fqdnSet, %q must be formatted 'fqdnSet'", id)
  	}
diff --git a/patches/remoteva_main.patch b/patches/remoteva_main.patch
new file mode 100644
index 0000000..6fdd698
--- /dev/null
+++ b/patches/remoteva_main.patch
@@ -0,0 +1,24 @@
+diff --git a/cmd/remoteva/main.go b/cmd/remoteva/main.go
+index e83642477..6efab1ca3 100644
+--- a/cmd/remoteva/main.go
++++ b/cmd/remoteva/main.go
+@@ -18,7 +18,8 @@ import (
+ type Config struct {
+ 	RVA struct {
+ 		vaConfig.Common
+-		Features features.Config
++		Features features.Config
++		LabCADomains []string
+ 	}
+ 
+ 	Syslog cmd.SyslogConfig
+@@ -95,7 +96,8 @@ func main() {
+ 		scope,
+ 		clk,
+ 		logger,
+-		c.RVA.AccountURIPrefixes)
++		c.RVA.AccountURIPrefixes,
++		c.RVA.LabCADomains)
+ 	cmd.FailOnError(err, "Unable to create Remote-VA server")
+ 
+ 	start, err := bgrpc.NewServer(c.RVA.GRPC, logger).Add(
diff --git a/patches/startservers.patch b/patches/startservers.patch
index a00f3cc..6c338b2 100644
--- a/patches/startservers.patch
+++ b/patches/startservers.patch
@@ -1,8 +1,8 @@
 diff --git a/test/startservers.py b/test/startservers.py
-index 022e08949..e24e9085a 100644
+index fcfdc9423..5d19996ad 100644
 --- a/test/startservers.py
 +++ b/test/startservers.py
-@@ -161,6 +161,9 @@ processes = []
+@@ -169,6 +169,9 @@ processes = []
  challSrvProcess = None
  
  def setupHierarchy():
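Review bot: The new `LabCADomains []string` field in the RVA struct carries no `validate` tag, while sibling fields in these config structs do (boulder-va_main.patch in this same commit shows `RemoteVAs ... validate:"omitempty,dive"` and `MaxRemoteValidationFailures ... validate:"omitempty,min=0,..."`), so an empty string, a URL, or a typo in `labcaDomains` passes config validation and reaches whatever domain-restriction logic consumes it; since this list decides which names a VA will validate, tag it, e.g. `LabCADomains []string \`validate:"omitempty,dive,hostname"\`` (or `fqdn`, depending on whether wildcard entries are meant to be accepted), and make the identical change in boulder-va_main.patch. The inner main() hunk passes `c.RVA.LabCADomains` positionally to a constructor whose call starts outside the hunk; its signature change lives in another patch, so the two must be kept in step when either is regenerated. gofmt will also realign the `Features`/`LabCADomains` columns once a tag is added, so regenerate the patch from a formatted tree rather than hand-editing it.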
diff --git a/patches/test_config_ca.patch b/patches/test_config_ca.patch
index 669b6de..d83b585 100644
--- a/patches/test_config_ca.patch
+++ b/patches/test_config_ca.patch
@@ -2,7 +2,7 @@ diff --git a/test/config/ca.json b/test/config/ca.json
 index 53ae91f2d..1937e5580 100644
 --- a/test/config/ca.json
 +++ b/test/config/ca.json
-@@ -59,35 +59,13 @@
+@@ -59,38 +59,14 @@
      },
      "issuers": [
        {
@@ -10,6 +10,7 @@ index 53ae91f2d..1937e5580 100644
 -        "useForECDSALeaves": true,
 -        "issuerURL": "http://ca.example.org:4502/int-ecdsa-a",
 -        "ocspURL": "http://ca.example.org:4002/",
+-        "crlURLBase": "http://ca.example.org:4501/ecdsa-a/",
 -        "location": {
 -          "configFile": "/hierarchy/int-ecdsa-a.pkcs11.json",
 -          "certFile": "/hierarchy/int-ecdsa-a.cert.pem",
@@ -21,6 +22,7 @@ index 53ae91f2d..1937e5580 100644
          "useForECDSALeaves": true,
          "issuerURL": "http://ca.example.org:4502/int-rsa-a",
          "ocspURL": "http://ca.example.org:4002/",
+         "crlURLBase": "http://ca.example.org:4501/rsa-a/",
          "location": {
 -          "configFile": "/hierarchy/int-rsa-a.pkcs11.json",
 -          "certFile": "/hierarchy/int-rsa-a.cert.pem",
@@ -32,6 +34,7 @@ index 53ae91f2d..1937e5580 100644
 -        "useForECDSALeaves": false,
 -        "issuerURL": "http://ca.example.org:4502/int-rsa-b",
 -        "ocspURL": "http://ca.example.org:4003/",
+-        "crlURLBase": "http://ca.example.org:4501/rsa-b/",
 -        "location": {
 -          "configFile": "/hierarchy/int-rsa-b.pkcs11.json",
 -          "certFile": "/hierarchy/int-rsa-b.cert.pem",
diff --git a/patches/va_http.patch b/patches/va_http.patch
index f1222e6..8cf38bd 100644
--- a/patches/va_http.patch
+++ b/patches/va_http.patch
@@ -1,8 +1,8 @@
 diff --git a/va/http.go b/va/http.go
-index 78df8bf42..db281855c 100644
+index 5eefabcb4..0188d4005 100644
 --- a/va/http.go
 +++ b/va/http.go
-@@ -332,7 +332,16 @@ func (va *ValidationAuthorityImpl) extractRequestTarget(req *http.Request) (stri
+@@ -326,7 +326,16 @@ func (va *ValidationAuthorityImpl) extractRequestTarget(req *http.Request) (stri
  	}
  
  	if _, err := iana.ExtractSuffix(reqHost); err != nil {