Bump boulder version to release-2024-07-10

2026-01-27 10:19:34 +00:00 · 2024-08-29 18:54:36 +02:00
parent a0aa9e5f01
commit 575f738443
15 changed files with 58 additions and 42 deletions
--- a/build/build.sh
+++ b/build/build.sh
@@ -8,7 +8,7 @@ TMP_DIR=$(pwd)/tmp
 rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src}

 boulderDir=$TMP_DIR/src
-boulderTag="release-2024-06-10"
+boulderTag="release-2024-07-10"
 boulderUrl="https://github.com/letsencrypt/boulder/"
 cloneDir=$(pwd)/..

--- a/build/tmp2.patch
+++ b/build/tmp2.patch
@@ -1,10 +1,10 @@
 diff --git a/test/startservers.py b/test/startservers.py
-index 5d19996ad..e1ccf8f45 100644
+index c3a3ed7b8..ef54a180d 100644
 --- a/test/startservers.py
 +++ b/test/startservers.py
-@@ -169,6 +169,9 @@ processes = []
+@@ -173,6 +173,9 @@ processes = []
 challSrvProcess = None
-
+ 
 def install(race_detection):
 +    return True
 +
--- a/2
+++ b/2
@@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0"

 labcaUrl="https://github.com/hakwerk/labca/"
 boulderUrl="https://github.com/letsencrypt/boulder/"
-boulderTag="release-2024-06-10"
+boulderTag="release-2024-07-10"

 # Feature flags
 flag_skip_redis=true
--- a/patches/ca_ca.patch
+++ b/patches/ca_ca.patch
@@ -1,8 +1,8 @@
 diff --git a/ca/ca.go b/ca/ca.go
-index 239a5a4c3..775ffa8a4 100644
+index d38f7e2e5..f8364d1d6 100644
 --- a/ca/ca.go
 +++ b/ca/ca.go
-@@ -160,10 +160,10 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) {
+@@ -156,10 +156,10 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) {
 		}
 	}
 	if i, ok := issuersByAlg[x509.ECDSA]; !ok || len(i) == 0 {
--- a/patches/cert-checker_main.patch
+++ b/patches/cert-checker_main.patch
@@ -1,5 +1,5 @@
 diff --git a/cmd/cert-checker/main.go b/cmd/cert-checker/main.go
-index 37ce5933a..c32225212 100644
+index d432fde00..1380c1cc5 100644
 --- a/cmd/cert-checker/main.go
 +++ b/cmd/cert-checker/main.go
@@ -106,6 +106,7 @@ type certChecker struct {
@@ -35,7 +35,7 @@ index 37ce5933a..c32225212 100644
 				// For defense-in-depth, even if the PA was willing to issue for a name
 				// we double check it against a list of forbidden domains. This way even
 				// if the hostnamePolicyFile malfunctions we will flag the forbidden
-@@ -489,9 +492,10 @@ type Config struct {
+@@ -487,9 +490,10 @@ type Config struct {
 
 		Workers int `validate:"required,min=1"`
 		// Deprecated: this is ignored, and cert checker always checks both expired and unexpired.
@@ -49,7 +49,7 @@ index 37ce5933a..c32225212 100644
 
 		// AcceptableValidityDurations is a list of durations which are
 		// acceptable for certificates we issue.
-@@ -546,6 +550,8 @@ func main() {
+@@ -544,6 +548,8 @@ func main() {
 		acceptableValidityDurations[ninetyDays] = true
 	}
 
@@ -58,7 +58,7 @@ index 37ce5933a..c32225212 100644
 	// Validate PA config and set defaults if needed.
 	cmd.FailOnError(config.PA.CheckChallenges(), "Invalid PA configuration")
 
-@@ -586,6 +592,7 @@ func main() {
+@@ -584,6 +590,7 @@ func main() {
 		config.CertChecker.CheckPeriod.Duration,
 		acceptableValidityDurations,
 		logger,
--- a/patches/cmd_shell.patch
+++ b/patches/cmd_shell.patch
@@ -1,8 +1,8 @@
 diff --git a/cmd/shell.go b/cmd/shell.go
-index 373bb0229..e660317d2 100644
+index ef4105500..e602adc56 100644
 --- a/cmd/shell.go
 +++ b/cmd/shell.go
-@@ -221,7 +221,7 @@ func NewLogger(logConf SyslogConfig) blog.Logger {
+@@ -222,7 +222,7 @@ func NewLogger(logConf SyslogConfig) blog.Logger {
 	// Boulder's conception of time.
 	go func() {
 		for {
--- a/patches/config_crl-storer.patch
+++ b/patches/config_crl-storer.patch
@@ -1,14 +1,17 @@
 diff --git a/test/config/crl-storer.json b/test/config/crl-storer.json
-index ef70c2ffc..a53b75d86 100644
+index 3ab267b0f..3c6f5c6a2 100644
 --- a/test/config/crl-storer.json
 +++ b/test/config/crl-storer.json
-@@ -23,10 +23,9 @@
+@@ -23,13 +23,9 @@
 			}
 		},
 		"issuerCerts": [
 -			"test/certs/webpki/int-rsa-a.cert.pem",
 -			"test/certs/webpki/int-rsa-b.cert.pem",
-			"test/certs/webpki/int-ecdsa-a.cert.pem"
+-			"test/certs/webpki/int-rsa-c.cert.pem",
+-			"test/certs/webpki/int-ecdsa-a.cert.pem",
+-			"test/certs/webpki/int-ecdsa-b.cert.pem",
+-			"test/certs/webpki/int-ecdsa-c.cert.pem"
 +			"test/certs/webpki/int-rsa-a.cert.pem"
 		],
 +		"localStorePath": "/opt/wwwstatic/crl",
--- a/patches/config_crl-updater.patch
+++ b/patches/config_crl-updater.patch
@@ -1,14 +1,17 @@
 diff --git a/test/config/crl-updater.json b/test/config/crl-updater.json
-index f6b70123f..a6c1471e5 100644
+index 21f3603bb..77450c65f 100644
 --- a/test/config/crl-updater.json
 +++ b/test/config/crl-updater.json
-@@ -36,16 +36,14 @@
+@@ -36,19 +36,14 @@
 			"hostOverride": "crl-storer.boulder"
 		},
 		"issuerCerts": [
 -			"test/certs/webpki/int-rsa-a.cert.pem",
 -			"test/certs/webpki/int-rsa-b.cert.pem",
-			"test/certs/webpki/int-ecdsa-a.cert.pem"
+-			"test/certs/webpki/int-rsa-c.cert.pem",
+-			"test/certs/webpki/int-ecdsa-a.cert.pem",
+-			"test/certs/webpki/int-ecdsa-b.cert.pem",
+-			"test/certs/webpki/int-ecdsa-c.cert.pem"
 +			"test/certs/webpki/int-rsa-a.cert.pem"
 		],
 -		"numShards": 10,
--- a/patches/config_duration.patch
+++ b/patches/config_duration.patch
@@ -1,13 +1,13 @@
 diff --git a/config/duration.go b/config/duration.go
-index c97eeb486..6167bf768 100644
+index 90cb2277d..44b56bc18 100644
 --- a/config/duration.go
 +++ b/config/duration.go
-@@ -9,7 +9,7 @@ import (
- // Duration is just an alias for time.Duration that allows
- // serialization to YAML as well as JSON.
+@@ -10,7 +10,7 @@ import (
+ // Duration is custom type embedding a time.Duration which allows defining
+ // methods such as serialization to YAML or JSON.
 type Duration struct {
 -	time.Duration `validate:"required"`
 +	time.Duration
 }
 
- // ErrDurationMustBeString is returned when a non-string value is
+ // DurationCustomTypeFunc enables registration of our custom config.Duration
--- a/patches/config_ocsp-responder.patch
+++ b/patches/config_ocsp-responder.patch
@@ -1,5 +1,5 @@
 diff --git a/test/config/ocsp-responder.json b/test/config/ocsp-responder.json
-index bfea858d..fecea919 100644
+index c67aa41f7..92fe8a28f 100644
 --- a/test/config/ocsp-responder.json
 +++ b/test/config/ocsp-responder.json
@@ -4,22 +4,6 @@
@@ -25,13 +25,16 @@ index bfea858d..fecea919 100644
 		"tls": {
 			"caCertFile": "test/certs/ipki/minica.pem",
 			"certFile": "test/certs/ipki/ocsp-responder.boulder/cert.pem",
-@@ -49,9 +33,7 @@
+@@ -49,12 +33,7 @@
 		"path": "/",
 		"listenAddress": "0.0.0.0:4002",
 		"issuerCerts": [
 -			"test/certs/webpki/int-rsa-a.cert.pem",
 -			"test/certs/webpki/int-rsa-b.cert.pem",
-			"test/certs/webpki/int-ecdsa-a.cert.pem"
+-			"test/certs/webpki/int-rsa-c.cert.pem",
+-			"test/certs/webpki/int-ecdsa-a.cert.pem",
+-			"test/certs/webpki/int-ecdsa-b.cert.pem",
+-			"test/certs/webpki/int-ecdsa-c.cert.pem"
 +			"test/certs/webpki/int-rsa-a.cert.pem"
 		],
 		"liveSigningPeriod": "60h",
--- a/patches/config_ra.patch
+++ b/patches/config_ra.patch
@@ -1,14 +1,17 @@
 diff --git a/test/config/ra.json b/test/config/ra.json
-index 6f0baae9..6ad0f08c 100644
+index e9f79e4f0..204f605c3 100644
 --- a/test/config/ra.json
 +++ b/test/config/ra.json
-@@ -14,9 +14,7 @@
+@@ -14,12 +14,7 @@
 		},
 		"orderLifetime": "168h",
 		"issuerCerts": [
 -			"test/certs/webpki/int-rsa-a.cert.pem",
 -			"test/certs/webpki/int-rsa-b.cert.pem",
-			"test/certs/webpki/int-ecdsa-a.cert.pem"
+-			"test/certs/webpki/int-rsa-c.cert.pem",
+-			"test/certs/webpki/int-ecdsa-a.cert.pem",
+-			"test/certs/webpki/int-ecdsa-b.cert.pem",
+-			"test/certs/webpki/int-ecdsa-c.cert.pem"
 +			"test/certs/webpki/int-rsa-a.cert.pem"
 		],
 		"tls": {
--- a/patches/entrypoint.patch
+++ b/patches/entrypoint.patch
@@ -1,14 +1,17 @@
 diff --git a/test/entrypoint.sh b/test/entrypoint.sh
-index 12d0397c4..23d9693de 100755
+index a47fd2c9a..90148c0d5 100755
 --- a/test/entrypoint.sh
 +++ b/test/entrypoint.sh
-@@ -13,12 +13,24 @@ service rsyslog start
+@@ -13,15 +13,27 @@ service rsyslog start
 # make sure we can reach the mysqldb.
 ./test/wait-for-it.sh boulder-mysql 3306
 
 -# make sure we can reach the proxysql.
 -./test/wait-for-it.sh bproxysql 6032
 -
+ # make sure we can reach pkilint
+ ./test/wait-for-it.sh bpkilint 80
+ 
 # create the database
 MYSQL_CONTAINER=1 $DIR/create_db.sh
 
--- a/patches/ra_ra.patch
+++ b/patches/ra_ra.patch
@@ -1,8 +1,8 @@
 diff --git a/ra/ra.go b/ra/ra.go
-index 300610496..906573e63 100644
+index a873276f5..b984a9731 100644
 --- a/ra/ra.go
 +++ b/ra/ra.go
-@@ -44,7 +44,6 @@ import (
+@@ -46,7 +46,6 @@ import (
 	"github.com/letsencrypt/boulder/issuance"
 	blog "github.com/letsencrypt/boulder/log"
 	"github.com/letsencrypt/boulder/metrics"
@@ -10,7 +10,7 @@ index 300610496..906573e63 100644
 	"github.com/letsencrypt/boulder/probs"
 	pubpb "github.com/letsencrypt/boulder/publisher/proto"
 	rapb "github.com/letsencrypt/boulder/ra/proto"
-@@ -578,7 +577,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error {
+@@ -581,7 +580,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error {
 				contact,
 			)
 		}
--- a/patches/wfe2_main.patch
+++ b/patches/wfe2_main.patch
@@ -1,8 +1,8 @@
 diff --git a/cmd/boulder-wfe2/main.go b/cmd/boulder-wfe2/main.go
-index 83ff247f8..8f0449b9f 100644
+index 90ad22417..ad57a1ae3 100644
 --- a/cmd/boulder-wfe2/main.go
 +++ b/cmd/boulder-wfe2/main.go
-@@ -96,7 +96,7 @@ type Config struct {
+@@ -92,7 +92,7 @@ type Config struct {
 		// DirectoryCAAIdentity is used for the /directory response's "meta"
 		// element's "caaIdentities" field. It should match the VA's "issuerDomain"
 		// configuration value (this value is the one used to enforce CAA)
@@ -11,7 +11,7 @@ index 83ff247f8..8f0449b9f 100644
 		// DirectoryWebsite is used for the /directory response's "meta" element's
 		// "website" field.
 		DirectoryWebsite string `validate:"required,url"`
-@@ -164,6 +164,8 @@ type Config struct {
+@@ -160,6 +160,8 @@ type Config struct {
 		// list will be rejected. This field is optional; if unset, no profile
 		// names are accepted.
 		CertificateProfileNames []string `validate:"omitempty,dive,alphanum,min=1,max=32"`
@@ -20,7 +20,7 @@ index 83ff247f8..8f0449b9f 100644
 	}
 
 	Syslog        cmd.SyslogConfig
-@@ -382,6 +384,7 @@ func main() {
+@@ -356,6 +358,7 @@ func main() {
 		txnBuilder,
 		maxNames,
 		c.WFE.CertificateProfileNames,
--- a/patches/wfe2_wfe.patch
+++ b/patches/wfe2_wfe.patch
@@ -1,5 +1,5 @@
 diff --git a/wfe2/wfe.go b/wfe2/wfe.go
-index 756cef2f2..0e95a1dc2 100644
+index 708fbad94..6b7235659 100644
 --- a/wfe2/wfe.go
 +++ b/wfe2/wfe.go
@@ -23,6 +23,7 @@ import (
@@ -35,11 +35,10 @@ index 756cef2f2..0e95a1dc2 100644
 	}
 
 	return wfe, nil
-@@ -2337,7 +2342,24 @@ func (wfe *WebFrontEndImpl) NewOrder(
+@@ -2260,8 +2265,25 @@ func (wfe *WebFrontEndImpl) NewOrder(
 		names[i] = ident.Value
 	}
 
-	err = policy.WellFormedDomainNames(names)
 +	logger := cmd.NewLogger(cmd.SyslogConfig{StdoutLevel: 7})
 +	pa, err := policy.New(map[core.AcmeChallenge]bool{}, logger)
 +	if err != nil {
@@ -57,6 +56,8 @@ index 756cef2f2..0e95a1dc2 100644
 +		return
 +	}
 +
+ 	names = core.UniqueLowerNames(names)
+-	err = policy.WellFormedDomainNames(names)
 +	err = pa.WellFormedDomainNames(names)
 	if err != nil {
 		wfe.sendError(response, logEvent, web.ProblemDetailsForError(err, "Invalid identifiers requested"), nil)