From 575f738443fcd2b0d8552f1c23890148587261a4 Mon Sep 17 00:00:00 2001 From: Arjan H Date: Thu, 29 Aug 2024 18:54:36 +0200 Subject: [PATCH] Bump boulder version to release-2024-07-10 --- build/build.sh | 2 +- build/tmp2.patch | 6 +++--- install | 2 +- patches/ca_ca.patch | 4 ++-- patches/cert-checker_main.patch | 8 ++++---- patches/cmd_shell.patch | 4 ++-- patches/config_crl-storer.patch | 9 ++++++--- patches/config_crl-updater.patch | 9 ++++++--- patches/config_duration.patch | 10 +++++----- patches/config_ocsp-responder.patch | 9 ++++++--- patches/config_ra.patch | 9 ++++++--- patches/entrypoint.patch | 7 +++++-- patches/ra_ra.patch | 6 +++--- patches/wfe2_main.patch | 8 ++++---- patches/wfe2_wfe.patch | 7 ++++--- 15 files changed, 58 insertions(+), 42 deletions(-) diff --git a/build/build.sh b/build/build.sh index ae5ca19..ca7635e 100755 --- a/build/build.sh +++ b/build/build.sh @@ -8,7 +8,7 @@ TMP_DIR=$(pwd)/tmp rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src} boulderDir=$TMP_DIR/src -boulderTag="release-2024-06-10" +boulderTag="release-2024-07-10" boulderUrl="https://github.com/letsencrypt/boulder/" cloneDir=$(pwd)/.. diff --git a/build/tmp2.patch b/build/tmp2.patch index 4e4e387..783181d 100644 --- a/build/tmp2.patch +++ b/build/tmp2.patch @@ -1,10 +1,10 @@ diff --git a/test/startservers.py b/test/startservers.py -index 5d19996ad..e1ccf8f45 100644 +index c3a3ed7b8..ef54a180d 100644 --- a/test/startservers.py +++ b/test/startservers.py -@@ -169,6 +169,9 @@ processes = [] +@@ -173,6 +173,9 @@ processes = [] challSrvProcess = None - + def install(race_detection): + return True + diff --git a/install b/install index 46c823a..a33c253 100755 --- a/install +++ b/install @@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0" labcaUrl="https://github.com/hakwerk/labca/" boulderUrl="https://github.com/letsencrypt/boulder/" -boulderTag="release-2024-06-10" +boulderTag="release-2024-07-10" # Feature flags flag_skip_redis=true 
diff --git a/patches/ca_ca.patch b/patches/ca_ca.patch index 869fb76..afedb48 100644 --- a/patches/ca_ca.patch +++ b/patches/ca_ca.patch @@ -1,8 +1,8 @@ diff --git a/ca/ca.go b/ca/ca.go -index 239a5a4c3..775ffa8a4 100644 +index d38f7e2e5..f8364d1d6 100644 --- a/ca/ca.go +++ b/ca/ca.go -@@ -160,10 +160,10 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) { +@@ -156,10 +156,10 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) { } } if i, ok := issuersByAlg[x509.ECDSA]; !ok || len(i) == 0 { diff --git a/patches/cert-checker_main.patch b/patches/cert-checker_main.patch index 993b851..03cd553 100644 --- a/patches/cert-checker_main.patch +++ b/patches/cert-checker_main.patch @@ -1,5 +1,5 @@ diff --git a/cmd/cert-checker/main.go b/cmd/cert-checker/main.go -index 37ce5933a..c32225212 100644 +index d432fde00..1380c1cc5 100644 --- a/cmd/cert-checker/main.go +++ b/cmd/cert-checker/main.go @@ -106,6 +106,7 @@ type certChecker struct { @@ -35,7 +35,7 @@ index 37ce5933a..c32225212 100644 // For defense-in-depth, even if the PA was willing to issue for a name // we double check it against a list of forbidden domains. This way even // if the hostnamePolicyFile malfunctions we will flag the forbidden -@@ -489,9 +492,10 @@ type Config struct { +@@ -487,9 +490,10 @@ type Config struct { Workers int `validate:"required,min=1"` // Deprecated: this is ignored, and cert checker always checks both expired and unexpired. @@ -49,7 +49,7 @@ index 37ce5933a..c32225212 100644 // AcceptableValidityDurations is a list of durations which are // acceptable for certificates we issue. -@@ -546,6 +550,8 @@ func main() { +@@ -544,6 +548,8 @@ func main() { acceptableValidityDurations[ninetyDays] = true } 
@@ -58,7 +58,7 @@ index 37ce5933a..c32225212 100644 // Validate PA config and set defaults if needed. cmd.FailOnError(config.PA.CheckChallenges(), "Invalid PA configuration") -@@ -586,6 +592,7 @@ func main() { +@@ -584,6 +590,7 @@ func main() { config.CertChecker.CheckPeriod.Duration, acceptableValidityDurations, logger, diff --git a/patches/cmd_shell.patch b/patches/cmd_shell.patch index 3fd8108..542cad0 100644 --- a/patches/cmd_shell.patch +++ b/patches/cmd_shell.patch @@ -1,8 +1,8 @@ diff --git a/cmd/shell.go b/cmd/shell.go -index 373bb0229..e660317d2 100644 +index ef4105500..e602adc56 100644 --- a/cmd/shell.go +++ b/cmd/shell.go -@@ -221,7 +221,7 @@ func NewLogger(logConf SyslogConfig) blog.Logger { +@@ -222,7 +222,7 @@ func NewLogger(logConf SyslogConfig) blog.Logger { // Boulder's conception of time. go func() { for { diff --git a/patches/config_crl-storer.patch b/patches/config_crl-storer.patch index 7e9009e..4987aed 100644 --- a/patches/config_crl-storer.patch +++ b/patches/config_crl-storer.patch @@ -1,14 +1,17 @@ diff --git a/test/config/crl-storer.json b/test/config/crl-storer.json -index ef70c2ffc..a53b75d86 100644 +index 3ab267b0f..3c6f5c6a2 100644 --- a/test/config/crl-storer.json +++ b/test/config/crl-storer.json -@@ -23,10 +23,9 @@ +@@ -23,13 +23,9 @@ } }, "issuerCerts": [ - "test/certs/webpki/int-rsa-a.cert.pem", - "test/certs/webpki/int-rsa-b.cert.pem", -- "test/certs/webpki/int-ecdsa-a.cert.pem" +- "test/certs/webpki/int-rsa-c.cert.pem", +- "test/certs/webpki/int-ecdsa-a.cert.pem", +- "test/certs/webpki/int-ecdsa-b.cert.pem", +- "test/certs/webpki/int-ecdsa-c.cert.pem" + "test/certs/webpki/int-rsa-a.cert.pem" ], + "localStorePath": "/opt/wwwstatic/crl", diff --git a/patches/config_crl-updater.patch b/patches/config_crl-updater.patch index 9b97206..84889bc 100644 --- a/patches/config_crl-updater.patch +++ b/patches/config_crl-updater.patch @@ -1,14 +1,17 @@ 
diff --git a/test/config/crl-updater.json b/test/config/crl-updater.json -index f6b70123f..a6c1471e5 100644 +index 21f3603bb..77450c65f 100644 --- a/test/config/crl-updater.json +++ b/test/config/crl-updater.json -@@ -36,16 +36,14 @@ +@@ -36,19 +36,14 @@ "hostOverride": "crl-storer.boulder" }, "issuerCerts": [ - "test/certs/webpki/int-rsa-a.cert.pem", - "test/certs/webpki/int-rsa-b.cert.pem", -- "test/certs/webpki/int-ecdsa-a.cert.pem" +- "test/certs/webpki/int-rsa-c.cert.pem", +- "test/certs/webpki/int-ecdsa-a.cert.pem", +- "test/certs/webpki/int-ecdsa-b.cert.pem", +- "test/certs/webpki/int-ecdsa-c.cert.pem" + "test/certs/webpki/int-rsa-a.cert.pem" ], - "numShards": 10, diff --git a/patches/config_duration.patch b/patches/config_duration.patch index 8914022..c810dd6 100644 --- a/patches/config_duration.patch +++ b/patches/config_duration.patch @@ -1,13 +1,13 @@ diff --git a/config/duration.go b/config/duration.go -index c97eeb486..6167bf768 100644 +index 90cb2277d..44b56bc18 100644 --- a/config/duration.go +++ b/config/duration.go -@@ -9,7 +9,7 @@ import ( - // Duration is just an alias for time.Duration that allows - // serialization to YAML as well as JSON. +@@ -10,7 +10,7 @@ import ( + // Duration is custom type embedding a time.Duration which allows defining + // methods such as serialization to YAML or JSON. type Duration struct { - time.Duration `validate:"required"` + time.Duration } - // ErrDurationMustBeString is returned when a non-string value is + // DurationCustomTypeFunc enables registration of our custom config.Duration diff --git a/patches/config_ocsp-responder.patch b/patches/config_ocsp-responder.patch index 8ba1b3d..f362609 100644 --- a/patches/config_ocsp-responder.patch +++ b/patches/config_ocsp-responder.patch @@ -1,5 +1,5 @@ diff --git a/test/config/ocsp-responder.json b/test/config/ocsp-responder.json -index bfea858d..fecea919 100644 +index c67aa41f7..92fe8a28f 100644 --- a/test/config/ocsp-responder.json 
+++ b/test/config/ocsp-responder.json @@ -4,22 +4,6 @@ @@ -25,13 +25,16 @@ index bfea858d..fecea919 100644 "tls": { "caCertFile": "test/certs/ipki/minica.pem", "certFile": "test/certs/ipki/ocsp-responder.boulder/cert.pem", -@@ -49,9 +33,7 @@ +@@ -49,12 +33,7 @@ "path": "/", "listenAddress": "0.0.0.0:4002", "issuerCerts": [ - "test/certs/webpki/int-rsa-a.cert.pem", - "test/certs/webpki/int-rsa-b.cert.pem", -- "test/certs/webpki/int-ecdsa-a.cert.pem" +- "test/certs/webpki/int-rsa-c.cert.pem", +- "test/certs/webpki/int-ecdsa-a.cert.pem", +- "test/certs/webpki/int-ecdsa-b.cert.pem", +- "test/certs/webpki/int-ecdsa-c.cert.pem" + "test/certs/webpki/int-rsa-a.cert.pem" ], "liveSigningPeriod": "60h", diff --git a/patches/config_ra.patch b/patches/config_ra.patch index cd4c0c3..b998740 100644 --- a/patches/config_ra.patch +++ b/patches/config_ra.patch @@ -1,14 +1,17 @@ diff --git a/test/config/ra.json b/test/config/ra.json -index 6f0baae9..6ad0f08c 100644 +index e9f79e4f0..204f605c3 100644 --- a/test/config/ra.json +++ b/test/config/ra.json -@@ -14,9 +14,7 @@ +@@ -14,12 +14,7 @@ }, "orderLifetime": "168h", "issuerCerts": [ - "test/certs/webpki/int-rsa-a.cert.pem", - "test/certs/webpki/int-rsa-b.cert.pem", -- "test/certs/webpki/int-ecdsa-a.cert.pem" +- "test/certs/webpki/int-rsa-c.cert.pem", +- "test/certs/webpki/int-ecdsa-a.cert.pem", +- "test/certs/webpki/int-ecdsa-b.cert.pem", +- "test/certs/webpki/int-ecdsa-c.cert.pem" + "test/certs/webpki/int-rsa-a.cert.pem" ], "tls": { diff --git a/patches/entrypoint.patch b/patches/entrypoint.patch index 3bc65cd..7c0efc9 100644 --- a/patches/entrypoint.patch +++ b/patches/entrypoint.patch @@ -1,14 +1,17 @@ diff --git a/test/entrypoint.sh b/test/entrypoint.sh -index 12d0397c4..23d9693de 100755 +index a47fd2c9a..90148c0d5 100755 --- a/test/entrypoint.sh 
+++ b/test/entrypoint.sh -@@ -13,12 +13,24 @@ service rsyslog start +@@ -13,15 +13,27 @@ service rsyslog start # make sure we can reach the mysqldb. ./test/wait-for-it.sh boulder-mysql 3306 -# make sure we can reach the proxysql. -./test/wait-for-it.sh bproxysql 6032 - + # make sure we can reach pkilint + ./test/wait-for-it.sh bpkilint 80 + # create the database MYSQL_CONTAINER=1 $DIR/create_db.sh diff --git a/patches/ra_ra.patch b/patches/ra_ra.patch index 49b84de..a2d9304 100644 --- a/patches/ra_ra.patch +++ b/patches/ra_ra.patch @@ -1,8 +1,8 @@ diff --git a/ra/ra.go b/ra/ra.go -index 300610496..906573e63 100644 +index a873276f5..b984a9731 100644 --- a/ra/ra.go +++ b/ra/ra.go -@@ -44,7 +44,6 @@ import ( +@@ -46,7 +46,6 @@ import ( "github.com/letsencrypt/boulder/issuance" blog "github.com/letsencrypt/boulder/log" "github.com/letsencrypt/boulder/metrics" @@ -10,7 +10,7 @@ index 300610496..906573e63 100644 "github.com/letsencrypt/boulder/probs" pubpb "github.com/letsencrypt/boulder/publisher/proto" rapb "github.com/letsencrypt/boulder/ra/proto" -@@ -578,7 +577,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error { +@@ -581,7 +580,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error { contact, ) } diff --git a/patches/wfe2_main.patch b/patches/wfe2_main.patch index 08540de..b4aada5 100644 --- a/patches/wfe2_main.patch +++ b/patches/wfe2_main.patch @@ -1,8 +1,8 @@ diff --git a/cmd/boulder-wfe2/main.go b/cmd/boulder-wfe2/main.go -index 83ff247f8..8f0449b9f 100644 +index 90ad22417..ad57a1ae3 100644 --- a/cmd/boulder-wfe2/main.go +++ b/cmd/boulder-wfe2/main.go -@@ -96,7 +96,7 @@ type Config struct { +@@ -92,7 +92,7 @@ type Config struct { // DirectoryCAAIdentity is used for the /directory response's "meta" // element's "caaIdentities" field. It should match the VA's "issuerDomain" // configuration value (this value is the one used to enforce CAA) 
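Review bot: The rebased hunk in patches/entrypoint.patch now carries upstream's new `# make sure we can reach pkilint` / `./test/wait-for-it.sh bpkilint 80` lines through as context while still dropping the proxysql wait, so the patched entrypoint will block on a `bpkilint` host on port 80 that a LabCA deployment may not run — presumably the same situation that led to the `bproxysql` wait being removed, though that is inferred from the patch alone. If pkilint is not part of the LabCA stack, the patch should remove those two lines as well (`-# make sure we can reach pkilint` / `-./test/wait-for-it.sh bpkilint 80`); if it is required, a one-line comment in the patch such as `# pkilint is started by LabCA, so the upstream wait is kept` would spare the next rebase the same question. The remainder of the inner hunk (`@@ -13,15 +13,27 @@`) is outside the quoted part.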
@@ -11,7 +11,7 @@ index 83ff247f8..8f0449b9f 100644 // DirectoryWebsite is used for the /directory response's "meta" element's // "website" field. DirectoryWebsite string `validate:"required,url"` -@@ -164,6 +164,8 @@ type Config struct { +@@ -160,6 +160,8 @@ type Config struct { // list will be rejected. This field is optional; if unset, no profile // names are accepted. CertificateProfileNames []string `validate:"omitempty,dive,alphanum,min=1,max=32"` @@ -20,7 +20,7 @@ index 83ff247f8..8f0449b9f 100644 } Syslog cmd.SyslogConfig -@@ -382,6 +384,7 @@ func main() { +@@ -356,6 +358,7 @@ func main() { txnBuilder, maxNames, c.WFE.CertificateProfileNames, diff --git a/patches/wfe2_wfe.patch b/patches/wfe2_wfe.patch index df895f0..6c90249 100644 --- a/patches/wfe2_wfe.patch +++ b/patches/wfe2_wfe.patch @@ -1,5 +1,5 @@ diff --git a/wfe2/wfe.go b/wfe2/wfe.go -index 756cef2f2..0e95a1dc2 100644 +index 708fbad94..6b7235659 100644 --- a/wfe2/wfe.go +++ b/wfe2/wfe.go @@ -23,6 +23,7 @@ import ( @@ -35,11 +35,10 @@ index 756cef2f2..0e95a1dc2 100644 } return wfe, nil -@@ -2337,7 +2342,24 @@ func (wfe *WebFrontEndImpl) NewOrder( +@@ -2260,8 +2265,25 @@ func (wfe *WebFrontEndImpl) NewOrder( names[i] = ident.Value } -- err = policy.WellFormedDomainNames(names) + logger := cmd.NewLogger(cmd.SyslogConfig{StdoutLevel: 7}) + pa, err := policy.New(map[core.AcmeChallenge]bool{}, logger) + if err != nil { @@ -57,6 +56,8 @@ index 756cef2f2..0e95a1dc2 100644 + return + } + + names = core.UniqueLowerNames(names) +- err = policy.WellFormedDomainNames(names) + err = pa.WellFormedDomainNames(names) if err != nil { wfe.sendError(response, logEvent, web.ProblemDetailsForError(err, "Invalid identifiers requested"), nil)
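Review bot: In the last hunk of patches/wfe2_wfe.patch the upstream normalisation `names = core.UniqueLowerNames(names)` is kept after LabCA's inserted block (the `logger := cmd.NewLogger(...)` / `pa, err := policy.New(...)` lines and whatever sits between the two outer hunks), whereas on the unpatched side it follows the `names[i] = ident.Value` loop directly, so anything in that block that inspects `names` sees identifiers before they are lower-cased and de-duplicated. If the hidden part of the block only builds and configures `pa` this is harmless, but if it runs a check on `names` that check would accept mixed-case or duplicate identifiers that the later `pa.WellFormedDomainNames(names)` only sees in normalised form. Moving the `+ names = core.UniqueLowerNames(names)` context line up to directly after the loop (adjusting the inner hunk header accordingly) keeps LabCA's block and upstream's ordering identical. Separately, constructing a new logger and policy authority on every NewOrder call is pre-existing in this patch, but a comment such as `// NOTE: per-request policy.New; consider hoisting into WebFrontEndImpl` would make that trade-off explicit. NewOrder itself starts and ends outside the quoted hunk.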