Bump boulder version to release-2024-04-30

build/build.sh

@@ -8,7 +8,7 @@ TMP_DIR=$(pwd)/tmp
 rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src}
 
 boulderDir=$TMP_DIR/src
-boulderTag="release-2024-04-08"
+boulderTag="release-2024-04-30"
 boulderUrl="https://github.com/letsencrypt/boulder/"
 cloneDir=$(pwd)/..
 

build/docker-compose.yml

@@ -18,8 +18,6 @@ services:
       BOULDER_CONFIG_DIR: labca/config
       GOCACHE: /boulder/.gocache/go-build
       GOFLAGS: -mod=vendor
-      # Forward the parent env's GOEXPERIMENT value into the container.
-      GOEXPERIMENT: ${GOEXPERIMENT:-}
     volumes:
       - boulder_data:/opt/boulder/labca
       - nginx_html:/opt/wwwstatic
@@ -41,10 +39,15 @@ services:
     # TODO: Remove this when ServerAddress is deprecated in favor of SRV records
     # and DNSAuthority.
     dns: 10.55.55.10
-    expose:
-      - 4001 # ACMEv2
-      - 4002 # OCSP
-      - 4003 # OCSP
+    extra_hosts:
+      # Allow the boulder container to be reached as "ca.example.org", so that
+      # we can put that name inside our integration test certs (e.g. as a crl
+      # url) and have it look like a publicly-accessible name.
+      - "ca.example.org:10.77.77.77"
+    ports:
+      - 4001:4001 # ACMEv2
+      - 4002:4002 # OCSP
+      - 4003:4003 # OCSP
     depends_on:
       - bmysql
       - bconsul

build/tmp.patch

@@ -1,5 +1,5 @@
 diff --git a/docker-compose.yml b/docker-compose.yml
-index 7efd16c4c..5f3d31f77 100644
+index 176d452e0..d24e8738d 100644
 --- a/docker-compose.yml
 +++ b/docker-compose.yml
 @@ -4,7 +4,7 @@ services:
@@ -11,9 +11,9 @@ index 7efd16c4c..5f3d31f77 100644
      build:
        context: test/boulder-tools/
        # Should match one of the GO_CI_VERSIONS in test/boulder-tools/tag_and_upload.sh.
-@@ -21,12 +21,10 @@ services:
-       # Forward the parent env's GOEXPERIMENT value into the container.
-       GOEXPERIMENT: ${GOEXPERIMENT:-}
+@@ -19,12 +19,10 @@ services:
+       GOCACHE: /boulder/.gocache/go-build
+       GOFLAGS: -mod=vendor
      volumes:
 -      - .:/opt/boulder:cached
 -      - /home/labca/boulder_labca:/opt/boulder/labca
@@ -28,7 +28,7 @@ index 7efd16c4c..5f3d31f77 100644
      networks:
        bouldernet:
          ipv4_address: 10.77.77.77
-@@ -50,6 +48,7 @@ services:
+@@ -53,6 +51,7 @@ services:
      depends_on:
        - bmysql
        - bconsul
@@ -36,7 +36,7 @@ index 7efd16c4c..5f3d31f77 100644
      entrypoint: labca/entrypoint.sh
      working_dir: &boulder_working_dir /opt/boulder
      logging:
-@@ -84,34 +83,37 @@ services:
+@@ -87,34 +86,37 @@ services:
  
    bconsul:
      image: hashicorp/consul:1.15.4
@@ -85,7 +85,7 @@ index 7efd16c4c..5f3d31f77 100644
      logging:
        driver: "json-file"
        options:
-@@ -128,27 +130,26 @@ services:
+@@ -131,27 +133,26 @@ services:
        - 80:80
        - 443:443
      volumes:
@@ -127,7 +127,7 @@ index 7efd16c4c..5f3d31f77 100644
      expose:
        - 3030
      environment:
-@@ -159,6 +160,15 @@ services:
+@@ -162,6 +163,15 @@ services:
  
  volumes:
    dbdata:

gui/apply-boulder

@@ -68,8 +68,8 @@ sed -i -e "s/\"directoryCAAIdentity\": \".*\"/\"directoryCAAIdentity\": \"$PKI_D
 
 if ([ "$PKI_DOMAIN_MODE" == "lockdown" ] && [ "$PKI_LOCKDOWN_DOMAINS" != "" ]) || ([ "$PKI_DOMAIN_MODE" == "whitelist" ] && [ "$PKI_WHITELIST_DOMAINS" != "" ]); then
     perl -i -p0e "s/(\"badResultsOnly\":[^\n]*).*?(\s+)(\"checkPeriod\":)/\1\2\"skipForbiddenDomains\": true,\2\3/igs" config/cert-checker.json
-    perl -i -p0e "s/(\"ignoredLints\": \[).*?(\s+)(\"n_subject_common_name_included\")/\1\2\"e_dnsname_not_valid_tld\",\2\3/igs" config/cert-checker.json
-    perl -i -p0e "s/(\"ignoredLints\": \[).*?(\s+)(\"n_subject_common_name_included\")/\1\2\"e_dnsname_not_valid_tld\",\2\3/igs" config/ca.json
+    perl -i -p0e "s/(\"ignoredLints\": \[).*?(\s+)(\"w_subject_common_name_included\")/\1\2\"e_dnsname_not_valid_tld\",\2\3/igs" config/cert-checker.json
+    perl -i -p0e "s/(\"ignoredLints\": \[).*?(\s+)(\"w_subject_common_name_included\")/\1\2\"e_dnsname_not_valid_tld\",\2\3/igs" config/ca.json
 fi
 
 [ -e ../test/hostname-policy.yaml ] && cp ../test/hostname-policy.yaml ./ || true
@@ -106,7 +106,7 @@ if [ "$PKI_DOMAIN_MODE" == "whitelist" ] && [ "$PKI_WHITELIST_DOMAINS" != "" ];
     done
 fi
 if [ "$PKI_DOMAIN_MODE" == "lockdown" ] || [ "$PKI_DOMAIN_MODE" == "whitelist" ]; then
-    sed -i -e "s/\(\"n_subject_common_name_included\"\).*\]/\1,\"e_dnsname_not_valid_tld\"\]/" config/ca.json
+    sed -i -e "s/\(\"w_subject_common_name_included\"\).*\]/\1,\"e_dnsname_not_valid_tld\"\]/" config/ca.json
 
     REPLACEMENT=""
     LABCA_DOMAINS=""

install

@@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0"
 
 labcaUrl="https://github.com/hakwerk/labca/"
 boulderUrl="https://github.com/letsencrypt/boulder/"
-boulderTag="release-2024-04-08"
+boulderTag="release-2024-04-30"
 
 # Feature flags
 flag_skip_redis=true

patch.sh

@@ -20,6 +20,7 @@ fi
 
 $SUDO patch -p1 < $cloneDir/patches/bad-key-revoker_main.patch
 $SUDO patch -p1 < $cloneDir/patches/boulder-va_main.patch
+$SUDO patch -p1 < $cloneDir/patches/ca_ca.patch
 $SUDO patch -p1 < $cloneDir/patches/ca_crl.patch
 $SUDO patch -p1 < $cloneDir/patches/cert-checker_main.patch
 $SUDO patch -p1 < $cloneDir/patches/cmd_config.patch

patches/ca_ca.patch

@@ -0,0 +1,17 @@
+diff --git a/ca/ca.go b/ca/ca.go
+index 252fa87d9..6630b731c 100644
+--- a/ca/ca.go
++++ b/ca/ca.go
+@@ -118,10 +118,10 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) {
+ 		}
+ 	}
+ 	if i, ok := issuersByAlg[x509.ECDSA]; !ok || len(i) == 0 {
+-		return issuerMaps{}, errors.New("no ECDSA issuers configured")
++		fmt.Println("WARNING: no ECDSA issuers configured")
+ 	}
+ 	if i, ok := issuersByAlg[x509.RSA]; !ok || len(i) == 0 {
+-		return issuerMaps{}, errors.New("no RSA issuers configured")
++		fmt.Println("WARNING: no RSA issuers configured")
+ 	}
+ 	return issuerMaps{issuersByAlg, issuersByNameID}, nil
+ }

patches/ca_crl.patch

@@ -1,8 +1,8 @@
 diff --git a/ca/crl.go b/ca/crl.go
-index 35b7caff7..31d27857f 100644
+index 23d8d3ab1..bc28fc618 100644
 --- a/ca/crl.go
 +++ b/ca/crl.go
-@@ -143,8 +143,10 @@ func (ci *crlImpl) GenerateCRL(stream capb.CRLGenerator_GenerateCRLServer) error
+@@ -134,8 +134,10 @@ func (ci *crlImpl) GenerateCRL(stream capb.CRLGenerator_GenerateCRLServer) error
  				builder = strings.Builder{}
  			}
  		}

patches/cert-checker_main.patch

@@ -1,8 +1,8 @@
 diff --git a/cmd/cert-checker/main.go b/cmd/cert-checker/main.go
-index 6cf2dee45..008f383d3 100644
+index 37ce5933a..c32225212 100644
 --- a/cmd/cert-checker/main.go
 +++ b/cmd/cert-checker/main.go
-@@ -107,6 +107,7 @@ type certChecker struct {
+@@ -106,6 +106,7 @@ type certChecker struct {
  	checkPeriod                 time.Duration
  	acceptableValidityDurations map[time.Duration]bool
  	logger                      blog.Logger
@@ -10,7 +10,7 @@ index 6cf2dee45..008f383d3 100644
  }
  
  func newChecker(saDbMap certDB,
-@@ -116,6 +117,7 @@ func newChecker(saDbMap certDB,
+@@ -115,6 +116,7 @@ func newChecker(saDbMap certDB,
  	period time.Duration,
  	avd map[time.Duration]bool,
  	logger blog.Logger,
@@ -18,7 +18,7 @@ index 6cf2dee45..008f383d3 100644
  ) certChecker {
  	precertGetter := func(ctx context.Context, serial string) ([]byte, error) {
  		precertPb, err := sa.SelectPrecertificate(ctx, saDbMap, serial)
-@@ -136,6 +138,7 @@ func newChecker(saDbMap certDB,
+@@ -135,6 +137,7 @@ func newChecker(saDbMap certDB,
  		checkPeriod:                 period,
  		acceptableValidityDurations: avd,
  		logger:                      logger,
@@ -26,7 +26,7 @@ index 6cf2dee45..008f383d3 100644
  	}
  }
  
-@@ -410,7 +413,7 @@ func (c *certChecker) checkCert(ctx context.Context, cert core.Certificate, igno
+@@ -409,7 +412,7 @@ func (c *certChecker) checkCert(ctx context.Context, cert core.Certificate, igno
  			err = c.pa.WillingToIssue([]string{name})
  			if err != nil {
  				problems = append(problems, fmt.Sprintf("Policy Authority isn't willing to issue for '%s': %s", name, err))
@@ -35,7 +35,7 @@ index 6cf2dee45..008f383d3 100644
  				// For defense-in-depth, even if the PA was willing to issue for a name
  				// we double check it against a list of forbidden domains. This way even
  				// if the hostnamePolicyFile malfunctions we will flag the forbidden
-@@ -490,9 +493,10 @@ type Config struct {
+@@ -489,9 +492,10 @@ type Config struct {
  
  		Workers int `validate:"required,min=1"`
  		// Deprecated: this is ignored, and cert checker always checks both expired and unexpired.
@@ -49,7 +49,7 @@ index 6cf2dee45..008f383d3 100644
  
  		// AcceptableValidityDurations is a list of durations which are
  		// acceptable for certificates we issue.
-@@ -559,6 +563,8 @@ func main() {
+@@ -546,6 +550,8 @@ func main() {
  		acceptableValidityDurations[ninetyDays] = true
  	}
  
@@ -58,7 +58,7 @@ index 6cf2dee45..008f383d3 100644
  	// Validate PA config and set defaults if needed.
  	cmd.FailOnError(config.PA.CheckChallenges(), "Invalid PA configuration")
  
-@@ -599,6 +605,7 @@ func main() {
+@@ -586,6 +592,7 @@ func main() {
  		config.CertChecker.CheckPeriod.Duration,
  		acceptableValidityDurations,
  		logger,

patches/docker-compose-redis.patch

@@ -1,8 +1,8 @@
 diff --git a/docker-compose.yml b/docker-compose.yml
-index 928c11bec..0d59c1228 100644
+index b7dc73ed4..235330460 100644
 --- a/docker-compose.yml
 +++ b/docker-compose.yml
-@@ -30,8 +30,6 @@ services:
+@@ -27,8 +27,6 @@ services:
          ipv4_address: 10.77.77.77
        integrationtestnet:
          ipv4_address: 10.88.88.88
@@ -11,7 +11,7 @@ index 928c11bec..0d59c1228 100644
        consulnet:
          ipv4_address: 10.55.55.55
      # Use consul as a backup to Docker's embedded DNS server. If there's a name
-@@ -50,10 +48,6 @@ services:
+@@ -52,10 +50,6 @@ services:
      depends_on:
        - bmysql
        - bproxysql
@@ -21,8 +21,8 @@ index 928c11bec..0d59c1228 100644
 -      - bredis_4
        - bconsul
        - bjaeger
-     entrypoint: test/entrypoint.sh
-@@ -91,42 +85,6 @@ services:
+       - bpkilint
+@@ -94,42 +88,6 @@ services:
          aliases:
            - boulder-proxysql
  
@@ -65,7 +65,7 @@ index 928c11bec..0d59c1228 100644
    bconsul:
      image: hashicorp/consul:1.15.4
      volumes:
-@@ -171,13 +129,6 @@ networks:
+@@ -181,13 +139,6 @@ networks:
        config:
          - subnet: 10.88.88.0/24
  

patches/docker-compose.patch

@@ -1,9 +1,8 @@
 diff --git a/docker-compose.yml b/docker-compose.yml
-index 8971dbdb4..1918202dd 100644
+index 235330460..176d452e0 100644
 --- a/docker-compose.yml
 +++ b/docker-compose.yml
-@@ -1,10 +1,10 @@
--version: '3'
+@@ -1,9 +1,10 @@
 +name: labca
  services:
    boulder:
@@ -15,7 +14,7 @@ index 8971dbdb4..1918202dd 100644
      build:
        context: test/boulder-tools/
        # Should match one of the GO_CI_VERSIONS in test/boulder-tools/tag_and_upload.sh.
-@@ -15,13 +15,15 @@ services:
+@@ -14,11 +15,13 @@ services:
        # to the IP address where your ACME client's solver is listening.
        # FAKE_DNS: 172.17.0.1
        FAKE_DNS: 10.77.77.77
@@ -23,9 +22,6 @@ index 8971dbdb4..1918202dd 100644
 +      BOULDER_CONFIG_DIR: labca/config
        GOCACHE: /boulder/.gocache/go-build
        GOFLAGS: -mod=vendor
-       # Forward the parent env's GOEXPERIMENT value into the container.
--      GOEXPERIMENT: ${GOEXPERIMENT}
-+      GOEXPERIMENT: ${GOEXPERIMENT:-}
      volumes:
 -      - .:/boulder:cached
 +      - .:/opt/boulder:cached
@@ -34,23 +30,14 @@ index 8971dbdb4..1918202dd 100644
        - ./.gocache:/root/.cache/go-build:cached
        - ./.hierarchy:/hierarchy/:cached
        - ./.softhsm-tokens/:/var/lib/softhsm/tokens/:cached
-@@ -41,20 +43,26 @@ services:
-     # TODO: Remove this when ServerAddress is deprecated in favor of SRV records
-     # and DNSAuthority.
-     dns: 10.55.55.10
--    ports:
--      - 4001:4001 # ACMEv2
--      - 4002:4002 # OCSP
--      - 4003:4003 # OCSP
-+    expose:
-+      - 4001 # ACMEv2
-+      - 4002 # OCSP
-+      - 4003 # OCSP
+@@ -49,15 +52,20 @@ services:
+       - 4003:4003 # OCSP
      depends_on:
        - bmysql
 -      - bproxysql
        - bconsul
 -      - bjaeger
+-      - bpkilint
 -    entrypoint: test/entrypoint.sh
 -    working_dir: &boulder_working_dir /boulder
 +    entrypoint: labca/entrypoint.sh
@@ -69,7 +56,7 @@ index 8971dbdb4..1918202dd 100644
      networks:
        bouldernet:
          aliases:
-@@ -68,22 +76,11 @@ services:
+@@ -71,22 +79,11 @@ services:
      # small.
      command: mysqld --bind-address=0.0.0.0 --slow-query-log --log-output=TABLE --log-queries-not-using-indexes=ON
      logging:
@@ -97,7 +84,7 @@ index 8971dbdb4..1918202dd 100644
  
    bconsul:
      image: hashicorp/consul:1.15.4
-@@ -95,12 +92,73 @@ services:
+@@ -98,19 +95,73 @@ services:
        bouldernet:
          ipv4_address: 10.77.77.10
      command: "consul agent -dev -config-format=hcl -config-file=/test/consul/config.hcl"
@@ -131,11 +118,16 @@ index 8971dbdb4..1918202dd 100644
 +        max-size: "500k"
 +        max-file: "5"
 +    restart: always
-+
+ 
+-  bpkilint:
+-    image: ghcr.io/digicert/pkilint:v0.10.1
 +  nginx:
 +    image: nginx:1.25.4
 +    restart: always
-+    networks:
+     networks:
+-      bouldernet:
+-        ipv4_address: 10.77.77.9
+-    command: "gunicorn -w 8 -k uvicorn.workers.UvicornWorker -b 0.0.0.0:80 pkilint.rest:app"
 +      - bouldernet
 +    ports:
 +      - 80:80

patches/ra_ra.patch

@@ -1,8 +1,8 @@
 diff --git a/ra/ra.go b/ra/ra.go
-index ea609da8f..2ad0fb2a6 100644
+index c442fc5a7..050e60c93 100644
 --- a/ra/ra.go
 +++ b/ra/ra.go
-@@ -43,7 +43,6 @@ import (
+@@ -44,7 +44,6 @@ import (
  	"github.com/letsencrypt/boulder/issuance"
  	blog "github.com/letsencrypt/boulder/log"
  	"github.com/letsencrypt/boulder/metrics"
@@ -10,7 +10,7 @@ index ea609da8f..2ad0fb2a6 100644
  	"github.com/letsencrypt/boulder/probs"
  	pubpb "github.com/letsencrypt/boulder/publisher/proto"
  	rapb "github.com/letsencrypt/boulder/ra/proto"
-@@ -561,7 +560,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error {
+@@ -568,7 +567,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error {
  				contact,
  			)
  		}

patches/test_config_ca.patch

@@ -8,8 +8,8 @@ index 53ae91f2d..1937e5580 100644
  				{
 -					"useForRSALeaves": false,
 -					"useForECDSALeaves": true,
--					"issuerURL": "http://127.0.0.1:4502/int ecdsa a",
--					"ocspURL": "http://127.0.0.1:4002/",
+-					"issuerURL": "http://ca.example.org:4502/int-ecdsa-a",
+-					"ocspURL": "http://ca.example.org:4002/",
 -					"location": {
 -						"configFile": "/hierarchy/int-ecdsa-a.pkcs11.json",
 -						"certFile": "/hierarchy/int-ecdsa-a.cert.pem",
@@ -19,8 +19,8 @@ index 53ae91f2d..1937e5580 100644
 -				{
  					"useForRSALeaves": true,
  					"useForECDSALeaves": true,
- 					"issuerURL": "http://127.0.0.1:4502/int rsa a",
- 					"ocspURL": "http://127.0.0.1:4002/",
+ 					"issuerURL": "http://ca.example.org:4502/int-rsa-a",
+ 					"ocspURL": "http://ca.example.org:4002/",
  					"location": {
 -						"configFile": "/hierarchy/int-rsa-a.pkcs11.json",
 -						"certFile": "/hierarchy/int-rsa-a.cert.pem",
@@ -30,8 +30,8 @@ index 53ae91f2d..1937e5580 100644
 -				{
 -					"useForRSALeaves": false,
 -					"useForECDSALeaves": false,
--					"issuerURL": "http://127.0.0.1:4502/int rsa b",
--					"ocspURL": "http://127.0.0.1:4002/",
+-					"issuerURL": "http://ca.example.org:4502/int-rsa-b",
+-					"ocspURL": "http://ca.example.org:4003/",
 -					"location": {
 -						"configFile": "/hierarchy/int-rsa-b.pkcs11.json",
 -						"certFile": "/hierarchy/int-rsa-b.cert.pem",