From 5d27e00fa41c4d16d082b5feca765a36103c5fb5 Mon Sep 17 00:00:00 2001 From: Arjan H Date: Sat, 4 May 2024 21:26:13 +0200 Subject: [PATCH] Bump boulder version to release-2024-04-30 --- build/build.sh | 2 +- build/docker-compose.yml | 15 +++++++----- build/tmp.patch | 16 ++++++------- gui/apply-boulder | 6 ++--- install | 2 +- patch.sh | 1 + patches/ca_ca.patch | 17 +++++++++++++ patches/ca_crl.patch | 4 ++-- patches/cert-checker_main.patch | 16 ++++++------- patches/docker-compose-redis.patch | 12 +++++----- patches/docker-compose.patch | 38 ++++++++++++------------------ patches/ra_ra.patch | 6 ++--- patches/test_config_ca.patch | 12 +++++----- 13 files changed, 80 insertions(+), 67 deletions(-) create mode 100644 patches/ca_ca.patch diff --git a/build/build.sh b/build/build.sh index 60581df..1eeab73 100755 --- a/build/build.sh +++ b/build/build.sh @@ -8,7 +8,7 @@ TMP_DIR=$(pwd)/tmp rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src} boulderDir=$TMP_DIR/src -boulderTag="release-2024-04-08" +boulderTag="release-2024-04-30" boulderUrl="https://github.com/letsencrypt/boulder/" cloneDir=$(pwd)/.. diff --git a/build/docker-compose.yml b/build/docker-compose.yml index 5f3d31f..d24e873 100644 --- a/build/docker-compose.yml +++ b/build/docker-compose.yml @@ -18,8 +18,6 @@ services: BOULDER_CONFIG_DIR: labca/config GOCACHE: /boulder/.gocache/go-build GOFLAGS: -mod=vendor - # Forward the parent env's GOEXPERIMENT value into the container. - GOEXPERIMENT: ${GOEXPERIMENT:-} volumes: - boulder_data:/opt/boulder/labca - nginx_html:/opt/wwwstatic 
@@ -41,10 +39,15 @@ services: # TODO: Remove this when ServerAddress is deprecated in favor of SRV records # and DNSAuthority. dns: 10.55.55.10 - expose: - - 4001 # ACMEv2 - - 4002 # OCSP - - 4003 # OCSP + extra_hosts: + # Allow the boulder container to be reached as "ca.example.org", so that + # we can put that name inside our integration test certs (e.g. as a crl + # url) and have it look like a publicly-accessible name. + - "ca.example.org:10.77.77.77" + ports: + - 4001:4001 # ACMEv2 + - 4002:4002 # OCSP + - 4003:4003 # OCSP depends_on: - bmysql - bconsul diff --git a/build/tmp.patch b/build/tmp.patch index 2fd454b..1e1e362 100644 --- a/build/tmp.patch +++ b/build/tmp.patch @@ -1,5 +1,5 @@ diff --git a/docker-compose.yml b/docker-compose.yml -index 7efd16c4c..5f3d31f77 100644 +index 176d452e0..d24e8738d 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -4,7 +4,7 @@ services: @@ -11,9 +11,9 @@ index 7efd16c4c..5f3d31f77 100644 build: context: test/boulder-tools/ # Should match one of the GO_CI_VERSIONS in test/boulder-tools/tag_and_upload.sh. -@@ -21,12 +21,10 @@ services: - # Forward the parent env's GOEXPERIMENT value into the container. - GOEXPERIMENT: ${GOEXPERIMENT:-} +@@ -19,12 +19,10 @@ services: + GOCACHE: /boulder/.gocache/go-build + GOFLAGS: -mod=vendor volumes: - - .:/opt/boulder:cached - - /home/labca/boulder_labca:/opt/boulder/labca @@ -28,7 +28,7 @@ index 7efd16c4c..5f3d31f77 100644 networks: bouldernet: ipv4_address: 10.77.77.77 -@@ -50,6 +48,7 @@ services: +@@ -53,6 +51,7 @@ services: depends_on: - bmysql - bconsul @@ -36,7 +36,7 @@ index 7efd16c4c..5f3d31f77 100644 entrypoint: labca/entrypoint.sh working_dir: &boulder_working_dir /opt/boulder logging: -@@ -84,34 +83,37 @@ services: +@@ -87,34 +86,37 @@ services: bconsul: image: hashicorp/consul:1.15.4 @@ -85,7 +85,7 @@ index 7efd16c4c..5f3d31f77 100644 logging: driver: "json-file" options: -@@ -128,27 +130,26 @@ services: +@@ -131,27 +133,26 @@ services: - 80:80 - 443:443 volumes: 
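Review bot: Replacing `expose:` with `ports: - 4001:4001 …` publishes the ACMEv2 listener and both OCSP listeners on every host interface, where before this hunk they were reachable only from other containers on the compose network, and the nginx service on 80/443 (visible in the tmp.patch context) presumably remains the intended front door. If host access to 4001-4003 is not required, keep `expose:`; if it is, bind to loopback with `- 127.0.0.1:4001:4001` (and likewise for 4002/4003) so the raw listeners are not reachable from outside the host. The same widening happens indirectly in the patches/docker-compose.patch hunk `@@ -34,23 +30,14 @@`, which drops the lines that used to substitute `expose` for upstream's `ports`. The new `extra_hosts` entry for ca.example.org comes from upstream's integration-test setup; a one-line comment saying whether LabCA relies on it would help at the next bump.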
@@ -127,7 +127,7 @@ index 7efd16c4c..5f3d31f77 100644 expose: - 3030 environment: -@@ -159,6 +160,15 @@ services: +@@ -162,6 +163,15 @@ services: volumes: dbdata: diff --git a/gui/apply-boulder b/gui/apply-boulder index 105cf31..04fb8fc 100755 --- a/gui/apply-boulder +++ b/gui/apply-boulder @@ -68,8 +68,8 @@ sed -i -e "s/\"directoryCAAIdentity\": \".*\"/\"directoryCAAIdentity\": \"$PKI_D if ([ "$PKI_DOMAIN_MODE" == "lockdown" ] && [ "$PKI_LOCKDOWN_DOMAINS" != "" ]) || ([ "$PKI_DOMAIN_MODE" == "whitelist" ] && [ "$PKI_WHITELIST_DOMAINS" != "" ]); then perl -i -p0e "s/(\"badResultsOnly\":[^\n]*).*?(\s+)(\"checkPeriod\":)/\1\2\"skipForbiddenDomains\": true,\2\3/igs" config/cert-checker.json - perl -i -p0e "s/(\"ignoredLints\": \[).*?(\s+)(\"n_subject_common_name_included\")/\1\2\"e_dnsname_not_valid_tld\",\2\3/igs" config/cert-checker.json - perl -i -p0e "s/(\"ignoredLints\": \[).*?(\s+)(\"n_subject_common_name_included\")/\1\2\"e_dnsname_not_valid_tld\",\2\3/igs" config/ca.json + perl -i -p0e "s/(\"ignoredLints\": \[).*?(\s+)(\"w_subject_common_name_included\")/\1\2\"e_dnsname_not_valid_tld\",\2\3/igs" config/cert-checker.json + perl -i -p0e "s/(\"ignoredLints\": \[).*?(\s+)(\"w_subject_common_name_included\")/\1\2\"e_dnsname_not_valid_tld\",\2\3/igs" config/ca.json fi [ -e ../test/hostname-policy.yaml ] && cp ../test/hostname-policy.yaml ./ || true @@ -106,7 +106,7 @@ if [ "$PKI_DOMAIN_MODE" == "whitelist" ] && [ "$PKI_WHITELIST_DOMAINS" != "" ]; done fi if [ "$PKI_DOMAIN_MODE" == "lockdown" ] || [ "$PKI_DOMAIN_MODE" == "whitelist" ]; then - sed -i -e "s/\(\"n_subject_common_name_included\"\).*\]/\1,\"e_dnsname_not_valid_tld\"\]/" config/ca.json + sed -i -e "s/\(\"w_subject_common_name_included\"\).*\]/\1,\"e_dnsname_not_valid_tld\"\]/" config/ca.json REPLACEMENT="" LABCA_DOMAINS="" diff --git a/install b/install index f112d8c..4b4633a 100755 --- a/install +++ b/install 
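Review bot: All three substitutions in the two gui/apply-boulder hunks now anchor on the literal lint ID `"w_subject_common_name_included"`; when that anchor is absent from config/ca.json or config/cert-checker.json (as it will be again at the next upstream rename) `perl -p0e s///` and `sed` exit successfully without matching, and `e_dnsname_not_valid_tld` is silently never added to ignoredLints. A check after the substitutions such as `grep -q '"e_dnsname_not_valid_tld"' config/ca.json || echo "WARNING: ignoredLints anchor not found in config/ca.json" >&2` would surface that instead of leaving lockdown/whitelist mode misconfigured. The `if` block in the second hunk continues past its last visible line.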
@@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0" labcaUrl="https://github.com/hakwerk/labca/" boulderUrl="https://github.com/letsencrypt/boulder/" -boulderTag="release-2024-04-08" +boulderTag="release-2024-04-30" # Feature flags flag_skip_redis=true diff --git a/patch.sh b/patch.sh index 45cdec7..8ceedbf 100755 --- a/patch.sh +++ b/patch.sh @@ -20,6 +20,7 @@ fi $SUDO patch -p1 < $cloneDir/patches/bad-key-revoker_main.patch $SUDO patch -p1 < $cloneDir/patches/boulder-va_main.patch +$SUDO patch -p1 < $cloneDir/patches/ca_ca.patch $SUDO patch -p1 < $cloneDir/patches/ca_crl.patch $SUDO patch -p1 < $cloneDir/patches/cert-checker_main.patch $SUDO patch -p1 < $cloneDir/patches/cmd_config.patch diff --git a/patches/ca_ca.patch b/patches/ca_ca.patch new file mode 100644 index 0000000..baf2219 --- /dev/null +++ b/patches/ca_ca.patch @@ -0,0 +1,17 @@ +diff --git a/ca/ca.go b/ca/ca.go +index 252fa87d9..6630b731c 100644 +--- a/ca/ca.go ++++ b/ca/ca.go +@@ -118,10 +118,10 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) { + } + } + if i, ok := issuersByAlg[x509.ECDSA]; !ok || len(i) == 0 { +- return issuerMaps{}, errors.New("no ECDSA issuers configured") ++ fmt.Println("WARNING: no ECDSA issuers configured") + } + if i, ok := issuersByAlg[x509.RSA]; !ok || len(i) == 0 { +- return issuerMaps{}, errors.New("no RSA issuers configured") ++ fmt.Println("WARNING: no RSA issuers configured") + } + return issuerMaps{issuersByAlg, issuersByNameID}, nil + } diff --git a/patches/ca_crl.patch b/patches/ca_crl.patch index 9101c2a..216f0d0 100644 --- a/patches/ca_crl.patch +++ b/patches/ca_crl.patch @@ -1,8 +1,8 @@ diff --git a/ca/crl.go b/ca/crl.go -index 35b7caff7..31d27857f 100644 +index 23d8d3ab1..bc28fc618 100644 --- a/ca/crl.go 
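Review bot: In the new patches/ca_ca.patch, swapping the two `return issuerMaps{}, errors.New(...)` lines for `fmt.Println("WARNING: ...")` turns a startup invariant into a warning, so `makeIssuerMaps` now returns `issuerMaps{issuersByAlg, issuersByNameID}` with one key type missing from `issuersByAlg`; presumably whatever later looks up an issuer for that algorithm gets nothing and the failure moves from CA startup to individual issuance requests. If single-algorithm deployments are intended for LabCA, the patch should say so with a comment above the first check, e.g. `// LabCA: a single issuer algorithm is permitted; issuance for the missing key type fails per request rather than at startup.`. The warnings also bypass Boulder's logger and go to stdout, so they will not carry the usual log prefix or level; if a logger is reachable from this function (not visible in the hunk) prefer it over `fmt.Println`. Since the hunk does not touch the import block, verify that `fmt` is imported and that `errors` is still referenced elsewhere in ca/ca.go, otherwise the build breaks on an unused import.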
+++ b/ca/crl.go -@@ -143,8 +143,10 @@ func (ci *crlImpl) GenerateCRL(stream capb.CRLGenerator_GenerateCRLServer) error +@@ -134,8 +134,10 @@ func (ci *crlImpl) GenerateCRL(stream capb.CRLGenerator_GenerateCRLServer) error builder = strings.Builder{} } } diff --git a/patches/cert-checker_main.patch b/patches/cert-checker_main.patch index 09c2764..993b851 100644 --- a/patches/cert-checker_main.patch +++ b/patches/cert-checker_main.patch @@ -1,8 +1,8 @@ diff --git a/cmd/cert-checker/main.go b/cmd/cert-checker/main.go -index 6cf2dee45..008f383d3 100644 +index 37ce5933a..c32225212 100644 --- a/cmd/cert-checker/main.go +++ b/cmd/cert-checker/main.go -@@ -107,6 +107,7 @@ type certChecker struct { +@@ -106,6 +106,7 @@ type certChecker struct { checkPeriod time.Duration acceptableValidityDurations map[time.Duration]bool logger blog.Logger @@ -10,7 +10,7 @@ index 6cf2dee45..008f383d3 100644 } func newChecker(saDbMap certDB, -@@ -116,6 +117,7 @@ func newChecker(saDbMap certDB, +@@ -115,6 +116,7 @@ func newChecker(saDbMap certDB, period time.Duration, avd map[time.Duration]bool, logger blog.Logger, @@ -18,7 +18,7 @@ index 6cf2dee45..008f383d3 100644 ) certChecker { precertGetter := func(ctx context.Context, serial string) ([]byte, error) { precertPb, err := sa.SelectPrecertificate(ctx, saDbMap, serial) -@@ -136,6 +138,7 @@ func newChecker(saDbMap certDB, +@@ -135,6 +137,7 @@ func newChecker(saDbMap certDB, checkPeriod: period, acceptableValidityDurations: avd, logger: logger, @@ -26,7 +26,7 @@ index 6cf2dee45..008f383d3 100644 } } -@@ -410,7 +413,7 @@ func (c *certChecker) checkCert(ctx context.Context, cert core.Certificate, igno +@@ -409,7 +412,7 @@ func (c *certChecker) checkCert(ctx context.Context, cert core.Certificate, igno err = c.pa.WillingToIssue([]string{name}) if err != nil { problems = append(problems, fmt.Sprintf("Policy Authority isn't willing to issue for '%s': %s", name, err)) 
@@ -35,7 +35,7 @@ index 6cf2dee45..008f383d3 100644 // For defense-in-depth, even if the PA was willing to issue for a name // we double check it against a list of forbidden domains. This way even // if the hostnamePolicyFile malfunctions we will flag the forbidden -@@ -490,9 +493,10 @@ type Config struct { +@@ -489,9 +492,10 @@ type Config struct { Workers int `validate:"required,min=1"` // Deprecated: this is ignored, and cert checker always checks both expired and unexpired. @@ -49,7 +49,7 @@ index 6cf2dee45..008f383d3 100644 // AcceptableValidityDurations is a list of durations which are // acceptable for certificates we issue. -@@ -559,6 +563,8 @@ func main() { +@@ -546,6 +550,8 @@ func main() { acceptableValidityDurations[ninetyDays] = true } @@ -58,7 +58,7 @@ index 6cf2dee45..008f383d3 100644 // Validate PA config and set defaults if needed. cmd.FailOnError(config.PA.CheckChallenges(), "Invalid PA configuration") -@@ -599,6 +605,7 @@ func main() { +@@ -586,6 +592,7 @@ func main() { config.CertChecker.CheckPeriod.Duration, acceptableValidityDurations, logger, diff --git a/patches/docker-compose-redis.patch b/patches/docker-compose-redis.patch index f46a709..00e3458 100644 --- a/patches/docker-compose-redis.patch +++ b/patches/docker-compose-redis.patch @@ -1,8 +1,8 @@ diff --git a/docker-compose.yml b/docker-compose.yml -index 928c11bec..0d59c1228 100644 +index b7dc73ed4..235330460 100644 --- a/docker-compose.yml +++ b/docker-compose.yml -@@ -30,8 +30,6 @@ services: +@@ -27,8 +27,6 @@ services: ipv4_address: 10.77.77.77 integrationtestnet: ipv4_address: 10.88.88.88 @@ -11,7 +11,7 @@ index 928c11bec..0d59c1228 100644 consulnet: ipv4_address: 10.55.55.55 # Use consul as a backup to Docker's embedded DNS server. If there's a name -@@ -50,10 +48,6 @@ services: +@@ -52,10 +50,6 @@ services: depends_on: - bmysql - bproxysql 
@@ -21,8 +21,8 @@ index 928c11bec..0d59c1228 100644 - - bredis_4 - bconsul - bjaeger - entrypoint: test/entrypoint.sh -@@ -91,42 +85,6 @@ services: + - bpkilint +@@ -94,42 +88,6 @@ services: aliases: - boulder-proxysql @@ -65,7 +65,7 @@ index 928c11bec..0d59c1228 100644 bconsul: image: hashicorp/consul:1.15.4 volumes: -@@ -171,13 +129,6 @@ networks: +@@ -181,13 +139,6 @@ networks: config: - subnet: 10.88.88.0/24 diff --git a/patches/docker-compose.patch b/patches/docker-compose.patch index 8ee621a..2e0e65e 100644 --- a/patches/docker-compose.patch +++ b/patches/docker-compose.patch @@ -1,9 +1,8 @@ diff --git a/docker-compose.yml b/docker-compose.yml -index 8971dbdb4..1918202dd 100644 +index 235330460..176d452e0 100644 --- a/docker-compose.yml +++ b/docker-compose.yml -@@ -1,10 +1,10 @@ --version: '3' +@@ -1,9 +1,10 @@ +name: labca services: boulder: @@ -15,7 +14,7 @@ index 8971dbdb4..1918202dd 100644 build: context: test/boulder-tools/ # Should match one of the GO_CI_VERSIONS in test/boulder-tools/tag_and_upload.sh. -@@ -15,13 +15,15 @@ services: +@@ -14,11 +15,13 @@ services: # to the IP address where your ACME client's solver is listening. # FAKE_DNS: 172.17.0.1 FAKE_DNS: 10.77.77.77 @@ -23,9 +22,6 @@ index 8971dbdb4..1918202dd 100644 + BOULDER_CONFIG_DIR: labca/config GOCACHE: /boulder/.gocache/go-build GOFLAGS: -mod=vendor - # Forward the parent env's GOEXPERIMENT value into the container. -- GOEXPERIMENT: ${GOEXPERIMENT} -+ GOEXPERIMENT: ${GOEXPERIMENT:-} volumes: - - .:/boulder:cached + - .:/opt/boulder:cached 
@@ -34,23 +30,14 @@ index 8971dbdb4..1918202dd 100644 - ./.gocache:/root/.cache/go-build:cached - ./.hierarchy:/hierarchy/:cached - ./.softhsm-tokens/:/var/lib/softhsm/tokens/:cached -@@ -41,20 +43,26 @@ services: - # TODO: Remove this when ServerAddress is deprecated in favor of SRV records - # and DNSAuthority. - dns: 10.55.55.10 -- ports: -- - 4001:4001 # ACMEv2 -- - 4002:4002 # OCSP -- - 4003:4003 # OCSP -+ expose: -+ - 4001 # ACMEv2 -+ - 4002 # OCSP -+ - 4003 # OCSP +@@ -49,15 +52,20 @@ services: + - 4003:4003 # OCSP depends_on: - bmysql - - bproxysql - bconsul - - bjaeger +- - bpkilint - entrypoint: test/entrypoint.sh - working_dir: &boulder_working_dir /boulder + entrypoint: labca/entrypoint.sh @@ -69,7 +56,7 @@ index 8971dbdb4..1918202dd 100644 networks: bouldernet: aliases: -@@ -68,22 +76,11 @@ services: +@@ -71,22 +79,11 @@ services: # small. command: mysqld --bind-address=0.0.0.0 --slow-query-log --log-output=TABLE --log-queries-not-using-indexes=ON logging: @@ -97,7 +84,7 @@ index 8971dbdb4..1918202dd 100644 bconsul: image: hashicorp/consul:1.15.4 -@@ -95,12 +92,73 @@ services: +@@ -98,19 +95,73 @@ services: bouldernet: ipv4_address: 10.77.77.10 command: "consul agent -dev -config-format=hcl -config-file=/test/consul/config.hcl" @@ -131,11 +118,16 @@ index 8971dbdb4..1918202dd 100644 + max-size: "500k" + max-file: "5" + restart: always -+ + +- bpkilint: +- image: ghcr.io/digicert/pkilint:v0.10.1 + nginx: + image: nginx:1.25.4 + restart: always -+ networks: + networks: +- bouldernet: +- ipv4_address: 10.77.77.9 +- command: "gunicorn -w 8 -k uvicorn.workers.UvicornWorker -b 0.0.0.0:80 pkilint.rest:app" + - bouldernet + ports: + - 80:80 diff --git a/patches/ra_ra.patch b/patches/ra_ra.patch index 321cbbd..698e4ed 100644 --- a/patches/ra_ra.patch +++ b/patches/ra_ra.patch @@ -1,8 +1,8 @@ diff --git a/ra/ra.go b/ra/ra.go -index ea609da8f..2ad0fb2a6 100644 +index c442fc5a7..050e60c93 100644 --- a/ra/ra.go 
+++ b/ra/ra.go -@@ -43,7 +43,6 @@ import ( +@@ -44,7 +44,6 @@ import ( "github.com/letsencrypt/boulder/issuance" blog "github.com/letsencrypt/boulder/log" "github.com/letsencrypt/boulder/metrics" @@ -10,7 +10,7 @@ index ea609da8f..2ad0fb2a6 100644 "github.com/letsencrypt/boulder/probs" pubpb "github.com/letsencrypt/boulder/publisher/proto" rapb "github.com/letsencrypt/boulder/ra/proto" -@@ -561,7 +560,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error { +@@ -568,7 +567,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error { contact, ) } diff --git a/patches/test_config_ca.patch b/patches/test_config_ca.patch index b50b35e..669b6de 100644 --- a/patches/test_config_ca.patch +++ b/patches/test_config_ca.patch @@ -8,8 +8,8 @@ index 53ae91f2d..1937e5580 100644 { - "useForRSALeaves": false, - "useForECDSALeaves": true, -- "issuerURL": "http://127.0.0.1:4502/int ecdsa a", -- "ocspURL": "http://127.0.0.1:4002/", +- "issuerURL": "http://ca.example.org:4502/int-ecdsa-a", +- "ocspURL": "http://ca.example.org:4002/", - "location": { - "configFile": "/hierarchy/int-ecdsa-a.pkcs11.json", - "certFile": "/hierarchy/int-ecdsa-a.cert.pem", @@ -19,8 +19,8 @@ index 53ae91f2d..1937e5580 100644 - { "useForRSALeaves": true, "useForECDSALeaves": true, - "issuerURL": "http://127.0.0.1:4502/int rsa a", - "ocspURL": "http://127.0.0.1:4002/", + "issuerURL": "http://ca.example.org:4502/int-rsa-a", + "ocspURL": "http://ca.example.org:4002/", "location": { - "configFile": "/hierarchy/int-rsa-a.pkcs11.json", - "certFile": "/hierarchy/int-rsa-a.cert.pem", 
@@ -30,8 +30,8 @@ index 53ae91f2d..1937e5580 100644 - { - "useForRSALeaves": false, - "useForECDSALeaves": false, -- "issuerURL": "http://127.0.0.1:4502/int rsa b", -- "ocspURL": "http://127.0.0.1:4002/", +- "issuerURL": "http://ca.example.org:4502/int-rsa-b", +- "ocspURL": "http://ca.example.org:4003/", - "location": { - "configFile": "/hierarchy/int-rsa-b.pkcs11.json", - "certFile": "/hierarchy/int-rsa-b.cert.pem",