Bump boulder version to release-2022-08-15

2026-01-27 10:19:34 +00:00 · 2022-08-16 19:35:01 +02:00
parent 5d36f6ce80
commit 616da91583
12 changed files with 65 additions and 47 deletions
--- a/gui/apply-boulder
+++ b/gui/apply-boulder
@@ -77,6 +77,7 @@ if [ "$PKI_EXTENDED_TIMEOUT" == "1" ]; then
    sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/expiration-mailer.json
    sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/ra.json
    sed -i -e "s/\"timeout\": \"20s\"/\"timeout\": \"40s\"/" config/ra.json
+    sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/crl-storer.json
    sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/crl-updater.json
    sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/ocsp-updater.json
    sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/orphan-finder.json
--- a/4
+++ b/4
@@ -24,7 +24,7 @@ dockerComposeVersion="v2.5.0"

 labcaUrl="https://github.com/hakwerk/labca/"
 boulderUrl="https://github.com/letsencrypt/boulder/"
-boulderTag="release-2022-08-01"
+boulderTag="release-2022-08-15"

 # Feature flags
 flag_skip_redis=true
@@ -608,6 +608,7 @@ config_boulder() {
    sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/wfe2.json" < $cloneDir/patches/config_wfe2.patch &>>$installLog
    sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/rocsp-tool.json" < $cloneDir/patches/config_rocsp-tool.patch &>>$installLog
    sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/orphan-finder.json" < $cloneDir/patches/config_orphan-finder.patch &>>$installLog
+    sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/crl-storer.json" < $cloneDir/patches/config_crl-storer.patch &>>$installLog
    sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/crl-updater.json" < $cloneDir/patches/config_crl-updater.patch &>>$installLog
    sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/ra.json" < $cloneDir/patches/config_ra.patch &>>$installLog
    sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/va.json" < $cloneDir/patches/config_va.patch &>>$installLog
@@ -633,6 +634,7 @@ config_boulder() {
    sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/wfe2.json
    sed -i -e "s|.hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/rocsp-tool.json
    sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/orphan-finder.json
+    sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/crl-storer.json
    sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/crl-updater.json
    sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ra.json
    sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" issuer-ocsp-responder.json
--- a/patches/bad-key-revoker_main.patch
+++ b/patches/bad-key-revoker_main.patch
@@ -2,7 +2,7 @@ diff --git a/cmd/bad-key-revoker/main.go b/cmd/bad-key-revoker/main.go
 index 4f7a476b5..e907b43a1 100644
 --- a/cmd/bad-key-revoker/main.go
 +++ b/cmd/bad-key-revoker/main.go
-@@ -15,6 +15,7 @@ import (
+@@ -14,6 +14,7 @@ import (
 
 	"github.com/honeycombio/beeline-go"
 	"github.com/jmhodges/clock"
@@ -10,7 +10,7 @@ index 4f7a476b5..e907b43a1 100644
 	"github.com/letsencrypt/boulder/cmd"
 	"github.com/letsencrypt/boulder/core"
 	"github.com/letsencrypt/boulder/db"
-@@ -386,6 +387,9 @@ type Config struct {
+@@ -385,6 +386,9 @@ type Config struct {
 		TLS       cmd.TLSConfig
 		RAService *cmd.GRPCClientConfig
 
@@ -20,7 +20,7 @@ index 4f7a476b5..e907b43a1 100644
 		// MaximumRevocations specifies the maximum number of certificates associated with
 		// a key hash that bad-key-revoker will attempt to revoke. If the number of certificates
 		// is higher than MaximumRevocations bad-key-revoker will error out and refuse to
-@@ -419,6 +423,12 @@ type Config struct {
+@@ -418,6 +422,12 @@ type Config struct {
 
 	Syslog  cmd.SyslogConfig
 	Beeline cmd.BeelineConfig
@@ -33,7 +33,7 @@ index 4f7a476b5..e907b43a1 100644
 }
 
 func main() {
-@@ -456,6 +466,32 @@ func main() {
+@@ -455,6 +465,32 @@ func main() {
 	cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to RA")
 	rac := rapb.NewRegistrationAuthorityClient(conn)
 
@@ -65,8 +65,8 @@ index 4f7a476b5..e907b43a1 100644
 +
 	var smtpRoots *x509.CertPool
 	if config.BadKeyRevoker.Mailer.SMTPTrustedRootFile != "" {
- 		pem, err := ioutil.ReadFile(config.BadKeyRevoker.Mailer.SMTPTrustedRootFile)
-@@ -477,6 +513,7 @@ func main() {
+ 		pem, err := os.ReadFile(config.BadKeyRevoker.Mailer.SMTPTrustedRootFile)
+@@ -476,6 +512,7 @@ func main() {
 		config.BadKeyRevoker.Mailer.Username,
 		smtpPassword,
 		smtpRoots,
--- a/patches/ca_crl.patch
+++ b/patches/ca_crl.patch
@@ -1,17 +1,17 @@
 diff --git a/ca/crl.go b/ca/crl.go
-index 8b4ca6ba..da2b8992 100644
+index 99eb57b5..91e10a40 100644
 --- a/ca/crl.go
 +++ b/ca/crl.go
-@@ -126,8 +126,10 @@ func (ci *crlImpl) GenerateCRL(stream capb.CRLGenerator_GenerateCRLServer) error
- 			builder = strings.Builder{}
+@@ -127,8 +127,10 @@ func (ci *crlImpl) GenerateCRL(stream capb.CRLGenerator_GenerateCRLServer) error
+ 				builder = strings.Builder{}
+ 			}
 		}
+-		fmt.Fprint(&builder, "]")
+-		ci.log.AuditInfo(builder.String())
+		if builder.Len() > 0 {
+			fmt.Fprint(&builder, "]")
+			ci.log.AuditInfo(builder.String())
+		}
 	}
-	fmt.Fprint(&builder, "]")
-	ci.log.AuditInfo(builder.String())
-+	if builder.Len() > 0 {
-+		fmt.Fprint(&builder, "]")
-+		ci.log.AuditInfo(builder.String())
-+	}
 
 	template.RevokedCertificates = rcs
- 
--- a/patches/config_crl-storer.patch
+++ b/patches/config_crl-storer.patch
@@ -0,0 +1,15 @@
+diff --git a/test/config/crl-storer.json b/test/config/crl-storer.json
+index 61f14d795..4896803c4 100644
+--- a/test/config/crl-storer.json
+++ b/test/config/crl-storer.json
+@@ -15,9 +15,7 @@
+       ]
+     },
+     "issuerCerts": [
+-      "/hierarchy/intermediate-cert-rsa-a.pem",
+-      "/hierarchy/intermediate-cert-rsa-b.pem",
+-      "/hierarchy/intermediate-cert-ecdsa-a.pem"
+      "/hierarchy/intermediate-cert-rsa-a.pem"
+     ],
+     "s3Endpoint": "http://localhost:7890",
+     "s3Region": "us-west-1",
--- a/patches/contact-auditor_main.patch
+++ b/patches/contact-auditor_main.patch
@@ -2,7 +2,7 @@ diff --git a/cmd/contact-auditor/main.go b/cmd/contact-auditor/main.go
 index e595af47..b00458c5 100644
 --- a/cmd/contact-auditor/main.go
 +++ b/cmd/contact-auditor/main.go
-@@ -12,6 +12,7 @@ import (
+@@ -11,6 +11,7 @@ import (
 	"time"
 
 	"github.com/letsencrypt/boulder/cmd"
@@ -10,8 +10,8 @@ index e595af47..b00458c5 100644
 	blog "github.com/letsencrypt/boulder/log"
 	"github.com/letsencrypt/boulder/policy"
 	"github.com/letsencrypt/boulder/sa"
-@@ -49,9 +50,12 @@ func validateContacts(id int64, createdAt string, contacts []string) error {
- 		fmt.Fprintf(&probsBuff, "%d\t%s\tvalidation\t%q\t%q\n", id, createdAt, contact, prob)
+@@ -48,9 +49,12 @@ func validateContacts(id int64, createdAt string, contacts []string) error {
+ 		fmt.Fprintf(&probsBuff, "%d\t%s\tvalidation\t%q\t%q\t%q\n", id, createdAt, contact, prob, contacts)
 	}
 
 +	var pa *policy.AuthorityImpl
--- a/patches/docker-compose.patch
+++ b/patches/docker-compose.patch
@@ -3,7 +3,7 @@ index 0cd8c8dd..36619190 100644
 --- a/docker-compose.yml
 +++ b/docker-compose.yml
@@ -8,7 +8,7 @@ services:
-     image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.18.4_2022-07-20}
+     image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.18.4_2022-08-11}
     environment:
       FAKE_DNS: 10.77.77.77
 -      BOULDER_CONFIG_DIR: test/config
--- a/patches/expiration-mailer_main.patch
+++ b/patches/expiration-mailer_main.patch
@@ -2,7 +2,7 @@ diff --git a/cmd/expiration-mailer/main.go b/cmd/expiration-mailer/main.go
 index 229f0ca4..c815a872 100644
 --- a/cmd/expiration-mailer/main.go
 +++ b/cmd/expiration-mailer/main.go
-@@ -23,6 +23,7 @@ import (
+@@ -22,6 +22,7 @@ import (
 	"github.com/jmhodges/clock"
 	"google.golang.org/grpc"
 
@@ -10,7 +10,7 @@ index 229f0ca4..c815a872 100644
 	"github.com/letsencrypt/boulder/cmd"
 	"github.com/letsencrypt/boulder/core"
 	corepb "github.com/letsencrypt/boulder/core/proto"
-@@ -38,7 +39,7 @@ import (
+@@ -37,7 +38,7 @@ import (
 )
 
 const (
@@ -19,7 +19,7 @@ index 229f0ca4..c815a872 100644
 )
 
 type regStore interface {
-@@ -507,6 +508,9 @@ type Config struct {
+@@ -506,6 +507,9 @@ type Config struct {
 		TLS       cmd.TLSConfig
 		SAService *cmd.GRPCClientConfig
 
@@ -29,7 +29,7 @@ index 229f0ca4..c815a872 100644
 		// Path to a file containing a list of trusted root certificates for use
 		// during the SMTP connection (as opposed to the gRPC connections).
 		SMTPTrustedRootFile string
-@@ -516,6 +520,12 @@ type Config struct {
+@@ -515,6 +519,12 @@ type Config struct {
 
 	Syslog  cmd.SyslogConfig
 	Beeline cmd.BeelineConfig
@@ -42,7 +42,7 @@ index 229f0ca4..c815a872 100644
 }
 
 func initStats(stats prometheus.Registerer) mailerStats {
-@@ -643,6 +653,32 @@ func main() {
+@@ -642,6 +652,32 @@ func main() {
 	cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA")
 	sac := sapb.NewStorageAuthorityClient(conn)
 
@@ -74,8 +74,8 @@ index 229f0ca4..c815a872 100644
 +
 	var smtpRoots *x509.CertPool
 	if c.Mailer.SMTPTrustedRootFile != "" {
- 		pem, err := ioutil.ReadFile(c.Mailer.SMTPTrustedRootFile)
-@@ -678,6 +714,7 @@ func main() {
+ 		pem, err := os.ReadFile(c.Mailer.SMTPTrustedRootFile)
+@@ -677,6 +713,7 @@ func main() {
 		c.Mailer.Username,
 		smtpPassword,
 		smtpRoots,
--- a/patches/log-validator_main.patch
+++ b/patches/log-validator_main.patch
@@ -2,7 +2,7 @@ diff --git a/cmd/log-validator/main.go b/cmd/log-validator/main.go
 index 24df67e90..565de0c3c 100644
 --- a/cmd/log-validator/main.go
 +++ b/cmd/log-validator/main.go
-@@ -65,8 +65,8 @@ func lineValid(text string) error {
+@@ -64,8 +64,8 @@ func lineValid(text string) error {
 	if strings.Contains(text, errorPrefix) {
 		return nil
 	}
--- a/patches/notify-mailer_main.patch
+++ b/patches/notify-mailer_main.patch
@@ -1,5 +1,5 @@
 diff --git a/cmd/notify-mailer/main.go b/cmd/notify-mailer/main.go
-index f281d85c..449845dc 100644
+index 34f07a9b..ed957946 100644
 --- a/cmd/notify-mailer/main.go
 +++ b/cmd/notify-mailer/main.go
@@ -36,6 +36,7 @@ type mailer struct {
@@ -7,19 +7,19 @@ index f281d85c..449845dc 100644
 	targetRange   interval
 	sleepInterval time.Duration
 +	pa            *policy.AuthorityImpl
+ 	parallelSends uint
 }
 
- // interval defines a range of email addresses to send to in alphabetical order.
-@@ -171,7 +172,7 @@ func (m *mailer) run() error {
- 			continue
- 		}
+@@ -200,7 +201,7 @@ func (m *mailer) run() error {
+ 					continue
+ 				}
 
-		err := policy.ValidEmail(address)
-+		err := m.pa.ValidEmail(address)
- 		if err != nil {
- 			m.log.Infof("Skipping %q due to policy violation: %s", address, err)
- 			continue
-@@ -472,7 +473,9 @@ type Config struct {
+-				err := policy.ValidEmail(w.address)
+				err := m.pa.ValidEmail(w.address)
+ 				if err != nil {
+ 					m.log.Infof("Skipping %q due to policy violation: %s", w.address, err)
+ 					continue
+@@ -501,7 +502,9 @@ type Config struct {
 	NotifyMailer struct {
 		DB cmd.DBConfig
 		cmd.SMTPConfig
@@ -29,7 +29,7 @@ index f281d85c..449845dc 100644
 	Syslog cmd.SyslogConfig
 }
 
-@@ -536,6 +539,14 @@ func main() {
+@@ -569,6 +572,14 @@ func main() {
 		log.Infof("While reading the recipient list file %s", probs)
 	}
 
@@ -44,7 +44,7 @@ index f281d85c..449845dc 100644
 	var mailClient bmail.Mailer
 	if *dryRun {
 		log.Infof("Starting %s in dry-run mode", cmd.VersionString())
-@@ -551,6 +562,7 @@ func main() {
+@@ -584,6 +595,7 @@ func main() {
 			cfg.NotifyMailer.Username,
 			smtpPassword,
 			nil,
@@ -52,11 +52,11 @@ index f281d85c..449845dc 100644
 			*address,
 			log,
 			metrics.NoopRegisterer,
-@@ -571,6 +583,7 @@ func main() {
+@@ -604,6 +616,7 @@ func main() {
 			end:   *end,
 		},
 		sleepInterval: *sleep,
 +		pa:            pa,
+ 		parallelSends: *parallelSends,
 	}
 
- 	err = m.run()
--- a/patches/reloader_reloader.patch
+++ b/patches/reloader_reloader.patch
@@ -2,7 +2,7 @@ diff --git a/reloader/reloader.go b/reloader/reloader.go
 index d885af63..ab71babf 100644
 --- a/reloader/reloader.go
 +++ b/reloader/reloader.go
-@@ -9,7 +9,7 @@ import (
+@@ -8,7 +8,7 @@ import (
 
 // Wrap time.Tick so we can override it in tests.
 var makeTicker = func() (func(), <-chan time.Time) {
@@ -11,7 +11,7 @@ index d885af63..ab71babf 100644
 	return t.Stop, t.C
 }
 
-@@ -55,8 +55,12 @@ func New(filename string, dataCallback func([]byte) error, errorCallback func(er
+@@ -54,8 +54,12 @@ func New(filename string, dataCallback func([]byte) error, errorCallback func(er
 			case <-tickChan:
 				currentFileInfo, err := os.Stat(filename)
 				if err != nil {
--- a/patches/startservers.patch
+++ b/patches/startservers.patch
@@ -2,7 +2,7 @@ diff --git a/test/startservers.py b/test/startservers.py
 index 21ca6259..5b8847eb 100644
 --- a/test/startservers.py
 +++ b/test/startservers.py
-@@ -146,6 +146,9 @@ processes = []
+@@ -154,6 +154,9 @@ processes = []
 challSrvProcess = None
 
 def setupHierarchy():