diff --git a/gui/apply-boulder b/gui/apply-boulder
index c1a8f51..7e83743 100755
--- a/gui/apply-boulder
+++ b/gui/apply-boulder
@@ -77,6 +77,7 @@ if [ "$PKI_EXTENDED_TIMEOUT" == "1" ]; then
 sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/expiration-mailer.json
 sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/ra.json
 sed -i -e "s/\"timeout\": \"20s\"/\"timeout\": \"40s\"/" config/ra.json
+ sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/crl-storer.json
 sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/crl-updater.json
 sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/ocsp-updater.json
 sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/orphan-finder.json
diff --git a/install b/install
index 6e2b920..a6c8f43 100755
--- a/install
+++ b/install
@@ -24,7 +24,7 @@ dockerComposeVersion="v2.5.0"
 labcaUrl="https://github.com/hakwerk/labca/"
 boulderUrl="https://github.com/letsencrypt/boulder/"
-boulderTag="release-2022-08-01"
+boulderTag="release-2022-08-15"
 # Feature flags
 flag_skip_redis=true
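Review bot: The new `sed` for config/crl-storer.json, like the sibling lines around it, exits 0 and changes nothing when the literal `"timeout": "15s"` is not present, so a Boulder release that ships a different default for crl-storer leaves the extended timeout silently unapplied. A cheap guard is to assert the expected text first, e.g. `grep -q '"timeout": "15s"' config/crl-storer.json || echo "crl-storer.json: expected 15s timeout not found" >&2`, or to grep for `"30s"` after the rewrite. The enclosing `if [ "$PKI_EXTENDED_TIMEOUT" == "1" ]` block starts and ends outside the hunk.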
@@ -608,6 +608,7 @@ config_boulder() {
 sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/wfe2.json" < $cloneDir/patches/config_wfe2.patch &>>$installLog
 sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/rocsp-tool.json" < $cloneDir/patches/config_rocsp-tool.patch &>>$installLog
 sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/orphan-finder.json" < $cloneDir/patches/config_orphan-finder.patch &>>$installLog
+ sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/crl-storer.json" < $cloneDir/patches/config_crl-storer.patch &>>$installLog
 sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/crl-updater.json" < $cloneDir/patches/config_crl-updater.patch &>>$installLog
 sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/ra.json" < $cloneDir/patches/config_ra.patch &>>$installLog
 sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/va.json" < $cloneDir/patches/config_va.patch &>>$installLog
@@ -633,6 +634,7 @@ config_boulder() {
 sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/wfe2.json
 sed -i -e "s|.hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/rocsp-tool.json
 sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/orphan-finder.json
+ sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/crl-storer.json
 sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/crl-updater.json
 sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ra.json
 sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" issuer-ocsp-responder.json
diff --git a/patches/bad-key-revoker_main.patch b/patches/bad-key-revoker_main.patch
index a739fae..241ae75 100644
--- a/patches/bad-key-revoker_main.patch
+++ b/patches/bad-key-revoker_main.patch
@@ -2,7 +2,7 @@ diff --git a/cmd/bad-key-revoker/main.go b/cmd/bad-key-revoker/main.go
 index 4f7a476b5..e907b43a1 100644
 --- a/cmd/bad-key-revoker/main.go
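Review bot: The added `patch -p1 -o "$boulderLabCADir/config/crl-storer.json" < $cloneDir/patches/config_crl-storer.patch &>>$installLog` routes stdout and stderr to the log but nothing in the hunk checks patch's exit status, so a patch that no longer applies against a newer test/config/crl-storer.json would leave a missing or partially written config while the install carries on; whether `set -e` is active inside config_boulder() is not visible here, and a failure here is a config-integrity problem for a CA component. Consider `... &>>$installLog || { echo "config_crl-storer.patch failed to apply, see $installLog" >&2; exit 1; }`, ideally via a small helper the neighbouring patch lines share. config_boulder() starts and ends outside the hunk.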
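Review bot: The new `sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/crl-storer.json` only yields a usable issuerCerts list because config_crl-storer.patch has first reduced it to the single rsa-a entry; if that patch step failed, the rsa-b and ecdsa-a entries would survive pointing at /hierarchy paths that a LabCA install presumably does not provide, and the error would surface only when crl-storer starts. A post-condition such as `grep -q '/hierarchy/' config/crl-storer.json && echo "crl-storer.json still references /hierarchy" >&2` after the substitutions makes that coupling explicit. config_boulder() starts and ends outside the hunk.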
+++ b/cmd/bad-key-revoker/main.go -@@ -15,6 +15,7 @@ import ( +@@ -14,6 +14,7 @@ import ( "github.com/honeycombio/beeline-go" "github.com/jmhodges/clock" @@ -10,7 +10,7 @@ index 4f7a476b5..e907b43a1 100644 "github.com/letsencrypt/boulder/cmd" "github.com/letsencrypt/boulder/core" "github.com/letsencrypt/boulder/db" -@@ -386,6 +387,9 @@ type Config struct { +@@ -385,6 +386,9 @@ type Config struct { TLS cmd.TLSConfig RAService *cmd.GRPCClientConfig @@ -20,7 +20,7 @@ index 4f7a476b5..e907b43a1 100644 // MaximumRevocations specifies the maximum number of certificates associated with // a key hash that bad-key-revoker will attempt to revoke. If the number of certificates // is higher than MaximumRevocations bad-key-revoker will error out and refuse to -@@ -419,6 +423,12 @@ type Config struct { +@@ -418,6 +422,12 @@ type Config struct { Syslog cmd.SyslogConfig Beeline cmd.BeelineConfig @@ -33,7 +33,7 @@ index 4f7a476b5..e907b43a1 100644 } func main() { -@@ -456,6 +466,32 @@ func main() { +@@ -455,6 +465,32 @@ func main() { cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to RA") rac := rapb.NewRegistrationAuthorityClient(conn) @@ -65,8 +65,8 @@ index 4f7a476b5..e907b43a1 100644 + var smtpRoots *x509.CertPool if config.BadKeyRevoker.Mailer.SMTPTrustedRootFile != "" { - pem, err := ioutil.ReadFile(config.BadKeyRevoker.Mailer.SMTPTrustedRootFile) -@@ -477,6 +513,7 @@ func main() { + pem, err := os.ReadFile(config.BadKeyRevoker.Mailer.SMTPTrustedRootFile) +@@ -476,6 +512,7 @@ func main() { config.BadKeyRevoker.Mailer.Username, smtpPassword, smtpRoots, diff --git a/patches/ca_crl.patch b/patches/ca_crl.patch index 9ee54b3..c9b1fac 100644 --- a/patches/ca_crl.patch +++ b/patches/ca_crl.patch @@ -1,17 +1,17 @@ diff --git a/ca/crl.go b/ca/crl.go -index 8b4ca6ba..da2b8992 100644 +index 99eb57b5..91e10a40 100644 --- a/ca/crl.go 
+++ b/ca/crl.go -@@ -126,8 +126,10 @@ func (ci *crlImpl) GenerateCRL(stream capb.CRLGenerator_GenerateCRLServer) error - builder = strings.Builder{} +@@ -127,8 +127,10 @@ func (ci *crlImpl) GenerateCRL(stream capb.CRLGenerator_GenerateCRLServer) error + builder = strings.Builder{} + } } +- fmt.Fprint(&builder, "]") +- ci.log.AuditInfo(builder.String()) ++ if builder.Len() > 0 { ++ fmt.Fprint(&builder, "]") ++ ci.log.AuditInfo(builder.String()) ++ } } -- fmt.Fprint(&builder, "]") -- ci.log.AuditInfo(builder.String()) -+ if builder.Len() > 0 { -+ fmt.Fprint(&builder, "]") -+ ci.log.AuditInfo(builder.String()) -+ } template.RevokedCertificates = rcs - diff --git a/patches/config_crl-storer.patch b/patches/config_crl-storer.patch new file mode 100644 index 0000000..7aef7ac --- /dev/null +++ b/patches/config_crl-storer.patch @@ -0,0 +1,15 @@ +diff --git a/test/config/crl-storer.json b/test/config/crl-storer.json +index 61f14d795..4896803c4 100644 +--- a/test/config/crl-storer.json ++++ b/test/config/crl-storer.json +@@ -15,9 +15,7 @@ + ] + }, + "issuerCerts": [ +- "/hierarchy/intermediate-cert-rsa-a.pem", +- "/hierarchy/intermediate-cert-rsa-b.pem", +- "/hierarchy/intermediate-cert-ecdsa-a.pem" ++ "/hierarchy/intermediate-cert-rsa-a.pem" + ], + "s3Endpoint": "http://localhost:7890", + "s3Region": "us-west-1", diff --git a/patches/contact-auditor_main.patch b/patches/contact-auditor_main.patch index 5812134..8451ada 100644 --- a/patches/contact-auditor_main.patch +++ b/patches/contact-auditor_main.patch @@ -2,7 +2,7 @@ diff --git a/cmd/contact-auditor/main.go b/cmd/contact-auditor/main.go index e595af47..b00458c5 100644 --- a/cmd/contact-auditor/main.go +++ b/cmd/contact-auditor/main.go -@@ -12,6 +12,7 @@ import ( +@@ -11,6 +11,7 @@ import ( "time" "github.com/letsencrypt/boulder/cmd" 
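Review bot: The rebased `if builder.Len() > 0` guard now wraps the final flush after the entry loop, which also means a CRL signed while nothing is pending in `builder` emits no AuditInfo line at all; if the builder is only seeded by the first revoked entry (not visible in this hunk), a zero-entry CRL leaves no trace in the signing audit trail. If the intent is just to avoid a stray `]` record, consider an else branch such as `ci.log.AuditInfo("GenerateCRL: no revoked entries in final batch")` so an empty CRL is still recorded. GenerateCRL starts and ends outside the hunk.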
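Review bot: The new config_crl-storer.patch trims `issuerCerts` to the rsa-a intermediate but leaves `"s3Endpoint": "http://localhost:7890"` and `"s3Region": "us-west-1"` as they are, and those are Boulder's integration-test stub values: a LabCA deployment that starts crl-storer will either fail to reach that endpoint or, if someone later points it at real object storage, push CRLs over plaintext HTTP. If crl-storer is not meant to run under LabCA (not visible here), a line in the patch header or install notes saying so would stop the next maintainer from wiring it up as-is; otherwise the endpoint should be made configurable with an `https://` default, in the same way the issuer path is rewritten by the install script. The patched file continues outside the hunk.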
@@ -10,8 +10,8 @@ index e595af47..b00458c5 100644 blog "github.com/letsencrypt/boulder/log" "github.com/letsencrypt/boulder/policy" "github.com/letsencrypt/boulder/sa" -@@ -49,9 +50,12 @@ func validateContacts(id int64, createdAt string, contacts []string) error { - fmt.Fprintf(&probsBuff, "%d\t%s\tvalidation\t%q\t%q\n", id, createdAt, contact, prob) +@@ -48,9 +49,12 @@ func validateContacts(id int64, createdAt string, contacts []string) error { + fmt.Fprintf(&probsBuff, "%d\t%s\tvalidation\t%q\t%q\t%q\n", id, createdAt, contact, prob, contacts) } + var pa *policy.AuthorityImpl diff --git a/patches/docker-compose.patch b/patches/docker-compose.patch index 1c13f04..9fc3ed8 100644 --- a/patches/docker-compose.patch +++ b/patches/docker-compose.patch @@ -3,7 +3,7 @@ index 0cd8c8dd..36619190 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -8,7 +8,7 @@ services: - image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.18.4_2022-07-20} + image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.18.4_2022-08-11} environment: FAKE_DNS: 10.77.77.77 - BOULDER_CONFIG_DIR: test/config diff --git a/patches/expiration-mailer_main.patch b/patches/expiration-mailer_main.patch index 484c2f1..25a1860 100644 --- a/patches/expiration-mailer_main.patch +++ b/patches/expiration-mailer_main.patch @@ -2,7 +2,7 @@ diff --git a/cmd/expiration-mailer/main.go b/cmd/expiration-mailer/main.go index 229f0ca4..c815a872 100644 --- a/cmd/expiration-mailer/main.go +++ b/cmd/expiration-mailer/main.go -@@ -23,6 +23,7 @@ import ( +@@ -22,6 +22,7 @@ import ( "github.com/jmhodges/clock" "google.golang.org/grpc" @@ -10,7 +10,7 @@ index 229f0ca4..c815a872 100644 "github.com/letsencrypt/boulder/cmd" "github.com/letsencrypt/boulder/core" corepb "github.com/letsencrypt/boulder/core/proto" -@@ -38,7 +39,7 @@ import ( +@@ -37,7 +38,7 @@ import ( ) const ( 
@@ -19,7 +19,7 @@ index 229f0ca4..c815a872 100644 ) type regStore interface { -@@ -507,6 +508,9 @@ type Config struct { +@@ -506,6 +507,9 @@ type Config struct { TLS cmd.TLSConfig SAService *cmd.GRPCClientConfig @@ -29,7 +29,7 @@ index 229f0ca4..c815a872 100644 // Path to a file containing a list of trusted root certificates for use // during the SMTP connection (as opposed to the gRPC connections). SMTPTrustedRootFile string -@@ -516,6 +520,12 @@ type Config struct { +@@ -515,6 +519,12 @@ type Config struct { Syslog cmd.SyslogConfig Beeline cmd.BeelineConfig @@ -42,7 +42,7 @@ index 229f0ca4..c815a872 100644 } func initStats(stats prometheus.Registerer) mailerStats { -@@ -643,6 +653,32 @@ func main() { +@@ -642,6 +652,32 @@ func main() { cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA") sac := sapb.NewStorageAuthorityClient(conn) @@ -74,8 +74,8 @@ index 229f0ca4..c815a872 100644 + var smtpRoots *x509.CertPool if c.Mailer.SMTPTrustedRootFile != "" { - pem, err := ioutil.ReadFile(c.Mailer.SMTPTrustedRootFile) -@@ -678,6 +714,7 @@ func main() { + pem, err := os.ReadFile(c.Mailer.SMTPTrustedRootFile) +@@ -677,6 +713,7 @@ func main() { c.Mailer.Username, smtpPassword, smtpRoots, diff --git a/patches/log-validator_main.patch b/patches/log-validator_main.patch index 818786a..c8d5337 100644 --- a/patches/log-validator_main.patch +++ b/patches/log-validator_main.patch @@ -2,7 +2,7 @@ diff --git a/cmd/log-validator/main.go b/cmd/log-validator/main.go index 24df67e90..565de0c3c 100644 --- a/cmd/log-validator/main.go +++ b/cmd/log-validator/main.go -@@ -65,8 +65,8 @@ func lineValid(text string) error { +@@ -64,8 +64,8 @@ func lineValid(text string) error { if strings.Contains(text, errorPrefix) { return nil } diff --git a/patches/notify-mailer_main.patch b/patches/notify-mailer_main.patch index 000594a..21f6eab 100644 --- a/patches/notify-mailer_main.patch +++ b/patches/notify-mailer_main.patch @@ -1,5 +1,5 @@ 
diff --git a/cmd/notify-mailer/main.go b/cmd/notify-mailer/main.go -index f281d85c..449845dc 100644 +index 34f07a9b..ed957946 100644 --- a/cmd/notify-mailer/main.go +++ b/cmd/notify-mailer/main.go @@ -36,6 +36,7 @@ type mailer struct { @@ -7,19 +7,19 @@ index f281d85c..449845dc 100644 targetRange interval sleepInterval time.Duration + pa *policy.AuthorityImpl + parallelSends uint } - // interval defines a range of email addresses to send to in alphabetical order. -@@ -171,7 +172,7 @@ func (m *mailer) run() error { - continue - } +@@ -200,7 +201,7 @@ func (m *mailer) run() error { + continue + } -- err := policy.ValidEmail(address) -+ err := m.pa.ValidEmail(address) - if err != nil { - m.log.Infof("Skipping %q due to policy violation: %s", address, err) - continue -@@ -472,7 +473,9 @@ type Config struct { +- err := policy.ValidEmail(w.address) ++ err := m.pa.ValidEmail(w.address) + if err != nil { + m.log.Infof("Skipping %q due to policy violation: %s", w.address, err) + continue +@@ -501,7 +502,9 @@ type Config struct { NotifyMailer struct { DB cmd.DBConfig cmd.SMTPConfig @@ -29,7 +29,7 @@ index f281d85c..449845dc 100644 Syslog cmd.SyslogConfig } -@@ -536,6 +539,14 @@ func main() { +@@ -569,6 +572,14 @@ func main() { log.Infof("While reading the recipient list file %s", probs) } @@ -44,7 +44,7 @@ index f281d85c..449845dc 100644 var mailClient bmail.Mailer if *dryRun { log.Infof("Starting %s in dry-run mode", cmd.VersionString()) -@@ -551,6 +562,7 @@ func main() { +@@ -584,6 +595,7 @@ func main() { cfg.NotifyMailer.Username, smtpPassword, nil, @@ -52,11 +52,11 @@ index f281d85c..449845dc 100644 *address, log, metrics.NoopRegisterer, -@@ -571,6 +583,7 @@ func main() { +@@ -604,6 +616,7 @@ func main() { end: *end, }, sleepInterval: *sleep, + pa: pa, + parallelSends: *parallelSends, } - err = m.run() diff --git a/patches/reloader_reloader.patch b/patches/reloader_reloader.patch index cfe0623..1a2415b 100644 --- a/patches/reloader_reloader.patch 
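Review bot: With this rebase `m.pa.ValidEmail(w.address)` is reached through a worker value `w` and `mailer` gains a `parallelSends uint` field, so the policy check is presumably now called from several goroutines at once; nothing in the hunk shows whether `policy.AuthorityImpl.ValidEmail` is safe for concurrent use, whereas the package-level `policy.ValidEmail` it replaced had no instance state. Confirm that any blocklist or reloaded state the method reads is guarded by a lock, or validate the recipient list once before the parallel send loop rather than per worker. Separately, `pa` is only wired via `pa: pa` in main, so a constructor that requires it, or `if m.pa == nil { return errors.New("notify-mailer: policy authority not configured") }` at the top of run(), would fail fast instead of panicking inside a worker. run() starts and ends outside the hunk.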
+++ b/patches/reloader_reloader.patch @@ -2,7 +2,7 @@ diff --git a/reloader/reloader.go b/reloader/reloader.go index d885af63..ab71babf 100644 --- a/reloader/reloader.go +++ b/reloader/reloader.go -@@ -9,7 +9,7 @@ import ( +@@ -8,7 +8,7 @@ import ( // Wrap time.Tick so we can override it in tests. var makeTicker = func() (func(), <-chan time.Time) { @@ -11,7 +11,7 @@ index d885af63..ab71babf 100644 return t.Stop, t.C } -@@ -55,8 +55,12 @@ func New(filename string, dataCallback func([]byte) error, errorCallback func(er +@@ -54,8 +54,12 @@ func New(filename string, dataCallback func([]byte) error, errorCallback func(er case <-tickChan: currentFileInfo, err := os.Stat(filename) if err != nil { diff --git a/patches/startservers.patch b/patches/startservers.patch index 5d5a6e6..008ba52 100644 --- a/patches/startservers.patch +++ b/patches/startservers.patch @@ -2,7 +2,7 @@ diff --git a/test/startservers.py b/test/startservers.py index 21ca6259..5b8847eb 100644 --- a/test/startservers.py +++ b/test/startservers.py -@@ -146,6 +146,9 @@ processes = [] +@@ -154,6 +154,9 @@ processes = [] challSrvProcess = None def setupHierarchy():