diff --git a/install b/install
index 9cc002d..62017e4 100755
--- a/install
+++ b/install
@@ -24,7 +24,7 @@ dockerComposeVersion="v2.5.0"
 labcaUrl="https://github.com/hakwerk/labca/"
 boulderUrl="https://github.com/letsencrypt/boulder/"
-boulderTag="release-2022-11-15"
+boulderTag="release-2022-12-05"
 # Feature flags
 flag_skip_redis=true
@@ -456,7 +456,7 @@ static_web() {
 local msg="Static web pages"
 msg_info "$msg"
- if [ -d /etc/nginx ]; then
+ if [ -d /etc/nginx ] && [ ! -d /etc/nginx.backup ]; then
 # Migrate cert from host nginx to dockerized nginx
 [ -d /home/labca/nginx_data/ssl ] || mkdir -p /home/labca/nginx_data/ssl
 [ -d /etc/nginx/ssl/ ] && mv /etc/nginx/ssl/* /home/labca/nginx_data/ssl/ || true
diff --git a/patches/bad-key-revoker_main.patch b/patches/bad-key-revoker_main.patch
index df000ce..9e8ec47 100644
--- a/patches/bad-key-revoker_main.patch
+++ b/patches/bad-key-revoker_main.patch
@@ -1,5 +1,5 @@
 diff --git a/cmd/bad-key-revoker/main.go b/cmd/bad-key-revoker/main.go
-index 066b69b8..d9e0b57e 100644
+index 8a199ca1..8e14561c 100644
 --- a/cmd/bad-key-revoker/main.go
 +++ b/cmd/bad-key-revoker/main.go
 @@ -14,6 +14,7 @@ import (
@@ -10,7 +10,7 @@ index 066b69b8..d9e0b57e 100644
 "github.com/letsencrypt/boulder/cmd"
 "github.com/letsencrypt/boulder/core"
 "github.com/letsencrypt/boulder/db"
-@@ -385,6 +386,9 @@ type Config struct {
+@@ -390,6 +391,9 @@ type Config struct {
 TLS cmd.TLSConfig
 RAService *cmd.GRPCClientConfig
@@ -20,7 +20,7 @@ index 066b69b8..d9e0b57e 100644
 // MaximumRevocations specifies the maximum number of certificates associated with
 // a key hash that bad-key-revoker will attempt to revoke. If the number of certificates
 // is higher than MaximumRevocations bad-key-revoker will error out and refuse to
-@@ -418,6 +422,12 @@ type Config struct {
+@@ -423,6 +427,12 @@ type Config struct {
 Syslog cmd.SyslogConfig
 Beeline cmd.BeelineConfig
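Review bot: The added `[ ! -d /etc/nginx.backup ]` guard turns the presence of a backup directory into the "already migrated" marker, but the hunk does not say so, and once that directory exists for any reason the move of /etc/nginx/ssl into /home/labca/nginx_data/ssl is skipped with no message. A comment above the if, `# Only migrate once: /etc/nginx.backup marks a host nginx that was already moved aside`, plus an `msg_info` in an else branch for the skipped case, would make a re-run's behaviour visible to the operator. static_web() continues past the hunk, so where /etc/nginx.backup is created is not visible here; I am assuming it is this same block, and if a previous run could leave that directory behind without finishing the move, the guard would hide that.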
@@ -33,7 +33,7 @@ index 066b69b8..d9e0b57e 100644
 }
 func main() {
-@@ -454,6 +464,32 @@ func main() {
+@@ -459,6 +469,32 @@ func main() {
 cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to RA")
 rac := rapb.NewRegistrationAuthorityClient(conn)
@@ -66,7 +66,7 @@ index 066b69b8..d9e0b57e 100644
 var smtpRoots *x509.CertPool
 if config.BadKeyRevoker.Mailer.SMTPTrustedRootFile != "" {
 pem, err := os.ReadFile(config.BadKeyRevoker.Mailer.SMTPTrustedRootFile)
-@@ -475,6 +511,7 @@ func main() {
+@@ -480,6 +516,7 @@ func main() {
 config.BadKeyRevoker.Mailer.Username,
 smtpPassword,
 smtpRoots,
diff --git a/patches/ocsp-responder_main.patch b/patches/ocsp-responder_main.patch
index 13fffe1..88e3c58 100644
--- a/patches/ocsp-responder_main.patch
+++ b/patches/ocsp-responder_main.patch
@@ -1,5 +1,5 @@
 diff --git a/cmd/ocsp-responder/main.go b/cmd/ocsp-responder/main.go
-index c50b8709..c2557ff2 100644
+index e70db31b..ddab5d45 100644
 --- a/cmd/ocsp-responder/main.go
 +++ b/cmd/ocsp-responder/main.go
 @@ -166,42 +166,44 @@ as generated by Boulder's ceremony command.
@@ -34,11 +34,11 @@ index c50b8709..c2557ff2 100644
 - rocspSource, err := redis_responder.NewRedisSource(rocspReader, liveSource, liveSigningPeriod, clk, scope, logger)
 - cmd.FailOnError(err, "Could not create redis source")
 -
-- var sac sapb.StorageAuthorityClient
 - if c.OCSPResponder.SAService != nil {
 - saConn, err := bgrpc.ClientSetup(c.OCSPResponder.SAService, tlsConfig, scope, clk)
 - cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA")
-- sac = sapb.NewStorageAuthorityClient(saConn)
+- sac = sapb.NewStorageAuthorityReadOnlyClient(saConn)
 + if c.OCSPResponder.Redis.Addrs != nil {
 + // Set up the redis source and the combined multiplex source.
 + rocspReader, err := rocsp_config.MakeClient(&c.OCSPResponder.Redis, clk, scope)
@@ -68,11 +68,11 @@ index c50b8709..c2557ff2 100644
 + rocspSource, err := redis_responder.NewRedisSource(rocspReader, liveSource, liveSigningPeriod, clk, scope, logger)
 + cmd.FailOnError(err, "Could not create redis source")
 +
-+ var sac sapb.StorageAuthorityClient
++ var sac sapb.StorageAuthorityReadOnlyClient
 + if c.OCSPResponder.SAService != nil {
 + saConn, err := bgrpc.ClientSetup(c.OCSPResponder.SAService, tlsConfig, scope, clk)
 + cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA")
-+ sac = sapb.NewStorageAuthorityClient(saConn)
++ sac = sapb.NewStorageAuthorityReadOnlyClient(saConn)
 + }
 + source, err = redis_responder.NewCheckedRedisSource(rocspSource, dbMap, sac, scope, logger)
 + cmd.FailOnError(err, "Could not create checkedRedis source")
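Review bot: The switch to `sapb.StorageAuthorityReadOnlyClient` here and in the parallel `@@ -34,11 +34,11 @@` hunk presumably narrows the responder to read-only SA access, which is the right direction, but the nil path stays undocumented: when `c.OCSPResponder.SAService` is nil, `sac` is handed to `redis_responder.NewCheckedRedisSource` as a nil interface, and whether that constructor tolerates it is not visible in this patch. A one-line comment above the declaration, `// nil when no SAService is configured — confirm NewCheckedRedisSource accepts a nil client`, or a `cmd.FailOnError` when Redis is configured without an SA, would make the contract explicit. The enclosing `if c.OCSPResponder.Redis.Addrs != nil` block starts outside this hunk. As displayed here the `@@ -34,11 +34,11 @@` hunk shows two removed lines but only one added, so its `+- var sac sapb.StorageAuthorityReadOnlyClient` counterpart may have been lost in rendering; worth confirming the patch file still applies cleanly.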