From 780c10daeb9035a25e4353fc9aa3b6ef4aeec132 Mon Sep 17 00:00:00 2001
From: Arjan H
Date: Wed, 26 Oct 2022 20:38:34 +0200
Subject: [PATCH] Bump boulder version to release-2022-10-25
---
 gui/apply-boulder | 6 ++-
 install | 2 +-
 patch-cfg.sh | 4 ++
 patch.sh | 1 +
 patches/ca_crl.patch | 30 ++++++++++-
 patches/config_ocsp-responder.patch | 4 +-
 patches/docker-compose-redis.patch | 10 ++--
 patches/docker-compose.patch | 18 +++---
 patches/ocsp-responder_main.patch | 84 +++++++++++++++++++++++++++++
 patches/ra_ra.patch | 4 +-
 10 files changed, 140 insertions(+), 23 deletions(-)
 create mode 100644 patches/ocsp-responder_main.patch
diff --git a/gui/apply-boulder b/gui/apply-boulder
index 2ba7f78..8e84f0e 100755
--- a/gui/apply-boulder
+++ b/gui/apply-boulder
@@ -64,14 +64,16 @@ if [ "$PKI_DOMAIN_MODE" == "lockdown" ] || [ "$PKI_DOMAIN_MODE" == "whitelist" ] cat rate-limit-policies.yml | tr '\n' '\r' | sed -e "s|\(certificatesPerFQDNSet:.*must-staple.le.wtf: 10000\).*\(certificatesPerFQDNSetFast:.*\)|\1\n${REPLACEMENT}rateLimitsURL: http://$PKI_FQDN/rate-limits\n\2|" | tr '\r' '\n' > rate-limit-policies.yml.bak && mv rate-limit-policies.yml.bak rate-limit-policies.yml fi -perl -i -p0e "s/(\"maxNames\": [^\n]*).*?(\s+)(\"lifespanOCSP\":)/\1\2\"lifespanCRL\": \"96h\",\2\3/igs" config/ca-a.json -perl -i -p0e "s/(\"maxNames\": [^\n]*).*?(\s+)(\"lifespanOCSP\":)/\1\2\"lifespanCRL\": \"96h\",\2\3/igs" config/ca-b.json +sed -i -e "s/\"lifespanCRL\": \".*\"/\"lifespanCRL\": \"96h\"/" config/ca-a.json +sed -i -e "s/\"lifespanCRL\": \".*\"/\"lifespanCRL\": \"96h\"/" config/ca-b.json sed -i -e "s/\"ocspMinTimeToExpiry\": \".*\"/\"ocspMinTimeToExpiry\": \"48h\"/" config/ocsp-updater.json sed -i -e "s|\"issuerURL\": \".*\"|\"issuerURL\": \"http://$PKI_FQDN/aia/issuer/$PKI_ISSUER_NAME_ID\"|" config/ca-a.json sed -i -e "s|\"issuerURL\": \".*\"|\"issuerURL\": \"http://$PKI_FQDN/aia/issuer/$PKI_ISSUER_NAME_ID\"|" config/ca-b.json sed -i -e "s|\"crlURL\": \".*\"|\"crlURL\": \"http://$PKI_FQDN/crl/$PKI_ISSUER_NAME_ID.crl\"|" config/ca-a.json sed -i -e "s|\"crlURL\": \".*\"|\"crlURL\": \"http://$PKI_FQDN/crl/$PKI_ISSUER_NAME_ID.crl\"|" config/ca-b.json +sed -i -e "s|\"crldpBase\": \".*\"|\"crldpBase\": \"http://$PKI_FQDN/crl\"|" config/ca-a.json +sed -i -e "s|\"crldpBase\": \".*\"|\"crldpBase\": \"http://$PKI_FQDN/crl\"|" config/ca-b.json if [ "$PKI_EXTENDED_TIMEOUT" == "1" ]; then sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/ca-a.json diff --git a/install b/install index 756f393..42e837b 100755 --- a/install +++ b/install 
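Review bot: The two new `sed` lines for `lifespanCRL`, like the two `crldpBase` lines added further down, only rewrite a key that already exists in `config/ca-a.json`/`ca-b.json`, whereas the `perl` they replace inserted the key after `"maxNames"` when it was missing; if the pinned release's config lacks or renames either key, the command is a silent no-op and the CA keeps the upstream value. As its name and the neighbouring `crlURL` line suggest, `crldpBase` is presumably what the CA embeds as the CRL Distribution Point base in issued certificates, so a miss there would leave certificates pointing at the upstream test URL instead of `http://$PKI_FQDN/crl`. A one-line post-check per key makes that visible, e.g. `grep -q "\"crldpBase\": \"http://$PKI_FQDN/crl\"" config/ca-a.json || { echo "crldpBase not set in config/ca-a.json" >&2; exit 1; }`. The script continues outside the hunk on both sides.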
@@ -24,7 +24,7 @@ dockerComposeVersion="v2.5.0" labcaUrl="https://github.com/hakwerk/labca/" boulderUrl="https://github.com/letsencrypt/boulder/" -boulderTag="release-2022-10-17" +boulderTag="release-2022-10-25" # Feature flags flag_skip_redis=true diff --git a/patch-cfg.sh b/patch-cfg.sh index 972d1a0..44d580f 100755 --- a/patch-cfg.sh +++ b/patch-cfg.sh @@ -2,6 +2,7 @@ set -e +flag_skip_redis=true cloneDir=$(dirname $0) # For legacy mode, when called from the install script... @@ -33,3 +34,6 @@ perl -i -p0e "s/\"dnsResolver\": \"service.consul\",/\"dnsResolvers\": [\n perl -i -p0e "s/\"dnsResolver\": \"service.consul\",/\"dnsResolvers\": [\n \"127.0.0.1:8053\",\n \"127.0.0.1:8054\"\n ],/igs" $boulderLabCADir/config/va-remote-a.json perl -i -p0e "s/\"dnsResolver\": \"service.consul\",/\"dnsResolvers\": [\n \"127.0.0.1:8053\",\n \"127.0.0.1:8054\"\n ],/igs" $boulderLabCADir/config/va-remote-b.json +if [ "$flag_skip_redis" == true ]; then + perl -i -p0e "s/\n \"redis\": \{\n.*? \},//igs" $boulderLabCADir/config/ocsp-responder.json +fi diff --git a/patch.sh b/patch.sh index 8e4c889..9fd9f7e 100755 --- a/patch.sh +++ b/patch.sh @@ -30,6 +30,7 @@ $SUDO patch -p1 < $cloneDir/patches/log-validator_main.patch $SUDO patch -p1 < $cloneDir/patches/mail_mailer.patch $SUDO patch -p1 < $cloneDir/patches/makefile.patch $SUDO patch -p1 < $cloneDir/patches/notify-mailer_main.patch +$SUDO patch -p1 < $cloneDir/patches/ocsp-responder_main.patch $SUDO patch -p1 < $cloneDir/patches/policy_pa.patch $SUDO patch -p1 < $cloneDir/patches/ra_ra.patch $SUDO patch -p1 < $cloneDir/patches/ratelimit_rate-limits.patch diff --git a/patches/ca_crl.patch b/patches/ca_crl.patch index c9b1fac..32dd082 100644 --- a/patches/ca_crl.patch +++ b/patches/ca_crl.patch @@ -1,8 +1,17 @@ diff --git a/ca/crl.go b/ca/crl.go -index 99eb57b5..91e10a40 100644 +index 8600fe58..e15ff35a 100644 --- a/ca/crl.go 
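Review bot: In the first patch-cfg.sh hunk, the new `flag_skip_redis=true` is an unconditional second copy of the flag that `install` already defines (visible in the install hunk above), so the two can drift apart and any value a caller sets is overwritten; `flag_skip_redis=${flag_skip_redis:-true}` keeps the default while honouring the caller. The `perl -i -p0e "s/\n \"redis\": \{\n.*? \},//igs"` added in the second patch-cfg.sh hunk depends on the exact whitespace and key order of upstream `ocsp-responder.json` and does nothing when they change; with the `Redis.Addrs != nil` guard this commit adds to the responder, a leftover `redis` block means the responder still tries to reach a Redis that the compose file no longer starts. A check after the perl, e.g. `grep -q '"redis"' $boulderLabCADir/config/ocsp-responder.json && { echo "redis block still present in ocsp-responder.json" >&2; exit 1; }`, would surface that at patch time instead of at container start.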
+++ b/ca/crl.go -@@ -127,8 +127,10 @@ func (ci *crlImpl) GenerateCRL(stream capb.CRLGenerator_GenerateCRLServer) error +@@ -117,7 +117,7 @@ func (ci *crlImpl) GenerateCRL(stream capb.CRLGenerator_GenerateCRLServer) error + } + + // Add the Issuing Distribution Point extension. +- idp, err := makeIDPExt(ci.idpBase, issuer.Cert.NameID(), shard) ++ idp, err := makeIDPExt(ci.idpBase, issuer.Cert.NameID()) + if err != nil { + return fmt.Errorf("creating IDP extension: %w", err) + } +@@ -150,8 +150,10 @@ func (ci *crlImpl) GenerateCRL(stream capb.CRLGenerator_GenerateCRLServer) error builder = strings.Builder{} } } @@ -15,3 +24,20 @@ index 99eb57b5..91e10a40 100644 } template.RevokedCertificates = rcs +@@ -256,14 +258,14 @@ type issuingDistributionPoint struct { + // makeIDPExt returns a critical IssuingDistributionPoint extension containing a + // URI built from the base url, the issuer's NameID, and the shard number. It + // also sets the OnlyContainsUserCerts boolean to true. +-func makeIDPExt(base string, issuer issuance.IssuerNameID, shardIdx int64) (*pkix.Extension, error) { ++func makeIDPExt(base string, issuer issuance.IssuerNameID) (*pkix.Extension, error) { + val := issuingDistributionPoint{ + DistributionPoint: distributionPointName{ + []asn1.RawValue{ // GeneralNames + { // GeneralName + Class: 2, // context-specific + Tag: 6, // uniformResourceIdentifier, IA5String +- Bytes: []byte(fmt.Sprintf("%s/%d/%d.crl", base, issuer, shardIdx)), ++ Bytes: []byte(fmt.Sprintf("%s/%d.crl", base, issuer)), + }, + }, + }, diff --git a/patches/config_ocsp-responder.patch b/patches/config_ocsp-responder.patch index a2cbc7d..eb08594 100644 --- a/patches/config_ocsp-responder.patch +++ b/patches/config_ocsp-responder.patch @@ -2,7 +2,7 @@ diff --git a/test/config/ocsp-responder.json b/test/config/ocsp-responder.json index ed874d3..a1a78f3 100644 --- a/test/config/ocsp-responder.json 
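Review bot: The inner hunk at `@@ -256,14 +258,14 @@` drops the `shardIdx` parameter from `makeIDPExt` but carries its doc comment unchanged as context, so the comment still says the URI is built from "the base url, the issuer's NameID, and the shard number"; the patch should update it in the same hunk, e.g. `// makeIDPExt returns a critical IssuingDistributionPoint extension containing a` / `// URI built from the base url and the issuer's NameID. It also sets the` / `// OnlyContainsUserCerts boolean to true.`. The companion change in the first ca_crl.patch hunk, `makeIDPExt(ci.idpBase, issuer.Cert.NameID())` inside GenerateCRL, means every shard of one issuer now carries the same IDP URI and the same `<NameID>.crl` name; that is only sound if each CRL the updater produces covers the issuer's whole revocation set, because an IDP matching the certificate's CRLDP tells a relying party the CRL is complete for that distribution point. Presumably LabCA runs a single unsharded CRL per issuer; a short comment at the call site stating that assumption would make the dependency explicit. The GenerateCRL body around the call is outside the hunk.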
+++ b/test/config/ocsp-responder.json -@@ -7,9 +7,7 @@ +@@ -44,9 +44,7 @@ "path": "/", "listenAddress": "0.0.0.0:4002", "issuerCerts": [ @@ -11,5 +11,5 @@ index ed874d3..a1a78f3 100644 - "/hierarchy/intermediate-cert-ecdsa-a.pem" + "/hierarchy/intermediate-cert-rsa-a.pem" ], + "liveSigningPeriod": "60h", "timeout": "4.9s", - "shutdownStopTimeout": "10s", diff --git a/patches/docker-compose-redis.patch b/patches/docker-compose-redis.patch index 9445fac..1a479d6 100644 --- a/patches/docker-compose-redis.patch +++ b/patches/docker-compose-redis.patch @@ -1,8 +1,8 @@ diff --git a/docker-compose.yml b/docker-compose.yml -index 52ccecabd..819611f8c 100644 +index 02460285..ddde0231 100644 --- a/docker-compose.yml +++ b/docker-compose.yml -@@ -25,8 +25,6 @@ services: +@@ -24,8 +24,6 @@ services: ipv4_address: 10.77.77.77 rednet: ipv4_address: 10.88.88.88 @@ -11,7 +11,7 @@ index 52ccecabd..819611f8c 100644 consulnet: ipv4_address: 10.55.55.55 extra_hosts: -@@ -44,7 +42,6 @@ services: +@@ -43,7 +41,6 @@ services: - 4003:4003 # OCSP depends_on: - bmysql @@ -19,7 +19,7 @@ index 52ccecabd..819611f8c 100644 - bconsul entrypoint: test/entrypoint.sh working_dir: &boulder_working_dir /boulder -@@ -66,79 +63,6 @@ services: +@@ -65,79 +62,6 @@ services: logging: driver: none @@ -99,7 +99,7 @@ index 52ccecabd..819611f8c 100644 bconsul: image: hashicorp/consul:1.13.1 volumes: -@@ -175,13 +99,6 @@ networks: +@@ -174,13 +98,6 @@ networks: config: - subnet: 10.88.88.0/24 diff --git a/patches/docker-compose.patch b/patches/docker-compose.patch index fe13a88..a157e6b 100644 --- a/patches/docker-compose.patch +++ b/patches/docker-compose.patch @@ -1,18 +1,18 @@ diff --git a/docker-compose.yml b/docker-compose.yml -index 819611f8c..3da7d454e 100644 +index ddde0231..b06711b7 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -8,7 +8,7 @@ services: - image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.18.6_2022-09-06} + image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.19.2_2022-10-05} environment: FAKE_DNS: 10.77.77.77 - BOULDER_CONFIG_DIR: test/config + BOULDER_CONFIG_DIR: labca/config GOFLAGS: -mod=vendor - # Go 1.18 turns off SHA-1 validation on CSRs (and certs, but that doesn't - # affect us). It also turns off TLS 1.0 and TLS 1.1. Temporarily go back -@@ -17,6 +17,8 @@ services: - GODEBUG: x509sha1=1,tls10default=1 + # Go 1.18 turned off SHA-1 validation on CSRs (and certs, but that doesn't + # affect us) by default, but it can be turned back on with the x509sha1 +@@ -16,6 +16,8 @@ services: + GODEBUG: x509sha1=1 volumes: - .:/boulder:cached + - /home/labca/boulder_labca:/boulder/labca @@ -20,7 +20,7 @@ index 819611f8c..3da7d454e 100644 - ./.gocache:/root/.cache/go-build:cached - ./.hierarchy:/hierarchy/:cached - ./.softhsm-tokens/:/var/lib/softhsm/tokens/:cached -@@ -36,18 +38,26 @@ services: +@@ -35,18 +37,26 @@ services: # IP (running consul). # (https://docs.docker.com/config/containers/container-networking/#dns-services). dns: 10.55.55.10 @@ -52,7 +52,7 @@ index 819611f8c..3da7d454e 100644 networks: bluenet: aliases: -@@ -61,7 +71,11 @@ services: +@@ -60,7 +70,11 @@ services: # small. command: mysqld --bind-address=0.0.0.0 --slow-query-log --log-output=TABLE --log-queries-not-using-indexes=ON logging: @@ -65,7 +65,7 @@ index 819611f8c..3da7d454e 100644 bconsul: image: hashicorp/consul:1.13.1 -@@ -72,18 +86,68 @@ services: +@@ -71,18 +85,68 @@ services: ipv4_address: 10.55.55.10 command: "consul agent -dev -config-format=hcl -config-file=/test/consul/config.hcl" diff --git a/patches/ocsp-responder_main.patch b/patches/ocsp-responder_main.patch new file mode 100644 index 0000000..da80273 --- /dev/null +++ b/patches/ocsp-responder_main.patch 
@@ -0,0 +1,84 @@ +diff --git a/cmd/ocsp-responder/main.go b/cmd/ocsp-responder/main.go +index f23cf2ad..c5aa7917 100644 +--- a/cmd/ocsp-responder/main.go ++++ b/cmd/ocsp-responder/main.go +@@ -166,42 +166,44 @@ as generated by Boulder's ceremony command. + dbMap, err := sa.InitWrappedDb(config.DB, stats, logger) + cmd.FailOnError(err, "While initializing dbMap") + +- // Set up the redis source and the combined multiplex source. +- rocspReader, err := rocsp_config.MakeClient(&c.OCSPResponder.Redis, clk, stats) +- cmd.FailOnError(err, "Could not make redis client") +- +- err = rocspReader.Ping(context.Background()) +- cmd.FailOnError(err, "pinging Redis") +- +- liveSigningPeriod := c.OCSPResponder.LiveSigningPeriod.Duration +- if liveSigningPeriod == 0 { +- liveSigningPeriod = 60 * time.Hour +- } +- +- tlsConfig, err := c.OCSPResponder.TLS.Load() +- cmd.FailOnError(err, "TLS config") +- clientMetrics := bgrpc.NewClientMetrics(stats) +- raConn, err := bgrpc.ClientSetup(c.OCSPResponder.RAService, tlsConfig, clientMetrics, clk) +- cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to RA") +- rac := rapb.NewRegistrationAuthorityClient(raConn) +- +- maxInflight := c.OCSPResponder.MaxInflightSignings +- if maxInflight == 0 { +- maxInflight = 1000 +- } +- liveSource := live.New(rac, int64(maxInflight)) +- +- rocspSource, err := redis_responder.NewRedisSource(rocspReader, liveSource, liveSigningPeriod, clk, stats, logger) +- cmd.FailOnError(err, "Could not create redis source") +- +- var sac sapb.StorageAuthorityClient +- if c.OCSPResponder.SAService != nil { +- saConn, err := bgrpc.ClientSetup(c.OCSPResponder.SAService, tlsConfig, clientMetrics, clk) +- cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA") +- sac = sapb.NewStorageAuthorityClient(saConn) ++ if c.OCSPResponder.Redis.Addrs != nil { ++ // Set up the redis source and the combined multiplex source. 
++ rocspReader, err := rocsp_config.MakeClient(&c.OCSPResponder.Redis, clk, stats) ++ cmd.FailOnError(err, "Could not make redis client") ++ ++ err = rocspReader.Ping(context.Background()) ++ cmd.FailOnError(err, "pinging Redis") ++ ++ liveSigningPeriod := c.OCSPResponder.LiveSigningPeriod.Duration ++ if liveSigningPeriod == 0 { ++ liveSigningPeriod = 60 * time.Hour ++ } ++ ++ tlsConfig, err := c.OCSPResponder.TLS.Load() ++ cmd.FailOnError(err, "TLS config") ++ clientMetrics := bgrpc.NewClientMetrics(stats) ++ raConn, err := bgrpc.ClientSetup(c.OCSPResponder.RAService, tlsConfig, clientMetrics, clk) ++ cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to RA") ++ rac := rapb.NewRegistrationAuthorityClient(raConn) ++ ++ maxInflight := c.OCSPResponder.MaxInflightSignings ++ if maxInflight == 0 { ++ maxInflight = 1000 ++ } ++ liveSource := live.New(rac, int64(maxInflight)) ++ ++ rocspSource, err := redis_responder.NewRedisSource(rocspReader, liveSource, liveSigningPeriod, clk, stats, logger) ++ cmd.FailOnError(err, "Could not create redis source") ++ ++ var sac sapb.StorageAuthorityClient ++ if c.OCSPResponder.SAService != nil { ++ saConn, err := bgrpc.ClientSetup(c.OCSPResponder.SAService, tlsConfig, clientMetrics, clk) ++ cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA") ++ sac = sapb.NewStorageAuthorityClient(saConn) ++ } ++ source, err = redis_responder.NewCheckedRedisSource(rocspSource, dbMap, sac, stats, logger) ++ cmd.FailOnError(err, "Could not create checkedRedis source") + } +- source, err = redis_responder.NewCheckedRedisSource(rocspSource, dbMap, sac, stats, logger) +- cmd.FailOnError(err, "Could not create checkedRedis source") + + // Load the certificate from the file path. + issuerCerts := make([]*issuance.Certificate, len(c.OCSPResponder.IssuerCerts)) diff --git a/patches/ra_ra.patch b/patches/ra_ra.patch index ac935e1..dc96a64 100644 --- a/patches/ra_ra.patch +++ b/patches/ra_ra.patch 
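Review bot: The new guard `if c.OCSPResponder.Redis.Addrs != nil {` distinguishes a nil slice from an empty one, so a config that spells the field as an empty list (or whatever the perl in patch-cfg.sh leaves behind when its pattern misses) still enters the branch and `rocspReader.Ping` then aborts startup; `if len(c.OCSPResponder.Redis.Addrs) > 0 {` expresses the intent directly. Because `source, err = redis_responder.NewCheckedRedisSource(...)` is the only assignment to `source` visible in this hunk, skipping the branch leaves `source` at whatever it was set to earlier in main, which is outside the hunk — if that is not already a DB-backed source, the responder would start with a nil source. A comment on the `if` stating what serves responses when Redis is disabled, and that live signing via the RA is disabled as well since `rac` and `liveSource` are now scoped inside the branch, would document the trade-off; the enclosing `main` starts and ends outside the hunk.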
@@ -1,5 +1,5 @@ diff --git a/ra/ra.go b/ra/ra.go -index 5edbd8d5b..5022c1a93 100644 +index dd15485e..24e3a4da 100644 --- a/ra/ra.go +++ b/ra/ra.go @@ -32,7 +32,6 @@ import ( @@ -10,7 +10,7 @@ index 5edbd8d5b..5022c1a93 100644 "github.com/letsencrypt/boulder/probs" pubpb "github.com/letsencrypt/boulder/publisher/proto" rapb "github.com/letsencrypt/boulder/ra/proto" -@@ -476,7 +475,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error { +@@ -477,7 +476,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error { contact, ) }