diff --git a/build/build.sh b/build/build.sh index 97db010..3623bd5 100755 --- a/build/build.sh +++ b/build/build.sh @@ -8,7 +8,7 @@ TMP_DIR=$(pwd)/tmp rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src} boulderDir=$TMP_DIR/src -boulderTag="v0.20251021.0" +boulderTag="v0.20251110.0" boulderUrl="https://github.com/letsencrypt/boulder/" cloneDir=$(pwd)/.. diff --git a/build/docker-compose.yml b/build/docker-compose.yml index c916a19..a09f3b0 100644 --- a/build/docker-compose.yml +++ b/build/docker-compose.yml @@ -94,7 +94,7 @@ services: bash -c "sleep 20 && mysql_upgrade -h bmysql" bredis: - image: redis:6.2.7 + image: redis:7.0.15 volumes: - ./test/:/test/:cached - boulder_data:/opt/boulder/labca @@ -106,7 +106,7 @@ services: restart: always bconsul: - image: hashicorp/consul:1.15.4 + image: hashicorp/consul:1.19.2 depends_on: - control volumes: diff --git a/build/tag_and_upload.sh b/build/tag_and_upload.sh index 7e7140c..d695b6b 100755 --- a/build/tag_and_upload.sh +++ b/build/tag_and_upload.sh @@ -29,8 +29,13 @@ die() { [ -f "tmp/labca-gui" ] || die "LabCA binary does not exist!" docker build -f Dockerfile-gui -t $LABCA_GUI_TAG . +field=3 +if [ $(docker images | grep "DISK USAGE" | wc -l) != "0" ]; then + field=2 +fi + if [ "$BRANCH" == "master" ] || [ "$BRANCH" == "main" ]; then - ID="$(docker images | grep "${REPO_BASE}-gui" | grep -v latest | head -n 1 | awk '{print $3}')" + ID="$(docker images | grep "${REPO_BASE}-gui" | grep -v latest | head -n 1 | awk -v f="$field" '{print $f}')" docker tag "$ID" $LABCA_GUI_LATEST fi 
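Review bot: The new `field` probe still locates the image ID by scraping the human-readable `docker images` table — grepping for a header string and then picking a column — so it fixes one CLI format change while staying exposed to the next one. The lookup can go away entirely, because `$LABCA_GUI_TAG` is the name:tag that `docker build -t` just produced: `docker tag "$LABCA_GUI_TAG" "$LABCA_GUI_LATEST"`, or if the ID is really wanted, `ID="$(docker images --format '{{.ID}}' "$LABCA_GUI_TAG")"`, neither of which depends on column order or on a substring `grep` that also matches any repository containing `${REPO_BASE}-gui`. Whichever form stays, `ID` should be verified before use, e.g. `[ -n "$ID" ] || die "no image found for ${REPO_BASE}-gui"`, since an empty match currently falls through to a failing `docker tag` whose exit status is never checked. The same applies to the boulder and control blocks in the next hunk.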
@@ -39,14 +44,14 @@ cnt=$(ls -1 tmp/bin | wc -l) docker build -f Dockerfile-boulder -t $LABCA_BOULDER_TAG . if [ "$BRANCH" == "master" ] || [ "$BRANCH" == "main" ]; then - ID="$(docker images | grep "${REPO_BASE}-boulder" | grep -v latest | head -n 1 | awk '{print $3}')" + ID="$(docker images | grep "${REPO_BASE}-boulder" | grep -v latest | head -n 1 | awk -v f="$field" '{print $f}')" docker tag "$ID" $LABCA_BOULDER_LATEST fi docker build -f Dockerfile-control -t $LABCA_CONTROL_TAG . if [ "$BRANCH" == "master" ] || [ "$BRANCH" == "main" ]; then - ID="$(docker images | grep "${REPO_BASE}-control" | grep -v latest | head -n 1 | awk '{print $3}')" + ID="$(docker images | grep "${REPO_BASE}-control" | grep -v latest | head -n 1 | awk -v f="$field" '{print $f}')" docker tag "$ID" $LABCA_CONTROL_LATEST fi diff --git a/build/tmp.patch b/build/tmp.patch index d0ed895..dc1d826 100644 --- a/build/tmp.patch +++ b/build/tmp.patch @@ -50,7 +50,7 @@ index c0c7fc838..fd9a67f35 100644 + bash -c "sleep 20 && mysql_upgrade -h bmysql" + bredis: - image: redis:6.2.7 + image: redis:7.0.15 volumes: - ./test/:/test/:cached - - /home/labca/boulder_labca:/opt/boulder/labca diff --git a/install b/install index e1c7e61..b59dc7d 100755 --- a/install +++ b/install @@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0" labcaUrl="https://github.com/hakwerk/labca/" boulderUrl="https://github.com/letsencrypt/boulder/" -boulderTag="v0.20251021.0" +boulderTag="v0.20251110.0" # # Color configuration @@ -871,7 +871,9 @@ main() { local curdir="$PWD" echo - check_dockeronly + if [[ "$0" == *" -t"* ]]; then + check_dockeronly + fi start_temporary_log check_root 
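Review bot: `[[ "$0" == *" -t"* ]]` tests the script's own path, not its arguments — in bash `$0` is the name the script was invoked as — so unless the installer is wrapped in a way that puts the whole command line into `$0` (not visible here), the condition is false for a plain `./install -t` and `check_dockeronly` is silently skipped for everyone. The positional parameters are presumably what was meant, e.g. `if [[ " $* " == *" -t "* ]]; then`, or better a flag variable set by the script's option parsing so the decision does not rest on string-matching argv. A one-line comment on what `-t` selects and why the docker-only check is tied to it would help too. main() continues outside the hunk.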
@@ -913,7 +915,8 @@ main() { msg_info "$msg" build/tag_and_upload.sh &>>$installLog || msg_fatal "Could not tag (and upload) docker images!" msg_ok "$msg" - msg_ok "That's it for now!" + sed -i -e "s|ghcr.io/hakwerk/|hakwerk/|" build/docker-compose.yml &>>$installLog + msg_ok "That's it for now! - don't forget to 'export LABCA_FQDN=$(hostname -f)'" exit 0 fi diff --git a/patches/bdns_dns.patch b/patches/bdns_dns.patch index f0ff169..9d2744c 100644 --- a/patches/bdns_dns.patch +++ b/patches/bdns_dns.patch @@ -1,16 +1,16 @@ diff --git a/bdns/dns.go b/bdns/dns.go -index 5d297f3ef..9eabf1239 100644 +index 5fee207b8..f147da8e9 100644 --- a/bdns/dns.go +++ b/bdns/dns.go -@@ -21,6 +21,7 @@ import ( - "github.com/miekg/dns" +@@ -20,6 +20,7 @@ import ( "github.com/prometheus/client_golang/prometheus" + "github.com/prometheus/client_golang/prometheus/promauto" + "github.com/letsencrypt/boulder/features" "github.com/letsencrypt/boulder/iana" blog "github.com/letsencrypt/boulder/log" "github.com/letsencrypt/boulder/metrics" -@@ -77,22 +78,30 @@ func New( +@@ -75,22 +76,30 @@ func New( ) Client { var client exchanger 
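Review bot: The added `sed -i -e "s|ghcr.io/hakwerk/|hakwerk/|" build/docker-compose.yml` has its result swallowed into `$installLog` with no failure handling, whereas the `build/tag_and_upload.sh` line right above ends in `|| msg_fatal`; if the rewrite fails or the file has moved, compose will later pull the published `ghcr.io/hakwerk/*` images instead of the ones just built and tagged, which appears to be exactly what this step is meant to prevent. Append `|| msg_fatal "Could not point docker-compose.yml at the locally built images!"` and quote `"$installLog"`. A short comment above the line stating the intent (presumably: make compose resolve the locally tagged `hakwerk/*` images rather than the registry copies — confirm) would keep a future reader from treating it as a stray edit.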
@@ -56,20 +56,20 @@ index 5d297f3ef..9eabf1239 100644 + } } - queryTime := prometheus.NewHistogramVec( -@@ -273,10 +282,17 @@ func (dnsClient *impl) exchangeOne(ctx context.Context, hostname string, qtype u + queryTime := promauto.With(stats).NewHistogramVec( +@@ -260,10 +269,17 @@ func (dnsClient *impl) exchangeOne(ctx context.Context, hostname string, qtype u case r := <-ch: if r.err != nil { var isRetryable bool -- // According to the http package documentation, retryable -- // errors emitted by the http package are of type *url.Error. -- var urlErr *url.Error -- isRetryable = errors.As(r.err, &urlErr) && urlErr.Temporary() +- // Check if the error is a timeout error. Network errors +- // that can timeout implement the net.Error interface. +- var netErr net.Error +- isRetryable = errors.As(r.err, &netErr) && netErr.Timeout() + if features.Get().DOH { -+ // According to the http package documentation, retryable -+ // errors emitted by the http package are of type *url.Error. -+ var urlErr *url.Error -+ isRetryable = errors.As(r.err, &urlErr) && urlErr.Temporary() ++ // Check if the error is a timeout error. Network errors ++ // that can timeout implement the net.Error interface. ++ var netErr net.Error ++ isRetryable = errors.As(r.err, &netErr) && netErr.Timeout() + } else { + // According to the net package documentation, retryable + // errors emitted by the net package are of type *net.OpError. diff --git a/patches/boulder-ra_main.patch b/patches/boulder-ra_main.patch index a162022..6d931ef 100644 --- a/patches/boulder-ra_main.patch +++ b/patches/boulder-ra_main.patch @@ -1,8 +1,8 @@ diff --git a/cmd/boulder-ra/main.go b/cmd/boulder-ra/main.go -index dd30f78cd..a3b6c2e88 100644 +index 7d8b73dde..f37e1581e 100644 --- a/cmd/boulder-ra/main.go 
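Review bot: The patch keeps a `features.Get().DOH` split around retry classification, but the upstream check it now wraps in the DoH branch (`errors.As(r.err, &netErr) && netErr.Timeout()`) is not HTTP-specific: `net.Error` is implemented by the `*url.Error` the DoH client returns and by the `*net.OpError` plain UDP/TCP exchanges return, so the DoH branch and the `*net.OpError` branch that begins at the bottom of this hunk may now be classifying the same errors. If the non-DoH branch deliberately retries more than timeouts, say so where it begins, e.g. `// LabCA: for plain DNS, retry any *net.OpError, not only timeouts`; if it does not, the `if/else` can collapse back to the single upstream line and there is one hunk less to rebase next release. Either way this policy sits on the validation path and changes how long a failing challenge takes to conclude, so it deserves an explicit comment. exchangeOne starts and ends outside the hunk.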
+++ b/cmd/boulder-ra/main.go -@@ -268,6 +268,8 @@ func main() { +@@ -261,6 +261,8 @@ func main() { limiterRedis, err = bredis.NewRingFromConfig(*c.RA.Limiter.Redis, scope, logger) cmd.FailOnError(err, "Failed to create Redis ring") diff --git a/patches/boulder-va_main.patch b/patches/boulder-va_main.patch index 0d0f4af..81d8bb7 100644 --- a/patches/boulder-va_main.patch +++ b/patches/boulder-va_main.patch @@ -1,16 +1,16 @@ diff --git a/cmd/boulder-va/main.go b/cmd/boulder-va/main.go -index dd3fe9b39..5f6325f51 100644 +index fecf2ed7f..aa4d3320a 100644 --- a/cmd/boulder-va/main.go +++ b/cmd/boulder-va/main.go -@@ -54,6 +54,7 @@ type Config struct { - // Deprecated and ignored - MaxRemoteValidationFailures int `validate:"omitempty,min=0,required_with=RemoteVAs"` - Features features.Config -+ LabCADomains []string +@@ -58,6 +58,7 @@ type Config struct { + // Leaving this value zero means the VA won't early-cancel slow remotes. + SlowRemoteTimeout config.Duration + Features features.Config ++ LabCADomains []string } Syslog cmd.SyslogConfig -@@ -83,12 +84,16 @@ func main() { +@@ -87,12 +88,16 @@ func main() { clk := clock.New() var servers bdns.ServerProvider @@ -28,13 +28,11 @@ index dd3fe9b39..5f6325f51 100644 cmd.FailOnError(err, "Couldn't start dynamic DNS server resolver") } defer servers.Stop() -@@ -149,7 +154,8 @@ func main() { - c.VA.AccountURIPrefixes, +@@ -154,6 +159,7 @@ func main() { va.PrimaryPerspective, "", -- iana.IsReservedAddr) -+ iana.IsReservedAddr, -+ c.VA.LabCADomains) + iana.IsReservedAddr, ++ c.VA.LabCADomains, + c.VA.SlowRemoteTimeout.Duration, + ) cmd.FailOnError(err, "Unable to create VA server") - - start, err := bgrpc.NewServer(c.VA.GRPC, logger).Add( diff --git a/patches/ca_ca.patch b/patches/ca_ca.patch index 56e39dc..2036482 100644 --- a/patches/ca_ca.patch +++ b/patches/ca_ca.patch @@ -1,17 +1,13 @@ diff --git a/ca/ca.go b/ca/ca.go -index 3b33991eb..b63f6a143 100644 +index a5890452f..3a62648c3 100644 --- a/ca/ca.go 
 +++ b/ca/ca.go
-@@ -164,10 +164,10 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) {
+@@ -192,7 +192,7 @@ func NewCertificateAuthorityImpl(
+ 
+ for _, keyAlg := range []x509.PublicKeyAlgorithm{x509.ECDSA, x509.RSA} {
+ if !issuableKeys[keyAlg] {
+- return nil, fmt.Errorf("no %s issuers configured", keyAlg)
++ fmt.Printf("WARNING: no %s issuers configured\n", keyAlg)
  }
  }
- if i, ok := issuersByAlg[x509.ECDSA]; !ok || len(i) == 0 {
-- return issuerMaps{}, errors.New("no ECDSA issuers configured")
-+ fmt.Println("WARNING: no ECDSA issuers configured")
- }
- if i, ok := issuersByAlg[x509.RSA]; !ok || len(i) == 0 {
-- return issuerMaps{}, errors.New("no RSA issuers configured")
-+ fmt.Println("WARNING: no RSA issuers configured")
- }
- return issuerMaps{issuersByAlg, issuersByNameID}, nil
- }
+ 
diff --git a/patches/ca_ca_keytype_hack.patch b/patches/ca_ca_keytype_hack.patch
index 508edca..5af49c8 100644
--- a/patches/ca_ca_keytype_hack.patch
+++ b/patches/ca_ca_keytype_hack.patch
@@ -1,21 +1,36 @@
 diff --git a/ca/ca.go b/ca/ca.go
-index b63f6a143..2ab73db94 100644
+index 3a62648c3..2cb8337ca 100644
 --- a/ca/ca.go
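Review bot: `fmt.Printf("WARNING: no %s issuers configured\n", keyAlg)` writes to stdout rather than through the CA's structured logger, so the warning carries no severity and will not reach wherever Boulder's log output is collected; assuming `NewCertificateAuthorityImpl` still receives a `blog.Logger` (not visible in this hunk), `logger.Warningf("LabCA: no %s issuers configured", keyAlg)` keeps the relaxed behaviour but makes it observable. The relaxation itself — starting a CA that cannot issue for one key algorithm — should carry a comment explaining why LabCA accepts it (presumably a lab with a single intermediate), otherwise the next rebase may either restore the upstream error or leave nobody aware that one algorithm is unserved. NewCertificateAuthorityImpl continues outside the hunk.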
 +++ b/ca/ca.go
-@@ -164,10 +164,14 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) {
+@@ -190,11 +190,12 @@ func NewCertificateAuthorityImpl(
  }
  }
- if i, ok := issuersByAlg[x509.ECDSA]; !ok || len(i) == 0 {
-- fmt.Println("WARNING: no ECDSA issuers configured")
+ 
+- for _, keyAlg := range []x509.PublicKeyAlgorithm{x509.ECDSA, x509.RSA} {
+- if !issuableKeys[keyAlg] {
+- fmt.Printf("WARNING: no %s issuers configured\n", keyAlg)
+- }
+- }
++ // TODO: LabCA hack!
++ //for _, keyAlg := range []x509.PublicKeyAlgorithm{x509.ECDSA, x509.RSA} {
++ // if !issuableKeys[keyAlg] {
++ // fmt.Printf("WARNING: no %s issuers configured\n", keyAlg)
++ // }
++ //}
+ 
+ return &certificateAuthorityImpl{
+ sa: sa,
+@@ -474,9 +475,10 @@ func (ca *certificateAuthorityImpl) pickIssuer(profileName string, keyAlg x509.P
+ if !issuer.IsActive() {
+ continue
+ }
+- if issuer.KeyType() != keyAlg {
+- continue
+- }
 + // TODO: LabCA hack!
-+ issuersByAlg[x509.ECDSA] = issuersByAlg[x509.RSA]
-+ // fmt.Println("WARNING: no ECDSA issuers configured")
- }
- if i, ok := issuersByAlg[x509.RSA]; !ok || len(i) == 0 {
-- fmt.Println("WARNING: no RSA issuers configured")
-+ // TODO: LabCA hack!
-+ issuersByAlg[x509.RSA] = issuersByAlg[x509.ECDSA]
-+ // fmt.Println("WARNING: no RSA issuers configured")
- }
- return issuerMaps{issuersByAlg, issuersByNameID}, nil
- }
++ //if issuer.KeyType() != keyAlg {
++ // continue
++ //}
+ if !slices.Contains(issuer.Profiles(), profileName) {
+ continue
+ }
diff --git a/patches/ca_crl.patch b/patches/ca_crl.patch
index 50f7b2f..8fdcf10 100644
--- a/patches/ca_crl.patch
+++ b/patches/ca_crl.patch
@@ -1,8 +1,8 @@
 diff --git a/ca/crl.go b/ca/crl.go
-index 5937046fe..15c144984 100644
+index 513b9deae..f59b1820c 100644
 --- a/ca/crl.go
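Review bot: Commenting out `if issuer.KeyType() != keyAlg { continue }` in pickIssuer removes the only check tying the selected issuer to the subscriber key's algorithm, so with both an RSA and an ECDSA intermediate active for the same profile the first one in iteration order now signs everything, and which chain a client receives depends on that order rather than on the CSR — mixed chains and non-reproducible issuance. If the goal is only to let a single-intermediate lab serve both key types, the safer shape is to prefer an issuer whose `KeyType()` matches and fall back to any active issuer for the profile only when none matches (remember the first non-matching candidate in a local and return it after the loop if nothing better was found); the loop's surroundings are outside the hunk, so I have not written that out. At minimum `// TODO: LabCA hack!` should say what is relaxed and why, e.g. `// LabCA: a single intermediate may sign for both RSA and ECDSA subscriber keys, so the upstream key-type match is not enforced here.`, and the commented-out startup loop in the first inner hunk should be deleted rather than kept as dead code, since the patch itself records what was removed. pickIssuer continues outside the hunk.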
+++ b/ca/crl.go -@@ -132,8 +132,10 @@ func (ci *crlImpl) GenerateCRL(stream grpc.BidiStreamingServer[capb.GenerateCRLR +@@ -137,8 +137,10 @@ func (ci *crlImpl) GenerateCRL(stream grpc.BidiStreamingServer[capb.GenerateCRLR builder = strings.Builder{} } } diff --git a/patches/config_crl-updater.patch b/patches/config_crl-updater.patch index 202e6f3..803c5fb 100644 --- a/patches/config_crl-updater.patch +++ b/patches/config_crl-updater.patch @@ -1,8 +1,8 @@ diff --git a/test/config/crl-updater.json b/test/config/crl-updater.json -index adb2b01e5..6066b7e5e 100644 +index 5c9e12413..5cc6d4716 100644 --- a/test/config/crl-updater.json +++ b/test/config/crl-updater.json -@@ -36,24 +36,19 @@ +@@ -36,18 +36,13 @@ "hostOverride": "crl-storer.boulder" }, "issuerCerts": [ @@ -26,11 +26,4 @@ index adb2b01e5..6066b7e5e 100644 + "updateTimeout": "2m", "expiresMargin": "5m", "cacheControl": "stale-if-error=60", - "temporallyShardedSerialPrefixes": [ - "7f" - ], -- "maxParallelism": 10, -+ "maxParallelism": 1, - "maxAttempts": 2, - "features": {} - }, + "maxParallelism": 10, diff --git a/patches/docker-compose.patch b/patches/docker-compose.patch index e677d05..6defebf 100644 --- a/patches/docker-compose.patch +++ b/patches/docker-compose.patch @@ -1,5 +1,5 @@ diff --git a/docker-compose.yml b/docker-compose.yml -index 2e2ff2746..c0c7fc838 100644 +index 39802cd8b..58bb84501 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,3 +1,4 @@ @@ -81,9 +81,14 @@ index 2e2ff2746..c0c7fc838 100644 + command: mysqld --bind-address=0.0.0.0 --log-output=TABLE logging: - driver: none -- ++ driver: "json-file" ++ options: ++ max-size: "500k" ++ max-file: "5" ++ restart: always + - bproxysql: -- image: proxysql/proxysql:2.5.4 +- image: proxysql/proxysql:2.7.2 - # The --initial flag force resets the ProxySQL database on startup. By - # default, ProxySQL ignores new configuration if the database already - # exists. Without this flag, new configuration wouldn't be applied until you 
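Review bot: The rebase drops LabCA's `"maxParallelism": 1` override (the removed `-+ "maxParallelism": 1,` line is not re-added against the new context, which now ends on upstream's `"maxParallelism": 10,`), so crl-updater will run ten concurrent shard updates; with the single `crlShards: 1` issuer this commit configures in `ca.json` that is probably harmless, but nothing in the change says the drop was intended. If the override existed to keep the lab's single database and CA from being hammered, re-add `"maxParallelism": 1` against the new context; if it is no longer needed, a line in the commit message saying so would stop the next rebase from resurrecting it. The surrounding object closes outside the hunk.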
@@ -97,15 +102,10 @@ index 2e2ff2746..c0c7fc838 100644 - bouldernet: - aliases: - - boulder-proxysql -+ driver: "json-file" -+ options: -+ max-size: "500k" -+ max-file: "5" -+ restart: always - +- - bredis_1: + bredis: - image: redis:6.2.7 + image: redis:7.0.15 volumes: - ./test/:/test/:cached - command: redis-server /test/redis-ratelimits.config @@ -114,36 +114,31 @@ index 2e2ff2746..c0c7fc838 100644 networks: bouldernet: ipv4_address: 10.77.77.4 -- -- bredis_2: -- image: redis:6.2.7 -- volumes: -- - ./test/:/test/:cached -- command: redis-server /test/redis-ratelimits.config -- networks: -- bouldernet: -- ipv4_address: 10.77.77.5 + restart: always - bconsul: - image: hashicorp/consul:1.15.4 +- bredis_2: +- image: redis:7.0.15 ++ bconsul: ++ image: hashicorp/consul:1.19.2 + depends_on: + - control volumes: -- - ./test/:/test/:cached +- - ./test/:/test/:cached +- command: redis-server /test/redis-ratelimits.config + - /home/labca/boulder_labca:/opt/boulder/labca networks: bouldernet: - ipv4_address: 10.77.77.10 -- command: "consul agent -dev -config-format=hcl -config-file=/test/consul/config.hcl" +- ipv4_address: 10.77.77.5 ++ ipv4_address: 10.77.77.10 + command: "consul agent -dev -config-format=hcl -config-file=/opt/boulder/labca/consul/config.hcl" + restart: always -- bjaeger: -- image: jaegertracing/all-in-one:1.50 +- bconsul: +- image: hashicorp/consul:1.19.1 + gui: + image: *boulder_tools_image -+ volumes: + volumes: +- - ./test/:/test/:cached + - /var/run/docker.sock:/var/run/docker.sock + - /home/labca/admin:/go/src/labca + - ./.gocache:/root/.cache/go-build @@ -153,7 +148,10 @@ index 2e2ff2746..c0c7fc838 100644 + - /home/labca/boulder_labca:/opt/boulder/labca + - /home/labca/boulder_labca/certs/.softhsm-tokens/:/var/lib/softhsm/tokens/ networks: - - bouldernet +- bouldernet: +- ipv4_address: 10.77.77.10 +- command: "consul agent -dev -config-format=hcl -config-file=/test/consul/config.hcl" ++ - bouldernet + expose: + - 3000 + depends_on: 
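Review bot: The `gui` service bind-mounts `/var/run/docker.sock` (a context line here, so carried over rather than introduced by this rebase, and the next hunk does the same for `control`), which hands the web GUI container root-equivalent control of the host: code execution in the GUI is host compromise. That is a known trade-off for a lab CA that orchestrates its own containers, but the compose patch should say so, e.g. `# LabCA: gui and control manage the other containers via the Docker socket; this is host-root-equivalent, so keep port 3000 reachable only through nginx`, and a socket proxy restricted to the API calls the GUI actually makes is the usual mitigation. The `bconsul` entry also keeps `consul agent -dev`, an in-memory mode intended for local testing, so the new `/opt/boulder/labca/consul/config.hcl` path should not be read as hardening that service.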
@@ -182,11 +180,13 @@ index 2e2ff2746..c0c7fc838 100644 + - /home/labca/nginx_data/static:/var/www/html + depends_on: + - control -+ + +- bjaeger: +- image: jaegertracing/all-in-one:1.50 + control: + image: *boulder_tools_image -+ networks: -+ - bouldernet + networks: + - bouldernet + volumes: + - /var/run/docker.sock:/var/run/docker.sock + - /home/labca/admin/data:/opt/labca/data diff --git a/patches/issuance_issuer.patch b/patches/issuance_issuer.patch index f9f2355..fe25dab 100644 --- a/patches/issuance_issuer.patch +++ b/patches/issuance_issuer.patch @@ -1,8 +1,8 @@ diff --git a/issuance/issuer.go b/issuance/issuer.go -index 1c8b7ed1f..c21910db2 100644 +index 8479470ba..33672c905 100644 --- a/issuance/issuer.go +++ b/issuance/issuer.go -@@ -128,8 +128,8 @@ func LoadChain(certFiles []string) ([]*Certificate, error) { +@@ -129,8 +129,8 @@ func LoadChain(certFiles []string) ([]*Certificate, error) { lastCert := certs[len(certs)-1] err = lastCert.CheckSignatureFrom(lastCert.Certificate) if err != nil { 
@@ -13,16 +13,16 @@ index 1c8b7ed1f..c21910db2 100644 lastCert.Subject, certFiles[len(certFiles)-1], err) } -@@ -154,7 +154,7 @@ type IssuerConfig struct { - Profiles []string `validate:"omitempty,dive,alphanum,min=1,max=32"` +@@ -156,7 +156,7 @@ type IssuerConfig struct { + Profiles []string `validate:"required_if=Active true,dive,alphanum,min=1,max=32"` IssuerURL string `validate:"required,url"` - CRLURLBase string `validate:"required,url,startswith=http://,endswith=/"` + CRLURLBase string `validate:"required,url,startswith=http://"` - // TODO(#8177): Remove this. - OCSPURL string `validate:"omitempty,url"` -@@ -239,9 +239,6 @@ func newIssuer(config IssuerConfig, cert *Certificate, signer crypto.Signer, clk + // Number of CRL shards. Must be positive, but can be 1 for no sharding. + CRLShards int `validate:"required,min=1"` +@@ -242,9 +242,6 @@ func newIssuer(config IssuerConfig, cert *Certificate, signer crypto.Signer, clk if !strings.HasPrefix(config.CRLURLBase, "http://") { return nil, fmt.Errorf("crlURLBase must use HTTP scheme, got %q", config.CRLURLBase) } @@ -30,5 +30,5 @@ index 1c8b7ed1f..c21910db2 100644 - return nil, fmt.Errorf("crlURLBase must end with exactly one forward slash, got %q", config.CRLURLBase) - } if config.CRLShards <= 0 { - return nil, errors.New("Number of CRL shards is required") + return nil, errors.New("number of CRL shards is required") } diff --git a/patches/ra_ra.patch b/patches/ra_ra.patch index 7b4b0a2..fc55c95 100644 --- a/patches/ra_ra.patch +++ b/patches/ra_ra.patch @@ -1,5 +1,5 @@ diff --git a/ra/ra.go b/ra/ra.go -index 54e51cce5..af96bb245 100644 +index cd8c599fb..32d94f68c 100644 --- a/ra/ra.go +++ b/ra/ra.go @@ -41,7 +41,6 @@ import ( 
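Review bot: The patch continues to drop upstream's `endswith=/` tag and the `crlURLBase must end with exactly one forward slash` check on `CRLURLBase` (both context lines, so pre-existing), but nothing explains why; ra.go's `crlShard` in this same commit reads the shard from `url[lastIndex+1:]`, i.e. the text after what is presumably the last `/`, so a base without a trailing slash would seem to produce distribution points like `.../crls1` that do not round-trip unless the LabCA-side URL composition accounts for it — the `ra_ra.patch` hunk on `crlShard` suggests it does, but confirm. A comment where the check was removed, e.g. `// LabCA: CRLURLBase need not end in "/"; the shard separator is handled in ra.crlShard`, would make the invariant explicit and keep it from being restored blindly at the next rebase. newIssuer continues outside the hunk.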
@@ -10,7 +10,7 @@ index 54e51cce5..af96bb245 100644 "github.com/letsencrypt/boulder/probs" pubpb "github.com/letsencrypt/boulder/publisher/proto" rapb "github.com/letsencrypt/boulder/ra/proto" -@@ -567,7 +566,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error { +@@ -566,7 +565,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error { if !core.IsASCII(contact) { return berrors.InvalidEmailError("contact email contains non-ASCII characters") } @@ -19,7 +19,7 @@ index 54e51cce5..af96bb245 100644 if err != nil { return err } -@@ -1850,6 +1849,9 @@ func crlShard(cert *x509.Certificate) (int64, error) { +@@ -1847,6 +1846,9 @@ func crlShard(cert *x509.Certificate) (int64, error) { return 0, fmt.Errorf("malformed CRLDistributionPoint %q", url) } shardStr := url[lastIndex+1:] diff --git a/patches/remoteva_main.patch b/patches/remoteva_main.patch index d595ece..cb72cff 100644 --- a/patches/remoteva_main.patch +++ b/patches/remoteva_main.patch @@ -1,5 +1,5 @@ diff --git a/cmd/remoteva/main.go b/cmd/remoteva/main.go -index d049ba126..16fdca8a4 100644 +index 43b68d621..1c950cff6 100644 --- a/cmd/remoteva/main.go +++ b/cmd/remoteva/main.go @@ -59,7 +59,8 @@ type Config struct { @@ -30,13 +30,11 @@ index d049ba126..16fdca8a4 100644 cmd.FailOnError(err, "Couldn't start dynamic DNS server resolver") } defer servers.Stop() -@@ -140,7 +145,8 @@ func main() { - c.RVA.AccountURIPrefixes, +@@ -141,6 +146,7 @@ func main() { c.RVA.Perspective, c.RVA.RIR, -- iana.IsReservedAddr) -+ iana.IsReservedAddr, -+ c.RVA.LabCADomains) + iana.IsReservedAddr, ++ c.RVA.LabCADomains, + 0, + ) cmd.FailOnError(err, "Unable to create Remote-VA server") - - start, err := bgrpc.NewServer(c.RVA.GRPC, logger).Add( diff --git a/patches/test_config_ca.patch b/patches/test_config_ca.patch index 4358136..afbe376 100644 --- a/patches/test_config_ca.patch +++ b/patches/test_config_ca.patch @@ -1,5 +1,5 @@ 
diff --git a/test/config/ca.json b/test/config/ca.json -index 477f82b12..9512d98b0 100644 +index 59a1f348c..58f51f5e7 100644 --- a/test/config/ca.json +++ b/test/config/ca.json @@ -1,11 +1,11 @@ @@ -18,28 +18,26 @@ index 477f82b12..9512d98b0 100644 "grpcCA": { "maxConnectionAge": "30s", "address": ":9093", -@@ -59,7 +59,8 @@ - "includeCRLDistributionPoints": true, +@@ -56,7 +56,7 @@ + "omitSKID": false, "maxValidityPeriod": "7776000s", "maxValidityBackdate": "1h5m", - "lintConfig": "test/config-next/zlint.toml", -+ "includeCRLDistributionPoints": true, + "lintConfig": "labca/config/zlint.toml", "ignoredLints": [ "w_subject_common_name_included", "e_dnsname_not_valid_tld", -@@ -76,7 +77,8 @@ - "includeCRLDistributionPoints": true, +@@ -70,7 +70,7 @@ + "omitSKID": true, "maxValidityPeriod": "160h", "maxValidityBackdate": "1h5m", - "lintConfig": "test/config-next/zlint.toml", -+ "includeCRLDistributionPoints": true, + "lintConfig": "labca/config/zlint.toml", "ignoredLints": [ "w_ext_subject_key_identifier_missing_sub_cert", "e_dnsname_not_valid_tld" -@@ -92,7 +94,7 @@ - "includeCRLDistributionPoints": true, +@@ -83,7 +83,7 @@ + "omitSKID": true, "maxValidityPeriod": "583200s", "maxValidityBackdate": "1h5m", - "lintConfig": "test/config-next/zlint.toml", @@ -47,7 +45,7 @@ index 477f82b12..9512d98b0 100644 "ignoredLints": [ "w_ext_subject_key_identifier_missing_sub_cert", "e_dnsname_not_valid_tld" -@@ -102,72 +104,17 @@ +@@ -93,23 +93,9 @@ "crlProfile": { "validityInterval": "216h", "maxBackdate": "1h5m", @@ -55,8 +53,11 @@ index 477f82b12..9512d98b0 100644 + "lintConfig": "labca/config/zlint.toml" }, "issuers": [ - { - "active": true, +- { +- "active": true, +- "profiles": [ +- "legacy" +- ], - "crlShards": 10, - "issuerURL": "http://ca.example.org:4502/int-ecdsa-a", - "crlURLBase": "http://ca.example.org:4501/lets-encrypt-crls/43104258997432926/", 
@@ -66,8 +67,13 @@ index 477f82b12..9512d98b0 100644 - "numSessions": 2 - } - }, -- { -- "active": true, + { + "active": true, + "profiles": [ +@@ -117,64 +103,12 @@ + "modern", + "shortlived" + ], - "crlShards": 10, - "issuerURL": "http://ca.example.org:4502/int-ecdsa-b", - "crlURLBase": "http://ca.example.org:4501/lets-encrypt-crls/17302365692836921/", @@ -90,6 +96,9 @@ index 477f82b12..9512d98b0 100644 - }, - { - "active": true, +- "profiles": [ +- "legacy" +- ], - "crlShards": 10, + "crlShards": 1, "issuerURL": "http://ca.example.org:4502/int-rsa-a", @@ -102,6 +111,11 @@ index 477f82b12..9512d98b0 100644 - }, - { - "active": true, +- "profiles": [ +- "legacy", +- "modern", +- "shortlived" +- ], - "crlShards": 10, - "issuerURL": "http://ca.example.org:4502/int-rsa-b", - "crlURLBase": "http://ca.example.org:4501/lets-encrypt-crls/6762885421992935/", @@ -124,16 +138,16 @@ index 477f82b12..9512d98b0 100644 "numSessions": 2 } } -@@ -179,7 +126,7 @@ +@@ -184,7 +118,7 @@ + "maxNames": 100, "goodkey": {}, "ocspLogMaxLength": 4000, - "ocspLogPeriod": "500ms", - "ctLogListFile": "test/ct-test-srv/log_list.json", + "ctLogListFile": "labca/ct-test-srv/log_list.json", "features": {} }, "pa": { -@@ -194,7 +141,7 @@ +@@ -199,7 +133,7 @@ } }, "syslog": { diff --git a/patches/va_va.patch b/patches/va_va.patch index 2f44cbb..06d0028 100644 --- a/patches/va_va.patch +++ b/patches/va_va.patch @@ -1,8 +1,8 @@ diff --git a/va/va.go b/va/va.go -index 4993aec36..161cbacda 100644 +index 55211e27b..20c5f0a94 100644 --- a/va/va.go +++ b/va/va.go -@@ -219,6 +219,7 @@ type ValidationAuthorityImpl struct { +@@ -220,6 +220,7 @@ type ValidationAuthorityImpl struct { perspective string rir string isReservedIPFunc func(netip.Addr) error 
@@ -10,15 +10,15 @@ index 4993aec36..161cbacda 100644 metrics *vaMetrics } -@@ -239,6 +240,7 @@ func NewValidationAuthorityImpl( +@@ -240,6 +241,7 @@ func NewValidationAuthorityImpl( perspective string, rir string, reservedIPChecker func(netip.Addr) error, + labcaDomains []string, + slowRemoteTimeout time.Duration, ) (*ValidationAuthorityImpl, error) { - if len(accountURIPrefixes) == 0 { -@@ -276,6 +278,7 @@ func NewValidationAuthorityImpl( +@@ -278,6 +280,7 @@ func NewValidationAuthorityImpl( perspective: perspective, rir: rir, isReservedIPFunc: reservedIPChecker, diff --git a/patches/wfe2_main.patch b/patches/wfe2_main.patch index 364a594..cc0780b 100644 --- a/patches/wfe2_main.patch +++ b/patches/wfe2_main.patch @@ -1,5 +1,5 @@ diff --git a/cmd/boulder-wfe2/main.go b/cmd/boulder-wfe2/main.go -index cc5930699..8e1a14c3c 100644 +index a7a10ca26..4241ad106 100644 --- a/cmd/boulder-wfe2/main.go +++ b/cmd/boulder-wfe2/main.go @@ -14,14 +14,17 @@ import ( @@ -29,7 +29,7 @@ index cc5930699..8e1a14c3c 100644 // DirectoryWebsite is used for the /directory response's "meta" element's // "website" field. DirectoryWebsite string `validate:"required,url"` -@@ -182,6 +185,8 @@ type Config struct { +@@ -186,6 +189,8 @@ type Config struct { // to enable the pausing feature. URL string `validate:"omitempty,required_with=HMACKey JWTLifetime,url,startswith=https://,endsnotwith=/"` } @@ -38,11 +38,12 @@ index cc5930699..8e1a14c3c 100644 } Syslog cmd.SyslogConfig -@@ -326,11 +331,25 @@ func main() { +@@ -330,12 +335,26 @@ func main() { var limiter *ratelimits.Limiter var txnBuilder *ratelimits.TransactionBuilder var limiterRedis *bredis.Ring + var pa *policy.AuthorityImpl + overridesRefresherShutdown := func() {} if c.WFE.Limiter.Defaults != "" { // Setup rate limiting. limiterRedis, err = bredis.NewRingFromConfig(*c.WFE.Limiter.Redis, stats, logger) 
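Review bot: The LabCA `labcaDomains []string` parameter is spliced in ahead of upstream's newly added `slowRemoteTimeout`, which is why this hunk plus `boulder-va_main.patch` and `remoteva_main.patch` all needed re-threading; appending LabCA's additions after the upstream parameters (and as the last struct field) would let future upstream signature changes apply without touching every caller. Separately, neither the struct field nor the parameter says what the VA does with these names — the code that consumes them is not in this hunk — so a comment is needed, e.g. `// labcaDomains are names the LabCA-patched VA handles specially during validation; see the LabCA hunks in va.go`, with the actual behaviour filled in by whoever owns that logic and a note on whether an empty list is valid. NewValidationAuthorityImpl and the struct both extend outside the hunk.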
@@ -64,7 +65,7 @@ index cc5930699..8e1a14c3c 100644 source := ratelimits.NewRedisSource(limiterRedis.Ring, clk, stats) limiter, err = ratelimits.NewLimiter(clk, source, stats) cmd.FailOnError(err, "Failed to create rate limiter") -@@ -371,6 +390,7 @@ func main() { +@@ -384,6 +403,7 @@ func main() { unpauseSigner, c.WFE.Unpause.JWTLifetime.Duration, c.WFE.Unpause.URL, diff --git a/patches/wfe2_wfe.patch b/patches/wfe2_wfe.patch index a02cb21..604286a 100644 --- a/patches/wfe2_wfe.patch +++ b/patches/wfe2_wfe.patch @@ -1,5 +1,5 @@ diff --git a/wfe2/wfe.go b/wfe2/wfe.go -index c225c56f3..294ec463f 100644 +index d82a529fc..3a0129c6c 100644 --- a/wfe2/wfe.go +++ b/wfe2/wfe.go @@ -166,6 +166,8 @@ type WebFrontEndImpl struct { @@ -47,7 +47,7 @@ index c225c56f3..294ec463f 100644 if err != nil { return nil, err } -@@ -2329,7 +2337,7 @@ func (wfe *WebFrontEndImpl) NewOrder( +@@ -2305,7 +2313,7 @@ func (wfe *WebFrontEndImpl) NewOrder( idents = identifier.Normalize(idents) logEvent.Identifiers = idents