Bump boulder version to release-2025-03-18

Arjan H
2025-03-20 19:57:14 +01:00
parent 5c1055319f
commit 7d518d7ea4
19 changed files with 120 additions and 119 deletions


@@ -8,7 +8,7 @@ TMP_DIR=$(pwd)/tmp
rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src}
boulderDir=$TMP_DIR/src
boulderTag="release-2025-03-10"
boulderTag="release-2025-03-18"
boulderUrl="https://github.com/letsencrypt/boulder/"
cloneDir=$(pwd)/..


@@ -54,7 +54,7 @@ services:
- bmysql
- bredis
- bconsul
- bpkilint
- bpkimetal
- control
entrypoint: labca/entrypoint.sh
working_dir: &boulder_working_dir /opt/boulder
@@ -181,12 +181,11 @@ services:
command: ./control.sh
restart: always
bpkilint:
image: ghcr.io/digicert/pkilint:v0.10.1
bpkimetal:
image: ghcr.io/pkimetal/pkimetal:v1.19.0
networks:
bouldernet:
ipv4_address: 10.77.77.9
command: "gunicorn -w 1 -k uvicorn.workers.UvicornWorker -b 0.0.0.0:80 pkilint.rest:app"
restart: always
volumes:
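Review bot: The new `bpkimetal` service at `@@ -181` is pinned only by the mutable tag `ghcr.io/pkimetal/pkimetal:v1.19.0`, so the image that actually performs the pre-issuance lints can change without this file changing; pinning the digest as well, `image: ghcr.io/pkimetal/pkimetal:v1.19.0@sha256:<digest of the tested image>`, makes the linter build reproducible and turns a silent upstream retag into a loud pull failure. The `command: "gunicorn ... pkilint.rest:app"` line printed in the same hunk is the old pkilint entrypoint; if it survives as context under the new service the container would try to start pkilint inside the pkimetal image, so confirm it is on the removed side (the entrypoint patch elsewhere in this commit waits on `bpkimetal 8080`, not port 80). The `services:` block continues outside the hunk.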


@@ -1,5 +1,5 @@
diff --git a/docker-compose.yml b/docker-compose.yml
index 2f7f62688..30425c570 100644
index 96edbf4ec..f8da4502c 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -4,7 +4,7 @@ services:
@@ -131,7 +131,7 @@ index 2f7f62688..30425c570 100644
expose:
- 3030
environment:
@@ -191,6 +191,15 @@ services:
@@ -190,6 +190,15 @@ services:
volumes:
dbdata:


@@ -39,11 +39,11 @@ read txt
case $txt in
"docker-restart")
cd /opt/boulder
COMPOSE_HTTP_TIMEOUT=120 docker compose restart boulder bmysql bconsul bpkilint bredis gui nginx &>>$LOGFILE
COMPOSE_HTTP_TIMEOUT=120 docker compose restart boulder bmysql bconsul bpkimetal bredis gui nginx &>>$LOGFILE
sleep 45
wait_up $PS_MYSQL &>>$LOGFILE
wait_up $PS_CONSUL 2 &>>$LOGFILE
wait_up $PS_PKILINT &>>$LOGFILE
wait_up $PS_PKIMETAL &>>$LOGFILE
wait_up $PS_LABCA &>>$LOGFILE
wait_up $PS_BOULDER $PS_BOULDER_COUNT &>>$LOGFILE
;;
@@ -169,9 +169,9 @@ case $txt in
labca=$(docker inspect $(docker ps --format "{{.Names}}" | grep -- labca-gui) | grep -i started | grep -v depends_on | sed -e "s/[^:]*:\(.*\)/\1/" | sed -e "s/.*\"\(.*\)\".*/\1/")
mysql=$(docker inspect $(docker ps --format "{{.Names}}" | grep -- -bmysql-) | grep -i started | grep -v depends_on | sed -e "s/[^:]*:\(.*\)/\1/" | sed -e "s/.*\"\(.*\)\".*/\1/")
consul=$(docker inspect $(docker ps --format "{{.Names}}" | grep -- -bconsul-) | grep -i started | grep -v depends_on | sed -e "s/[^:]*:\(.*\)/\1/" | sed -e "s/.*\"\(.*\)\".*/\1/")
pkilint=$(docker inspect $(docker ps --format "{{.Names}}" | grep -- -bpkilint-) | grep -i started | grep -v depends_on | sed -e "s/[^:]*:\(.*\)/\1/" | sed -e "s/.*\"\(.*\)\".*/\1/")
pkimetal=$(docker inspect $(docker ps --format "{{.Names}}" | grep -- -bpkimetal-) | grep -i started | grep -v depends_on | sed -e "s/[^:]*:\(.*\)/\1/" | sed -e "s/.*\"\(.*\)\".*/\1/")
redis=$(docker inspect $(docker ps --format "{{.Names}}" | grep -- -bredis-) | grep -i started | grep -v depends_on | sed -e "s/[^:]*:\(.*\)/\1/" | sed -e "s/.*\"\(.*\)\".*/\1/")
echo "$nginx|$svc|$boulder|$labca|$mysql|$consul|$pkilint|$redis"
echo "$nginx|$svc|$boulder|$labca|$mysql|$consul|$pkimetal|$redis"
exit 0
;;
"log-uptime")
@@ -197,29 +197,29 @@ case $txt in
;;
"boulder-start")
cd /opt/boulder
COMPOSE_HTTP_TIMEOUT=120 docker compose up -d bmysql bconsul bpkilint bredis
COMPOSE_HTTP_TIMEOUT=120 docker compose up -d bmysql bconsul bpkimetal bredis
wait_up $PS_MYSQL &>>$LOGFILE
wait_up $PS_CONSUL 2 &>>$LOGFILE
wait_up $PS_PKILINT &>>$LOGFILE
wait_up $PS_PKIMETAL &>>$LOGFILE
COMPOSE_HTTP_TIMEOUT=120 docker compose up -d boulder
wait_up $PS_BOULDER $PS_BOULDER_COUNT &>>$LOGFILE
;;
"boulder-stop")
cd /opt/boulder
docker compose stop boulder
docker compose stop bmysql bconsul bpkilint bredis
docker compose stop bmysql bconsul bpkimetal bredis
wait_down $PS_MYSQL &>>$LOGFILE
wait_down $PS_CONSUL &>>$LOGFILE
wait_down $PS_PKILINT &>>$LOGFILE
wait_down $PS_PKIMETAL &>>$LOGFILE
wait_down $PS_BOULDER &>>$LOGFILE
;;
"boulder-restart")
cd /opt/boulder
COMPOSE_HTTP_TIMEOUT=120 docker compose restart boulder bmysql bconsul bpkilint bredis &>>$LOGFILE
COMPOSE_HTTP_TIMEOUT=120 docker compose restart boulder bmysql bconsul bpkimetal bredis &>>$LOGFILE
sleep 30
wait_up $PS_MYSQL &>>$LOGFILE
wait_up $PS_CONSUL 2 &>>$LOGFILE
wait_up $PS_PKILINT &>>$LOGFILE
wait_up $PS_PKIMETAL &>>$LOGFILE
wait_up $PS_BOULDER $PS_BOULDER_COUNT &>>$LOGFILE
;;
"labca-restart")
@@ -240,10 +240,10 @@ case $txt in
COMPOSE_HTTP_TIMEOUT=120 docker compose restart bconsul
set -e
;;
"pkilint-restart")
"pkimetal-restart")
cd /opt/boulder
set +e
COMPOSE_HTTP_TIMEOUT=120 docker compose restart bpkilint
COMPOSE_HTTP_TIMEOUT=120 docker compose restart bpkimetal
set -e
;;
"redis-restart")
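Review bot: The `pkimetal=$(...)` line in the `@@ -169` hunk is the sixth copy of the same inspect/grep/sed pipeline, differing from its neighbours only in the container substring, so a rename like this one has to touch every copy; a helper such as `started_at() { docker inspect $(docker ps --format "{{.Names}}" | grep -- "$1") | grep -i started | grep -v depends_on | sed -e "s/[^:]*:\(.*\)/\1/" | sed -e "s/.*\"\(.*\)\".*/\1/"; }` called as `pkimetal=$(started_at -bpkimetal-)` would reduce it to one token per service. Note also that `grep -- -bpkimetal-` is a substring match: should more than one container name contain it, `docker inspect` receives several names and the pipeline emits several lines, which would shift the fields of the `|`-separated status line echoed two lines below. The enclosing `case` statement starts and ends outside the hunks.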


@@ -79,9 +79,10 @@ if ([ "$PKI_DOMAIN_MODE" == "lockdown" ] && [ "$PKI_LOCKDOWN_DOMAINS" != "" ]) |
perl -i -p0e "s/(\"badResultsOnly\":[^\n]*).*?(\s+)(\"checkPeriod\":)/\1\2\"skipForbiddenDomains\": true,\2\3/igs" config/cert-checker.json
perl -i -p0e "s/(\"ignoredLints\": \[).*?(\s+)(\"w_subject_common_name_included\")/\1\2\"e_dnsname_not_valid_tld\",\2\"w_sub_cert_aia_contains_internal_names\",\2\3/igs" config/cert-checker.json
perl -i -p0e "s/(\"ignoredLints\": \[).*?(\s+)(\"w_subject_common_name_included\")/\1\2\"e_dnsname_not_valid_tld\",\2\"w_sub_cert_aia_contains_internal_names\",\2\3/igs" config/ca.json
perl -i -p0e "s/(\"modern\".*)(\"ignoredLints\": \[).*?(\s+)(\"w_ext_subject_key_identifier_missing_sub_cert\")/\1\2\3\"e_dnsname_not_valid_tld\",\3\"w_sub_cert_aia_contains_internal_names\",\3\4/igs" config/ca.json
perl -i -p0e "s/(\"modern\".*?)(\"ignoredLints\": \[).*?(\s+)(\"w_ext_subject_key_identifier_missing_sub_cert\")/\1\2\3\"e_dnsname_not_valid_tld\",\3\"w_sub_cert_aia_contains_internal_names\",\3\4/igs" config/ca.json
perl -i -p0e "s/(\"shortlived\".*?)(\"ignoredLints\": \[).*?(\s+)(\"w_ext_subject_key_identifier_missing_sub_cert\")/\1\2\3\"e_dnsname_not_valid_tld\",\3\"w_sub_cert_aia_contains_internal_names\",\3\4/igs" config/ca.json
perl -i -p0e "s/(\"SubscriberKeyUsageValidator:cabf.serverauth.subscriber_rsa_digitalsignature_and_keyencipherment_present\",).*(\])/\1\n \"GeneralNameDnsNameInternalDomainNameValidator:cabf.internal_domain_name\",\n \"GeneralNameUriInternalDomainNameValidator:cabf.internal_domain_name\",\n\2/igs" config/zlint.toml
perl -i -p0e "s/(\"pkilint:cabf.serverauth.subscriber_rsa_digitalsignature_and_keyencipherment_present\",).*?(\])/\1\n \"pkilint:cabf.internal_domain_name\",\n \"zlint:e_dnsname_not_valid_tld\",\n \"zlint:w_sub_cert_aia_contains_internal_names\",\n \"certlint:\",\n\2/igs" config/zlint.toml
fi
[ -e ../test/hostname-policy.yaml ] && cp ../test/hostname-policy.yaml ./ || true
@@ -191,9 +192,9 @@ if [ "$PKI_EXTENDED_TIMEOUT" == "1" ]; then
sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/crl-storer.json
sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/crl-updater.json
sed -i -e "s/pkilint_timeout = .*/pkilint_timeout = 30000000000 # 30 seconds/" config/zlint.toml
sed -i -e "s/timeout = .*/timeout = 30000000000 # 30 seconds/" config/zlint.toml
else
sed -i -e "s/pkilint_timeout = .*/pkilint_timeout = 10000000000 # 10 seconds/" config/zlint.toml
sed -i -e "s/timeout = .*/timeout = 10000000000 # 10 seconds/" config/zlint.toml
fi
sed -i -e "s/\"timeout\": \"1s\"/\"timeout\": \"5s\"/" config/health-checker.json
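Review bot: The rewritten sed patterns at `@@ -191` (`s/timeout = .*/...`) are unanchored: sed matches `timeout = ` anywhere in a line, so any other zlint.toml key ending in `timeout` (the old `pkilint_timeout` spelling if a stale config were ever re-processed, or a future `*_timeout`) would be rewritten into a bare `timeout = ...`, silently changing which setting is being set; anchoring with `sed -i -e "s/^timeout = .*/timeout = 30000000000 # 30 seconds/" config/zlint.toml` keeps the edit on the intended key. The same applies to the 10-second line in the `else` branch. The enclosing `if` block starts outside the hunk.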


@@ -228,7 +228,7 @@ func _parseComponents(data string) []Component {
if len(parts) < 7 {
components = append(components, Component{Name: "Boulder (ACME)"})
components = append(components, Component{Name: "consul (Boulder)"})
components = append(components, Component{Name: "pkilint (Boulder)"})
components = append(components, Component{Name: "pkimetal (Boulder)"})
components = append(components, Component{Name: "redis (Boulder)"})
components = append(components, Component{Name: "LabCA Application"})
components = append(components, Component{Name: "LabCA Controller"})
@@ -297,14 +297,14 @@ func _parseComponents(data string) []Component {
consulClass = ""
}
pkilint, err := time.Parse(time.RFC3339Nano, parts[6])
pkilintReal := ""
pkilintNice := "stopped"
pkilintClass := "error"
pkimetal, err := time.Parse(time.RFC3339Nano, parts[6])
pkimetalReal := ""
pkimetalNice := "stopped"
pkimetalClass := "error"
if err == nil {
pkilintReal = pkilint.Format("02-Jan-2006 15:04:05 MST")
pkilintNice = humanize.RelTime(pkilint, time.Now(), "", "")
pkilintClass = ""
pkimetalReal = pkimetal.Format("02-Jan-2006 15:04:05 MST")
pkimetalNice = humanize.RelTime(pkimetal, time.Now(), "", "")
pkimetalClass = ""
}
redis, err := time.Parse(time.RFC3339Nano, parts[7])
@@ -319,7 +319,7 @@ func _parseComponents(data string) []Component {
components = append(components, Component{Name: "Boulder (ACME)", Timestamp: boulderReal, TimestampRel: boulderNice, Class: boulderClass})
components = append(components, Component{Name: "consul (Boulder)", Timestamp: consulReal, TimestampRel: consulNice, Class: consulClass})
components = append(components, Component{Name: "pkilint (Boulder)", Timestamp: pkilintReal, TimestampRel: pkilintNice, Class: pkilintClass})
components = append(components, Component{Name: "pkimetal (Boulder)", Timestamp: pkimetalReal, TimestampRel: pkimetalNice, Class: pkimetalClass})
components = append(components, Component{Name: "redis (Boulder)", Timestamp: redisReal, TimestampRel: redisNice, Class: redisClass})
components = append(components, Component{Name: "LabCA Application", Timestamp: labcaReal, TimestampRel: labcaNice, Class: labcaClass})
components = append(components, Component{Name: "LabCA Controller", Timestamp: svcReal, TimestampRel: svcNice, Class: svcClass})
@@ -530,8 +530,8 @@ func parseDockerStats(data string) []AjaxStat {
if strings.Contains(docker.Name, "-bconsul-") {
stat.Name = "consul (Boulder)"
}
if strings.Contains(docker.Name, "-bpkilint-") {
stat.Name = "pkilint (Boulder)"
if strings.Contains(docker.Name, "-bpkimetal-") {
stat.Name = "pkimetal (Boulder)"
}
if strings.Contains(docker.Name, "-bredis-") {
stat.Name = "redis (Boulder)"
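Review bot: The guard `if len(parts) < 7` at `@@ -228` no longer covers what the function reads: the `@@ -297` hunk parses `parts[6]` for pkimetal and then `parts[7]` for redis, so a status line with exactly seven fields passes the guard and panics with an index out of range; the guard should read `if len(parts) < 8 {`, matching the eight `|`-separated fields the control script's status echo produces in this same commit. The renamed pkimetal parsing itself mirrors the consul block above it and is otherwise fine. `_parseComponents` starts and ends outside the hunks.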


@@ -1124,7 +1124,7 @@ func (res *Result) ManageComponents(w http.ResponseWriter, r *http.Request, acti
(components[i].Name == "Boulder (ACME)" && (action == "boulder-start" || action == "boulder-stop" || action == "boulder-restart")) ||
(components[i].Name == "LabCA Application" && action == "labca-restart") ||
(components[i].Name == "consul (Boulder)" && action == "consul-restart") ||
(components[i].Name == "pkilint (Boulder)" && action == "pkilint-restart") ||
(components[i].Name == "pkimetal (Boulder)" && action == "pkimetal-restart") ||
(components[i].Name == "redis (Boulder)" && action == "redis-restart") ||
(components[i].Name == "MySQL Database" && action == "mysql-restart") {
res.Timestamp = components[i].Timestamp
@@ -1353,7 +1353,7 @@ func _managePost(w http.ResponseWriter, r *http.Request) {
"cert-export",
"mysql-restart",
"consul-restart",
"pkilint-restart",
"pkimetal-restart",
"redis-restart",
"nginx-reload",
"nginx-restart",
@@ -1548,14 +1548,14 @@ func _manageGet(w http.ResponseWriter, r *http.Request) {
components[i].Buttons = append(components[i].Buttons, btn)
}
if components[i].Name == "pkilint (Boulder)" {
if components[i].Name == "pkimetal (Boulder)" {
components[i].LogURL = ""
components[i].LogTitle = ""
btn := make(map[string]interface{})
btn["Class"] = "btn-warning"
btn["Id"] = "pkilint-restart"
btn["Title"] = "Restart the internal pkilint helper"
btn["Id"] = "pkimetal-restart"
btn["Title"] = "Restart the internal pkimetal helper"
btn["Label"] = "Restart"
components[i].Buttons = append(components[i].Buttons, btn)
}
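Review bot: The button construction at `@@ -1548` builds the map field by field with `btn := make(map[string]interface{})` followed by four assignments; a composite literal `btn := map[string]any{"Class": "btn-warning", "Id": "pkimetal-restart", "Title": "Restart the internal pkimetal helper", "Label": "Restart"}` says the same in one statement and uses the `any` alias. The action name `pkimetal-restart` now appears in three places in this file (ManageComponents, the `_managePost` allowlist and this button); a shared constant would keep the allowlist, which is what gates the actions the control channel accepts, from drifting from the UI. `_manageGet` starts and ends outside the hunk.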

install

@@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0"
labcaUrl="https://github.com/hakwerk/labca/"
boulderUrl="https://github.com/letsencrypt/boulder/"
boulderTag="release-2025-03-10"
boulderTag="release-2025-03-18"
#
# Color configuration
@@ -744,10 +744,10 @@ startup() {
# Cleanup any remaining containers with old names
docker compose -p boulder stop &>>$installLog || true
docker compose -p boulder rm -f &>>$installLog || true
for ct in boulder_bhsm_1 boulder_bredis_1 boulder_bredis_2 boulder_bredis_3 boulder_bredis_4 boulder_bredis_5 boulder_bredis_6; do
for ct in boulder_bhsm_1 boulder_bredis_1 boulder_bredis_2 boulder_bredis_3 boulder_bredis_4 boulder_bredis_5 boulder_bredis_6 bpkilint; do
[ -z "$(docker ps | grep $ct)" ] || docker stop $ct &>>$installLog
done
for ct in boulder_bhsm_1 boulder_bredis_1 boulder_bredis_2 boulder_bredis_3 boulder_bredis_4 boulder_bredis_5 boulder_bredis_6; do
for ct in boulder_bhsm_1 boulder_bredis_1 boulder_bredis_2 boulder_bredis_3 boulder_bredis_4 boulder_bredis_5 boulder_bredis_6 bpkilint; do
[ -z "$(docker ps -a | grep -e "$ct\$")" ] || docker rm -f $ct &>>$installLog
done
docker network rm -f boulder_bluenet boulder_consulnet boulder_rednet &>>$installLog || true
@@ -762,7 +762,7 @@ startup() {
wait_down $PS_NGINX &>>$installLog || true
wait_down $PS_MYSQL &>>$installLog || true
wait_down $PS_CONSUL &>>$installLog || true
wait_down $PS_PKILINT &>>$installLog || true
wait_down $PS_PKIMETAL &>>$installLog || true
wait_down $PS_LABCA &>>$installLog || true
wait_down $PS_CONTROL &>>$installLog || true
wait_down $PS_BOULDER &>>$installLog || true
@@ -797,7 +797,7 @@ startup() {
wait_up $PS_NGINX &>>$installLog || true
wait_up $PS_MYSQL &>>$installLog || true
wait_up $PS_CONSUL 2 &>>$installLog || true
wait_up $PS_PKILINT &>>$installLog || true
wait_up $PS_PKIMETAL &>>$installLog || true
wait_up $PS_LABCA &>>$installLog || true
wait_up $PS_CONTROL &>>$installLog || true
docker exec -i labca-bmysql-1 mysql_upgrade &>>$installLog
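Review bot: The `bpkilint` entry appended to both cleanup loops at `@@ -744` is a bare service name, while every other entry is a full container name, and compose v2 names containers `<project>-<service>-<n>` (this file execs `labca-bmysql-1` at `@@ -797`); so the first loop's `grep $ct` would match a running `labca-bpkilint-1` but `docker stop bpkilint` would then fail with no such container, and the second loop's `grep -e "$ct\$"` would never match it at all, leaving the old linter container behind. Unless a container is literally named `bpkilint`, use the full name or derive it from the listing, e.g. `for ct in $(docker ps -a --format "{{.Names}}" | grep -e "-bpkilint-"); do docker rm -f $ct &>>$installLog; done`. `startup()` starts and ends outside the hunks.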


@@ -1,33 +1,33 @@
diff --git a/cmd/cert-checker/main.go b/cmd/cert-checker/main.go
index 883378779..679a794ed 100644
index 615abe3c1..621c597c2 100644
--- a/cmd/cert-checker/main.go
+++ b/cmd/cert-checker/main.go
@@ -106,6 +106,7 @@ type certChecker struct {
checkPeriod time.Duration
@@ -108,6 +108,7 @@ type certChecker struct {
acceptableValidityDurations map[time.Duration]bool
lints lint.Registry
logger blog.Logger
+ skipForbiddenDomains bool
}
func newChecker(saDbMap certDB,
@@ -115,6 +116,7 @@ func newChecker(saDbMap certDB,
period time.Duration,
@@ -118,6 +119,7 @@ func newChecker(saDbMap certDB,
avd map[time.Duration]bool,
lints lint.Registry,
logger blog.Logger,
+ sfd bool,
) certChecker {
precertGetter := func(ctx context.Context, serial string) ([]byte, error) {
precertPb, err := sa.SelectPrecertificate(ctx, saDbMap, serial)
@@ -135,6 +137,7 @@ func newChecker(saDbMap certDB,
checkPeriod: period,
@@ -139,6 +141,7 @@ func newChecker(saDbMap certDB,
acceptableValidityDurations: avd,
lints: lints,
logger: logger,
+ skipForbiddenDomains: sfd,
}
}
@@ -409,7 +412,7 @@ func (c *certChecker) checkCert(ctx context.Context, cert core.Certificate, igno
err = c.pa.WillingToIssue([]string{name})
@@ -415,7 +418,7 @@ func (c *certChecker) checkCert(ctx context.Context, cert core.Certificate) ([]s
err = c.pa.WillingToIssue([]identifier.ACMEIdentifier{identifier.NewDNS(name)})
if err != nil {
problems = append(problems, fmt.Sprintf("Policy Authority isn't willing to issue for '%s': %s", name, err))
- } else {
@@ -35,7 +35,7 @@ index 883378779..679a794ed 100644
// For defense-in-depth, even if the PA was willing to issue for a name
// we double check it against a list of forbidden domains. This way even
// if the hostnamePolicyFile malfunctions we will flag the forbidden
@@ -489,9 +492,10 @@ type Config struct {
@@ -495,9 +498,10 @@ type Config struct {
Workers int `validate:"required,min=1"`
// Deprecated: this is ignored, and cert checker always checks both expired and unexpired.
@@ -49,7 +49,7 @@ index 883378779..679a794ed 100644
// AcceptableValidityDurations is a list of durations which are
// acceptable for certificates we issue.
@@ -546,6 +550,8 @@ func main() {
@@ -555,6 +559,8 @@ func main() {
acceptableValidityDurations[ninetyDays] = true
}
@@ -58,9 +58,9 @@ index 883378779..679a794ed 100644
// Validate PA config and set defaults if needed.
cmd.FailOnError(config.PA.CheckChallenges(), "Invalid PA configuration")
@@ -580,6 +586,7 @@ func main() {
config.CertChecker.CheckPeriod.Duration,
@@ -598,6 +604,7 @@ func main() {
acceptableValidityDurations,
lints,
logger,
+ skipForbiddenDomains,
)


@@ -1,5 +1,5 @@
diff --git a/docker-compose.yml b/docker-compose.yml
index 2dfa6c278..2f7f62688 100644
index b66a13d04..96edbf4ec 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,3 +1,4 @@
@@ -38,7 +38,7 @@ index 2dfa6c278..2f7f62688 100644
+ - bredis
- bconsul
- - bjaeger
- bpkilint
- bpkimetal
- entrypoint: test/entrypoint.sh
- working_dir: &boulder_working_dir /boulder
-
@@ -72,7 +72,7 @@ index 2dfa6c278..2f7f62688 100644
networks:
bouldernet:
aliases:
@@ -90,82 +83,114 @@ services:
@@ -90,81 +83,113 @@ services:
# small.
command: mysqld --bind-address=0.0.0.0 --slow-query-log --log-output=TABLE --log-queries-not-using-indexes=ON
logging:
@@ -226,13 +226,11 @@ index 2dfa6c278..2f7f62688 100644
+ command: ./control.sh
+ restart: always
bpkilint:
image: ghcr.io/digicert/pkilint:v0.10.1
bpkimetal:
image: ghcr.io/pkimetal/pkimetal:v1.19.0
networks:
bouldernet:
ipv4_address: 10.77.77.9
- command: "gunicorn -w 8 -k uvicorn.workers.UvicornWorker -b 0.0.0.0:80 pkilint.rest:app"
+ command: "gunicorn -w 1 -k uvicorn.workers.UvicornWorker -b 0.0.0.0:80 pkilint.rest:app"
+ restart: always
+
+volumes:


@@ -1,5 +1,5 @@
diff --git a/test/entrypoint.sh b/test/entrypoint.sh
index a47fd2c9a..626d57155 100755
index 343979a0c..3733ba952 100755
--- a/test/entrypoint.sh
+++ b/test/entrypoint.sh
@@ -13,15 +13,15 @@ service rsyslog start
@@ -10,7 +10,7 @@ index a47fd2c9a..626d57155 100755
-./test/wait-for-it.sh bproxysql 6032
-
# make sure we can reach pkilint
./test/wait-for-it.sh bpkilint 80
./test/wait-for-it.sh bpkimetal 8080
# create the database
MYSQL_CONTAINER=1 $DIR/create_db.sh


@@ -1,5 +1,5 @@
diff --git a/issuance/crl.go b/issuance/crl.go
index 9e2de44a6..5447faf7e 100644
index f33af1883..b78acf9be 100644
--- a/issuance/crl.go
+++ b/issuance/crl.go
@@ -5,6 +5,7 @@ import (
@@ -10,7 +10,7 @@ index 9e2de44a6..5447faf7e 100644
"time"
"github.com/zmap/zlint/v3/lint"
@@ -61,7 +62,11 @@ type CRLRequest struct {
@@ -75,7 +76,11 @@ type CRLRequest struct {
// crlURL combines the CRL URL base with a shard, and adds a suffix.
func (i *Issuer) crlURL(shard int) string {


@@ -1,8 +1,8 @@
diff --git a/linter/linter.go b/linter/linter.go
index 249e5ab91..59cc14b57 100644
index 522dd5ee5..a58708f7b 100644
--- a/linter/linter.go
+++ b/linter/linter.go
@@ -201,10 +201,21 @@ func makeIssuer(realIssuer *x509.Certificate, lintSigner crypto.Signer) (*x509.C
@@ -200,10 +200,21 @@ func makeIssuer(realIssuer *x509.Certificate, lintSigner crypto.Signer) (*x509.C
SubjectKeyId: realIssuer.SubjectKeyId,
URIs: realIssuer.URIs,
UnknownExtKeyUsage: realIssuer.UnknownExtKeyUsage,


@@ -1,5 +1,5 @@
diff --git a/policy/pa.go b/policy/pa.go
index fac69d3b9..217c465fe 100644
index bbe928cd0..0c21848b7 100644
--- a/policy/pa.go
+++ b/policy/pa.go
@@ -31,6 +31,9 @@ type AuthorityImpl struct {
@@ -45,7 +45,7 @@ index fac69d3b9..217c465fe 100644
pa.blocklistMu.Unlock()
return nil
}
@@ -195,7 +213,7 @@ var (
@@ -196,7 +214,7 @@ var (
// - exactly equal to an IANA registered TLD
//
// It does NOT ensure that the domain is absent from any PA blocked lists.
@@ -54,7 +54,7 @@ index fac69d3b9..217c465fe 100644
if domain == "" {
return errEmptyName
}
@@ -227,7 +245,9 @@ func validNonWildcardDomain(domain string) error {
@@ -228,7 +246,9 @@ func validNonWildcardDomain(domain string) error {
return errTooManyLabels
}
if len(labels) < 2 {
@@ -65,7 +65,7 @@ index fac69d3b9..217c465fe 100644
}
for _, label := range labels {
// Check that this is a valid LDH Label: "A string consisting of ASCII
@@ -271,6 +291,14 @@ func validNonWildcardDomain(domain string) error {
@@ -272,6 +292,14 @@ func validNonWildcardDomain(domain string) error {
}
}
@@ -80,7 +80,7 @@ index fac69d3b9..217c465fe 100644
// Names must end in an ICANN TLD, but they must not be equal to an ICANN TLD.
icannTLD, err := iana.ExtractSuffix(domain)
if err != nil {
@@ -286,9 +314,9 @@ func validNonWildcardDomain(domain string) error {
@@ -287,9 +315,9 @@ func validNonWildcardDomain(domain string) error {
// ValidDomain checks that a domain is valid and that it doesn't contain any
// invalid wildcard characters. It does NOT ensure that the domain is absent
// from any PA blocked lists.
@@ -92,7 +92,7 @@ index fac69d3b9..217c465fe 100644
}
// Names containing more than one wildcard are invalid.
@@ -307,7 +335,7 @@ func ValidDomain(domain string) error {
@@ -308,7 +336,7 @@ func ValidDomain(domain string) error {
// Names must end in an ICANN TLD, but they must not be equal to an ICANN TLD.
icannTLD, err := iana.ExtractSuffix(baseDomain)
@@ -101,7 +101,7 @@ index fac69d3b9..217c465fe 100644
return errNonPublic
}
// Names must have a non-wildcard label immediately adjacent to the ICANN
@@ -315,7 +343,7 @@ func ValidDomain(domain string) error {
@@ -316,7 +344,7 @@ func ValidDomain(domain string) error {
if baseDomain == icannTLD {
return errICANNTLDWildcard
}
@@ -110,7 +110,7 @@ index fac69d3b9..217c465fe 100644
}
// forbiddenMailDomains is a map of domain names we do not allow after the
@@ -333,14 +361,14 @@ var forbiddenMailDomains = map[string]bool{
@@ -334,14 +362,14 @@ var forbiddenMailDomains = map[string]bool{
// ValidEmail returns an error if the input doesn't parse as an email address,
// the domain isn't a valid hostname in Preferred Name Syntax, or its on the
// list of domains forbidden for mail (because they are often used in examples).
@@ -127,40 +127,43 @@ index fac69d3b9..217c465fe 100644
if err != nil {
return berrors.InvalidEmailError("contact email has invalid domain: %s", err)
}
@@ -382,7 +410,7 @@ func subError(name string, err error) berrors.SubBoulderError {
@@ -383,7 +411,7 @@ func subError(ident identifier.ACMEIdentifier, err error) berrors.SubBoulderErro
//
// Precondition: all input domain names must be in lowercase.
func (pa *AuthorityImpl) WillingToIssue(domains []string) error {
- err := WellFormedDomainNames(domains)
+ err := pa.WellFormedDomainNames(domains)
// Precondition: all input identifier values must be in lowercase.
func (pa *AuthorityImpl) WillingToIssue(idents []identifier.ACMEIdentifier) error {
- err := WellFormedIdentifiers(idents)
+ err := pa.WellFormedIdentifiers(idents)
if err != nil {
return err
}
@@ -401,6 +429,10 @@ func (pa *AuthorityImpl) WillingToIssue(domains []string) error {
@@ -407,6 +435,10 @@ func (pa *AuthorityImpl) WillingToIssue(idents []identifier.ACMEIdentifier) erro
}
}
+ if ok, _ := pa.checkWhitelist(domain, false); ok {
+ if ok, _ := pa.checkWhitelist(ident.Value, false); ok {
+ return nil
+ }
+
// For both wildcard and non-wildcard domains, check whether any parent domain
// name is on the regular blocklist.
err := pa.checkHostLists(domain)
@@ -434,10 +466,10 @@ func (pa *AuthorityImpl) WillingToIssue(domains []string) error {
err := pa.checkHostLists(ident.Value)
@@ -441,13 +473,13 @@ func (pa *AuthorityImpl) WillingToIssue(idents []identifier.ACMEIdentifier) erro
//
// If multiple domains are invalid, the error will contain suberrors specific to
// each domain.
-func WellFormedDomainNames(domains []string) error {
+func (pa *AuthorityImpl) WellFormedDomainNames(domains []string) error {
-func WellFormedIdentifiers(idents []identifier.ACMEIdentifier) error {
+func (pa *AuthorityImpl) WellFormedIdentifiers(idents []identifier.ACMEIdentifier) error {
var subErrors []berrors.SubBoulderError
for _, domain := range domains {
- err := ValidDomain(domain)
+ err := pa.ValidDomain(domain)
if err != nil {
subErrors = append(subErrors, subError(domain, err))
}
@@ -471,6 +503,34 @@ func combineSubErrors(subErrors []berrors.SubBoulderError) error {
for _, ident := range idents {
// TODO(#7311): When this gets a third case for TypeIP, this will be
// more elegant as a switch/case.
if ident.Type == identifier.TypeDNS {
- err := ValidDomain(ident.Value)
+ err := pa.ValidDomain(ident.Value)
if err != nil {
subErrors = append(subErrors, subError(ident, err))
}
@@ -484,6 +516,34 @@ func combineSubErrors(subErrors []berrors.SubBoulderError) error {
return nil
}
@@ -195,7 +198,7 @@ index fac69d3b9..217c465fe 100644
// checkWildcardHostList checks the wildcardExactBlocklist for a given domain.
// If the domain is not present on the list nil is returned, otherwise
// errPolicyForbidden is returned.
@@ -500,6 +560,9 @@ func (pa *AuthorityImpl) checkHostLists(domain string) error {
@@ -513,6 +573,9 @@ func (pa *AuthorityImpl) checkHostLists(domain string) error {
labels := strings.Split(domain, ".")
for i := range labels {
joined := strings.Join(labels[i:], ".")
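Review bot: The whitelist short-circuit at `@@ -407` (`if ok, _ := pa.checkWhitelist(ident.Value, false); ok { return nil }`) now runs on every identifier's value, while the validity check in `WellFormedIdentifiers` (`@@ -473`) is gated on `ident.Type == identifier.TypeDNS` and the TODO(#7311) above it anticipates a TypeIP case; if checkWhitelist is a DNS-name whitelist, guarding it the same way keeps a non-DNS identifier from being matched against it. The discarded second return value hides whatever checkWhitelist reports on failure; if that is an error, returning it rather than silently falling through to the blocklists is worth considering. Since a match returns before `checkHostLists` and the wildcard list run, a comment such as `// A whitelisted identifier skips the blocklist checks below.` would make that precedence explicit. `WillingToIssue` starts and ends outside the hunk.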


@@ -1,8 +1,8 @@
diff --git a/ratelimits/names.go b/ratelimits/names.go
index 99221ae0c..9abc0d512 100644
index 8e8ed80c4..6e3e77639 100644
--- a/ratelimits/names.go
+++ b/ratelimits/names.go
@@ -101,6 +101,9 @@ var nameToString = map[Name]string{
@@ -102,6 +102,9 @@ var nameToString = map[Name]string{
FailedAuthorizationsForPausingPerDomainPerAccount: "FailedAuthorizationsForPausingPerDomainPerAccount",
}
@@ -12,7 +12,7 @@ index 99221ae0c..9abc0d512 100644
// isValid returns true if the Name is a valid rate limit name.
func (n Name) isValid() bool {
return n > Unknown && n < Name(len(nameToString))
@@ -162,7 +165,15 @@ func validateRegId(id string) error {
@@ -163,7 +166,15 @@ func validateRegId(id string) error {
// validateDomain validates that the provided string is formatted 'domain',
// where domain is a domain name.
func validateDomain(id string) error {
@@ -29,7 +29,7 @@ index 99221ae0c..9abc0d512 100644
if err != nil {
return fmt.Errorf("invalid domain, %q must be formatted 'domain': %w", id, err)
}
@@ -183,7 +194,14 @@ func validateRegIdDomain(id string) error {
@@ -184,7 +195,14 @@ func validateRegIdDomain(id string) error {
return fmt.Errorf(
"invalid regId, %q must be formatted 'regId:domain'", id)
}
@@ -45,11 +45,11 @@ index 99221ae0c..9abc0d512 100644
if err != nil {
return fmt.Errorf(
"invalid domain, %q must be formatted 'regId:domain': %w", id, err)
@@ -199,7 +217,15 @@ func validateFQDNSet(id string) error {
@@ -200,7 +218,15 @@ func validateFQDNSet(id string) error {
return fmt.Errorf(
"invalid fqdnSet, %q must be formatted 'fqdnSet'", id)
}
- return policy.WellFormedDomainNames(domains)
- return policy.WellFormedIdentifiers(identifier.FromDNSNames(domains))
+ pa := PA
+ var err error
+ if pa == nil {
@@ -58,7 +58,7 @@ index 99221ae0c..9abc0d512 100644
+ return fmt.Errorf("cannot create policy authority implementation")
+ }
+ }
+ return pa.WellFormedDomainNames(domains)
+ return pa.WellFormedIdentifiers(identifier.FromDNSNames(domains))
}
func validateIdForName(name Name, id string) error {
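Review bot: `validateFQDNSet` at `@@ -218` now reads the package-level `PA` and, in the `pa == nil` branch whose body lies between the two hunks, appears to construct a policy authority on demand; if this validator is reached from concurrent request paths, a read-then-initialise of a package variable without synchronisation is a data race, and a `sync.Once`-guarded initialiser (or injecting the authority explicitly instead of a global) would be the safe form. The `var err error` declared ahead of the branch is only justified if the hidden branch assigns it; otherwise an `if`-scoped `err` is cleaner. Both points are to be confirmed against the full patch, since the middle of the function is not shown.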


@@ -1,5 +1,5 @@
diff --git a/test/config/ca.json b/test/config/ca.json
index 675304d97..01b2d56ce 100644
index a64ec7ac2..09ffa1efe 100644
--- a/test/config/ca.json
+++ b/test/config/ca.json
@@ -60,7 +60,8 @@
@@ -22,7 +22,7 @@ index 675304d97..01b2d56ce 100644
"ignoredLints": [
"w_ext_subject_key_identifier_missing_sub_cert"
]
@@ -100,39 +102,7 @@
@@ -101,39 +103,7 @@
"issuers": [
{
"active": true,
@@ -63,7 +63,7 @@ index 675304d97..01b2d56ce 100644
"issuerURL": "http://ca.example.org:4502/int-rsa-a",
"ocspURL": "http://ca.example.org:4002/",
"crlURLBase": "http://ca.example.org:4501/lets-encrypt-crls/29947985078257530/",
@@ -141,28 +111,6 @@
@@ -142,28 +112,6 @@
"certFile": "test/certs/webpki/int-rsa-a.cert.pem",
"numSessions": 2
}


@@ -1,8 +1,8 @@
diff --git a/va/va.go b/va/va.go
index fcd35a5db..ad2b7c409 100644
index 270e9ca66..f8585c9fd 100644
--- a/va/va.go
+++ b/va/va.go
@@ -217,6 +217,7 @@ type ValidationAuthorityImpl struct {
@@ -218,6 +218,7 @@ type ValidationAuthorityImpl struct {
perspective string
rir string
isReservedIPFunc func(ip net.IP) bool
@@ -10,7 +10,7 @@ index fcd35a5db..ad2b7c409 100644
metrics *vaMetrics
}
@@ -237,6 +238,7 @@ func NewValidationAuthorityImpl(
@@ -238,6 +239,7 @@ func NewValidationAuthorityImpl(
perspective string,
rir string,
reservedIPChecker func(ip net.IP) bool,
@@ -18,7 +18,7 @@ index fcd35a5db..ad2b7c409 100644
) (*ValidationAuthorityImpl, error) {
if len(accountURIPrefixes) == 0 {
@@ -274,6 +276,7 @@ func NewValidationAuthorityImpl(
@@ -275,6 +277,7 @@ func NewValidationAuthorityImpl(
perspective: perspective,
rir: rir,
isReservedIPFunc: reservedIPChecker,


@@ -1,5 +1,5 @@
diff --git a/wfe2/wfe.go b/wfe2/wfe.go
index fe063e4fa..2f7aea67b 100644
index 0e14a778e..9dfe9789a 100644
--- a/wfe2/wfe.go
+++ b/wfe2/wfe.go
@@ -163,6 +163,8 @@ type WebFrontEndImpl struct {
@@ -65,12 +65,12 @@ index fe063e4fa..2f7aea67b 100644
if wfe.ee != nil && len(emails) > 0 {
_, err := wfe.ee.SendContacts(ctx, &emailpb.SendContactsRequest{
// Note: We are explicitly using the contacts provided by the
@@ -2285,7 +2293,7 @@ func (wfe *WebFrontEndImpl) NewOrder(
@@ -2298,7 +2306,7 @@ func (wfe *WebFrontEndImpl) NewOrder(
}
names = core.UniqueLowerNames(names)
- err = policy.WellFormedDomainNames(names)
+ err = wfe.pa.WellFormedDomainNames(names)
- err = policy.WellFormedIdentifiers(identifier.FromDNSNames(names))
+ err = wfe.pa.WellFormedIdentifiers(identifier.FromDNSNames(names))
if err != nil {
wfe.sendError(response, logEvent, web.ProblemDetailsForError(err, "Invalid identifiers requested"), nil)
return


@@ -9,7 +9,7 @@ export PS_MYSQL="mysqld"
export PS_CONTROL="tcpserver"
export PS_NGINX="nginx:"
export PS_CONSUL="consul"
export PS_PKILINT="pkilint"
export PS_PKIMETAL="pkimetal"
export PS_REDIS="redis-server"
LOOPCOUNT=120
@@ -34,8 +34,8 @@ count() {
$PS_CONSUL)
prefix="docker exec $(docker ps --format "{{.Names}}" | grep -- -bconsul-) "
;;
$PS_PKILINT)
prefix="docker exec $(docker ps --format "{{.Names}}" | grep -- -bpkilint-) "
$PS_PKIMETAL)
prefix="docker exec $(docker ps --format "{{.Names}}" | grep -- -bpkimetal-) "
;;
$PS_REDIS)
prefix=""
@@ -48,7 +48,7 @@ count() {
if [ "$pattern" == "$PS_CONSUL" ]; then
res=$(${prefix}ps -eo pid,args 2>/dev/null | grep "$pattern" | grep -v grep | wc -l)
fi
if [ "$pattern" == "$PS_PKILINT" ]; then
if [ "$pattern" == "$PS_PKIMETAL" ]; then
res=$(${prefix}ls -d /proc/[1-9]* 2>/dev/null | wc -l)
fi
echo $res
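Review bot: The pkimetal branch at `@@ -48` keeps the pkilint special case of counting `/proc` entries instead of grepping `ps` for `$pattern`, so "up" here means "some process exists in the container", not that pkimetal itself is running; that heuristic was presumably shaped by gunicorn's multi-worker pkilint, and pkimetal is a different process model, so the thresholds passed to `wait_up`/`wait_down` for `$PS_PKIMETAL` are worth re-checking. If the container's `ps` supports it, `res=$(${prefix}ps -eo pid,args 2>/dev/null | grep "$pattern" | grep -v grep | wc -l)` as in the consul branch would check the actual binary. `count()` starts and ends outside the hunks.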