diff --git a/build/build.sh b/build/build.sh
index 363b25f..936fbac 100755
--- a/build/build.sh
+++ b/build/build.sh
@@ -8,7 +8,7 @@ TMP_DIR=$(pwd)/tmp
 rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src}
 boulderDir=$TMP_DIR/src
-boulderTag="release-2025-03-10"
+boulderTag="release-2025-03-18"
 boulderUrl="https://github.com/letsencrypt/boulder/"
 cloneDir=$(pwd)/..
diff --git a/build/docker-compose.yml b/build/docker-compose.yml
index eeb84b4..f8da450 100644
--- a/build/docker-compose.yml
+++ b/build/docker-compose.yml
@@ -54,7 +54,7 @@ services:
 - bmysql
 - bredis
 - bconsul
- - bpkilint
+ - bpkimetal
 - control
 entrypoint: labca/entrypoint.sh
 working_dir: &boulder_working_dir /opt/boulder
@@ -181,12 +181,11 @@ services:
 command: ./control.sh
 restart: always
- bpkilint:
- image: ghcr.io/digicert/pkilint:v0.10.1
+ bpkimetal:
+ image: ghcr.io/pkimetal/pkimetal:v1.19.0
 networks:
 bouldernet:
 ipv4_address: 10.77.77.9
- command: "gunicorn -w 1 -k uvicorn.workers.UvicornWorker -b 0.0.0.0:80 pkilint.rest:app"
 restart: always
 volumes:
diff --git a/build/tmp.patch b/build/tmp.patch
index 67d61a0..bf753ea 100644
--- a/build/tmp.patch
+++ b/build/tmp.patch
@@ -1,5 +1,5 @@
 diff --git a/docker-compose.yml b/docker-compose.yml
-index 2f7f62688..30425c570 100644
+index 96edbf4ec..f8da4502c 100644
 --- a/docker-compose.yml
 +++ b/docker-compose.yml
 @@ -4,7 +4,7 @@ services:
@@ -131,7 +131,7 @@ index 2f7f62688..30425c570 100644
 expose:
 - 3030
 environment:
-@@ -191,6 +191,15 @@ services:
+@@ -190,6 +190,15 @@ services:
 volumes:
 dbdata:
diff --git a/commander b/commander
index 6f09402..33114e3 100755
--- a/commander
+++ b/commander
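Review bot: `image: ghcr.io/pkimetal/pkimetal:v1.19.0` in the new bpkimetal service pins the linting helper by a mutable tag only, while the `zlint.toml` and `ca.json` edits elsewhere in this commit indicate its findings feed Boulder's issuance-time lint checks; pinning by digest as well, `image: ghcr.io/pkimetal/pkimetal:v1.19.0@sha256:<digest of the verified v1.19.0 image — placeholder>`, keeps a re-pushed tag from silently changing what the CA lints. With the `command:` line dropped the container runs the image's default entrypoint, and the entrypoint patch in this commit now waits on port 8080, which is consistent with that; the hunk declares no healthcheck for the service, so readiness is inferred only from the process-count probe in utils.sh. The `services:` mapping continues outside the hunk.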
@@ -39,11 +39,11 @@ read txt
 case $txt in
 "docker-restart")
 cd /opt/boulder
- COMPOSE_HTTP_TIMEOUT=120 docker compose restart boulder bmysql bconsul bpkilint bredis gui nginx &>>$LOGFILE
+ COMPOSE_HTTP_TIMEOUT=120 docker compose restart boulder bmysql bconsul bpkimetal bredis gui nginx &>>$LOGFILE
 sleep 45
 wait_up $PS_MYSQL &>>$LOGFILE
 wait_up $PS_CONSUL 2 &>>$LOGFILE
- wait_up $PS_PKILINT &>>$LOGFILE
+ wait_up $PS_PKIMETAL &>>$LOGFILE
 wait_up $PS_LABCA &>>$LOGFILE
 wait_up $PS_BOULDER $PS_BOULDER_COUNT &>>$LOGFILE
 ;;
@@ -169,9 +169,9 @@ case $txt in
 labca=$(docker inspect $(docker ps --format "{{.Names}}" | grep -- labca-gui) | grep -i started | grep -v depends_on | sed -e "s/[^:]*:\(.*\)/\1/" | sed -e "s/.*\"\(.*\)\".*/\1/")
 mysql=$(docker inspect $(docker ps --format "{{.Names}}" | grep -- -bmysql-) | grep -i started | grep -v depends_on | sed -e "s/[^:]*:\(.*\)/\1/" | sed -e "s/.*\"\(.*\)\".*/\1/")
 consul=$(docker inspect $(docker ps --format "{{.Names}}" | grep -- -bconsul-) | grep -i started | grep -v depends_on | sed -e "s/[^:]*:\(.*\)/\1/" | sed -e "s/.*\"\(.*\)\".*/\1/")
- pkilint=$(docker inspect $(docker ps --format "{{.Names}}" | grep -- -bpkilint-) | grep -i started | grep -v depends_on | sed -e "s/[^:]*:\(.*\)/\1/" | sed -e "s/.*\"\(.*\)\".*/\1/")
+ pkimetal=$(docker inspect $(docker ps --format "{{.Names}}" | grep -- -bpkimetal-) | grep -i started | grep -v depends_on | sed -e "s/[^:]*:\(.*\)/\1/" | sed -e "s/.*\"\(.*\)\".*/\1/")
 redis=$(docker inspect $(docker ps --format "{{.Names}}" | grep -- -bredis-) | grep -i started | grep -v depends_on | sed -e "s/[^:]*:\(.*\)/\1/" | sed -e "s/.*\"\(.*\)\".*/\1/")
- echo "$nginx|$svc|$boulder|$labca|$mysql|$consul|$pkilint|$redis"
+ echo "$nginx|$svc|$boulder|$labca|$mysql|$consul|$pkimetal|$redis"
 exit 0
 ;;
 "log-uptime")
@@ -197,29 +197,29 @@ case $txt in
 ;;
 "boulder-start")
 cd /opt/boulder
- COMPOSE_HTTP_TIMEOUT=120 docker compose up -d bmysql bconsul bpkilint bredis
+ COMPOSE_HTTP_TIMEOUT=120 docker compose up -d bmysql bconsul bpkimetal bredis
 wait_up $PS_MYSQL &>>$LOGFILE
 wait_up $PS_CONSUL 2 &>>$LOGFILE
- wait_up $PS_PKILINT &>>$LOGFILE
+ wait_up $PS_PKIMETAL &>>$LOGFILE
 COMPOSE_HTTP_TIMEOUT=120 docker compose up -d boulder
 wait_up $PS_BOULDER $PS_BOULDER_COUNT &>>$LOGFILE
 ;;
 "boulder-stop")
 cd /opt/boulder
 docker compose stop boulder
- docker compose stop bmysql bconsul bpkilint bredis
+ docker compose stop bmysql bconsul bpkimetal bredis
 wait_down $PS_MYSQL &>>$LOGFILE
 wait_down $PS_CONSUL &>>$LOGFILE
- wait_down $PS_PKILINT &>>$LOGFILE
+ wait_down $PS_PKIMETAL &>>$LOGFILE
 wait_down $PS_BOULDER &>>$LOGFILE
 ;;
 "boulder-restart")
 cd /opt/boulder
- COMPOSE_HTTP_TIMEOUT=120 docker compose restart boulder bmysql bconsul bpkilint bredis &>>$LOGFILE
+ COMPOSE_HTTP_TIMEOUT=120 docker compose restart boulder bmysql bconsul bpkimetal bredis &>>$LOGFILE
 sleep 30
 wait_up $PS_MYSQL &>>$LOGFILE
 wait_up $PS_CONSUL 2 &>>$LOGFILE
- wait_up $PS_PKILINT &>>$LOGFILE
+ wait_up $PS_PKIMETAL &>>$LOGFILE
 wait_up $PS_BOULDER $PS_BOULDER_COUNT &>>$LOGFILE
 ;;
 "labca-restart")
@@ -240,10 +240,10 @@ case $txt in
 COMPOSE_HTTP_TIMEOUT=120 docker compose restart bconsul
 set -e
 ;;
-"pkilint-restart")
+"pkimetal-restart")
 cd /opt/boulder
 set +e
- COMPOSE_HTTP_TIMEOUT=120 docker compose restart bpkilint
+ COMPOSE_HTTP_TIMEOUT=120 docker compose restart bpkimetal
 set -e
 ;;
 "redis-restart")
diff --git a/gui/apply-boulder b/gui/apply-boulder
index 22986bb..7215bc1 100755
--- a/gui/apply-boulder
+++ b/gui/apply-boulder
@@ -79,9 +79,10 @@ if ([ "$PKI_DOMAIN_MODE" == "lockdown" ] && [ "$PKI_LOCKDOWN_DOMAINS" != "" ]) |
 perl -i -p0e "s/(\"badResultsOnly\":[^\n]*).*?(\s+)(\"checkPeriod\":)/\1\2\"skipForbiddenDomains\": true,\2\3/igs" config/cert-checker.json
 perl -i -p0e "s/(\"ignoredLints\": \[).*?(\s+)(\"w_subject_common_name_included\")/\1\2\"e_dnsname_not_valid_tld\",\2\"w_sub_cert_aia_contains_internal_names\",\2\3/igs" config/cert-checker.json
 perl -i -p0e "s/(\"ignoredLints\": \[).*?(\s+)(\"w_subject_common_name_included\")/\1\2\"e_dnsname_not_valid_tld\",\2\"w_sub_cert_aia_contains_internal_names\",\2\3/igs" config/ca.json
- perl -i -p0e "s/(\"modern\".*)(\"ignoredLints\": \[).*?(\s+)(\"w_ext_subject_key_identifier_missing_sub_cert\")/\1\2\3\"e_dnsname_not_valid_tld\",\3\"w_sub_cert_aia_contains_internal_names\",\3\4/igs" config/ca.json
+ perl -i -p0e "s/(\"modern\".*?)(\"ignoredLints\": \[).*?(\s+)(\"w_ext_subject_key_identifier_missing_sub_cert\")/\1\2\3\"e_dnsname_not_valid_tld\",\3\"w_sub_cert_aia_contains_internal_names\",\3\4/igs" config/ca.json
+ perl -i -p0e "s/(\"shortlived\".*?)(\"ignoredLints\": \[).*?(\s+)(\"w_ext_subject_key_identifier_missing_sub_cert\")/\1\2\3\"e_dnsname_not_valid_tld\",\3\"w_sub_cert_aia_contains_internal_names\",\3\4/igs" config/ca.json
- perl -i -p0e "s/(\"SubscriberKeyUsageValidator:cabf.serverauth.subscriber_rsa_digitalsignature_and_keyencipherment_present\",).*(\])/\1\n \"GeneralNameDnsNameInternalDomainNameValidator:cabf.internal_domain_name\",\n \"GeneralNameUriInternalDomainNameValidator:cabf.internal_domain_name\",\n\2/igs" config/zlint.toml
+ perl -i -p0e "s/(\"pkilint:cabf.serverauth.subscriber_rsa_digitalsignature_and_keyencipherment_present\",).*?(\])/\1\n \"pkilint:cabf.internal_domain_name\",\n \"zlint:e_dnsname_not_valid_tld\",\n \"zlint:w_sub_cert_aia_contains_internal_names\",\n \"certlint:\",\n\2/igs" config/zlint.toml
 fi
 [ -e ../test/hostname-policy.yaml ] && cp ../test/hostname-policy.yaml ./ || true
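Review bot: The rewritten `config/zlint.toml` ignore list now ends with `\"certlint:\",` — a linter prefix with nothing after the colon — next to the specific `pkilint:cabf.internal_domain_name`, `zlint:e_dnsname_not_valid_tld` and `zlint:w_sub_cert_aia_contains_internal_names` entries; if pkimetal matches ignore entries by prefix, this exempts every certlint finding from issuance in lockdown/whitelist mode, a far wider exemption than its neighbours. Either name the specific certlint finding(s) that internal names trigger, or leave a comment in the script recording why the whole linter is exempted, e.g. `# "certlint:" silences all certlint findings because <reason — placeholder>; narrow it once the specific finding ids are known`. Replacing `.*` with `.*?` in the `\"modern\"` substitution and adding the `\"shortlived\"` profile is right; the two perl lines differ only in the profile name and could be a `for profile in modern shortlived` loop. The enclosing `if` begins outside the hunk.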
@@ -191,9 +192,9 @@ if [ "$PKI_EXTENDED_TIMEOUT" == "1" ]; then
 sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/crl-storer.json
 sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/crl-updater.json
- sed -i -e "s/pkilint_timeout = .*/pkilint_timeout = 30000000000 # 30 seconds/" config/zlint.toml
+ sed -i -e "s/timeout = .*/timeout = 30000000000 # 30 seconds/" config/zlint.toml
 else
- sed -i -e "s/pkilint_timeout = .*/pkilint_timeout = 10000000000 # 10 seconds/" config/zlint.toml
+ sed -i -e "s/timeout = .*/timeout = 10000000000 # 10 seconds/" config/zlint.toml
 fi
 sed -i -e "s/\"timeout\": \"1s\"/\"timeout\": \"5s\"/" config/health-checker.json
diff --git a/gui/dashboard.go b/gui/dashboard.go
index fe12018..2458eb3 100644
--- a/gui/dashboard.go
+++ b/gui/dashboard.go
@@ -228,7 +228,7 @@ func _parseComponents(data string) []Component {
 if len(parts) < 7 {
 components = append(components, Component{Name: "Boulder (ACME)"})
 components = append(components, Component{Name: "consul (Boulder)"})
- components = append(components, Component{Name: "pkilint (Boulder)"})
+ components = append(components, Component{Name: "pkimetal (Boulder)"})
 components = append(components, Component{Name: "redis (Boulder)"})
 components = append(components, Component{Name: "LabCA Application"})
 components = append(components, Component{Name: "LabCA Controller"})
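Review bot: `sed -i -e "s/timeout = .*/timeout = 30000000000 # 30 seconds/" config/zlint.toml` drops the `pkilint_` prefix without adding any anchoring, so the expression now rewrites every line of `config/zlint.toml` that contains `timeout = ` — any other key that ends in `timeout`, and commented-out lines — to the same value; the `else` branch has the same problem at 10 seconds. Anchoring to the start of the line while preserving indentation limits the edit to the intended key: `s/^\([[:space:]]*\)timeout = .*/\1timeout = 30000000000 # 30 seconds/` and `s/^\([[:space:]]*\)timeout = .*/\1timeout = 10000000000 # 10 seconds/`. The if/else fits inside the hunk, but the script continues outside it.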
@@ -297,14 +297,14 @@ func _parseComponents(data string) []Component {
 consulClass = ""
 }
- pkilint, err := time.Parse(time.RFC3339Nano, parts[6])
- pkilintReal := ""
- pkilintNice := "stopped"
- pkilintClass := "error"
+ pkimetal, err := time.Parse(time.RFC3339Nano, parts[6])
+ pkimetalReal := ""
+ pkimetalNice := "stopped"
+ pkimetalClass := "error"
 if err == nil {
- pkilintReal = pkilint.Format("02-Jan-2006 15:04:05 MST")
- pkilintNice = humanize.RelTime(pkilint, time.Now(), "", "")
- pkilintClass = ""
+ pkimetalReal = pkimetal.Format("02-Jan-2006 15:04:05 MST")
+ pkimetalNice = humanize.RelTime(pkimetal, time.Now(), "", "")
+ pkimetalClass = ""
 }
 redis, err := time.Parse(time.RFC3339Nano, parts[7])
@@ -319,7 +319,7 @@ func _parseComponents(data string) []Component {
 components = append(components, Component{Name: "Boulder (ACME)", Timestamp: boulderReal, TimestampRel: boulderNice, Class: boulderClass})
 components = append(components, Component{Name: "consul (Boulder)", Timestamp: consulReal, TimestampRel: consulNice, Class: consulClass})
- components = append(components, Component{Name: "pkilint (Boulder)", Timestamp: pkilintReal, TimestampRel: pkilintNice, Class: pkilintClass})
+ components = append(components, Component{Name: "pkimetal (Boulder)", Timestamp: pkimetalReal, TimestampRel: pkimetalNice, Class: pkimetalClass})
 components = append(components, Component{Name: "redis (Boulder)", Timestamp: redisReal, TimestampRel: redisNice, Class: redisClass})
 components = append(components, Component{Name: "LabCA Application", Timestamp: labcaReal, TimestampRel: labcaNice, Class: labcaClass})
 components = append(components, Component{Name: "LabCA Controller", Timestamp: svcReal, TimestampRel: svcNice, Class: svcClass})
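Review bot: `redis, err := time.Parse(time.RFC3339Nano, parts[7])` reads an eighth field, but the guard at the top of `_parseComponents` (hunk at line 228) only bails out on `len(parts) < 7`, so a seven-field status line reaches this line and panics with an index out of range unless a check between the two hunks, which I cannot see, covers it. The commander in this commit emits `"$nginx|$svc|$boulder|$labca|$mysql|$consul|$pkimetal|$redis"`, eight fields, so the guard should read `if len(parts) < 8 {`. The function starts and ends outside both hunks.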
@@ -530,8 +530,8 @@ func parseDockerStats(data string) []AjaxStat {
 if strings.Contains(docker.Name, "-bconsul-") {
 stat.Name = "consul (Boulder)"
 }
- if strings.Contains(docker.Name, "-bpkilint-") {
- stat.Name = "pkilint (Boulder)"
+ if strings.Contains(docker.Name, "-bpkimetal-") {
+ stat.Name = "pkimetal (Boulder)"
 }
 if strings.Contains(docker.Name, "-bredis-") {
 stat.Name = "redis (Boulder)"
diff --git a/gui/main.go b/gui/main.go
index 706d863..c3cf157 100644
--- a/gui/main.go
+++ b/gui/main.go
@@ -1124,7 +1124,7 @@ func (res *Result) ManageComponents(w http.ResponseWriter, r *http.Request, acti
 (components[i].Name == "Boulder (ACME)" && (action == "boulder-start" || action == "boulder-stop" || action == "boulder-restart")) ||
 (components[i].Name == "LabCA Application" && action == "labca-restart") ||
 (components[i].Name == "consul (Boulder)" && action == "consul-restart") ||
- (components[i].Name == "pkilint (Boulder)" && action == "pkilint-restart") ||
+ (components[i].Name == "pkimetal (Boulder)" && action == "pkimetal-restart") ||
 (components[i].Name == "redis (Boulder)" && action == "redis-restart") ||
 (components[i].Name == "MySQL Database" && action == "mysql-restart") {
 res.Timestamp = components[i].Timestamp
@@ -1353,7 +1353,7 @@ func _managePost(w http.ResponseWriter, r *http.Request) {
 "cert-export",
 "mysql-restart",
 "consul-restart",
- "pkilint-restart",
+ "pkimetal-restart",
 "redis-restart",
 "nginx-reload",
 "nginx-restart",
@@ -1548,14 +1548,14 @@ func _manageGet(w http.ResponseWriter, r *http.Request) {
 components[i].Buttons = append(components[i].Buttons, btn)
 }
- if components[i].Name == "pkilint (Boulder)" {
+ if components[i].Name == "pkimetal (Boulder)" {
 components[i].LogURL = ""
 components[i].LogTitle = ""
 btn := make(map[string]interface{})
 btn["Class"] = "btn-warning"
- btn["Id"] = "pkilint-restart"
- btn["Title"] = "Restart the internal pkilint helper"
+ btn["Id"] = "pkimetal-restart"
+ btn["Title"] = "Restart the internal pkimetal helper"
 btn["Label"] = "Restart"
 components[i].Buttons = append(components[i].Buttons, btn)
 }
diff --git a/install b/install
index a26da61..18c8f59 100755
--- a/install
+++ b/install
@@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0"
 labcaUrl="https://github.com/hakwerk/labca/"
 boulderUrl="https://github.com/letsencrypt/boulder/"
-boulderTag="release-2025-03-10"
+boulderTag="release-2025-03-18"
 #
 # Color configuration
@@ -744,10 +744,10 @@ startup() {
 # Cleanup any remaining containers with old names
 docker compose -p boulder stop &>>$installLog || true
 docker compose -p boulder rm -f &>>$installLog || true
- for ct in boulder_bhsm_1 boulder_bredis_1 boulder_bredis_2 boulder_bredis_3 boulder_bredis_4 boulder_bredis_5 boulder_bredis_6; do
+ for ct in boulder_bhsm_1 boulder_bredis_1 boulder_bredis_2 boulder_bredis_3 boulder_bredis_4 boulder_bredis_5 boulder_bredis_6 bpkilint; do
 [ -z "$(docker ps | grep $ct)" ] || docker stop $ct &>>$installLog
 done
- for ct in boulder_bhsm_1 boulder_bredis_1 boulder_bredis_2 boulder_bredis_3 boulder_bredis_4 boulder_bredis_5 boulder_bredis_6; do
+ for ct in boulder_bhsm_1 boulder_bredis_1 boulder_bredis_2 boulder_bredis_3 boulder_bredis_4 boulder_bredis_5 boulder_bredis_6 bpkilint; do
 [ -z "$(docker ps -a | grep -e "$ct\$")" ] || docker rm -f $ct &>>$installLog
 done
 docker network rm -f boulder_bluenet boulder_consulnet boulder_rednet &>>$installLog || true
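Review bot: `bpkilint`, appended to both cleanup lists in the `startup()` hunk, does not look like the stale container's real name: every other place in this tree matches it as `-bpkilint-` inside a compose-generated name, and this file execs `labca-bmysql-1`, so the old helper is presumably the compose project prefix plus `-bpkilint-1`. In the first loop `docker ps | grep bpkilint` still matches that container's line, but the `docker stop bpkilint` that follows names a container that does not exist and fails (whether that aborts `startup()` depends on the `set -e` state, which is not visible here); in the second loop `grep -e "bpkilint\$"` never matches a name ending in `-1`, so the container is never removed. Looking the name up the way utils.sh does, and dropping `bpkilint` from the two fixed lists, makes the cleanup actually happen. `startup()` continues outside the hunk.
```sh
# … unchanged: docker compose -p boulder stop / rm -f, and the two loops over the boulder_* names (without bpkilint) …
# The old pkilint helper is compose-named (project prefix + -bpkilint-1), so look it
# up rather than guessing a fixed name; rm -f also stops it if it is still running.
for ct in $(docker ps -a --format '{{.Names}}' | grep -- -bpkilint-); do
    docker rm -f "$ct" &>>$installLog || true
done
```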
@@ -762,7 +762,7 @@ startup() {
 wait_down $PS_NGINX &>>$installLog || true
 wait_down $PS_MYSQL &>>$installLog || true
 wait_down $PS_CONSUL &>>$installLog || true
- wait_down $PS_PKILINT &>>$installLog || true
+ wait_down $PS_PKIMETAL &>>$installLog || true
 wait_down $PS_LABCA &>>$installLog || true
 wait_down $PS_CONTROL &>>$installLog || true
 wait_down $PS_BOULDER &>>$installLog || true
@@ -797,7 +797,7 @@ startup() {
 wait_up $PS_NGINX &>>$installLog || true
 wait_up $PS_MYSQL &>>$installLog || true
 wait_up $PS_CONSUL 2 &>>$installLog || true
- wait_up $PS_PKILINT &>>$installLog || true
+ wait_up $PS_PKIMETAL &>>$installLog || true
 wait_up $PS_LABCA &>>$installLog || true
 wait_up $PS_CONTROL &>>$installLog || true
 docker exec -i labca-bmysql-1 mysql_upgrade &>>$installLog
diff --git a/patches/cert-checker_main.patch b/patches/cert-checker_main.patch
index 2dd2ca9..b05d2e4 100644
--- a/patches/cert-checker_main.patch
+++ b/patches/cert-checker_main.patch
@@ -1,33 +1,33 @@
 diff --git a/cmd/cert-checker/main.go b/cmd/cert-checker/main.go
-index 883378779..679a794ed 100644
+index 615abe3c1..621c597c2 100644
 --- a/cmd/cert-checker/main.go
+++ b/cmd/cert-checker/main.go -@@ -106,6 +106,7 @@ type certChecker struct { - checkPeriod time.Duration +@@ -108,6 +108,7 @@ type certChecker struct { acceptableValidityDurations map[time.Duration]bool + lints lint.Registry logger blog.Logger + skipForbiddenDomains bool } func newChecker(saDbMap certDB, -@@ -115,6 +116,7 @@ func newChecker(saDbMap certDB, - period time.Duration, +@@ -118,6 +119,7 @@ func newChecker(saDbMap certDB, avd map[time.Duration]bool, + lints lint.Registry, logger blog.Logger, + sfd bool, ) certChecker { precertGetter := func(ctx context.Context, serial string) ([]byte, error) { precertPb, err := sa.SelectPrecertificate(ctx, saDbMap, serial) -@@ -135,6 +137,7 @@ func newChecker(saDbMap certDB, - checkPeriod: period, +@@ -139,6 +141,7 @@ func newChecker(saDbMap certDB, acceptableValidityDurations: avd, + lints: lints, logger: logger, + skipForbiddenDomains: sfd, } } -@@ -409,7 +412,7 @@ func (c *certChecker) checkCert(ctx context.Context, cert core.Certificate, igno - err = c.pa.WillingToIssue([]string{name}) +@@ -415,7 +418,7 @@ func (c *certChecker) checkCert(ctx context.Context, cert core.Certificate) ([]s + err = c.pa.WillingToIssue([]identifier.ACMEIdentifier{identifier.NewDNS(name)}) if err != nil { problems = append(problems, fmt.Sprintf("Policy Authority isn't willing to issue for '%s': %s", name, err)) - } else { @@ -35,7 +35,7 @@ index 883378779..679a794ed 100644 // For defense-in-depth, even if the PA was willing to issue for a name // we double check it against a list of forbidden domains. This way even // if the hostnamePolicyFile malfunctions we will flag the forbidden -@@ -489,9 +492,10 @@ type Config struct { +@@ -495,9 +498,10 @@ type Config struct { Workers int `validate:"required,min=1"` // Deprecated: this is ignored, and cert checker always checks both expired and unexpired. 
@@ -49,7 +49,7 @@ index 883378779..679a794ed 100644 // AcceptableValidityDurations is a list of durations which are // acceptable for certificates we issue. -@@ -546,6 +550,8 @@ func main() { +@@ -555,6 +559,8 @@ func main() { acceptableValidityDurations[ninetyDays] = true } @@ -58,9 +58,9 @@ index 883378779..679a794ed 100644 // Validate PA config and set defaults if needed. cmd.FailOnError(config.PA.CheckChallenges(), "Invalid PA configuration") -@@ -580,6 +586,7 @@ func main() { - config.CertChecker.CheckPeriod.Duration, +@@ -598,6 +604,7 @@ func main() { acceptableValidityDurations, + lints, logger, + skipForbiddenDomains, ) diff --git a/patches/docker-compose.patch b/patches/docker-compose.patch index 97226a5..4067cda 100644 --- a/patches/docker-compose.patch +++ b/patches/docker-compose.patch @@ -1,5 +1,5 @@ diff --git a/docker-compose.yml b/docker-compose.yml -index 2dfa6c278..2f7f62688 100644 +index b66a13d04..96edbf4ec 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,3 +1,4 @@ @@ -38,7 +38,7 @@ index 2dfa6c278..2f7f62688 100644 + - bredis - bconsul - - bjaeger - - bpkilint + - bpkimetal - entrypoint: test/entrypoint.sh - working_dir: &boulder_working_dir /boulder - @@ -72,7 +72,7 @@ index 2dfa6c278..2f7f62688 100644 networks: bouldernet: aliases: -@@ -90,82 +83,114 @@ services: +@@ -90,81 +83,113 @@ services: # small. command: mysqld --bind-address=0.0.0.0 --slow-query-log --log-output=TABLE --log-queries-not-using-indexes=ON logging: @@ -226,13 +226,11 @@ index 2dfa6c278..2f7f62688 100644 + command: ./control.sh + restart: always - bpkilint: - image: ghcr.io/digicert/pkilint:v0.10.1 + bpkimetal: + image: ghcr.io/pkimetal/pkimetal:v1.19.0 networks: bouldernet: ipv4_address: 10.77.77.9 -- command: "gunicorn -w 8 -k uvicorn.workers.UvicornWorker -b 0.0.0.0:80 pkilint.rest:app" -+ command: "gunicorn -w 1 -k uvicorn.workers.UvicornWorker -b 0.0.0.0:80 pkilint.rest:app" + restart: always + +volumes: 
diff --git a/patches/entrypoint.patch b/patches/entrypoint.patch index 6ca33cd..e0fd62d 100644 --- a/patches/entrypoint.patch +++ b/patches/entrypoint.patch @@ -1,5 +1,5 @@ diff --git a/test/entrypoint.sh b/test/entrypoint.sh -index a47fd2c9a..626d57155 100755 +index 343979a0c..3733ba952 100755 --- a/test/entrypoint.sh +++ b/test/entrypoint.sh @@ -13,15 +13,15 @@ service rsyslog start @@ -10,7 +10,7 @@ index a47fd2c9a..626d57155 100755 -./test/wait-for-it.sh bproxysql 6032 - # make sure we can reach pkilint - ./test/wait-for-it.sh bpkilint 80 + ./test/wait-for-it.sh bpkimetal 8080 # create the database MYSQL_CONTAINER=1 $DIR/create_db.sh diff --git a/patches/issuance_crl.patch b/patches/issuance_crl.patch index f5fee98..04b2824 100644 --- a/patches/issuance_crl.patch +++ b/patches/issuance_crl.patch @@ -1,5 +1,5 @@ diff --git a/issuance/crl.go b/issuance/crl.go -index 9e2de44a6..5447faf7e 100644 +index f33af1883..b78acf9be 100644 --- a/issuance/crl.go +++ b/issuance/crl.go @@ -5,6 +5,7 @@ import ( @@ -10,7 +10,7 @@ index 9e2de44a6..5447faf7e 100644 "time" "github.com/zmap/zlint/v3/lint" -@@ -61,7 +62,11 @@ type CRLRequest struct { +@@ -75,7 +76,11 @@ type CRLRequest struct { // crlURL combines the CRL URL base with a shard, and adds a suffix. func (i *Issuer) crlURL(shard int) string { diff --git a/patches/linter_linter.patch b/patches/linter_linter.patch index a5278a4..43a06ca 100644 --- a/patches/linter_linter.patch +++ b/patches/linter_linter.patch @@ -1,8 +1,8 @@ diff --git a/linter/linter.go b/linter/linter.go -index 249e5ab91..59cc14b57 100644 +index 522dd5ee5..a58708f7b 100644 --- a/linter/linter.go +++ b/linter/linter.go -@@ -201,10 +201,21 @@ func makeIssuer(realIssuer *x509.Certificate, lintSigner crypto.Signer) (*x509.C +@@ -200,10 +200,21 @@ func makeIssuer(realIssuer *x509.Certificate, lintSigner crypto.Signer) (*x509.C SubjectKeyId: realIssuer.SubjectKeyId, URIs: realIssuer.URIs, UnknownExtKeyUsage: realIssuer.UnknownExtKeyUsage, 
diff --git a/patches/policy_pa.patch b/patches/policy_pa.patch index 1f1b48b..f45ad40 100644 --- a/patches/policy_pa.patch +++ b/patches/policy_pa.patch @@ -1,5 +1,5 @@ diff --git a/policy/pa.go b/policy/pa.go -index fac69d3b9..217c465fe 100644 +index bbe928cd0..0c21848b7 100644 --- a/policy/pa.go +++ b/policy/pa.go @@ -31,6 +31,9 @@ type AuthorityImpl struct { @@ -45,7 +45,7 @@ index fac69d3b9..217c465fe 100644 pa.blocklistMu.Unlock() return nil } -@@ -195,7 +213,7 @@ var ( +@@ -196,7 +214,7 @@ var ( // - exactly equal to an IANA registered TLD // // It does NOT ensure that the domain is absent from any PA blocked lists. @@ -54,7 +54,7 @@ index fac69d3b9..217c465fe 100644 if domain == "" { return errEmptyName } -@@ -227,7 +245,9 @@ func validNonWildcardDomain(domain string) error { +@@ -228,7 +246,9 @@ func validNonWildcardDomain(domain string) error { return errTooManyLabels } if len(labels) < 2 { @@ -65,7 +65,7 @@ index fac69d3b9..217c465fe 100644 } for _, label := range labels { // Check that this is a valid LDH Label: "A string consisting of ASCII -@@ -271,6 +291,14 @@ func validNonWildcardDomain(domain string) error { +@@ -272,6 +292,14 @@ func validNonWildcardDomain(domain string) error { } } @@ -80,7 +80,7 @@ index fac69d3b9..217c465fe 100644 // Names must end in an ICANN TLD, but they must not be equal to an ICANN TLD. icannTLD, err := iana.ExtractSuffix(domain) if err != nil { -@@ -286,9 +314,9 @@ func validNonWildcardDomain(domain string) error { +@@ -287,9 +315,9 @@ func validNonWildcardDomain(domain string) error { // ValidDomain checks that a domain is valid and that it doesn't contain any // invalid wildcard characters. It does NOT ensure that the domain is absent // from any PA blocked lists. 
@@ -92,7 +92,7 @@ index fac69d3b9..217c465fe 100644 } // Names containing more than one wildcard are invalid. -@@ -307,7 +335,7 @@ func ValidDomain(domain string) error { +@@ -308,7 +336,7 @@ func ValidDomain(domain string) error { // Names must end in an ICANN TLD, but they must not be equal to an ICANN TLD. icannTLD, err := iana.ExtractSuffix(baseDomain) @@ -101,7 +101,7 @@ index fac69d3b9..217c465fe 100644 return errNonPublic } // Names must have a non-wildcard label immediately adjacent to the ICANN -@@ -315,7 +343,7 @@ func ValidDomain(domain string) error { +@@ -316,7 +344,7 @@ func ValidDomain(domain string) error { if baseDomain == icannTLD { return errICANNTLDWildcard } @@ -110,7 +110,7 @@ index fac69d3b9..217c465fe 100644 } // forbiddenMailDomains is a map of domain names we do not allow after the -@@ -333,14 +361,14 @@ var forbiddenMailDomains = map[string]bool{ +@@ -334,14 +362,14 @@ var forbiddenMailDomains = map[string]bool{ // ValidEmail returns an error if the input doesn't parse as an email address, // the domain isn't a valid hostname in Preferred Name Syntax, or its on the // list of domains forbidden for mail (because they are often used in examples). 
@@ -127,40 +127,43 @@ index fac69d3b9..217c465fe 100644 if err != nil { return berrors.InvalidEmailError("contact email has invalid domain: %s", err) } -@@ -382,7 +410,7 @@ func subError(name string, err error) berrors.SubBoulderError { +@@ -383,7 +411,7 @@ func subError(ident identifier.ACMEIdentifier, err error) berrors.SubBoulderErro // - // Precondition: all input domain names must be in lowercase. - func (pa *AuthorityImpl) WillingToIssue(domains []string) error { -- err := WellFormedDomainNames(domains) -+ err := pa.WellFormedDomainNames(domains) + // Precondition: all input identifier values must be in lowercase. + func (pa *AuthorityImpl) WillingToIssue(idents []identifier.ACMEIdentifier) error { +- err := WellFormedIdentifiers(idents) ++ err := pa.WellFormedIdentifiers(idents) if err != nil { return err } -@@ -401,6 +429,10 @@ func (pa *AuthorityImpl) WillingToIssue(domains []string) error { +@@ -407,6 +435,10 @@ func (pa *AuthorityImpl) WillingToIssue(idents []identifier.ACMEIdentifier) erro } } -+ if ok, _ := pa.checkWhitelist(domain, false); ok { ++ if ok, _ := pa.checkWhitelist(ident.Value, false); ok { + return nil + } + // For both wildcard and non-wildcard domains, check whether any parent domain // name is on the regular blocklist. - err := pa.checkHostLists(domain) -@@ -434,10 +466,10 @@ func (pa *AuthorityImpl) WillingToIssue(domains []string) error { + err := pa.checkHostLists(ident.Value) +@@ -441,13 +473,13 @@ func (pa *AuthorityImpl) WillingToIssue(idents []identifier.ACMEIdentifier) erro // // If multiple domains are invalid, the error will contain suberrors specific to // each domain. 
--func WellFormedDomainNames(domains []string) error { -+func (pa *AuthorityImpl) WellFormedDomainNames(domains []string) error { +-func WellFormedIdentifiers(idents []identifier.ACMEIdentifier) error { ++func (pa *AuthorityImpl) WellFormedIdentifiers(idents []identifier.ACMEIdentifier) error { var subErrors []berrors.SubBoulderError - for _, domain := range domains { -- err := ValidDomain(domain) -+ err := pa.ValidDomain(domain) - if err != nil { - subErrors = append(subErrors, subError(domain, err)) - } -@@ -471,6 +503,34 @@ func combineSubErrors(subErrors []berrors.SubBoulderError) error { + for _, ident := range idents { + // TODO(#7311): When this gets a third case for TypeIP, this will be + // more elegant as a switch/case. + if ident.Type == identifier.TypeDNS { +- err := ValidDomain(ident.Value) ++ err := pa.ValidDomain(ident.Value) + if err != nil { + subErrors = append(subErrors, subError(ident, err)) + } +@@ -484,6 +516,34 @@ func combineSubErrors(subErrors []berrors.SubBoulderError) error { return nil } @@ -195,7 +198,7 @@ index fac69d3b9..217c465fe 100644 // checkWildcardHostList checks the wildcardExactBlocklist for a given domain. // If the domain is not present on the list nil is returned, otherwise // errPolicyForbidden is returned. -@@ -500,6 +560,9 @@ func (pa *AuthorityImpl) checkHostLists(domain string) error { +@@ -513,6 +573,9 @@ func (pa *AuthorityImpl) checkHostLists(domain string) error { labels := strings.Split(domain, ".") for i := range labels { joined := strings.Join(labels[i:], ".") diff --git a/patches/ratelimits_names.patch b/patches/ratelimits_names.patch index 69821fd..f35af13 100644 --- a/patches/ratelimits_names.patch +++ b/patches/ratelimits_names.patch @@ -1,8 +1,8 @@ diff --git a/ratelimits/names.go b/ratelimits/names.go -index 99221ae0c..9abc0d512 100644 +index 8e8ed80c4..6e3e77639 100644 --- a/ratelimits/names.go 
+++ b/ratelimits/names.go -@@ -101,6 +101,9 @@ var nameToString = map[Name]string{ +@@ -102,6 +102,9 @@ var nameToString = map[Name]string{ FailedAuthorizationsForPausingPerDomainPerAccount: "FailedAuthorizationsForPausingPerDomainPerAccount", } @@ -12,7 +12,7 @@ index 99221ae0c..9abc0d512 100644 // isValid returns true if the Name is a valid rate limit name. func (n Name) isValid() bool { return n > Unknown && n < Name(len(nameToString)) -@@ -162,7 +165,15 @@ func validateRegId(id string) error { +@@ -163,7 +166,15 @@ func validateRegId(id string) error { // validateDomain validates that the provided string is formatted 'domain', // where domain is a domain name. func validateDomain(id string) error { @@ -29,7 +29,7 @@ index 99221ae0c..9abc0d512 100644 if err != nil { return fmt.Errorf("invalid domain, %q must be formatted 'domain': %w", id, err) } -@@ -183,7 +194,14 @@ func validateRegIdDomain(id string) error { +@@ -184,7 +195,14 @@ func validateRegIdDomain(id string) error { return fmt.Errorf( "invalid regId, %q must be formatted 'regId:domain'", id) } @@ -45,11 +45,11 @@ index 99221ae0c..9abc0d512 100644 if err != nil { return fmt.Errorf( "invalid domain, %q must be formatted 'regId:domain': %w", id, err) -@@ -199,7 +217,15 @@ func validateFQDNSet(id string) error { +@@ -200,7 +218,15 @@ func validateFQDNSet(id string) error { return fmt.Errorf( "invalid fqdnSet, %q must be formatted 'fqdnSet'", id) } -- return policy.WellFormedDomainNames(domains) +- return policy.WellFormedIdentifiers(identifier.FromDNSNames(domains)) + pa := PA + var err error + if pa == nil { @@ -58,7 +58,7 @@ index 99221ae0c..9abc0d512 100644 + return fmt.Errorf("cannot create policy authority implementation") + } + } -+ return pa.WellFormedDomainNames(domains) ++ return pa.WellFormedIdentifiers(identifier.FromDNSNames(domains)) } func validateIdForName(name Name, id string) error { diff --git a/patches/test_config_ca.patch b/patches/test_config_ca.patch index 8a90b49..1398ecf 100644 
--- a/patches/test_config_ca.patch +++ b/patches/test_config_ca.patch @@ -1,5 +1,5 @@ diff --git a/test/config/ca.json b/test/config/ca.json -index 675304d97..01b2d56ce 100644 +index a64ec7ac2..09ffa1efe 100644 --- a/test/config/ca.json +++ b/test/config/ca.json @@ -60,7 +60,8 @@ @@ -22,7 +22,7 @@ index 675304d97..01b2d56ce 100644 "ignoredLints": [ "w_ext_subject_key_identifier_missing_sub_cert" ] -@@ -100,39 +102,7 @@ +@@ -101,39 +103,7 @@ "issuers": [ { "active": true, @@ -63,7 +63,7 @@ index 675304d97..01b2d56ce 100644 "issuerURL": "http://ca.example.org:4502/int-rsa-a", "ocspURL": "http://ca.example.org:4002/", "crlURLBase": "http://ca.example.org:4501/lets-encrypt-crls/29947985078257530/", -@@ -141,28 +111,6 @@ +@@ -142,28 +112,6 @@ "certFile": "test/certs/webpki/int-rsa-a.cert.pem", "numSessions": 2 } diff --git a/patches/va_va.patch b/patches/va_va.patch index c0aeea7..df3ebaa 100644 --- a/patches/va_va.patch +++ b/patches/va_va.patch @@ -1,8 +1,8 @@ diff --git a/va/va.go b/va/va.go -index fcd35a5db..ad2b7c409 100644 +index 270e9ca66..f8585c9fd 100644 --- a/va/va.go +++ b/va/va.go -@@ -217,6 +217,7 @@ type ValidationAuthorityImpl struct { +@@ -218,6 +218,7 @@ type ValidationAuthorityImpl struct { perspective string rir string isReservedIPFunc func(ip net.IP) bool @@ -10,7 +10,7 @@ index fcd35a5db..ad2b7c409 100644 metrics *vaMetrics } -@@ -237,6 +238,7 @@ func NewValidationAuthorityImpl( +@@ -238,6 +239,7 @@ func NewValidationAuthorityImpl( perspective string, rir string, reservedIPChecker func(ip net.IP) bool, @@ -18,7 +18,7 @@ index fcd35a5db..ad2b7c409 100644 ) (*ValidationAuthorityImpl, error) { if len(accountURIPrefixes) == 0 { -@@ -274,6 +276,7 @@ func NewValidationAuthorityImpl( +@@ -275,6 +277,7 @@ func NewValidationAuthorityImpl( perspective: perspective, rir: rir, isReservedIPFunc: reservedIPChecker, diff --git a/patches/wfe2_wfe.patch b/patches/wfe2_wfe.patch index b2ad531..af93c40 100644 --- a/patches/wfe2_wfe.patch +++ b/patches/wfe2_wfe.patch 
@@ -1,5 +1,5 @@
 diff --git a/wfe2/wfe.go b/wfe2/wfe.go
-index fe063e4fa..2f7aea67b 100644
+index 0e14a778e..9dfe9789a 100644
 --- a/wfe2/wfe.go
 +++ b/wfe2/wfe.go
 @@ -163,6 +163,8 @@ type WebFrontEndImpl struct {
@@ -65,12 +65,12 @@ index fe063e4fa..2f7aea67b 100644
 if wfe.ee != nil && len(emails) > 0 {
 _, err := wfe.ee.SendContacts(ctx, &emailpb.SendContactsRequest{
 // Note: We are explicitly using the contacts provided by the
-@@ -2285,7 +2293,7 @@ func (wfe *WebFrontEndImpl) NewOrder(
+@@ -2298,7 +2306,7 @@ func (wfe *WebFrontEndImpl) NewOrder(
 }
 names = core.UniqueLowerNames(names)
-- err = policy.WellFormedIdentifiers(identifier.FromDNSNames(names))
-+ err = wfe.pa.WellFormedIdentifiers(identifier.FromDNSNames(names))
 if err != nil {
 wfe.sendError(response, logEvent, web.ProblemDetailsForError(err, "Invalid identifiers requested"), nil)
 return
diff --git a/utils.sh b/utils.sh
index a99b77b..65870a9 100644
--- a/utils.sh
+++ b/utils.sh
@@ -9,7 +9,7 @@ export PS_MYSQL="mysqld"
 export PS_CONTROL="tcpserver"
 export PS_NGINX="nginx:"
 export PS_CONSUL="consul"
-export PS_PKILINT="pkilint"
+export PS_PKIMETAL="pkimetal"
 export PS_REDIS="redis-server"
 LOOPCOUNT=120
@@ -34,8 +34,8 @@ count() {
 $PS_CONSUL)
 prefix="docker exec $(docker ps --format "{{.Names}}" | grep -- -bconsul-) "
 ;;
- $PS_PKILINT)
- prefix="docker exec $(docker ps --format "{{.Names}}" | grep -- -bpkilint-) "
+ $PS_PKIMETAL)
+ prefix="docker exec $(docker ps --format "{{.Names}}" | grep -- -bpkimetal-) "
 ;;
 $PS_REDIS)
 prefix=""
@@ -48,7 +48,7 @@ count() {
 if [ "$pattern" == "$PS_CONSUL" ]; then
 res=$(${prefix}ps -eo pid,args 2>/dev/null | grep "$pattern" | grep -v grep | wc -l)
 fi
- if [ "$pattern" == "$PS_PKILINT" ]; then
+ if [ "$pattern" == "$PS_PKIMETAL" ]; then
 res=$(${prefix}ls -d /proc/[1-9]* 2>/dev/null | wc -l)
 fi
 echo $res
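Review bot: The new `$PS_PKIMETAL` branch in `count()` routes into the `/proc` probe, `res=$(${prefix}ls -d /proc/[1-9]* 2>/dev/null | wc -l)`, whose glob is unquoted inside the host-side command substitution: the host shell expands `/proc/[1-9]*` to host PIDs before `docker exec` runs, and `ls` inside the container then lists only those host PIDs that happen to exist in the container's PID namespace (typically just `/proc/1`), so the number is coincidental rather than a process count. Letting a shell inside the container expand it, `res=$(${prefix}sh -c 'ls -d /proc/[1-9]*' 2>/dev/null | wc -l)`, fixes the expansion, but the probe still assumes the third-party image ships `ls` (or `sh`); if `ghcr.io/pkimetal/pkimetal` is a minimal image without them the exec fails, `count` reports 0 forever, and `wait_up $PS_PKIMETAL` in commander and install never succeeds — please verify against the image. A probe that does not depend on tools inside the container, `res=$(docker inspect -f '{{.State.Running}}' "$(docker ps --format '{{.Names}}' | grep -- -bpkimetal-)" 2>/dev/null | grep -c true)`, would be more robust for both helpers. `count()` begins outside the hunk.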