github-personal/labca
1
0
Fork 0
mirror of https://github.com/outbackdingo/labca.git synced 2026-01-27 10:19:34 +00:00
Code Issues Packages Projects Releases Wiki Activity

Bump boulder version to release-2023-11-20

Browse Source
This commit is contained in:
Arjan H
2023-11-23 20:20:59 +01:00
parent c32f653adb
commit 8ba3b97bbb
12 changed files with 64 additions and 72 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.github/workflows/release.yml vendored
View File

@@ -13,7 +13,7 @@ jobs:
fail-fast: false
matrix:
GO_VERSION:
- 1.21.3
- 1.21.4
steps:
- name: Checkout

2
build/Dockerfile-boulder
View File

@@ -1,4 +1,4 @@
FROM letsencrypt/boulder-tools:go1.21.3_2023-10-12 AS boulder-tools
FROM letsencrypt/boulder-tools:go1.21.4_2023-11-09 AS boulder-tools
FROM ubuntu:focal

2
build/build.sh
View File

@@ -8,7 +8,7 @@ TMP_DIR=$(pwd)/tmp
rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src}
boulderDir=$TMP_DIR/src
boulderTag="release-2023-10-30"
boulderTag="release-2023-11-20"
boulderUrl="https://github.com/letsencrypt/boulder/"
cloneDir=$(pwd)/..

16
build/tmp.patch
View File

@@ -1,17 +1,17 @@
diff --git a/docker-compose.yml b/docker-compose.yml
index 06ee3b61f..7d9fb59c6 100644
index 74f1cf0f8..da119321b 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -3,7 +3,7 @@ name: labca
services:
boulder:
# Should match one of the GO_DEV_VERSIONS in test/boulder-tools/tag_and_upload.sh.
- image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.21.3_2023-10-12}
- image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.21.4_2023-11-09}
+ image: ghcr.io/hakwerk/labca-boulder:${LABCA_IMAGE_VERSION:-latest}
environment:
# To solve HTTP-01 and TLS-ALPN-01 challenges, change the IP in FAKE_DNS
# to the IP address where your ACME client's solver is listening.
@@ -14,12 +14,9 @@ services:
@@ -15,12 +15,9 @@ services:
# Forward the parent env's GOEXPERIMENT value into the container.
GOEXPERIMENT: ${GOEXPERIMENT:-}
volumes:
@@ -27,7 +27,7 @@ index 06ee3b61f..7d9fb59c6 100644
networks:
bluenet:
ipv4_address: 10.77.77.77
@@ -43,6 +40,7 @@ services:
@@ -44,6 +41,7 @@ services:
depends_on:
- bmysql
- bconsul
@@ -35,7 +35,7 @@ index 06ee3b61f..7d9fb59c6 100644
entrypoint: labca/entrypoint.sh
working_dir: &boulder_working_dir /opt/boulder
logging:
@@ -77,8 +75,10 @@ services:
@@ -78,8 +76,10 @@ services:
bconsul:
image: hashicorp/consul:1.15.4
@@ -47,7 +47,7 @@ index 06ee3b61f..7d9fb59c6 100644
networks:
consulnet:
ipv4_address: 10.55.55.10
@@ -86,27 +86,28 @@ services:
@@ -87,27 +87,28 @@ services:
ipv4_address: 10.77.77.10
rednet:
ipv4_address: 10.88.88.10
@@ -86,7 +86,7 @@ index 06ee3b61f..7d9fb59c6 100644
logging:
driver: "json-file"
options:
@@ -123,27 +124,26 @@ services:
@@ -124,27 +125,26 @@ services:
- 80:80
- 443:443
volumes:
@@ -128,7 +128,7 @@ index 06ee3b61f..7d9fb59c6 100644
expose:
- 3030
environment:
@@ -154,6 +154,14 @@ services:
@@ -155,6 +155,14 @@ services:
volumes:
dbdata:

2
install
View File

@@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0"
labcaUrl="https://github.com/hakwerk/labca/"
boulderUrl="https://github.com/letsencrypt/boulder/"
boulderTag="release-2023-10-30"
boulderTag="release-2023-11-20"
# Feature flags
flag_skip_redis=true

10
patches/cert-checker_main.patch
View File

@@ -1,5 +1,5 @@
diff --git a/cmd/cert-checker/main.go b/cmd/cert-checker/main.go
index d6403a04..ee3dcf38 100644
index 03f66481f..17f0839a4 100644
--- a/cmd/cert-checker/main.go
+++ b/cmd/cert-checker/main.go
@@ -108,6 +108,7 @@ type certChecker struct {
@@ -26,7 +26,7 @@ index d6403a04..ee3dcf38 100644
}
}
@@ -403,7 +406,7 @@ func (c *certChecker) checkCert(ctx context.Context, cert core.Certificate, igno
@@ -412,7 +415,7 @@ func (c *certChecker) checkCert(ctx context.Context, cert core.Certificate, igno
err = c.pa.WillingToIssueWildcards([]identifier.ACMEIdentifier{id})
if err != nil {
problems = append(problems, fmt.Sprintf("Policy Authority isn't willing to issue for '%s': %s", name, err))
@@ -35,7 +35,7 @@ index d6403a04..ee3dcf38 100644
// For defense-in-depth, even if the PA was willing to issue for a name
// we double check it against a list of forbidden domains. This way even
// if the hostnamePolicyFile malfunctions we will flag the forbidden
@@ -483,9 +486,10 @@ type Config struct {
@@ -492,9 +495,10 @@ type Config struct {
Workers int `validate:"required,min=1"`
// Deprecated: this is ignored, and cert checker always checks both expired and unexpired.
@@ -49,7 +49,7 @@ index d6403a04..ee3dcf38 100644
// AcceptableValidityDurations is a list of durations which are
// acceptable for certificates we issue.
@@ -553,6 +557,8 @@ func main() {
@@ -562,6 +566,8 @@ func main() {
acceptableValidityDurations[ninetyDays] = true
}
@@ -58,7 +58,7 @@ index d6403a04..ee3dcf38 100644
// Validate PA config and set defaults if needed.
cmd.FailOnError(config.PA.CheckChallenges(), "Invalid PA configuration")
@@ -593,6 +599,7 @@ func main() {
@@ -602,6 +608,7 @@ func main() {
config.CertChecker.CheckPeriod.Duration,
acceptableValidityDurations,
logger,

10
patches/docker-compose-redis.patch
View File

@@ -1,8 +1,8 @@
diff --git a/docker-compose.yml b/docker-compose.yml
index 3c174f334..4020f447d 100644
index f6473c8ef..6ff3f70c6 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -22,8 +22,6 @@ services:
@@ -23,8 +23,6 @@ services:
ipv4_address: 10.77.77.77
rednet:
ipv4_address: 10.88.88.88
@@ -11,7 +11,7 @@ index 3c174f334..4020f447d 100644
consulnet:
ipv4_address: 10.55.55.55
# Use consul as a backup to Docker's embedded DNS server. If there's a name
@@ -42,10 +40,6 @@ services:
@@ -43,10 +41,6 @@ services:
depends_on:
- bmysql
- bproxysql
@@ -22,7 +22,7 @@ index 3c174f334..4020f447d 100644
- bconsul
- bjaeger
entrypoint: test/entrypoint.sh
@@ -83,42 +77,6 @@ services:
@@ -84,42 +78,6 @@ services:
aliases:
- boulder-proxysql
@@ -65,7 +65,7 @@ index 3c174f334..4020f447d 100644
bconsul:
image: hashicorp/consul:1.15.4
volumes:
@@ -166,13 +124,6 @@ networks:
@@ -154,13 +112,6 @@ networks:
config:
- subnet: 10.88.88.0/24

46
patches/docker-compose.patch
View File

@@ -1,19 +1,23 @@
diff --git a/docker-compose.yml b/docker-compose.yml
index 4020f447d..8d9819d01 100644
index 6ff3f70c6..74f1cf0f8 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,4 +1,5 @@
@@ -1,20 +1,23 @@
version: '3'
+name: labca
services:
boulder:
# Should match one of the GO_DEV_VERSIONS in test/boulder-tools/tag_and_upload.sh.
@@ -8,12 +9,14 @@ services:
- image: letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.21.4_2023-11-09}
+ image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.21.4_2023-11-09}
environment:
# To solve HTTP-01 and TLS-ALPN-01 challenges, change the IP in FAKE_DNS
# to the IP address where your ACME client's solver is listening.
# FAKE_DNS: 172.17.0.1
FAKE_DNS: 10.77.77.77
- BOULDER_CONFIG_DIR: &boulder_config_dir test/config
+ BOULDER_CONFIG_DIR: &boulder_config_dir labca/config
- BOULDER_CONFIG_DIR: test/config
+ BOULDER_CONFIG_DIR: labca/config
GOCACHE: /boulder/.gocache/go-build
GOFLAGS: -mod=vendor
# Forward the parent env's GOEXPERIMENT value into the container.
- GOEXPERIMENT: ${GOEXPERIMENT}
@@ -26,7 +30,7 @@ index 4020f447d..8d9819d01 100644
- ./.gocache:/root/.cache/go-build:cached
- ./.hierarchy:/hierarchy/:cached
- ./.softhsm-tokens/:/var/lib/softhsm/tokens/:cached
@@ -33,20 +36,26 @@ services:
@@ -34,20 +37,26 @@ services:
# TODO: Remove this when ServerAddress is deprecated in favor of SRV records
# and DNSAuthority.
dns: 10.55.55.10
@@ -61,7 +65,7 @@ index 4020f447d..8d9819d01 100644
networks:
bluenet:
aliases:
@@ -60,22 +69,11 @@ services:
@@ -61,22 +70,11 @@ services:
# small.
command: mysqld --bind-address=0.0.0.0 --slow-query-log --log-output=TABLE --log-queries-not-using-indexes=ON
logging:
@@ -89,25 +93,21 @@ index 4020f447d..8d9819d01 100644
bconsul:
image: hashicorp/consul:1.15.4
@@ -89,25 +87,73 @@ services:
@@ -90,12 +88,73 @@ services:
rednet:
ipv4_address: 10.88.88.10
command: "consul agent -dev -config-format=hcl -config-file=/test/consul/config.hcl"
+ restart: always
- netaccess:
- bjaeger:
- image: jaegertracing/all-in-one:1.50
+ gui:
image: *boulder_image
- environment:
- GO111MODULE: "on"
- GOFLAGS: -mod=vendor
- BOULDER_CONFIG_DIR: *boulder_config_dir
+ image: *boulder_image
networks:
- bluenet
volumes:
- - .:/boulder
- working_dir: *boulder_working_dir
- entrypoint: test/entrypoint-netaccess.sh
- bluenet:
- ipv4_address: 10.77.77.17
+ - bluenet
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ - /home/labca/admin:/go/src/labca
+ - ./.gocache:/root/.cache/go-build
@@ -127,15 +127,11 @@ index 4020f447d..8d9819d01 100644
+ max-size: "500k"
+ max-file: "5"
+ restart: always
- bjaeger:
- image: jaegertracing/all-in-one:1.50
+
+ nginx:
+ image: nginx:1.25.3
+ restart: always
networks:
- bluenet:
- ipv4_address: 10.77.77.17
+ networks:
+ - bluenet
+ ports:
+ - 80:80

4
patches/ra_ra.patch
View File

@@ -1,5 +1,5 @@
diff --git a/ra/ra.go b/ra/ra.go
index 3dd269aad..22b43a30d 100644
index 611a32fd1..4e621ec5e 100644
--- a/ra/ra.go
+++ b/ra/ra.go
@@ -44,7 +44,6 @@ import (
@@ -10,7 +10,7 @@ index 3dd269aad..22b43a30d 100644
"github.com/letsencrypt/boulder/probs"
pubpb "github.com/letsencrypt/boulder/publisher/proto"
rapb "github.com/letsencrypt/boulder/ra/proto"
@@ -563,7 +562,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error {
@@ -562,7 +561,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error {
contact,
)
}

30
patches/ratelimits_names.patch
View File

@@ -1,31 +1,31 @@
diff --git a/ratelimits/names.go b/ratelimits/names.go
index b2663982..f1de06b0 100644
index b0d581e76..a4774ae10 100644
--- a/ratelimits/names.go
+++ b/ratelimits/names.go
@@ -127,7 +127,11 @@ func validateRegIdDomain(id string) error {
return fmt.Errorf(
"invalid regId, %q must be formatted 'regId:domain'", id)
}
- if policy.ValidDomain(parts[1]) != nil {
@@ -135,7 +135,11 @@ func validateRegId(id string) error {
// validateDomain validates that the provided string is formatted 'domain',
// where domain is a domain name.
func validateDomain(id string) error {
- err := policy.ValidDomain(id)
+ pa, err := policy.New(nil, nil)
+ if err != nil {
+ return fmt.Errorf("cannot create policy authority implementation")
+ }
+ if pa.ValidDomain(parts[1]) != nil {
return fmt.Errorf(
"invalid domain, %q must be formatted 'regId:domain'", id)
+ err = pa.ValidDomain(id)
if err != nil {
return fmt.Errorf("invalid domain, %q must be formatted 'domain'", id)
}
@@ -152,8 +156,12 @@ func validateRegIdFQDNSet(id string) error {
@@ -150,8 +154,12 @@ func validateFQDNSet(id string) error {
return fmt.Errorf(
"invalid fqdnSet, %q must be formatted 'regId:fqdnSet'", id)
"invalid fqdnSet, %q must be formatted 'fqdnSet'", id)
}
+ pa, err := policy.New(nil, nil)
+ if err != nil {
+ return fmt.Errorf("cannot create policy authority implementation")
+ }
for _, domain := range domains {
- if policy.ValidDomain(domain) != nil {
+ if pa.ValidDomain(domain) != nil {
- err := policy.ValidDomain(domain)
+ err = pa.ValidDomain(domain)
if err != nil {
return fmt.Errorf(
"invalid domain, %q must be formatted 'regId:fqdnSet'", id)
}
"invalid domain, %q must be formatted 'fqdnSet'", id)

6
patches/test_config_ca_a.patch
View File

@@ -2,7 +2,7 @@ diff --git a/test/config/ca-a.json b/test/config/ca-a.json
index 1233a9c95..3c4a0a3ca 100644
--- a/test/config/ca-a.json
+++ b/test/config/ca-a.json
@@ -54,17 +54,6 @@
@@ -54,35 +54,13 @@
},
"issuers": [
{
@@ -20,8 +20,7 @@ index 1233a9c95..3c4a0a3ca 100644
"useForRSALeaves": true,
"useForECDSALeaves": true,
"issuerURL": "http://127.0.0.1:4001/aia/issuer/6605440498369741",
@@ -72,19 +61,7 @@
"crlURL": "http://example.com/crl",
"ocspURL": "http://127.0.0.1:4002/",
"location": {
"configFile": "test/test-ca.key-pkcs11.json",
- "certFile": "/hierarchy/intermediate-cert-rsa-a.pem",
@@ -33,7 +32,6 @@ index 1233a9c95..3c4a0a3ca 100644
- "useForECDSALeaves": false,
- "issuerURL": "http://127.0.0.1:4001/aia/issuer/41127673797486028",
- "ocspURL": "http://127.0.0.1:4002/",
- "crlURL": "http://example.com/crl",
- "location": {
- "configFile": "test/test-ca.key-pkcs11.json",
- "certFile": "/hierarchy/intermediate-cert-rsa-b.pem",

6
patches/test_config_ca_b.patch
View File

@@ -2,7 +2,7 @@ diff --git a/test/config/ca-b.json b/test/config/ca-b.json
index 960d62f95..54b25dd81 100644
--- a/test/config/ca-b.json
+++ b/test/config/ca-b.json
@@ -54,17 +54,6 @@
@@ -54,35 +54,13 @@
},
"issuers": [
{
@@ -20,8 +20,7 @@ index 960d62f95..54b25dd81 100644
"useForRSALeaves": true,
"useForECDSALeaves": true,
"issuerURL": "http://127.0.0.1:4001/aia/issuer/6605440498369741",
@@ -72,19 +61,7 @@
"crlURL": "http://example.com/crl",
"ocspURL": "http://127.0.0.1:4002/",
"location": {
"configFile": "test/test-ca.key-pkcs11.json",
- "certFile": "/hierarchy/intermediate-cert-rsa-a.pem",
@@ -33,7 +32,6 @@ index 960d62f95..54b25dd81 100644
- "useForECDSALeaves": false,
- "issuerURL": "http://127.0.0.1:4001/aia/issuer/41127673797486028",
- "ocspURL": "http://127.0.0.1:4002/",
- "crlURL": "http://example.com/crl",
- "location": {
- "configFile": "test/test-ca.key-pkcs11.json",
- "certFile": "/hierarchy/intermediate-cert-rsa-b.pem",