diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 596642c..917f2e0 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,7 +13,7 @@ jobs:
 fail-fast: false
 matrix:
 GO_VERSION:
- - 1.21.3
+ - 1.21.4
 steps:
 - name: Checkout
diff --git a/build/Dockerfile-boulder b/build/Dockerfile-boulder
index 5bf4f9f..67c21a6 100644
--- a/build/Dockerfile-boulder
+++ b/build/Dockerfile-boulder
@@ -1,4 +1,4 @@
-FROM letsencrypt/boulder-tools:go1.21.3_2023-10-12 AS boulder-tools
+FROM letsencrypt/boulder-tools:go1.21.4_2023-11-09 AS boulder-tools
 FROM ubuntu:focal
diff --git a/build/build.sh b/build/build.sh
index 645eb61..d4380d1 100755
--- a/build/build.sh
+++ b/build/build.sh
@@ -8,7 +8,7 @@ TMP_DIR=$(pwd)/tmp
 rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src}
 boulderDir=$TMP_DIR/src
-boulderTag="release-2023-10-30"
+boulderTag="release-2023-11-20"
 boulderUrl="https://github.com/letsencrypt/boulder/"
 cloneDir=$(pwd)/..
diff --git a/build/tmp.patch b/build/tmp.patch
index 9e2af03..7b67ebc 100644
--- a/build/tmp.patch
+++ b/build/tmp.patch
@@ -1,17 +1,17 @@
 diff --git a/docker-compose.yml b/docker-compose.yml
-index 06ee3b61f..7d9fb59c6 100644
+index 74f1cf0f8..da119321b 100644
 --- a/docker-compose.yml
 +++ b/docker-compose.yml
@@ -3,7 +3,7 @@ name: labca services: boulder: # Should match one of the GO_DEV_VERSIONS in test/boulder-tools/tag_and_upload.sh. -- image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.21.3_2023-10-12} +- image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.21.4_2023-11-09} + image: ghcr.io/hakwerk/labca-boulder:${LABCA_IMAGE_VERSION:-latest} environment: # To solve HTTP-01 and TLS-ALPN-01 challenges, change the IP in FAKE_DNS # to the IP address where your ACME client's solver is listening. -@@ -14,12 +14,9 @@ services: +@@ -15,12 +15,9 @@ services: # Forward the parent env's GOEXPERIMENT value into the container. GOEXPERIMENT: ${GOEXPERIMENT:-} volumes: @@ -27,7 +27,7 @@ index 06ee3b61f..7d9fb59c6 100644 networks: bluenet: ipv4_address: 10.77.77.77 -@@ -43,6 +40,7 @@ services: +@@ -44,6 +41,7 @@ services: depends_on: - bmysql - bconsul @@ -35,7 +35,7 @@ index 06ee3b61f..7d9fb59c6 100644 entrypoint: labca/entrypoint.sh working_dir: &boulder_working_dir /opt/boulder logging: -@@ -77,8 +75,10 @@ services: +@@ -78,8 +76,10 @@ services: bconsul: image: hashicorp/consul:1.15.4 @@ -47,7 +47,7 @@ index 06ee3b61f..7d9fb59c6 100644 networks: consulnet: ipv4_address: 10.55.55.10 -@@ -86,27 +86,28 @@ services: +@@ -87,27 +87,28 @@ services: ipv4_address: 10.77.77.10 rednet: ipv4_address: 10.88.88.10 @@ -86,7 +86,7 @@ index 06ee3b61f..7d9fb59c6 100644 logging: driver: "json-file" options: -@@ -123,27 +124,26 @@ services: +@@ -124,27 +125,26 @@ services: - 80:80 - 443:443 volumes: @@ -128,7 +128,7 @@ index 06ee3b61f..7d9fb59c6 100644 expose: - 3030 environment: -@@ -154,6 +154,14 @@ services: +@@ -155,6 +155,14 @@ services: volumes: dbdata: diff --git a/install b/install index 3fff82d..1dcc7b3 100755 --- a/install +++ b/install 
@@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0" labcaUrl="https://github.com/hakwerk/labca/" boulderUrl="https://github.com/letsencrypt/boulder/" -boulderTag="release-2023-10-30" +boulderTag="release-2023-11-20" # Feature flags flag_skip_redis=true diff --git a/patches/cert-checker_main.patch b/patches/cert-checker_main.patch index f795fe7..c91e633 100644 --- a/patches/cert-checker_main.patch +++ b/patches/cert-checker_main.patch @@ -1,5 +1,5 @@ diff --git a/cmd/cert-checker/main.go b/cmd/cert-checker/main.go -index d6403a04..ee3dcf38 100644 +index 03f66481f..17f0839a4 100644 --- a/cmd/cert-checker/main.go +++ b/cmd/cert-checker/main.go @@ -108,6 +108,7 @@ type certChecker struct { @@ -26,7 +26,7 @@ index d6403a04..ee3dcf38 100644 } } -@@ -403,7 +406,7 @@ func (c *certChecker) checkCert(ctx context.Context, cert core.Certificate, igno +@@ -412,7 +415,7 @@ func (c *certChecker) checkCert(ctx context.Context, cert core.Certificate, igno err = c.pa.WillingToIssueWildcards([]identifier.ACMEIdentifier{id}) if err != nil { problems = append(problems, fmt.Sprintf("Policy Authority isn't willing to issue for '%s': %s", name, err)) @@ -35,7 +35,7 @@ index d6403a04..ee3dcf38 100644 // For defense-in-depth, even if the PA was willing to issue for a name // we double check it against a list of forbidden domains. This way even // if the hostnamePolicyFile malfunctions we will flag the forbidden -@@ -483,9 +486,10 @@ type Config struct { +@@ -492,9 +495,10 @@ type Config struct { Workers int `validate:"required,min=1"` // Deprecated: this is ignored, and cert checker always checks both expired and unexpired. @@ -49,7 +49,7 @@ index d6403a04..ee3dcf38 100644 // AcceptableValidityDurations is a list of durations which are // acceptable for certificates we issue. -@@ -553,6 +557,8 @@ func main() { +@@ -562,6 +566,8 @@ func main() { acceptableValidityDurations[ninetyDays] = true } 
@@ -58,7 +58,7 @@ index d6403a04..ee3dcf38 100644 // Validate PA config and set defaults if needed. cmd.FailOnError(config.PA.CheckChallenges(), "Invalid PA configuration") -@@ -593,6 +599,7 @@ func main() { +@@ -602,6 +608,7 @@ func main() { config.CertChecker.CheckPeriod.Duration, acceptableValidityDurations, logger, diff --git a/patches/docker-compose-redis.patch b/patches/docker-compose-redis.patch index 45db218..cd503da 100644 --- a/patches/docker-compose-redis.patch +++ b/patches/docker-compose-redis.patch @@ -1,8 +1,8 @@ diff --git a/docker-compose.yml b/docker-compose.yml -index 3c174f334..4020f447d 100644 +index f6473c8ef..6ff3f70c6 100644 --- a/docker-compose.yml +++ b/docker-compose.yml -@@ -22,8 +22,6 @@ services: +@@ -23,8 +23,6 @@ services: ipv4_address: 10.77.77.77 rednet: ipv4_address: 10.88.88.88 @@ -11,7 +11,7 @@ index 3c174f334..4020f447d 100644 consulnet: ipv4_address: 10.55.55.55 # Use consul as a backup to Docker's embedded DNS server. If there's a name -@@ -42,10 +40,6 @@ services: +@@ -43,10 +41,6 @@ services: depends_on: - bmysql - bproxysql @@ -22,7 +22,7 @@ index 3c174f334..4020f447d 100644 - bconsul - bjaeger entrypoint: test/entrypoint.sh -@@ -83,42 +77,6 @@ services: +@@ -84,42 +78,6 @@ services: aliases: - boulder-proxysql @@ -65,7 +65,7 @@ index 3c174f334..4020f447d 100644 bconsul: image: hashicorp/consul:1.15.4 volumes: -@@ -166,13 +124,6 @@ networks: +@@ -154,13 +112,6 @@ networks: config: - subnet: 10.88.88.0/24 diff --git a/patches/docker-compose.patch b/patches/docker-compose.patch index 339d146..18c8f5f 100644 --- a/patches/docker-compose.patch +++ b/patches/docker-compose.patch @@ -1,19 +1,23 @@ diff --git a/docker-compose.yml b/docker-compose.yml -index 4020f447d..8d9819d01 100644 +index 6ff3f70c6..74f1cf0f8 100644 --- a/docker-compose.yml 
+++ b/docker-compose.yml -@@ -1,4 +1,5 @@ +@@ -1,20 +1,23 @@ version: '3' +name: labca services: boulder: # Should match one of the GO_DEV_VERSIONS in test/boulder-tools/tag_and_upload.sh. -@@ -8,12 +9,14 @@ services: +- image: letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.21.4_2023-11-09} ++ image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.21.4_2023-11-09} + environment: + # To solve HTTP-01 and TLS-ALPN-01 challenges, change the IP in FAKE_DNS # to the IP address where your ACME client's solver is listening. # FAKE_DNS: 172.17.0.1 FAKE_DNS: 10.77.77.77 -- BOULDER_CONFIG_DIR: &boulder_config_dir test/config -+ BOULDER_CONFIG_DIR: &boulder_config_dir labca/config +- BOULDER_CONFIG_DIR: test/config ++ BOULDER_CONFIG_DIR: labca/config + GOCACHE: /boulder/.gocache/go-build GOFLAGS: -mod=vendor # Forward the parent env's GOEXPERIMENT value into the container. - GOEXPERIMENT: ${GOEXPERIMENT} @@ -26,7 +30,7 @@ index 4020f447d..8d9819d01 100644 - ./.gocache:/root/.cache/go-build:cached - ./.hierarchy:/hierarchy/:cached - ./.softhsm-tokens/:/var/lib/softhsm/tokens/:cached -@@ -33,20 +36,26 @@ services: +@@ -34,20 +37,26 @@ services: # TODO: Remove this when ServerAddress is deprecated in favor of SRV records # and DNSAuthority. dns: 10.55.55.10 @@ -61,7 +65,7 @@ index 4020f447d..8d9819d01 100644 networks: bluenet: aliases: -@@ -60,22 +69,11 @@ services: +@@ -61,22 +70,11 @@ services: # small. command: mysqld --bind-address=0.0.0.0 --slow-query-log --log-output=TABLE --log-queries-not-using-indexes=ON logging: 
@@ -89,25 +93,21 @@ index 4020f447d..8d9819d01 100644 bconsul: image: hashicorp/consul:1.15.4 -@@ -89,25 +87,73 @@ services: +@@ -90,12 +88,73 @@ services: rednet: ipv4_address: 10.88.88.10 command: "consul agent -dev -config-format=hcl -config-file=/test/consul/config.hcl" + restart: always -- netaccess: +- bjaeger: +- image: jaegertracing/all-in-one:1.50 + gui: - image: *boulder_image -- environment: -- GO111MODULE: "on" -- GOFLAGS: -mod=vendor -- BOULDER_CONFIG_DIR: *boulder_config_dir ++ image: *boulder_image networks: - - bluenet - volumes: -- - .:/boulder -- working_dir: *boulder_working_dir -- entrypoint: test/entrypoint-netaccess.sh +- bluenet: +- ipv4_address: 10.77.77.17 ++ - bluenet ++ volumes: + - /var/run/docker.sock:/var/run/docker.sock + - /home/labca/admin:/go/src/labca + - ./.gocache:/root/.cache/go-build @@ -127,15 +127,11 @@ index 4020f447d..8d9819d01 100644 + max-size: "500k" + max-file: "5" + restart: always - -- bjaeger: -- image: jaegertracing/all-in-one:1.50 ++ + nginx: + image: nginx:1.25.3 + restart: always - networks: -- bluenet: -- ipv4_address: 10.77.77.17 ++ networks: + - bluenet + ports: + - 80:80 diff --git a/patches/ra_ra.patch b/patches/ra_ra.patch index 4e02a26..ae76f29 100644 --- a/patches/ra_ra.patch +++ b/patches/ra_ra.patch @@ -1,5 +1,5 @@ diff --git a/ra/ra.go b/ra/ra.go -index 3dd269aad..22b43a30d 100644 +index 611a32fd1..4e621ec5e 100644 --- a/ra/ra.go +++ b/ra/ra.go @@ -44,7 +44,6 @@ import ( @@ -10,7 +10,7 @@ index 3dd269aad..22b43a30d 100644 "github.com/letsencrypt/boulder/probs" pubpb "github.com/letsencrypt/boulder/publisher/proto" rapb "github.com/letsencrypt/boulder/ra/proto" -@@ -563,7 +562,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error { +@@ -562,7 +561,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error { contact, ) } diff --git a/patches/ratelimits_names.patch b/patches/ratelimits_names.patch index aea9aa9..e5fdc25 100644 
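Review bot: The `gui` service rewritten in this hunk still bind-mounts `/var/run/docker.sock:/var/run/docker.sock` into the same container that serves the admin app (`/home/labca/admin:/go/src/labca`) behind the `nginx` service on 80/443, and the patch carries no comment explaining why; write access to the Docker socket is root-equivalent on the host, so any flaw reachable through the GUI becomes host compromise. The socket line appears as context, so it predates this commit, but since the commit reshapes the whole service (upstream's `bjaeger` is now dropped in its place) this is the moment to record the risk: add above the socket line `# Docker socket: host-root-equivalent; GUI must stay behind nginx auth/TLS and never be exposed directly`, and drop the mount if the GUI does not actually need to manage sibling containers. Separately, the patch now deletes upstream's `bjaeger` service while the redis patch's context still shows upstream listing `- bjaeger` under the boulder service's `depends_on`; I cannot see from these hunks where that entry is removed, so worth confirming compose does not end up depending on a service that no longer exists.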
--- a/patches/ratelimits_names.patch +++ b/patches/ratelimits_names.patch @@ -1,31 +1,31 @@ diff --git a/ratelimits/names.go b/ratelimits/names.go -index b2663982..f1de06b0 100644 +index b0d581e76..a4774ae10 100644 --- a/ratelimits/names.go +++ b/ratelimits/names.go -@@ -127,7 +127,11 @@ func validateRegIdDomain(id string) error { - return fmt.Errorf( - "invalid regId, %q must be formatted 'regId:domain'", id) - } -- if policy.ValidDomain(parts[1]) != nil { +@@ -135,7 +135,11 @@ func validateRegId(id string) error { + // validateDomain validates that the provided string is formatted 'domain', + // where domain is a domain name. + func validateDomain(id string) error { +- err := policy.ValidDomain(id) + pa, err := policy.New(nil, nil) + if err != nil { + return fmt.Errorf("cannot create policy authority implementation") + } -+ if pa.ValidDomain(parts[1]) != nil { - return fmt.Errorf( - "invalid domain, %q must be formatted 'regId:domain'", id) ++ err = pa.ValidDomain(id) + if err != nil { + return fmt.Errorf("invalid domain, %q must be formatted 'domain'", id) } -@@ -152,8 +156,12 @@ func validateRegIdFQDNSet(id string) error { +@@ -150,8 +154,12 @@ func validateFQDNSet(id string) error { return fmt.Errorf( - "invalid fqdnSet, %q must be formatted 'regId:fqdnSet'", id) + "invalid fqdnSet, %q must be formatted 'fqdnSet'", id) } + pa, err := policy.New(nil, nil) + if err != nil { + return fmt.Errorf("cannot create policy authority implementation") + } for _, domain := range domains { -- if policy.ValidDomain(domain) != nil { -+ if pa.ValidDomain(domain) != nil { +- err := policy.ValidDomain(domain) ++ err = pa.ValidDomain(domain) + if err != nil { return fmt.Errorf( - "invalid domain, %q must be formatted 'regId:fqdnSet'", id) - } + "invalid domain, %q must be formatted 'fqdnSet'", id) diff --git a/patches/test_config_ca_a.patch b/patches/test_config_ca_a.patch index 4a92147..3687fc1 100644 --- a/patches/test_config_ca_a.patch +++ b/patches/test_config_ca_a.patch 
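Review bot: The two added `policy.New(nil, nil)` error branches in validateDomain and validateFQDNSet discard the underlying error and return the bare string `cannot create policy authority implementation`; wrap it so the cause survives, `return fmt.Errorf("creating policy authority: %w", err)`. Constructing a fresh policy authority on every validation call is also avoidable: if `policy.New(nil, nil)` is cheap and deterministic this is only overhead, but if it allocates or compiles anything it belongs in a package-level variable or `sync.Once` rather than on the rate-limit key validation path — I cannot tell from the hunk which it is. Passing `nil, nil` presumably yields a PA with no blocklist, so `pa.ValidDomain` here is a syntactic check only, matching what the removed package-level `policy.ValidDomain` did; a one-line comment stating that, `// nil blocklists: syntactic domain validation only, no policy blocklist applied`, would keep the next reader from assuming blocklist enforcement. validateFQDNSet begins before the hunk and validateDomain's closing brace is outside it.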
@@ -2,7 +2,7 @@ diff --git a/test/config/ca-a.json b/test/config/ca-a.json index 1233a9c95..3c4a0a3ca 100644 --- a/test/config/ca-a.json +++ b/test/config/ca-a.json -@@ -54,17 +54,6 @@ +@@ -54,35 +54,13 @@ }, "issuers": [ { @@ -20,8 +20,7 @@ index 1233a9c95..3c4a0a3ca 100644 "useForRSALeaves": true, "useForECDSALeaves": true, "issuerURL": "http://127.0.0.1:4001/aia/issuer/6605440498369741", -@@ -72,19 +61,7 @@ - "crlURL": "http://example.com/crl", + "ocspURL": "http://127.0.0.1:4002/", "location": { "configFile": "test/test-ca.key-pkcs11.json", - "certFile": "/hierarchy/intermediate-cert-rsa-a.pem", @@ -33,7 +32,6 @@ index 1233a9c95..3c4a0a3ca 100644 - "useForECDSALeaves": false, - "issuerURL": "http://127.0.0.1:4001/aia/issuer/41127673797486028", - "ocspURL": "http://127.0.0.1:4002/", -- "crlURL": "http://example.com/crl", - "location": { - "configFile": "test/test-ca.key-pkcs11.json", - "certFile": "/hierarchy/intermediate-cert-rsa-b.pem", diff --git a/patches/test_config_ca_b.patch b/patches/test_config_ca_b.patch index b44f5b5..6a125c7 100644 --- a/patches/test_config_ca_b.patch +++ b/patches/test_config_ca_b.patch @@ -2,7 +2,7 @@ diff --git a/test/config/ca-b.json b/test/config/ca-b.json index 960d62f95..54b25dd81 100644 --- a/test/config/ca-b.json +++ b/test/config/ca-b.json -@@ -54,17 +54,6 @@ +@@ -54,35 +54,13 @@ }, "issuers": [ { @@ -20,8 +20,7 @@ index 960d62f95..54b25dd81 100644 "useForRSALeaves": true, "useForECDSALeaves": true, "issuerURL": "http://127.0.0.1:4001/aia/issuer/6605440498369741", -@@ -72,19 +61,7 @@ - "crlURL": "http://example.com/crl", + "ocspURL": "http://127.0.0.1:4002/", "location": { "configFile": "test/test-ca.key-pkcs11.json", - "certFile": "/hierarchy/intermediate-cert-rsa-a.pem", 
@@ -33,7 +32,6 @@ index 960d62f95..54b25dd81 100644 - "useForECDSALeaves": false, - "issuerURL": "http://127.0.0.1:4001/aia/issuer/41127673797486028", - "ocspURL": "http://127.0.0.1:4002/", -- "crlURL": "http://example.com/crl", - "location": { - "configFile": "test/test-ca.key-pkcs11.json", - "certFile": "/hierarchy/intermediate-cert-rsa-b.pem",