Bump boulder version to release-2023-07-11

2026-01-27 10:19:34 +00:00 · 2023-07-12 20:20:38 +02:00
parent 5eefbf2ea8
commit 8be46cda73
16 changed files with 48 additions and 53 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,7 +13,7 @@ jobs:
      fail-fast: false
      matrix:
        GO_VERSION:
-          - 1.20.4
+          - 1.20.5

    steps:
      - name: Checkout
--- a/build/build.sh
+++ b/build/build.sh
@@ -8,7 +8,7 @@ TMP_DIR=$(pwd)/tmp
 rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src}

 boulderDir=$TMP_DIR/src
-boulderTag="release-2023-06-12"
+boulderTag="release-2023-07-11"
 boulderUrl="https://github.com/letsencrypt/boulder/"
 cloneDir=$(pwd)/..

--- a/build/docker-compose.yml
+++ b/build/docker-compose.yml
@@ -11,6 +11,8 @@ services:
      FAKE_DNS: 10.77.77.77
      BOULDER_CONFIG_DIR: &boulder_config_dir labca/config
      GOFLAGS: -mod=vendor
+      # Forward the parent env's GOEXPERIMENT value into the container.
+      GOEXPERIMENT: ${GOEXPERIMENT:-}
    volumes:
      - boulder_data:/opt/boulder/labca
      - nginx_html:/opt/wwwstatic
--- a/build/tmp.patch
+++ b/build/tmp.patch
@@ -1,5 +1,5 @@
 diff --git a/docker-compose.yml b/docker-compose.yml
-index 6a1d77c44..c93ed0e3c 100644
+index 02958b245..869b7d5de 100644
 --- a/docker-compose.yml
 +++ b/docker-compose.yml
@@ -1,8 +1,9 @@
@@ -8,14 +8,14 @@ index 6a1d77c44..c93ed0e3c 100644
 services:
   boulder:
     # Should match one of the GO_DEV_VERSIONS in test/boulder-tools/tag_and_upload.sh.
-    image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.20.4_2023-05-02}
+-    image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.20.5_2023-06-20}
 +    image: ghcr.io/hakwerk/labca-boulder:${LABCA_IMAGE_VERSION:-latest}
     environment:
       # To solve HTTP-01 and TLS-ALPN-01 challenges, change the IP in FAKE_DNS
       # to the IP address where your ACME client's solver is listening.
-@@ -11,12 +12,9 @@ services:
-       BOULDER_CONFIG_DIR: &boulder_config_dir labca/config
-       GOFLAGS: -mod=vendor
+@@ -13,12 +14,9 @@ services:
+       # Forward the parent env's GOEXPERIMENT value into the container.
+       GOEXPERIMENT: ${GOEXPERIMENT:-}
     volumes:
 -      - .:/opt/boulder:cached
 -      - /home/labca/boulder_labca:/opt/boulder/labca
@@ -29,7 +29,7 @@ index 6a1d77c44..c93ed0e3c 100644
     networks:
       bluenet:
         ipv4_address: 10.77.77.77
-@@ -40,6 +38,7 @@ services:
+@@ -42,6 +40,7 @@ services:
     depends_on:
       - bmysql
       - bconsul
@@ -37,7 +37,7 @@ index 6a1d77c44..c93ed0e3c 100644
     entrypoint: labca/entrypoint.sh
     working_dir: &boulder_working_dir /opt/boulder
     logging:
-@@ -74,8 +73,10 @@ services:
+@@ -76,8 +75,10 @@ services:
 
   bconsul:
     image: hashicorp/consul:1.14.2
@@ -49,7 +49,7 @@ index 6a1d77c44..c93ed0e3c 100644
     networks:
       consulnet:
         ipv4_address: 10.55.55.10
-@@ -83,27 +84,28 @@ services:
+@@ -85,27 +86,28 @@ services:
         ipv4_address: 10.77.77.10
       rednet:
         ipv4_address: 10.88.88.10
@@ -88,7 +88,7 @@ index 6a1d77c44..c93ed0e3c 100644
     logging:
       driver: "json-file"
       options:
-@@ -120,27 +122,26 @@ services:
+@@ -122,27 +124,26 @@ services:
       - 80:80
       - 443:443
     volumes:
@@ -130,7 +130,7 @@ index 6a1d77c44..c93ed0e3c 100644
     expose:
       - 3030
     environment:
-@@ -151,6 +152,14 @@ services:
+@@ -153,6 +154,14 @@ services:
 
 volumes:
   dbdata:
--- a/2
+++ b/2
@@ -2,7 +2,7 @@
 SHELL=/bin/bash
 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

-1 6 * * Mon root /opt/labca/backup cron &>>/opt/logs/cron.log
 1 7 * * * root /opt/labca/mailer &>>/opt/logs/cron.log
 5 7 * * * root /opt/labca/checkrenew &>>/opt/logs/cron.log
+11 7 * * Mon root /opt/labca/backup cron &>>/opt/logs/cron.log
 */5 * * * * root /opt/labca/checkcrl &>>/opt/logs/cron.log
--- a/11
+++ b/11
@@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0"

 labcaUrl="https://github.com/hakwerk/labca/"
 boulderUrl="https://github.com/letsencrypt/boulder/"
-boulderTag="release-2023-06-12"
+boulderTag="release-2023-07-11"

 # Feature flags
 flag_skip_redis=true
@@ -877,15 +877,6 @@ main() {
    get_boulder
    config_boulder

-    #if [ $alphaTest -eq 1 ]; then
-    #    msg="TEST modify docker-compose.yml"
-    #    msg_info "$msg"
-    #    cd "$boulderDir"
-    #    patch -p1 < $(dirname $this)/build/tmp.patch &>>$installLog
-    #    patch -p1 -o "$boulderLabCADir/startservers.py" < $(dirname $this)/build/tmp2.patch
-    #    msg_ok "$msg"
-    #fi
-
    cleanup
    startup

--- a/mail-tester.go
+++ b/mail-tester.go
@@ -86,7 +86,6 @@ func main() {

 	scope, logger, oTelShutdown := cmd.StatsAndLogging(c.Syslog, c.OpenTelemetry, c.Mailer.DebugAddr)
 	defer oTelShutdown(context.Background())
-	defer logger.AuditPanic()
 	logger.Info(cmd.VersionString())

 	clk := cmd.Clock()
--- a/patches/boulder-va_main.patch
+++ b/patches/boulder-va_main.patch
@@ -1,5 +1,5 @@
 diff --git a/cmd/boulder-va/main.go b/cmd/boulder-va/main.go
-index 3625dace9..55cb7cc18 100644
+index 8994b9b20..a0f0f9aa6 100644
 --- a/cmd/boulder-va/main.go
 +++ b/cmd/boulder-va/main.go
@@ -27,8 +27,9 @@ type Config struct {
@@ -14,7 +14,7 @@ index 3625dace9..55cb7cc18 100644
 		DNSTimeout                config.Duration  `validate:"required"`
 		DNSAllowLoopbackAddresses bool
 
-@@ -88,7 +89,7 @@ func main() {
+@@ -87,7 +88,7 @@ func main() {
 		cmd.Fail("Cannot specify both 'dnsResolver' and dnsProvider")
 	}
 
@@ -23,7 +23,7 @@ index 3625dace9..55cb7cc18 100644
 		cmd.Fail("Must specify either 'dnsResolver' or dnsProvider")
 	}
 
-@@ -101,8 +102,13 @@ func main() {
+@@ -100,8 +101,13 @@ func main() {
 	}
 
 	var servers bdns.ServerProvider
--- a/patches/cmd_shell.patch
+++ b/patches/cmd_shell.patch
@@ -1,8 +1,8 @@
 diff --git a/cmd/shell.go b/cmd/shell.go
-index 2400becf9..0d37c738c 100644
+index 373bb0229..e660317d2 100644
 --- a/cmd/shell.go
 +++ b/cmd/shell.go
-@@ -215,7 +215,7 @@ func NewLogger(logConf SyslogConfig) blog.Logger {
+@@ -221,7 +221,7 @@ func NewLogger(logConf SyslogConfig) blog.Logger {
 	// Boulder's conception of time.
 	go func() {
 		for {
--- a/patches/crl-storer_main.patch
+++ b/patches/crl-storer_main.patch
@@ -1,5 +1,5 @@
 diff --git a/cmd/crl-storer/main.go b/cmd/crl-storer/main.go
-index 073c62032..b59db781c 100644
+index d2fde00a8..410bbbd64 100644
 --- a/cmd/crl-storer/main.go
 +++ b/cmd/crl-storer/main.go
@@ -46,6 +46,9 @@ type Config struct {
@@ -12,7 +12,7 @@ index 073c62032..b59db781c 100644
 		Features map[string]bool
 	}
 
-@@ -122,7 +125,7 @@ func main() {
+@@ -121,7 +124,7 @@ func main() {
 	}
 	s3client := s3.NewFromConfig(awsConfig, s3opts...)
 
--- a/patches/docker-compose-redis.patch
+++ b/patches/docker-compose-redis.patch
@@ -1,8 +1,8 @@
 diff --git a/docker-compose.yml b/docker-compose.yml
-index 4b62cf28d..f2b242fb5 100644
+index f7c4e45c0..59f5423d4 100644
 --- a/docker-compose.yml
 +++ b/docker-compose.yml
-@@ -20,8 +20,6 @@ services:
+@@ -22,8 +22,6 @@ services:
         ipv4_address: 10.77.77.77
       rednet:
         ipv4_address: 10.88.88.88
@@ -11,7 +11,7 @@ index 4b62cf28d..f2b242fb5 100644
       consulnet:
         ipv4_address: 10.55.55.55
     # Use consul as a backup to Docker's embedded DNS server. If there's a name
-@@ -40,8 +38,6 @@ services:
+@@ -42,8 +40,6 @@ services:
     depends_on:
       - bmysql
       - bproxysql
@@ -20,7 +20,7 @@ index 4b62cf28d..f2b242fb5 100644
       - bconsul
       - bjaeger
     entrypoint: test/entrypoint.sh
-@@ -79,24 +75,6 @@ services:
+@@ -81,24 +77,6 @@ services:
         aliases:
           - boulder-proxysql
 
@@ -45,7 +45,7 @@ index 4b62cf28d..f2b242fb5 100644
   bconsul:
     image: hashicorp/consul:1.14.2
     volumes:
-@@ -146,13 +124,6 @@ networks:
+@@ -148,13 +126,6 @@ networks:
       config:
         - subnet: 10.88.88.0/24
 
--- a/patches/docker-compose.patch
+++ b/patches/docker-compose.patch
@@ -1,14 +1,17 @@
 diff --git a/docker-compose.yml b/docker-compose.yml
-index f2b242fb5..35714ad44 100644
+index 59f5423d4..02958b245 100644
 --- a/docker-compose.yml
 +++ b/docker-compose.yml
-@@ -8,10 +8,12 @@ services:
+@@ -8,12 +8,14 @@ services:
       # to the IP address where your ACME client's solver is listening.
       # FAKE_DNS: 172.17.0.1
       FAKE_DNS: 10.77.77.77
 -      BOULDER_CONFIG_DIR: &boulder_config_dir test/config
 +      BOULDER_CONFIG_DIR: &boulder_config_dir labca/config
       GOFLAGS: -mod=vendor
+       # Forward the parent env's GOEXPERIMENT value into the container.
+-      GOEXPERIMENT: ${GOEXPERIMENT}
+      GOEXPERIMENT: ${GOEXPERIMENT:-}
     volumes:
 -      - .:/boulder:cached
 +      - .:/opt/boulder:cached
@@ -17,7 +20,7 @@ index f2b242fb5..35714ad44 100644
       - ./.gocache:/root/.cache/go-build:cached
       - ./.hierarchy:/hierarchy/:cached
       - ./.softhsm-tokens/:/var/lib/softhsm/tokens/:cached
-@@ -31,20 +33,26 @@ services:
+@@ -33,20 +35,26 @@ services:
     # TODO: Remove this when ServerAddress is deprecated in favor of SRV records
     # and DNSAuthority.
     dns: 10.55.55.10
@@ -52,7 +55,7 @@ index f2b242fb5..35714ad44 100644
     networks:
       bluenet:
         aliases:
-@@ -58,22 +66,11 @@ services:
+@@ -60,22 +68,11 @@ services:
     # small.
     command: mysqld --bind-address=0.0.0.0 --slow-query-log --log-output=TABLE --log-queries-not-using-indexes=ON
     logging:
@@ -80,7 +83,7 @@ index f2b242fb5..35714ad44 100644
 
   bconsul:
     image: hashicorp/consul:1.14.2
-@@ -87,27 +84,73 @@ services:
+@@ -89,27 +86,73 @@ services:
       rednet:
         ipv4_address: 10.88.88.10
     command: "consul agent -dev -config-format=hcl -config-file=/test/consul/config.hcl"
--- a/patches/expiration-mailer_main.patch
+++ b/patches/expiration-mailer_main.patch
@@ -1,5 +1,5 @@
 diff --git a/cmd/expiration-mailer/main.go b/cmd/expiration-mailer/main.go
-index c1d239343..e7b6a2868 100644
+index d41bc5a0b..cde94e5a0 100644
 --- a/cmd/expiration-mailer/main.go
 +++ b/cmd/expiration-mailer/main.go
@@ -23,6 +23,7 @@ import (
@@ -31,7 +31,7 @@ index c1d239343..e7b6a2868 100644
 		// Path to a file containing a list of trusted root certificates for use
 		// during the SMTP connection (as opposed to the gRPC connections).
 		SMTPTrustedRootFile string
-@@ -834,6 +840,29 @@ func main() {
+@@ -833,6 +839,29 @@ func main() {
 	cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA")
 	sac := sapb.NewStorageAuthorityClient(conn)
 
@@ -61,7 +61,7 @@ index c1d239343..e7b6a2868 100644
 	var smtpRoots *x509.CertPool
 	if c.Mailer.SMTPTrustedRootFile != "" {
 		pem, err := os.ReadFile(c.Mailer.SMTPTrustedRootFile)
-@@ -869,6 +898,7 @@ func main() {
+@@ -868,6 +897,7 @@ func main() {
 		c.Mailer.Username,
 		smtpPassword,
 		smtpRoots,
--- a/patches/linter_linter.patch
+++ b/patches/linter_linter.patch
@@ -1,8 +1,8 @@
 diff --git a/linter/linter.go b/linter/linter.go
-index cb87fcc3e..38ba70b02 100644
+index 7310ef9d4..e179415d1 100644
 --- a/linter/linter.go
 +++ b/linter/linter.go
-@@ -157,10 +157,21 @@ func makeIssuer(realIssuer *x509.Certificate, lintSigner crypto.Signer) (*x509.C
+@@ -155,10 +155,21 @@ func makeIssuer(realIssuer *x509.Certificate, lintSigner crypto.Signer) (*x509.C
 		SubjectKeyId:                realIssuer.SubjectKeyId,
 		URIs:                        realIssuer.URIs,
 		UnknownExtKeyUsage:          realIssuer.UnknownExtKeyUsage,
--- a/patches/notify-mailer_main.patch
+++ b/patches/notify-mailer_main.patch
@@ -1,5 +1,5 @@
 diff --git a/cmd/notify-mailer/main.go b/cmd/notify-mailer/main.go
-index f39ff696..8ab2de84 100644
+index e4b9ef739..7fd57e8f2 100644
 --- a/cmd/notify-mailer/main.go
 +++ b/cmd/notify-mailer/main.go
@@ -36,6 +36,7 @@ type mailer struct {
@@ -29,7 +29,7 @@ index f39ff696..8ab2de84 100644
 	Syslog cmd.SyslogConfig
 }
 
-@@ -569,6 +572,15 @@ func main() {
+@@ -568,6 +571,15 @@ func main() {
 		log.Infof("While reading the recipient list file %s", probs)
 	}
 
@@ -45,7 +45,7 @@ index f39ff696..8ab2de84 100644
 	var mailClient bmail.Mailer
 	if *dryRun {
 		log.Infof("Starting %s in dry-run mode", cmd.VersionString())
-@@ -584,6 +596,7 @@ func main() {
+@@ -583,6 +595,7 @@ func main() {
 			cfg.NotifyMailer.Username,
 			smtpPassword,
 			nil,
@@ -53,7 +53,7 @@ index f39ff696..8ab2de84 100644
 			*address,
 			log,
 			metrics.NoopRegisterer,
-@@ -604,6 +617,7 @@ func main() {
+@@ -603,6 +616,7 @@ func main() {
 			end:   *end,
 		},
 		sleepInterval: *sleep,
--- a/patches/ocsp-responder_main.patch
+++ b/patches/ocsp-responder_main.patch
@@ -1,5 +1,5 @@
 diff --git a/cmd/ocsp-responder/main.go b/cmd/ocsp-responder/main.go
-index 52027e8cd..4dcc9118a 100644
+index 194b417ce..dfa1a95db 100644
 --- a/cmd/ocsp-responder/main.go
 +++ b/cmd/ocsp-responder/main.go
@@ -88,7 +88,7 @@ type Config struct {
@@ -11,7 +11,7 @@ index 52027e8cd..4dcc9118a 100644
 
 		// TLS client certificate, private key, and trusted root bundle.
 		TLS cmd.TLSConfig `validate:"required_without=Source,structonly"`
-@@ -153,7 +153,7 @@ as generated by Boulder's ceremony command.
+@@ -152,7 +152,7 @@ as generated by Boulder's ceremony command.
 		}
 		source, err = responder.NewMemorySourceFromFile(filename, logger)
 		cmd.FailOnError(err, fmt.Sprintf("Couldn't read file: %s", url.Path))
@@ -20,7 +20,7 @@ index 52027e8cd..4dcc9118a 100644
 		// Set up the redis source and the combined multiplex source.
 		rocspRWClient, err := rocsp_config.MakeClient(c.OCSPResponder.Redis, clk, scope)
 		cmd.FailOnError(err, "Could not make redis client")
-@@ -197,6 +197,19 @@ as generated by Boulder's ceremony command.
+@@ -196,6 +196,19 @@ as generated by Boulder's ceremony command.
 
 		source, err = redis_responder.NewCheckedRedisSource(rocspSource, dbMap, sac, scope, logger)
 		cmd.FailOnError(err, "Could not create checkedRedis source")