Bump boulder version to release-2021-03-29

2026-01-27 10:19:34 +00:00 · 2021-05-20 23:01:22 +02:00
parent 8db02e2d38
commit ab1a67bb64
12 changed files with 191 additions and 127 deletions
--- a/config_bad-key-revoker.patch
+++ b/config_bad-key-revoker.patch
@@ -2,9 +2,9 @@ diff --git a/test/config/bad-key-revoker.json b/test/config/bad-key-revoker.json
 index 482fd85fc..3e678aa5b 100644
 --- a/test/config/bad-key-revoker.json
 +++ b/test/config/bad-key-revoker.json
-@@ -3,6 +3,11 @@
-         "dbConnectFile": "test/secrets/badkeyrevoker_dburl",
-         "maxOpenConns": 10,
+@@ -5,6 +5,11 @@
+             "maxOpenConns": 10
+         },
         "debugAddr": ":8020",
 +        "dnsTries": 3,
 +        "dnsResolvers": [
@@ -14,7 +14,7 @@ index 482fd85fc..3e678aa5b 100644
         "tls": {
             "caCertFile": "test/grpc-creds/minica.pem",
             "certFile": "test/grpc-creds/bad-key-revoker.boulder/cert.pem",
-@@ -24,10 +29,14 @@
+@@ -26,10 +31,14 @@
         },
         "maximumRevocations": 15,
         "findCertificatesBatchSize": 10,
--- a/config_expiration-mailer.patch
+++ b/config_expiration-mailer.patch
@@ -1,8 +1,8 @@
 diff --git a/test/config/expiration-mailer.json b/test/config/expiration-mailer.json
-index 444beae43..e9bd228ef 100644
+index 566585628..09ff81a2c 100644
 --- a/test/config/expiration-mailer.json
 +++ b/test/config/expiration-mailer.json
-@@ -11,6 +12,11 @@
+@@ -13,6 +13,11 @@
     "nagCheckInterval": "24h",
     "emailTemplate": "test/example-expiration-template",
     "debugAddr": ":8008",
@@ -14,7 +14,7 @@ index 444beae43..e9bd228ef 100644
     "tls": {
       "caCertFile": "test/grpc-creds/minica.pem",
       "certFile": "test/grpc-creds/expiration-mailer.boulder/cert.pem",
-@@ -27,5 +33,10 @@
+@@ -29,5 +34,10 @@
   "syslog": {
     "stdoutlevel": 6,
     "sysloglevel": 6
--- a/config_notify-mailer.patch
+++ b/config_notify-mailer.patch
@@ -1,8 +1,8 @@
 diff --git a/test/config/notify-mailer.json b/test/config/notify-mailer.json
-index 1d17012..0d061b5 100644
+index 261b689e4..15b2be0b8 100644
 --- a/test/config/notify-mailer.json
 +++ b/test/config/notify-mailer.json
-@@ -2,11 +2,20 @@
+@@ -2,13 +2,22 @@
   "notifyMailer": {
     "server": "localhost",
     "port": "9380",
@@ -10,8 +10,10 @@ index 1d17012..0d061b5 100644
     "username": "cert-manager@example.com",
 +    "from": "notify mailer <test@example.com>",
     "passwordFile": "test/secrets/smtp_password",
-     "dbConnectFile": "test/secrets/mailer_dburl",
-     "maxOpenConns": 10
+     "db": {
+       "dbConnectFile": "test/secrets/mailer_dburl",
+       "maxOpenConns": 10
+     }
   },
 +  "pa": {
 +    "challenges": {
--- a/config_ocsp-responder.patch
+++ b/config_ocsp-responder.patch
@@ -0,0 +1,15 @@
+diff --git a/test/config/ocsp-responder.json b/test/config/ocsp-responder.json
+index fd2c4a8..a5e65d2 100644
+--- a/test/config/ocsp-responder.json
+++ b/test/config/ocsp-responder.json
+@@ -7,9 +7,7 @@
+     "path": "/",
+     "listenAddress": "0.0.0.0:4002",
+     "issuerCerts": [
+-      "/tmp/intermediate-cert-rsa-a.pem",
+-      "/tmp/intermediate-cert-rsa-b.pem",
+-      "/tmp/intermediate-cert-ecdsa-a.pem"
+      "/tmp/intermediate-cert-rsa-a.pem"
+     ],
+     "maxAge": "10s",
+     "timeout": "4.9s",
--- a/config_publisher.patch
+++ b/config_publisher.patch
@@ -0,0 +1,23 @@
+diff --git a/test/config/publisher.json b/test/config/publisher.json
+index 6c75f71..54fb877 100644
+--- a/test/config/publisher.json
+++ b/test/config/publisher.json
+@@ -6,18 +6,6 @@
+       [
+         "/tmp/intermediate-cert-rsa-a.pem",
+         "/tmp/root-cert-rsa.pem"
+-      ],
+-      [
+-        "/tmp/intermediate-cert-rsa-b.pem",
+-        "/tmp/root-cert-rsa.pem"
+-      ],
+-      [
+-        "/tmp/intermediate-cert-ecdsa-a.pem",
+-        "/tmp/root-cert-ecdsa.pem"
+-      ],
+-      [
+-        "/tmp/intermediate-cert-ecdsa-b.pem",
+-        "/tmp/root-cert-ecdsa.pem"
+       ]
+     ],
+     "debugAddr": ":8009",
--- a/core_interfaces.patch
+++ b/core_interfaces.patch
@@ -1,8 +1,8 @@
 diff --git a/core/interfaces.go b/core/interfaces.go
-index 3e0d3f1ae..ffbbe7d11 100644
+index 06576845c..a854745fd 100644
 --- a/core/interfaces.go
 +++ b/core/interfaces.go
-@@ -113,6 +113,7 @@ type PolicyAuthority interface {
+@@ -95,6 +95,7 @@ type PolicyAuthority interface {
 	WillingToIssueWildcards(identifiers []identifier.ACMEIdentifier) error
 	ChallengesFor(domain identifier.ACMEIdentifier) ([]Challenge, error)
 	ChallengeTypeEnabled(t AcmeChallenge) bool
--- a/docker-compose.patch
+++ b/docker-compose.patch
@@ -1,86 +1,85 @@
 diff --git a/docker-compose.yml b/docker-compose.yml
-index 13cc6a54b..afbfd4bdf 100644
+index c5d84e1c6..8a57bc326 100644
 --- a/docker-compose.yml
 +++ b/docker-compose.yml
-@@ -5,7 +5,7 @@ services:
-         image: letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.15.7_2021-02-25}
-         environment:
-             - FAKE_DNS=10.77.77.77
-            - BOULDER_CONFIG_DIR=test/config
-+            - BOULDER_CONFIG_DIR=labca/config
-             - GOFLAGS=-mod=vendor
-             # This is required so Python doesn't throw an error when printing
-             # non-ASCII to stdout.
-@@ -18,6 +18,7 @@ services:
-             - RACE
-         volumes:
-           - .:/go/src/github.com/letsencrypt/boulder:cached
-+          - /home/labca/boulder_labca:/go/src/github.com/letsencrypt/boulder/labca
-           - ./.gocache:/root/.cache/go-build:cached
-         networks:
-           bluenet:
-@@ -57,10 +58,18 @@ services:
-           - 8055:8055 # dns-test-srv updates
-         depends_on:
-           - bmysql
-        entrypoint: test/entrypoint.sh
-+        entrypoint: labca/entrypoint.sh
-         working_dir: /go/src/github.com/letsencrypt/boulder
-+        logging:
-+          driver: "json-file"
-+          options:
-+            max-size: "500k"
-+            max-file: "5"
-+        restart: always
-     bmysql:
-         image: mariadb:10.5
-+        volumes:
-+          - dbdata:/var/lib/mysql
-         networks:
-           bluenet:
-             aliases:
-@@ -74,20 +83,36 @@ services:
-         # small.
-         command: mysqld --bind-address=0.0.0.0 --slow-query-log --log-output=TABLE --log-queries-not-using-indexes=ON
-         logging:
-            driver: none
-    netaccess:
-+          driver: "json-file"
-+          options:
-+            max-size: "500k"
-+            max-file: "5"
-+        restart: always
-+    labca:
-         image: letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.15.7_2021-02-25}
-        environment:
-            GO111MODULE: "on"
-            GOFLAGS: "-mod=vendor"
-         networks:
-           - bluenet
-         volumes:
-          - .:/go/src/github.com/letsencrypt/boulder
-        working_dir: /go/src/github.com/letsencrypt/boulder
-        entrypoint: test/entrypoint-netaccess.sh
-+          - /home/labca/admin:/go/src/labca
-+          - ./.gocache:/root/.cache/go-build
-+          - /var/www/html:/wwwstatic
-+          - .:/boulder
-+          - /home/labca/boulder_labca:/boulder/labca
-+        ports:
-+          - 3000:3000
-         depends_on:
-           - bmysql
-+        working_dir: /go/src/labca
-+        command: ./setup.sh
-+        logging:
-+          driver: "json-file"
-+          options:
-+            max-size: "500k"
-+            max-file: "5"
-+        restart: always
+@@ -4,10 +4,11 @@ services:
+     image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.15.7_2021-03-26}
+     environment:
+       FAKE_DNS: 10.77.77.77
+-      BOULDER_CONFIG_DIR: test/config
+      BOULDER_CONFIG_DIR: labca/config
+       GOFLAGS: -mod=vendor
+     volumes:
+       - .:/go/src/github.com/letsencrypt/boulder:cached
+      - /home/labca/boulder_labca:/go/src/github.com/letsencrypt/boulder/labca
+       - ./.gocache:/root/.cache/go-build:cached
+     networks:
+       bluenet:
+@@ -47,11 +48,19 @@ services:
+       - 8055:8055 # dns-test-srv updates
+     depends_on:
+       - bmysql
+-    entrypoint: test/entrypoint.sh
+    entrypoint: labca/entrypoint.sh
+     working_dir: &boulder_working_dir /go/src/github.com/letsencrypt/boulder
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "500k"
+        max-file: "5"
+    restart: always
+ 
+   bmysql:
+     image: mariadb:10.5
+    volumes:
+      - dbdata:/var/lib/mysql
+     networks:
+       bluenet:
+         aliases:
+@@ -65,22 +74,37 @@ services:
+     # small.
+     command: mysqld --bind-address=0.0.0.0 --slow-query-log --log-output=TABLE --log-queries-not-using-indexes=ON
+     logging:
+-        driver: none
+      driver: "json-file"
+      options:
+        max-size: "500k"
+        max-file: "5"
+    restart: always
+ 
+-  netaccess:
+  labca:
+     image: *boulder_image
+-    environment:
+-        GO111MODULE: "on"
+-        GOFLAGS: -mod=vendor
+-        BOULDER_CONFIG_DIR: test/config
+     networks:
+       - bluenet
+     volumes:
+-      - .:/go/src/github.com/letsencrypt/boulder
+-    working_dir: *boulder_working_dir
+-    entrypoint: test/entrypoint-netaccess.sh
+      - /home/labca/admin:/go/src/labca
+      - ./.gocache:/root/.cache/go-build
+      - /var/www/html:/wwwstatic
+      - .:/boulder
+      - /home/labca/boulder_labca:/boulder/labca
+    ports:
+      - 3000:3000
+     depends_on:
+       - bmysql
+    working_dir: /go/src/labca
+    command: ./setup.sh
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "500k"
+        max-file: "5"
+    restart: always
 +
 +volumes:
-+    dbdata:
+  dbdata:
 
 networks:
   bluenet:
--- a/gui/apply-boulder
+++ b/gui/apply-boulder
@@ -27,8 +27,8 @@ if [ "$PKI_DOMAIN_MODE" == "whitelist" ] && [ "$PKI_WHITELIST_DOMAINS" != "" ];
    echo "  - \"$PKI_WHITELIST_DOMAINS\"" >> hostname-policy.yaml
 fi
 if [ "$PKI_DOMAIN_MODE" == "lockdown" ] || [ "$PKI_DOMAIN_MODE" == "whitelist" ]; then
-    sed -i -e "s/^\(.*\)\(\"n_subject_common_name_included\"\)/\1\2,\n\1\"e_dnsname_not_valid_tld\"/" config/ca-a.json
-    sed -i -e "s/^\(.*\)\(\"n_subject_common_name_included\"\)/\1\2,\n\1\"e_dnsname_not_valid_tld\"/" config/ca-b.json
+    sed -i -e "s/\(\"n_subject_common_name_included\"\)/\1,\"e_dnsname_not_valid_tld\"/" config/ca-a.json
+    sed -i -e "s/\(\"n_subject_common_name_included\"\)/\1,\"e_dnsname_not_valid_tld\"/" config/ca-b.json

    REPLACEMENT=""
    if [ "$PKI_DOMAIN_MODE" == "lockdown" ] && [ "$PKI_LOCKDOWN_DOMAINS" != "" ]; then
--- a/15
+++ b/15
@@ -24,7 +24,7 @@ dockerComposeVersion="1.28.5"

 labcaUrl="https://github.com/hakwerk/labca/"
 boulderUrl="https://github.com/letsencrypt/boulder/"
-boulderTag="release-2021-03-01"
+boulderTag="release-2021-03-29"

 #
 # Color configuration
@@ -367,6 +367,7 @@ update_upgrade() {
    msg_info "Making sure all software is up-to-date"
    apt update &>>$installLog
    apt upgrade -y &>>$installLog
+    apt autoremove -y &>>$installLog
    msg_ok "Software is up-to-date"
 }

@@ -553,6 +554,8 @@ config_boulder() {
    sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/expiration-mailer.json" < $cloneDir/config_expiration-mailer.patch &>>$installLog
    sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/notify-mailer.json" < $cloneDir/config_notify-mailer.patch &>>$installLog
    sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/bad-key-revoker.json" < $cloneDir/config_bad-key-revoker.patch &>>$installLog
+    sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/ocsp-responder.json" < $cloneDir/config_ocsp-responder.patch &>>$installLog
+    sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/publisher.json" < $cloneDir/config_publisher.patch &>>$installLog

    sed -i -e "s|https://letsencrypt.org/docs/rate-limits/|http://$LABCA_FQDN/rate-limits|" errors/errors.go &>>$installLog
    cp errors/errors.go "$boulderLabCADir/.backup/"
@@ -583,6 +586,10 @@ config_boulder() {
    sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ra.json
    sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/wfe.json
    sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/wfe2.json
+    sed -i -e "s|/tmp/root-cert-rsa.pem|labca/test-root.pem|" config/publisher.json
+    sed -i -e "s|/tmp/root-cert-rsa.pem|labca/test-root.pem|" integration-test.py
+    sed -i -e "s|/tmp/root-cert-rsa.pem|labca/test-root.pem|" helpers.py
+    sed -i -e "s|/tmp/root-cert-rsa.pem|labca/test-root.pem|" v1_integration.py
    sed -i -e "s/5001/443/g" config/va.json
    sed -i -e "s/5002/80/g" config/va.json
    sed -i -e "s/5001/443/g" config/va-remote-a.json
@@ -620,6 +627,7 @@ config_boulder() {
    sed -i -e "s/names/name\(s\)/" example-expiration-template

    rm test-ca2.pem
+    ([ -e mock-vendor.go ] && rm mock-vendor.go) || /bin/true

    local have_config=$(grep restarted $adminDir/data/config.json | grep true)
    if [ "$have_config" != "" ]; then
@@ -694,11 +702,11 @@ startup() {
    msg_info "$msg (this will take a while!!)"

    docker-compose stop &>>$installLog || true
-    docker stop boulder_bhsm_1 &>>$installLog | /bin/true
+    [ -z "$(docker ps | grep boulder_bhsm_1)" ] || docker stop boulder_bhsm_1 &>>$installLog
    wait_down $PS_MYSQL &>>$installLog
    wait_down $PS_LABCA &>>$installLog
    wait_down $PS_BOULDER &>>$installLog
-    docker rm -f boulder_bhsm_1 &>>$installLog | /bin/true
+    [ -z "$(docker ps | grep boulder_bhsm_1)" ] || docker rm -f boulder_bhsm_1 &>>$installLog
    docker-compose up -d &>>$installLog

    [ -h "/etc/init.d/labca" ] || ln -s "$cloneDir/init_d" /etc/init.d/labca
@@ -711,6 +719,7 @@ startup() {

    wait_up $PS_MYSQL &>>$installLog
    wait_up $PS_LABCA &>>$installLog
+    docker exec -it boulder_bmysql_1 mysql_upgrade &>>$installLog
    [ -f "$boulderLabCADir/setup_complete" ] && wait_up $PS_BOULDER $PS_BOULDER_COUNT &>>$installLog || /bin/true

    msg_ok "$msg"
--- a/ra_ra.patch
+++ b/ra_ra.patch
@@ -1,5 +1,5 @@
 diff --git a/ra/ra.go b/ra/ra.go
-index cefe8ad1..faaeae66 100644
+index 16e277e9d..159f74f29 100644
 --- a/ra/ra.go
 +++ b/ra/ra.go
@@ -30,7 +30,6 @@ import (
@@ -8,9 +8,9 @@ index cefe8ad1..faaeae66 100644
 	"github.com/letsencrypt/boulder/metrics"
 -	"github.com/letsencrypt/boulder/policy"
 	"github.com/letsencrypt/boulder/probs"
+ 	pubpb "github.com/letsencrypt/boulder/publisher/proto"
 	rapb "github.com/letsencrypt/boulder/ra/proto"
- 	"github.com/letsencrypt/boulder/ratelimit"
-@@ -406,7 +405,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(ctx context.Context, conta
+@@ -442,7 +441,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(ctx context.Context, conta
 				contact,
 			)
 		}
--- a/test_config_ca_a.patch
+++ b/test_config_ca_a.patch
@@ -1,17 +1,25 @@
 diff --git a/test/config/ca-a.json b/test/config/ca-a.json
-index 51f8416..7668fd5 100644
+index 92b32f094..e220d7d4f 100644
 --- a/test/config/ca-a.json
 +++ b/test/config/ca-a.json
-@@ -122,11 +122,7 @@
-     "ecdsaProfile": "ecdsaEE",
-     "issuers": [{
-       "configFile": "test/test-ca.key-pkcs11.json",
-      "certFile": "/tmp/intermediate-cert-rsa-a.pem",
-      "numSessions": 2
-    },{
-      "configFile": "test/test-ca.key-pkcs11.json",
-      "certFile": "/tmp/intermediate-cert-rsa-b.pem",
-+      "certFile": "test/test-ca.pem",
-       "numSessions": 2
-     }],
-     "expiry": "2160h",
+@@ -58,19 +58,7 @@
+           "crlURL": "http://example.com/crl",
+           "location": {
+             "configFile": "test/test-ca.key-pkcs11.json",
+-            "certFile": "/tmp/intermediate-cert-rsa-a.pem",
+-            "numSessions": 2
+-          }
+-        },
+-        {
+-          "useForRSALeaves": false,
+-          "useForECDSALeaves": false,
+-          "issuerURL": "http://127.0.0.1:4000/acme/issuer-cert",
+-          "ocspURL": "http://127.0.0.1:4002/",
+-          "crlURL": "http://example.com/crl",
+-          "location": {
+-            "configFile": "test/test-ca.key-pkcs11.json",
+-            "certFile": "/tmp/intermediate-cert-rsa-b.pem",
+            "certFile": "test/test-ca.pem",
+             "numSessions": 2
+           }
+         }
--- a/test_config_ca_b.patch
+++ b/test_config_ca_b.patch
@@ -1,17 +1,25 @@
 diff --git a/test/config/ca-b.json b/test/config/ca-b.json
-index 6478be1..6e1e828 100644
+index 6c7d9d272..4e428bc4a 100644
 --- a/test/config/ca-b.json
 +++ b/test/config/ca-b.json
-@@ -122,11 +122,7 @@
-     "ecdsaProfile": "ecdsaEE",
-     "issuers": [{
-       "configFile": "test/test-ca.key-pkcs11.json",
-      "certFile": "/tmp/intermediate-cert-rsa-a.pem",
-      "numSessions": 2
-    },{
-      "configFile": "test/test-ca.key-pkcs11.json",
-      "certFile": "/tmp/intermediate-cert-rsa-b.pem",
-+      "certFile": "test/test-ca.pem",
-       "numSessions": 2
-     }],
-     "expiry": "2160h",
+@@ -58,19 +58,7 @@
+           "crlURL": "http://example.com/crl",
+           "location": {
+             "configFile": "test/test-ca.key-pkcs11.json",
+-            "certFile": "/tmp/intermediate-cert-rsa-a.pem",
+-            "numSessions": 2
+-          }
+-        },
+-        {
+-          "useForRSALeaves": false,
+-          "useForECDSALeaves": false,
+-          "issuerURL": "http://127.0.0.1:4000/acme/issuer-cert",
+-          "ocspURL": "http://127.0.0.1:4002/",
+-          "crlURL": "http://example.com/crl",
+-          "location": {
+-            "configFile": "test/test-ca.key-pkcs11.json",
+-            "certFile": "/tmp/intermediate-cert-rsa-b.pem",
+            "certFile": "test/test-ca.pem",
+             "numSessions": 2
+           }
+         }