Bump boulder version to release-2023-10-04

This commit is contained in:
Arjan H
2023-10-05 19:05:52 +02:00
parent da63bbfe07
commit abab3a892d
12 changed files with 57 additions and 47 deletions


@@ -8,7 +8,7 @@ TMP_DIR=$(pwd)/tmp
rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src}
boulderDir=$TMP_DIR/src
boulderTag="release-2023-09-19"
boulderTag="release-2023-10-04"
boulderUrl="https://github.com/letsencrypt/boulder/"
cloneDir=$(pwd)/..


@@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0"
labcaUrl="https://github.com/hakwerk/labca/"
boulderUrl="https://github.com/letsencrypt/boulder/"
boulderTag="release-2023-09-19"
boulderTag="release-2023-10-04"
# Feature flags
flag_skip_redis=true


@@ -1,8 +1,8 @@
diff --git a/cmd/cert-checker/main.go b/cmd/cert-checker/main.go
index 860b4aac..5ad3241f 100644
index d6403a04..ee3dcf38 100644
--- a/cmd/cert-checker/main.go
+++ b/cmd/cert-checker/main.go
@@ -109,6 +109,7 @@ type certChecker struct {
@@ -108,6 +108,7 @@ type certChecker struct {
checkPeriod time.Duration
acceptableValidityDurations map[time.Duration]bool
logger blog.Logger
@@ -10,7 +10,7 @@ index 860b4aac..5ad3241f 100644
}
func newChecker(saDbMap certDB,
@@ -118,6 +119,7 @@ func newChecker(saDbMap certDB,
@@ -117,6 +118,7 @@ func newChecker(saDbMap certDB,
period time.Duration,
avd map[time.Duration]bool,
logger blog.Logger,
@@ -18,7 +18,7 @@ index 860b4aac..5ad3241f 100644
) certChecker {
precertGetter := func(ctx context.Context, serial string) ([]byte, error) {
precertPb, err := sa.SelectPrecertificate(ctx, saDbMap, serial)
@@ -138,6 +140,7 @@ func newChecker(saDbMap certDB,
@@ -137,6 +139,7 @@ func newChecker(saDbMap certDB,
checkPeriod: period,
acceptableValidityDurations: avd,
logger: logger,
@@ -26,7 +26,7 @@ index 860b4aac..5ad3241f 100644
}
}
@@ -366,7 +369,7 @@ func (c *certChecker) checkCert(ctx context.Context, cert core.Certificate, igno
@@ -403,7 +406,7 @@ func (c *certChecker) checkCert(ctx context.Context, cert core.Certificate, igno
err = c.pa.WillingToIssueWildcards([]identifier.ACMEIdentifier{id})
if err != nil {
problems = append(problems, fmt.Sprintf("Policy Authority isn't willing to issue for '%s': %s", name, err))
@@ -35,15 +35,13 @@ index 860b4aac..5ad3241f 100644
// For defense-in-depth, even if the PA was willing to issue for a name
// we double check it against a list of forbidden domains. This way even
// if the hostnamePolicyFile malfunctions we will flag the forbidden
@@ -444,10 +447,11 @@ type Config struct {
DB cmd.DBConfig
cmd.HostnamePolicyConfig
@@ -483,9 +486,10 @@ type Config struct {
- Workers int `validate:"required,min=1"`
Workers int `validate:"required,min=1"`
// Deprecated: this is ignored, and cert checker always checks both expired and unexpired.
- UnexpiredOnly bool
- BadResultsOnly bool
- CheckPeriod config.Duration
+ Workers int `validate:"required,min=1"`
+ UnexpiredOnly bool
+ BadResultsOnly bool
+ SkipForbiddenDomains bool
@@ -51,7 +49,7 @@ index 860b4aac..5ad3241f 100644
// AcceptableValidityDurations is a list of durations which are
// acceptable for certificates we issue.
@@ -515,6 +519,8 @@ func main() {
@@ -553,6 +557,8 @@ func main() {
acceptableValidityDurations[ninetyDays] = true
}
@@ -60,7 +58,7 @@ index 860b4aac..5ad3241f 100644
// Validate PA config and set defaults if needed.
cmd.FailOnError(config.PA.CheckChallenges(), "Invalid PA configuration")
@@ -555,6 +561,7 @@ func main() {
@@ -593,6 +599,7 @@ func main() {
config.CertChecker.CheckPeriod.Duration,
acceptableValidityDurations,
logger,
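Review bot: The `SkipForbiddenDomains bool` field added to `Config` in the struct hunk carries no doc comment, while its neighbours do (`// Deprecated: …` above `UnexpiredOnly`, `// AcceptableValidityDurations …` below). Judging by its name it switches off the check that the earlier hunk describes as defense-in-depth against a malfunctioning `hostnamePolicyFile`, so an operator reading the config should be told what is being disabled, e.g. `// SkipForbiddenDomains disables the forbidden-domains check that backs up the Policy Authority's hostname policy.` The `main()` hunks that wire the field up are cut at the section edge, so I cannot see whether anything is logged when it is set; a startup log line would make the weakened check visible in operations.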


@@ -200,7 +200,7 @@ index 34d6f151c..1e065a7a6 100644
`id` bigint(20) NOT NULL AUTO_INCREMENT,
`jwk` mediumblob NOT NULL,
`jwk_sha256` varchar(255) NOT NULL,
@@ -203,20 +206,20 @@ CREATE TABLE `registrations` (
@@ -203,20 +206,32 @@ CREATE TABLE `registrations` (
KEY `initialIP_createdAt` (`initialIP`,`createdAt`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
@@ -215,6 +215,18 @@ index 34d6f151c..1e065a7a6 100644
-) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4
- PARTITION BY RANGE(id)
-(PARTITION p_start VALUES LESS THAN (MAXVALUE));
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
+
+CREATE TABLE `revokedCertificates` (
+ `id` bigint(20) NOT NULL AUTO_INCREMENT,
+ `issuerID` bigint(20) NOT NULL,
+ `serial` varchar(255) NOT NULL,
+ `notAfterHour` datetime NOT NULL,
+ `shardIdx` bigint(20) NOT NULL,
+ `revokedDate` datetime NOT NULL,
+ `revokedReason` int(11) NOT NULL,
+ PRIMARY KEY (`id`),
+ KEY `issuerID_shardIdx_notAfterHour_idx` (`issuerID`, `shardIdx`, `notAfterHour`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
-- Tables below have foreign key constraints, so are created after all other tables.


@@ -1,8 +1,8 @@
diff --git a/errors/errors.go b/errors/errors.go
index f531782e8..4e59a7259 100644
index 206857bd..9b185064 100644
--- a/errors/errors.go
+++ b/errors/errors.go
@@ -166,10 +166,10 @@ func NotFoundError(msg string, args ...interface{}) error {
@@ -168,10 +168,10 @@ func NotFoundError(msg string, args ...interface{}) error {
return New(NotFound, msg, args...)
}


@@ -1,5 +1,5 @@
diff --git a/cmd/ocsp-responder/main.go b/cmd/ocsp-responder/main.go
index 194b417ce..dfa1a95db 100644
index fa19f679..a6e2835f 100644
--- a/cmd/ocsp-responder/main.go
+++ b/cmd/ocsp-responder/main.go
@@ -88,7 +88,7 @@ type Config struct {
@@ -11,7 +11,7 @@ index 194b417ce..dfa1a95db 100644
// TLS client certificate, private key, and trusted root bundle.
TLS cmd.TLSConfig `validate:"required_without=Source,structonly"`
@@ -152,7 +152,7 @@ as generated by Boulder's ceremony command.
@@ -153,7 +153,7 @@ as generated by Boulder's ceremony command.
}
source, err = responder.NewMemorySourceFromFile(filename, logger)
cmd.FailOnError(err, fmt.Sprintf("Couldn't read file: %s", url.Path))
@@ -20,7 +20,7 @@ index 194b417ce..dfa1a95db 100644
// Set up the redis source and the combined multiplex source.
rocspRWClient, err := rocsp_config.MakeClient(c.OCSPResponder.Redis, clk, scope)
cmd.FailOnError(err, "Could not make redis client")
@@ -196,6 +196,19 @@ as generated by Boulder's ceremony command.
@@ -197,6 +197,19 @@ as generated by Boulder's ceremony command.
source, err = redis_responder.NewCheckedRedisSource(rocspSource, dbMap, sac, scope, logger)
cmd.FailOnError(err, "Could not create checkedRedis source")


@@ -1,8 +1,8 @@
diff --git a/ratelimit/rate-limits.go b/ratelimit/rate-limits.go
index bbca3dc4..37d08b66 100644
index 0d52801d..bd451521 100644
--- a/ratelimit/rate-limits.go
+++ b/ratelimit/rate-limits.go
@@ -56,6 +56,7 @@ type Limits interface {
@@ -57,6 +57,7 @@ type Limits interface {
CertificatesPerFQDNSetFast() RateLimitPolicy
NewOrdersPerAccount() RateLimitPolicy
LoadPolicies(contents []byte) error
@@ -10,7 +10,7 @@ index bbca3dc4..37d08b66 100644
}
// limitsImpl is an unexported implementation of the Limits interface. It acts
@@ -139,6 +140,15 @@ func (r *limitsImpl) NewOrdersPerAccount() RateLimitPolicy {
@@ -140,6 +141,15 @@ func (r *limitsImpl) NewOrdersPerAccount() RateLimitPolicy {
return r.rlPolicy.NewOrdersPerAccount
}
@@ -26,7 +26,7 @@ index bbca3dc4..37d08b66 100644
// LoadPolicies loads various rate limiting policies from a byte array of
// YAML configuration (typically read from disk by a reloader)
func (r *limitsImpl) LoadPolicies(contents []byte) error {
@@ -193,6 +203,8 @@ type rateLimitConfig struct {
@@ -194,6 +204,8 @@ type rateLimitConfig struct {
// lower threshold and smaller window), so that clients don't have to wait
// a long time after a small burst of accidental duplicate issuance.
CertificatesPerFQDNSetFast RateLimitPolicy `yaml:"certificatesPerFQDNSetFast"`


@@ -1,8 +1,8 @@
diff --git a/ratelimits/names.go b/ratelimits/names.go
index bb827e5e8..6e498bf6c 100644
index b2663982..f1de06b0 100644
--- a/ratelimits/names.go
+++ b/ratelimits/names.go
@@ -107,7 +107,11 @@ func validateRegIdDomain(id string) error {
@@ -127,7 +127,11 @@ func validateRegIdDomain(id string) error {
return fmt.Errorf(
"invalid regId, %q must be formatted 'regId:domain'", id)
}
@@ -15,7 +15,7 @@ index bb827e5e8..6e498bf6c 100644
return fmt.Errorf(
"invalid domain, %q must be formatted 'regId:domain'", id)
}
@@ -132,8 +136,12 @@ func validateRegIdFQDNSet(id string) error {
@@ -152,8 +156,12 @@ func validateRegIdFQDNSet(id string) error {
return fmt.Errorf(
"invalid fqdnSet, %q must be formatted 'regId:fqdnSet'", id)
}


@@ -1,8 +1,8 @@
diff --git a/crl/storer/storer.go b/crl/storer/storer.go
index d1470c7a..e58e46a8 100644
index cd0bf86c..dd492aec 100644
--- a/crl/storer/storer.go
+++ b/crl/storer/storer.go
@@ -10,6 +10,9 @@ import (
@@ -12,6 +12,9 @@ import (
"fmt"
"io"
"math/big"
@@ -12,23 +12,23 @@ index d1470c7a..e58e46a8 100644
"time"
"github.com/aws/aws-sdk-go-v2/service/s3"
@@ -34,6 +37,7 @@ type crlStorer struct {
@@ -38,6 +41,7 @@ type crlStorer struct {
cspb.UnimplementedCRLStorerServer
s3Client s3Putter
s3Client simpleS3
s3Bucket string
+ localStorePath string
issuers map[issuance.IssuerNameID]*issuance.Certificate
uploadCount *prometheus.CounterVec
sizeHistogram *prometheus.HistogramVec
@@ -46,6 +50,7 @@ func New(
@@ -50,6 +54,7 @@ func New(
issuers []*issuance.Certificate,
s3Client s3Putter,
s3Client simpleS3,
s3Bucket string,
+ localStorePath string,
stats prometheus.Registerer,
log blog.Logger,
clk clock.Clock,
@@ -79,6 +84,7 @@ func New(
@@ -83,6 +88,7 @@ func New(
issuers: issuersByNameID,
s3Client: s3Client,
s3Bucket: s3Bucket,
@@ -36,7 +36,7 @@ index d1470c7a..e58e46a8 100644
uploadCount: uploadCount,
sizeHistogram: sizeHistogram,
latencyHistogram: latencyHistogram,
@@ -157,15 +163,19 @@ func (cs *crlStorer) UploadCRL(stream cspb.CRLStorer_UploadCRLServer) error {
@@ -203,15 +209,19 @@ func (cs *crlStorer) UploadCRL(stream cspb.CRLStorer_UploadCRLServer) error {
checksum := sha256.Sum256(crlBytes)
checksumb64 := base64.StdEncoding.EncodeToString(checksum[:])
crlContentType := "application/pkix-crl"
@@ -65,9 +65,9 @@ index d1470c7a..e58e46a8 100644
latency := cs.clk.Now().Sub(start)
cs.latencyHistogram.WithLabelValues(issuer.Subject.CommonName).Observe(latency.Seconds())
@@ -184,3 +194,46 @@ func (cs *crlStorer) UploadCRL(stream cspb.CRLStorer_UploadCRLServer) error {
return stream.SendAndClose(&emptypb.Empty{})
@@ -240,3 +250,46 @@ func getIDPExt(exts []pkix.Extension) []byte {
}
return nil
}
+
+func storeLocalFile(path string, nameID issuance.IssuerNameID, crlNumber *big.Int, shardIdx int64, crlBytes io.Reader) error {
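Review bot: `storeLocalFile` on the last line of the hunk, and the `localStorePath` field and parameter added to `crlStorer` and `New`, have no doc comment, and the function body continues outside the hunk so I cannot see how the output path is built or written. Since `UploadCRL` checksums the CRL bytes before the S3 upload (`sha256.Sum256(crlBytes)` earlier in the hunk), the local copy deserves the same care: write to a temporary file and rename it into place so a reader of `localStorePath` never sees a truncated CRL, and compose the destination with `filepath.Join(path, …)` from the typed `nameID`, `crlNumber` and `shardIdx` values rather than by string concatenation. A comment such as `// storeLocalFile writes the CRL shard identified by nameID, crlNumber and shardIdx below path.` would also help; whether the body already does any of this is not visible here.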


@@ -1,16 +1,16 @@
diff --git a/crl/updater/continuous.go b/crl/updater/continuous.go
index c4b8f1a4..d78ebf18 100644
index 05f1d1bf..1c678a9c 100644
--- a/crl/updater/continuous.go
+++ b/crl/updater/continuous.go
@@ -4,6 +4,7 @@ import (
@@ -3,6 +3,7 @@ package updater
import (
"context"
"math/big"
"math/rand"
+ "os"
"sync"
"time"
@@ -17,6 +18,29 @@ import (
@@ -16,6 +17,29 @@ import (
func (cu *crlUpdater) Run(ctx context.Context) error {
var wg sync.WaitGroup
@@ -34,7 +34,7 @@ index c4b8f1a4..d78ebf18 100644
+ case <-time.After(2 * time.Minute):
+ }
+
+ cu.RunOnce(ctx, cu.clk.Now())
+ cu.RunOnce(ctx)
+ }
+
shardWorker := func(issuerNameID issuance.IssuerNameID, shardIdx int) {


@@ -1,8 +1,8 @@
diff --git a/crl/updater/updater.go b/crl/updater/updater.go
index ab0cc7e0..256927e3 100644
index 47e03490..faffb1cd 100644
--- a/crl/updater/updater.go
+++ b/crl/updater/updater.go
@@ -228,7 +228,7 @@ func (cu *crlUpdater) updateShard(ctx context.Context, atTime time.Time, issuerN
@@ -231,7 +231,7 @@ func (cu *crlUpdater) updateShard(ctx context.Context, atTime time.Time, issuerN
crlEntries = append(crlEntries, entry)
}


@@ -1,8 +1,8 @@
diff --git a/cmd/boulder-wfe2/main.go b/cmd/boulder-wfe2/main.go
index 9ea4b47ab..9beca8778 100644
index 13e362c8..c16b0c56 100644
--- a/cmd/boulder-wfe2/main.go
+++ b/cmd/boulder-wfe2/main.go
@@ -104,7 +104,7 @@ type Config struct {
@@ -106,7 +106,7 @@ type Config struct {
// DirectoryCAAIdentity is used for the /directory response's "meta"
// element's "caaIdentities" field. It should match the VA's "issuerDomain"
// configuration value (this value is the one used to enforce CAA)