From abab3a892d1b6b5bf182a24fd821fb5ede3de8e4 Mon Sep 17 00:00:00 2001
From: Arjan H
Date: Thu, 5 Oct 2023 19:05:52 +0200
Subject: [PATCH] Bump boulder version to release-2023-10-04
---
 build/build.sh | 2 +-
 install | 2 +-
 patches/cert-checker_main.patch | 22 ++++++++++------------
 patches/db_migrations.patch | 14 +++++++++++++-
 patches/errors_errors.patch | 4 ++--
 patches/ocsp-responder_main.patch | 6 +++---
 patches/ratelimit_rate-limits.patch | 8 ++++----
 patches/ratelimits_names.patch | 6 +++---
 patches/storer_storer.patch | 22 +++++++++++-----------
 patches/updater_continuous.patch | 10 +++++-----
 patches/updater_updater.patch | 4 ++--
 patches/wfe2_main.patch | 4 ++--
 12 files changed, 57 insertions(+), 47 deletions(-)
diff --git a/build/build.sh b/build/build.sh
index b7512b6..6eb35c2 100755
--- a/build/build.sh
+++ b/build/build.sh
@@ -8,7 +8,7 @@ TMP_DIR=$(pwd)/tmp
 rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src}
 boulderDir=$TMP_DIR/src
-boulderTag="release-2023-09-19"
+boulderTag="release-2023-10-04"
 boulderUrl="https://github.com/letsencrypt/boulder/"
 cloneDir=$(pwd)/..
diff --git a/install b/install
index 70bb9a1..8ed2651 100755
--- a/install
+++ b/install
@@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0"
 labcaUrl="https://github.com/hakwerk/labca/"
 boulderUrl="https://github.com/letsencrypt/boulder/"
-boulderTag="release-2023-09-19"
+boulderTag="release-2023-10-04"
 # Feature flags
 flag_skip_redis=true
diff --git a/patches/cert-checker_main.patch b/patches/cert-checker_main.patch
index 5ac8c1b..f795fe7 100644
--- a/patches/cert-checker_main.patch
+++ b/patches/cert-checker_main.patch
@@ -1,8 +1,8 @@
 diff --git a/cmd/cert-checker/main.go b/cmd/cert-checker/main.go
-index 860b4aac..5ad3241f 100644
+index d6403a04..ee3dcf38 100644
 --- a/cmd/cert-checker/main.go
+++ b/cmd/cert-checker/main.go
-@@ -109,6 +109,7 @@ type certChecker struct {
+@@ -108,6 +108,7 @@ type certChecker struct {
 checkPeriod time.Duration
 acceptableValidityDurations map[time.Duration]bool
 logger blog.Logger
@@ -10,7 +10,7 @@ index 860b4aac..5ad3241f 100644
 }
 func newChecker(saDbMap certDB,
-@@ -118,6 +119,7 @@ func newChecker(saDbMap certDB,
+@@ -117,6 +118,7 @@ func newChecker(saDbMap certDB,
 period time.Duration,
 avd map[time.Duration]bool,
 logger blog.Logger,
@@ -18,7 +18,7 @@ index 860b4aac..5ad3241f 100644
 ) certChecker {
 precertGetter := func(ctx context.Context, serial string) ([]byte, error) {
 precertPb, err := sa.SelectPrecertificate(ctx, saDbMap, serial)
-@@ -138,6 +140,7 @@ func newChecker(saDbMap certDB,
+@@ -137,6 +139,7 @@ func newChecker(saDbMap certDB,
 checkPeriod: period,
 acceptableValidityDurations: avd,
 logger: logger,
@@ -26,7 +26,7 @@ index 860b4aac..5ad3241f 100644
 }
 }
-@@ -366,7 +369,7 @@ func (c *certChecker) checkCert(ctx context.Context, cert core.Certificate, igno
+@@ -403,7 +406,7 @@ func (c *certChecker) checkCert(ctx context.Context, cert core.Certificate, igno
 err = c.pa.WillingToIssueWildcards([]identifier.ACMEIdentifier{id})
 if err != nil {
 problems = append(problems, fmt.Sprintf("Policy Authority isn't willing to issue for '%s': %s", name, err))
@@ -35,15 +35,13 @@ index 860b4aac..5ad3241f 100644
 // For defense-in-depth, even if the PA was willing to issue for a name
 // we double check it against a list of forbidden domains. This way even
 // if the hostnamePolicyFile malfunctions we will flag the forbidden
-@@ -444,10 +447,11 @@ type Config struct {
- DB cmd.DBConfig
- cmd.HostnamePolicyConfig
+@@ -483,9 +486,10 @@ type Config struct {
-- Workers int `validate:"required,min=1"`
+ Workers int `validate:"required,min=1"`
+ // Deprecated: this is ignored, and cert checker always checks both expired and unexpired.
- UnexpiredOnly bool
- BadResultsOnly bool
- CheckPeriod config.Duration
-+ Workers int `validate:"required,min=1"`
+ UnexpiredOnly bool
+ BadResultsOnly bool
 + SkipForbiddenDomains bool
@@ -51,7 +49,7 @@ index 860b4aac..5ad3241f 100644
 // AcceptableValidityDurations is a list of durations which are
 // acceptable for certificates we issue.
-@@ -515,6 +519,8 @@ func main() {
+@@ -553,6 +557,8 @@ func main() {
 acceptableValidityDurations[ninetyDays] = true
 }
@@ -60,7 +58,7 @@ index 860b4aac..5ad3241f 100644
 // Validate PA config and set defaults if needed.
 cmd.FailOnError(config.PA.CheckChallenges(), "Invalid PA configuration")
-@@ -555,6 +561,7 @@ func main() {
+@@ -593,6 +599,7 @@ func main() {
 config.CertChecker.CheckPeriod.Duration,
 acceptableValidityDurations,
 logger,
diff --git a/patches/db_migrations.patch b/patches/db_migrations.patch
index 1a0e011..313852d 100644
--- a/patches/db_migrations.patch
+++ b/patches/db_migrations.patch
@@ -200,7 +200,7 @@ index 34d6f151c..1e065a7a6 100644
 `id` bigint(20) NOT NULL AUTO_INCREMENT,
 `jwk` mediumblob NOT NULL,
 `jwk_sha256` varchar(255) NOT NULL,
-@@ -203,20 +206,20 @@ CREATE TABLE `registrations` (
+@@ -203,20 +206,32 @@ CREATE TABLE `registrations` (
 KEY `initialIP_createdAt` (`initialIP`,`createdAt`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
@@ -215,6 +215,18 @@ index 34d6f151c..1e065a7a6 100644
 -) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4
 - PARTITION BY RANGE(id)
 -(PARTITION p_start VALUES LESS THAN (MAXVALUE));
++) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
++
++CREATE TABLE `revokedCertificates` (
++ `id` bigint(20) NOT NULL AUTO_INCREMENT,
++ `issuerID` bigint(20) NOT NULL,
++ `serial` varchar(255) NOT NULL,
++ `notAfterHour` datetime NOT NULL,
++ `shardIdx` bigint(20) NOT NULL,
++ `revokedDate` datetime NOT NULL,
++ `revokedReason` int(11) NOT NULL,
++ PRIMARY KEY (`id`),
++ KEY `issuerID_shardIdx_notAfterHour_idx` (`issuerID`, `shardIdx`, `notAfterHour`)
 +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
 -- Tables below have foreign key constraints, so are created after all other tables.
diff --git a/patches/errors_errors.patch b/patches/errors_errors.patch
index 1d5aeaa..6cd651f 100644
--- a/patches/errors_errors.patch
+++ b/patches/errors_errors.patch
@@ -1,8 +1,8 @@
 diff --git a/errors/errors.go b/errors/errors.go
-index f531782e8..4e59a7259 100644
+index 206857bd..9b185064 100644
 --- a/errors/errors.go
 +++ b/errors/errors.go
-@@ -166,10 +166,10 @@ func NotFoundError(msg string, args ...interface{}) error {
+@@ -168,10 +168,10 @@ func NotFoundError(msg string, args ...interface{}) error {
 return New(NotFound, msg, args...)
 }
diff --git a/patches/ocsp-responder_main.patch b/patches/ocsp-responder_main.patch
index bbd641c..fccc0b2 100644
--- a/patches/ocsp-responder_main.patch
+++ b/patches/ocsp-responder_main.patch
@@ -1,5 +1,5 @@
 diff --git a/cmd/ocsp-responder/main.go b/cmd/ocsp-responder/main.go
-index 194b417ce..dfa1a95db 100644
+index fa19f679..a6e2835f 100644
 --- a/cmd/ocsp-responder/main.go
 +++ b/cmd/ocsp-responder/main.go
 @@ -88,7 +88,7 @@ type Config struct {
@@ -11,7 +11,7 @@ index 194b417ce..dfa1a95db 100644
 // TLS client certificate, private key, and trusted root bundle.
 TLS cmd.TLSConfig `validate:"required_without=Source,structonly"`
-@@ -152,7 +152,7 @@ as generated by Boulder's ceremony command.
+@@ -153,7 +153,7 @@ as generated by Boulder's ceremony command.
 }
 source, err = responder.NewMemorySourceFromFile(filename, logger)
 cmd.FailOnError(err, fmt.Sprintf("Couldn't read file: %s", url.Path))
@@ -20,7 +20,7 @@ index 194b417ce..dfa1a95db 100644
 // Set up the redis source and the combined multiplex source.
 rocspRWClient, err := rocsp_config.MakeClient(c.OCSPResponder.Redis, clk, scope)
 cmd.FailOnError(err, "Could not make redis client")
-@@ -196,6 +196,19 @@ as generated by Boulder's ceremony command.
+@@ -197,6 +197,19 @@ as generated by Boulder's ceremony command.
 source, err = redis_responder.NewCheckedRedisSource(rocspSource, dbMap, sac, scope, logger)
 cmd.FailOnError(err, "Could not create checkedRedis source")
diff --git a/patches/ratelimit_rate-limits.patch b/patches/ratelimit_rate-limits.patch
index 49ae949..190596e 100644
--- a/patches/ratelimit_rate-limits.patch
+++ b/patches/ratelimit_rate-limits.patch
@@ -1,8 +1,8 @@
 diff --git a/ratelimit/rate-limits.go b/ratelimit/rate-limits.go
-index bbca3dc4..37d08b66 100644
+index 0d52801d..bd451521 100644
 --- a/ratelimit/rate-limits.go
 +++ b/ratelimit/rate-limits.go
-@@ -56,6 +56,7 @@ type Limits interface {
+@@ -57,6 +57,7 @@ type Limits interface {
 CertificatesPerFQDNSetFast() RateLimitPolicy
 NewOrdersPerAccount() RateLimitPolicy
 LoadPolicies(contents []byte) error
@@ -10,7 +10,7 @@ index bbca3dc4..37d08b66 100644
 }
 // limitsImpl is an unexported implementation of the Limits interface. It acts
-@@ -139,6 +140,15 @@ func (r *limitsImpl) NewOrdersPerAccount() RateLimitPolicy {
+@@ -140,6 +141,15 @@ func (r *limitsImpl) NewOrdersPerAccount() RateLimitPolicy {
 return r.rlPolicy.NewOrdersPerAccount
 }
@@ -26,7 +26,7 @@ index bbca3dc4..37d08b66 100644
 // LoadPolicies loads various rate limiting policies from a byte array of
 // YAML configuration (typically read from disk by a reloader)
 func (r *limitsImpl) LoadPolicies(contents []byte) error {
-@@ -193,6 +203,8 @@ type rateLimitConfig struct {
+@@ -194,6 +204,8 @@ type rateLimitConfig struct {
 // lower threshold and smaller window), so that clients don't have to wait
 // a long time after a small burst of accidental duplicate issuance.
 CertificatesPerFQDNSetFast RateLimitPolicy `yaml:"certificatesPerFQDNSetFast"`
diff --git a/patches/ratelimits_names.patch b/patches/ratelimits_names.patch
index 44a590a..aea9aa9 100644
--- a/patches/ratelimits_names.patch
+++ b/patches/ratelimits_names.patch
@@ -1,8 +1,8 @@
 diff --git a/ratelimits/names.go b/ratelimits/names.go
-index bb827e5e8..6e498bf6c 100644
+index b2663982..f1de06b0 100644
 --- a/ratelimits/names.go
 +++ b/ratelimits/names.go
-@@ -107,7 +107,11 @@ func validateRegIdDomain(id string) error {
+@@ -127,7 +127,11 @@ func validateRegIdDomain(id string) error {
 return fmt.Errorf(
 "invalid regId, %q must be formatted 'regId:domain'", id)
 }
@@ -15,7 +15,7 @@ index bb827e5e8..6e498bf6c 100644
 return fmt.Errorf(
 "invalid domain, %q must be formatted 'regId:domain'", id)
 }
-@@ -132,8 +136,12 @@ func validateRegIdFQDNSet(id string) error {
+@@ -152,8 +156,12 @@ func validateRegIdFQDNSet(id string) error {
 return fmt.Errorf(
 "invalid fqdnSet, %q must be formatted 'regId:fqdnSet'", id)
 }
diff --git a/patches/storer_storer.patch b/patches/storer_storer.patch
index 65e6e3f..b73ff80 100644
--- a/patches/storer_storer.patch
+++ b/patches/storer_storer.patch
@@ -1,8 +1,8 @@
 diff --git a/crl/storer/storer.go b/crl/storer/storer.go
-index d1470c7a..e58e46a8 100644
+index cd0bf86c..dd492aec 100644
 --- a/crl/storer/storer.go
 +++ b/crl/storer/storer.go
-@@ -10,6 +10,9 @@ import (
+@@ -12,6 +12,9 @@ import (
 "fmt"
 "io"
 "math/big"
@@ -12,23 +12,23 @@ index d1470c7a..e58e46a8 100644
 "time"
 "github.com/aws/aws-sdk-go-v2/service/s3"
-@@ -34,6 +37,7 @@ type crlStorer struct {
+@@ -38,6 +41,7 @@ type crlStorer struct {
 cspb.UnimplementedCRLStorerServer
- s3Client s3Putter
+ s3Client simpleS3
 s3Bucket string
 + localStorePath string
 issuers map[issuance.IssuerNameID]*issuance.Certificate
 uploadCount *prometheus.CounterVec
 sizeHistogram *prometheus.HistogramVec
-@@ -46,6 +50,7 @@ func New(
+@@ -50,6 +54,7 @@ func New(
 issuers []*issuance.Certificate,
- s3Client s3Putter,
+ s3Client simpleS3,
 s3Bucket string,
 + localStorePath string,
 stats prometheus.Registerer,
 log blog.Logger,
 clk clock.Clock,
-@@ -79,6 +84,7 @@ func New(
+@@ -83,6 +88,7 @@ func New(
 issuers: issuersByNameID,
 s3Client: s3Client,
 s3Bucket: s3Bucket,
@@ -36,7 +36,7 @@ index d1470c7a..e58e46a8 100644
 uploadCount: uploadCount,
 sizeHistogram: sizeHistogram,
 latencyHistogram: latencyHistogram,
-@@ -157,15 +163,19 @@ func (cs *crlStorer) UploadCRL(stream cspb.CRLStorer_UploadCRLServer) error {
+@@ -203,15 +209,19 @@ func (cs *crlStorer) UploadCRL(stream cspb.CRLStorer_UploadCRLServer) error {
 checksum := sha256.Sum256(crlBytes)
 checksumb64 := base64.StdEncoding.EncodeToString(checksum[:])
 crlContentType := "application/pkix-crl"
@@ -65,9 +65,9 @@ index d1470c7a..e58e46a8 100644
 latency := cs.clk.Now().Sub(start)
 cs.latencyHistogram.WithLabelValues(issuer.Subject.CommonName).Observe(latency.Seconds())
-@@ -184,3 +194,46 @@ func (cs *crlStorer) UploadCRL(stream cspb.CRLStorer_UploadCRLServer) error {
-
- return stream.SendAndClose(&emptypb.Empty{})
+@@ -240,3 +250,46 @@ func getIDPExt(exts []pkix.Extension) []byte {
+ }
+ return nil
 }
 +
 +func storeLocalFile(path string, nameID issuance.IssuerNameID, crlNumber *big.Int, shardIdx int64, crlBytes io.Reader) error {
diff --git a/patches/updater_continuous.patch b/patches/updater_continuous.patch
index 830647e..e0090ea 100644
--- a/patches/updater_continuous.patch
+++ b/patches/updater_continuous.patch
@@ -1,16 +1,16 @@
 diff --git a/crl/updater/continuous.go b/crl/updater/continuous.go
-index c4b8f1a4..d78ebf18 100644
+index 05f1d1bf..1c678a9c 100644
 --- a/crl/updater/continuous.go
 +++ b/crl/updater/continuous.go
-@@ -4,6 +4,7 @@ import (
+@@ -3,6 +3,7 @@ package updater
+ import (
 "context"
- "math/big"
 "math/rand"
 + "os"
 "sync"
 "time"
-@@ -17,6 +18,29 @@ import (
+@@ -16,6 +17,29 @@ import (
 func (cu *crlUpdater) Run(ctx context.Context) error {
 var wg sync.WaitGroup
@@ -34,7 +34,7 @@ index c4b8f1a4..d78ebf18 100644
 + case <-time.After(2 * time.Minute):
 + }
 +
-+ cu.RunOnce(ctx, cu.clk.Now())
++ cu.RunOnce(ctx)
 + }
 +
 shardWorker := func(issuerNameID issuance.IssuerNameID, shardIdx int) {
diff --git a/patches/updater_updater.patch b/patches/updater_updater.patch
index 1c437bb..c30b95e 100644
--- a/patches/updater_updater.patch
+++ b/patches/updater_updater.patch
@@ -1,8 +1,8 @@
 diff --git a/crl/updater/updater.go b/crl/updater/updater.go
-index ab0cc7e0..256927e3 100644
+index 47e03490..faffb1cd 100644
 --- a/crl/updater/updater.go
 +++ b/crl/updater/updater.go
-@@ -228,7 +228,7 @@ func (cu *crlUpdater) updateShard(ctx context.Context, atTime time.Time, issuerN
+@@ -231,7 +231,7 @@ func (cu *crlUpdater) updateShard(ctx context.Context, atTime time.Time, issuerN
 crlEntries = append(crlEntries, entry)
 }
diff --git a/patches/wfe2_main.patch b/patches/wfe2_main.patch
index 33b93ad..fade35c 100644
--- a/patches/wfe2_main.patch
+++ b/patches/wfe2_main.patch
@@ -1,8 +1,8 @@
 diff --git a/cmd/boulder-wfe2/main.go b/cmd/boulder-wfe2/main.go
-index 9ea4b47ab..9beca8778 100644
+index 13e362c8..c16b0c56 100644
 --- a/cmd/boulder-wfe2/main.go
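Review bot: The rewritten call `cu.RunOnce(ctx)` in the `@@ -34,7 +34,7 @@` hunk of updater_continuous.patch still discards whatever RunOnce returns; the call was re-targeted to the new upstream signature but, if RunOnce reports an error as the old `cu.RunOnce(ctx, cu.clk.Now())` form presumably did (the signature is not visible in this fragment), a failed periodic CRL regeneration in this two-minute loop goes unreported and the stale CRL is silently served until the next tick. Handle the result at this layer, e.g. `if err := cu.RunOnce(ctx); err != nil { /* report via the updater's logger */ }`. The enclosing Run loop, including the `select` on ctx.Done that presumably precedes the `time.After` case, starts and ends outside the hunk, so cancellation handling cannot be confirmed from here.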
+++ b/cmd/boulder-wfe2/main.go
-@@ -104,7 +104,7 @@ type Config struct {
+@@ -106,7 +106,7 @@ type Config struct {
 // DirectoryCAAIdentity is used for the /directory response's "meta"
 // element's "caaIdentities" field. It should match the VA's "issuerDomain"
 // configuration value (this value is the one used to enforce CAA)