Bump boulder version to release-2023-10-30

.github/workflows/release.yml

@@ -13,7 +13,7 @@ jobs:
       fail-fast: false
       matrix:
         GO_VERSION:
-          - 1.21.1
+          - 1.21.3
 
     steps:
       - name: Checkout

build/Dockerfile-boulder

@@ -1,4 +1,4 @@
-FROM letsencrypt/boulder-tools:go1.21.1_2023-09-07 AS boulder-tools
+FROM letsencrypt/boulder-tools:go1.21.3_2023-10-12 AS boulder-tools
 
 FROM ubuntu:focal
 

build/build.sh

@@ -8,7 +8,7 @@ TMP_DIR=$(pwd)/tmp
 rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src}
 
 boulderDir=$TMP_DIR/src
-boulderTag="release-2023-10-04"
+boulderTag="release-2023-10-30"
 boulderUrl="https://github.com/letsencrypt/boulder/"
 cloneDir=$(pwd)/..
 

build/tmp.patch

@@ -1,12 +1,12 @@
 diff --git a/docker-compose.yml b/docker-compose.yml
-index d52dfc3e..7d9fb59c 100644
+index 06ee3b61f..7d9fb59c6 100644
 --- a/docker-compose.yml
 +++ b/docker-compose.yml
 @@ -3,7 +3,7 @@ name: labca
  services:
    boulder:
      # Should match one of the GO_DEV_VERSIONS in test/boulder-tools/tag_and_upload.sh.
--    image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.21.1_2023-09-07}
+-    image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.21.3_2023-10-12}
 +    image: ghcr.io/hakwerk/labca-boulder:${LABCA_IMAGE_VERSION:-latest}
      environment:
        # To solve HTTP-01 and TLS-ALPN-01 challenges, change the IP in FAKE_DNS

install

@@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0"
 
 labcaUrl="https://github.com/hakwerk/labca/"
 boulderUrl="https://github.com/letsencrypt/boulder/"
-boulderTag="release-2023-10-04"
+boulderTag="release-2023-10-30"
 
 # Feature flags
 flag_skip_redis=true
@@ -622,7 +622,6 @@ config_boulder() {
     cp core/interfaces.go "$boulderLabCADir/.backup/"
     cp policy/pa.go "$boulderLabCADir/.backup/"
     cp ra/ra.go "$boulderLabCADir/.backup/"
-    cp reloader/reloader.go "$boulderLabCADir/.backup/"
     cp mail/mailer.go "$boulderLabCADir/.backup/"
     cp cmd/expiration-mailer/main.go "$boulderLabCADir/.backup/"
     cp cmd/notify-mailer/main.go "$boulderLabCADir/.backup/"

patch.sh

@@ -43,7 +43,6 @@ $SUDO patch -p1 < $cloneDir/patches/policy_pa.patch
 $SUDO patch -p1 < $cloneDir/patches/ra_ra.patch
 $SUDO patch -p1 < $cloneDir/patches/ratelimit_rate-limits.patch
 $SUDO patch -p1 < $cloneDir/patches/ratelimits_names.patch
-$SUDO patch -p1 < $cloneDir/patches/reloader_reloader.patch
 $SUDO patch -p1 < $cloneDir/patches/startservers.patch
 if [ "$SUDO" == "" ]; then
     # TODO: should include this into startservers.patch

patches/docker-compose-redis.patch

@@ -1,5 +1,5 @@
 diff --git a/docker-compose.yml b/docker-compose.yml
-index 5be626d6..4c28fe96 100644
+index 3c174f334..4020f447d 100644
 --- a/docker-compose.yml
 +++ b/docker-compose.yml
 @@ -22,8 +22,6 @@ services:
@@ -65,7 +65,7 @@ index 5be626d6..4c28fe96 100644
    bconsul:
      image: hashicorp/consul:1.15.4
      volumes:
-@@ -168,13 +126,6 @@ networks:
+@@ -166,13 +124,6 @@ networks:
        config:
          - subnet: 10.88.88.0/24
  

patches/docker-compose.patch

@@ -1,5 +1,5 @@
 diff --git a/docker-compose.yml b/docker-compose.yml
-index 4c28fe96..df62bf8b 100644
+index 4020f447d..8d9819d01 100644
 --- a/docker-compose.yml
 +++ b/docker-compose.yml
 @@ -1,4 +1,5 @@
@@ -89,7 +89,7 @@ index 4c28fe96..df62bf8b 100644
  
    bconsul:
      image: hashicorp/consul:1.15.4
-@@ -89,27 +87,73 @@ services:
+@@ -89,25 +87,73 @@ services:
        rednet:
          ipv4_address: 10.88.88.10
      command: "consul agent -dev -config-format=hcl -config-file=/test/consul/config.hcl"
@@ -127,11 +127,15 @@ index 4c28fe96..df62bf8b 100644
 +        max-size: "500k"
 +        max-file: "5"
 +    restart: always
-+
+ 
+-  bjaeger:
+-    image: jaegertracing/all-in-one:1.50
 +  nginx:
 +    image: nginx:1.25.3
 +    restart: always
-+    networks:
+     networks:
+-      bluenet:
+-        ipv4_address: 10.77.77.17
 +      - bluenet
 +    ports:
 +      - 80:80
@@ -140,16 +144,10 @@ index 4c28fe96..df62bf8b 100644
 +      - /home/labca/nginx_data/conf.d:/etc/nginx/conf.d
 +      - /home/labca/nginx_data/ssl:/etc/nginx/ssl
 +      - /home/labca/nginx_data/static:/var/www/html
- 
--  bjaeger:
--    image: jaegertracing/all-in-one:1.44
--    environment:
--      COLLECTOR_OTLP_ENABLED: "true"
++
 +  control:
 +    image: *boulder_image
-     networks:
--      bluenet:
--        ipv4_address: 10.77.77.17
++    networks:
 +      - bluenet
 +    volumes:
 +      - /var/run/docker.sock:/var/run/docker.sock

patches/notify-mailer_main.patch

@@ -39,7 +39,7 @@ index a05366c3..da9d78c8 100644
 +	logger := cmd.NewLogger(cmd.SyslogConfig{StdoutLevel: 7})
 +	pa, err := policy.New(cfg.PA.Challenges, logger)
 +	cmd.FailOnError(err, "Failed to create PA")
-+	err = pa.SetHostnamePolicyFile(cfg.NotifyMailer.HostnamePolicyFile)
++	err = pa.LoadHostnamePolicyFile(cfg.NotifyMailer.HostnamePolicyFile)
 +	cmd.FailOnError(err, "Failed to load HostnamePolicyFile")
 +
  	var mailClient bmail.Mailer

patches/policy_pa.patch

@@ -1,5 +1,5 @@
 diff --git a/policy/pa.go b/policy/pa.go
-index ff497a240..c21af1b23 100644
+index 86f79703d..59d42879a 100644
 --- a/policy/pa.go
 +++ b/policy/pa.go
 @@ -32,6 +32,8 @@ type AuthorityImpl struct {
@@ -20,8 +20,8 @@ index ff497a240..c21af1b23 100644
 +	Lockdown  []string `yaml:"Lockdown"`
  }
  
- // SetHostnamePolicyFile will load the given policy file, returning error if it
-@@ -136,10 +141,20 @@ func (pa *AuthorityImpl) processHostnamePolicy(policy blockedNamesPolicy) error
+ // LoadHostnamePolicyFile will load the given policy file, returning an error if
+@@ -131,10 +136,20 @@ func (pa *AuthorityImpl) processHostnamePolicy(policy blockedNamesPolicy) error
  		// wildcardNameMap to block issuance for `*.`+parts[1]
  		wildcardNameMap[parts[1]] = true
  	}
@@ -42,7 +42,7 @@ index ff497a240..c21af1b23 100644
  	pa.blocklistMu.Unlock()
  	return nil
  }
-@@ -210,7 +225,7 @@ var (
+@@ -205,7 +220,7 @@ var (
  // * exactly equal to an IANA registered TLD
  //
  // It does _not_ check that the domain isn't on any PA blocked lists.
@@ -51,7 +51,7 @@ index ff497a240..c21af1b23 100644
  	if domain == "" {
  		return errEmptyName
  	}
-@@ -286,6 +301,14 @@ func ValidDomain(domain string) error {
+@@ -281,6 +296,14 @@ func ValidDomain(domain string) error {
  		}
  	}
  
@@ -66,7 +66,7 @@ index ff497a240..c21af1b23 100644
  	// Names must end in an ICANN TLD, but they must not be equal to an ICANN TLD.
  	icannTLD, err := iana.ExtractSuffix(domain)
  	if err != nil {
-@@ -313,7 +336,7 @@ var forbiddenMailDomains = map[string]bool{
+@@ -308,7 +331,7 @@ var forbiddenMailDomains = map[string]bool{
  // ValidEmail returns an error if the input doesn't parse as an email address,
  // the domain isn't a valid hostname in Preferred Name Syntax, or its on the
  // list of domains forbidden for mail (because they are often used in examples).
@@ -75,7 +75,7 @@ index ff497a240..c21af1b23 100644
  	email, err := mail.ParseAddress(address)
  	if err != nil {
  		if len(address) > 254 {
-@@ -323,7 +346,7 @@ func ValidEmail(address string) error {
+@@ -318,7 +341,7 @@ func ValidEmail(address string) error {
  	}
  	splitEmail := strings.SplitN(email.Address, "@", -1)
  	domain := strings.ToLower(splitEmail[len(splitEmail)-1])
@@ -84,7 +84,7 @@ index ff497a240..c21af1b23 100644
  	if err != nil {
  		return berrors.InvalidEmailError(
  			"contact email %q has invalid domain : %s",
-@@ -363,11 +386,15 @@ func (pa *AuthorityImpl) willingToIssue(id identifier.ACMEIdentifier) error {
+@@ -358,11 +381,15 @@ func (pa *AuthorityImpl) willingToIssue(id identifier.ACMEIdentifier) error {
  	}
  	domain := id.Value
  
@@ -101,7 +101,7 @@ index ff497a240..c21af1b23 100644
  	// Require no match against hostname block lists
  	err = pa.checkHostLists(domain)
  	if err != nil {
-@@ -377,6 +404,31 @@ func (pa *AuthorityImpl) willingToIssue(id identifier.ACMEIdentifier) error {
+@@ -372,6 +399,31 @@ func (pa *AuthorityImpl) willingToIssue(id identifier.ACMEIdentifier) error {
  	return nil
  }
  

patches/ra_ra.patch

@@ -1,8 +1,8 @@
 diff --git a/ra/ra.go b/ra/ra.go
-index 8000e6ad..ef136c00 100644
+index 3dd269aad..22b43a30d 100644
 --- a/ra/ra.go
 +++ b/ra/ra.go
-@@ -41,7 +41,6 @@ import (
+@@ -44,7 +44,6 @@ import (
  	"github.com/letsencrypt/boulder/issuance"
  	blog "github.com/letsencrypt/boulder/log"
  	"github.com/letsencrypt/boulder/metrics"
@@ -10,7 +10,7 @@ index 8000e6ad..ef136c00 100644
  	"github.com/letsencrypt/boulder/probs"
  	pubpb "github.com/letsencrypt/boulder/publisher/proto"
  	rapb "github.com/letsencrypt/boulder/ra/proto"
-@@ -555,7 +554,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error {
+@@ -563,7 +562,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error {
  				contact,
  			)
  		}

patches/ratelimit_rate-limits.patch

@@ -1,8 +1,8 @@
 diff --git a/ratelimit/rate-limits.go b/ratelimit/rate-limits.go
-index 0d52801d..bd451521 100644
+index 3c6bd75d0..ad849a4a5 100644
 --- a/ratelimit/rate-limits.go
 +++ b/ratelimit/rate-limits.go
-@@ -57,6 +57,7 @@ type Limits interface {
+@@ -56,6 +56,7 @@ type Limits interface {
  	CertificatesPerFQDNSetFast() RateLimitPolicy
  	NewOrdersPerAccount() RateLimitPolicy
  	LoadPolicies(contents []byte) error
@@ -10,13 +10,11 @@ index 0d52801d..bd451521 100644
  }
  
  // limitsImpl is an unexported implementation of the Limits interface. It acts
-@@ -140,6 +141,15 @@ func (r *limitsImpl) NewOrdersPerAccount() RateLimitPolicy {
+@@ -120,6 +121,13 @@ func (r *limitsImpl) NewOrdersPerAccount() RateLimitPolicy {
  	return r.rlPolicy.NewOrdersPerAccount
  }
  
 +func (r *limitsImpl) RateLimitsURL() string {
-+	r.RLock()
-+	defer r.RUnlock()
 +	if r.rlPolicy == nil {
 +		return ""
 +	}
@@ -24,9 +22,9 @@ index 0d52801d..bd451521 100644
 +}
 +
  // LoadPolicies loads various rate limiting policies from a byte array of
- // YAML configuration (typically read from disk by a reloader)
+ // YAML configuration.
  func (r *limitsImpl) LoadPolicies(contents []byte) error {
-@@ -194,6 +204,8 @@ type rateLimitConfig struct {
+@@ -171,6 +179,8 @@ type rateLimitConfig struct {
  	// lower threshold and smaller window), so that clients don't have to wait
  	// a long time after a small burst of accidental duplicate issuance.
  	CertificatesPerFQDNSetFast RateLimitPolicy `yaml:"certificatesPerFQDNSetFast"`

patches/reloader_reloader.patch

@@ -1,28 +0,0 @@
-diff --git a/reloader/reloader.go b/reloader/reloader.go
-index 7200d707a..989db0eec 100644
---- a/reloader/reloader.go
-+++ b/reloader/reloader.go
-@@ -12,7 +12,7 @@ import (
- 
- // Wrap time.Tick so we can override it in tests.
- var makeTicker = func() (func(), <-chan time.Time) {
--	t := time.NewTicker(1 * time.Second)
-+	t := time.NewTicker(30 * time.Second)
- 	return t.Stop, t.C
- }
- 
-@@ -56,8 +56,12 @@ func New(filename string, dataCallback func([]byte) error, logger blog.Logger) (
- 			case <-tickChan:
- 				currentFileInfo, err := statFile(filename)
- 				if err != nil {
--					logger.Errf("statting %s: %s", filename, err)
--					continue
-+					time.Sleep(10 * time.Second)
-+					currentFileInfo, err = statFile(filename)
-+					if err != nil {
-+						logger.Errf("statting %s: %s", filename, err)
-+						continue
-+					}
- 				}
- 				if !currentFileInfo.ModTime().After(fileInfo.ModTime()) {
- 					continue

patches/updater_updater.patch

@@ -1,8 +1,8 @@
 diff --git a/crl/updater/updater.go b/crl/updater/updater.go
-index 47e03490..faffb1cd 100644
+index b7f4d4d6e..0d2f0c282 100644
 --- a/crl/updater/updater.go
 +++ b/crl/updater/updater.go
-@@ -231,7 +231,7 @@ func (cu *crlUpdater) updateShard(ctx context.Context, atTime time.Time, issuerN
+@@ -234,7 +234,7 @@ func (cu *crlUpdater) updateShard(ctx context.Context, atTime time.Time, issuerN
  			crlEntries = append(crlEntries, entry)
  		}