Bump boulder version to release-2024-08-30a

Arjan H
2024-08-31 16:04:55 +02:00
parent eb20f7f23f
commit cab022a4c8
15 changed files with 71 additions and 42 deletions


@@ -1,4 +1,4 @@
FROM letsencrypt/boulder-tools:go1.22.5_2024-07-03 AS boulder-tools
FROM letsencrypt/boulder-tools:go1.22.5_2024-08-13 AS boulder-tools
FROM ubuntu:focal


@@ -8,7 +8,7 @@ TMP_DIR=$(pwd)/tmp
rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src}
boulderDir=$TMP_DIR/src
boulderTag="release-2024-07-29"
boulderTag="release-2024-08-30a"
boulderUrl="https://github.com/letsencrypt/boulder/"
cloneDir=$(pwd)/..


@@ -9,7 +9,7 @@ services:
context: test/boulder-tools/
# Should match one of the GO_CI_VERSIONS in test/boulder-tools/tag_and_upload.sh.
args:
GO_VERSION: 1.22.5
GO_VERSION: 1.23.0
environment:
# To solve HTTP-01 and TLS-ALPN-01 challenges, change the IP in FAKE_DNS
# to the IP address where your ACME client's solver is listening.


@@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0"
labcaUrl="https://github.com/hakwerk/labca/"
boulderUrl="https://github.com/letsencrypt/boulder/"
boulderTag="release-2024-07-29"
boulderTag="release-2024-08-30a"
# Feature flags
flag_skip_redis=true


@@ -31,6 +31,8 @@ $SUDO patch -p1 < $cloneDir/patches/core_interfaces.patch
$SUDO patch -p1 < $cloneDir/patches/crl-storer_main.patch
$SUDO patch -p1 < $cloneDir/patches/db_migrations.patch
$SUDO patch -p1 < $cloneDir/patches/db_migrations2.patch
$SUDO patch -p1 < $cloneDir/patches/db_migrations3.patch
$SUDO patch -p1 < $cloneDir/patches/db_migrations4.patch
$SUDO patch -p1 < $cloneDir/patches/errors_errors.patch
$SUDO patch -p1 < $cloneDir/patches/expiration-mailer_main.patch
$SUDO patch -p1 < $cloneDir/patches/issuance_crl.patch
@@ -64,6 +66,7 @@ $SUDO patch -p1 < $cloneDir/patches/wfe2_wfe.patch
sed -i -e "s|./test|./labca|" start.py
sed -i -e "s/berrors.RateLimitError(/berrors.RateLimitError(ra.rlPolicies.RateLimitsURL(), /g" ra/ra.go
sed -i -e "s/berrors.RateLimitError(/berrors.RateLimitError(\"\", /g" ratelimits/limiter.go
sed -i -e "s/proxysql:6033/mysql:3306/" sa/db/dbconfig.yml
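Review bot: The `sed -i` substitutions on ra/ra.go and ratelimits/limiter.go succeed silently when their pattern no longer matches, and a boulder version bump like this one is exactly when an upstream rename of `berrors.RateLimitError(` would turn them into no-ops that are only noticed at build or run time. A guard before each substitution makes the drift visible, e.g. `grep -q 'berrors.RateLimitError(' ratelimits/limiter.go || { echo "ratelimits/limiter.go: pattern not found" >&2; exit 1; }`. The same concern applies to the `$SUDO patch -p1` lines added in the first hunk (db_migrations3/4): unless the script runs under `set -e` somewhere above this view, a rejected hunk leaves a partially patched tree without stopping the install. The enclosing script starts and ends outside these hunks, so I cannot tell whether such a guard already exists.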


@@ -1,8 +1,8 @@
diff --git a/ca/ca.go b/ca/ca.go
index b99fe702f..ddd5ebfe3 100644
index e55b2d665..1d4ba7242 100644
--- a/ca/ca.go
+++ b/ca/ca.go
@@ -154,10 +154,10 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) {
@@ -153,10 +153,10 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) {
}
}
if i, ok := issuersByAlg[x509.ECDSA]; !ok || len(i) == 0 {


@@ -1,10 +1,10 @@
diff --git a/core/interfaces.go b/core/interfaces.go
index 003329c3..c01cd881 100644
index 35ebf3896..61d2510e3 100644
--- a/core/interfaces.go
+++ b/core/interfaces.go
@@ -11,4 +11,5 @@ type PolicyAuthority interface {
ChallengesFor(identifier.ACMEIdentifier) ([]Challenge, error)
ChallengeTypesFor(identifier.ACMEIdentifier) ([]AcmeChallenge, error)
ChallengeTypeEnabled(AcmeChallenge) bool
CheckAuthz(*Authorization) error
CheckAuthzChallenges(*Authorization) error
+ ValidEmail(address string) error
}
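Review bot: The `ValidEmail(address string) error` method added to the PolicyAuthority interface carries no doc comment, so a reader of the interface cannot tell what a non-nil error means or which error type to expect; the contract is only described on the policy package implementation elsewhere in this commit. For an exported interface method a one-line comment is expected, e.g. `// ValidEmail returns an error if address is not an acceptable contact email address (see policy.ValidEmail).`. Presumably every other implementation of PolicyAuthority, including test doubles, now needs this method too; worth confirming they are covered by the bump. The interface declaration itself begins outside the visible hunk.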


@@ -0,0 +1,13 @@
diff --git a/sa/db/boulder_sa/20230919000000_RevokedCertificates.sql b/sa/db/boulder_sa/20230919000000_RevokedCertificates.sql
index fe86aa71b..f47feb9fb 100644
--- a/sa/db/boulder_sa/20230919000000_RevokedCertificates.sql
+++ b/sa/db/boulder_sa/20230919000000_RevokedCertificates.sql
@@ -1,7 +1,7 @@
-- +migrate Up
-- SQL in section 'Up' is executed when this migration is applied
-CREATE TABLE `revokedCertificates` (
+CREATE TABLE IF NOT EXISTS `revokedCertificates` (
`id` bigint(20) NOT NULL AUTO_INCREMENT,
`issuerID` bigint(20) NOT NULL,
`serial` varchar(255) NOT NULL,
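Review bot: Changing `CREATE TABLE` to `CREATE TABLE IF NOT EXISTS` for revokedCertificates makes the Up step a silent no-op whenever a table of that name already exists, so a pre-existing table with a different column set is accepted without error and, given the `-- +migrate` markers, the migration is still recorded as applied; the replacementOrders patch below has the same issue. If the purpose is to tolerate databases that already carry these tables, a comment stating that the existing schema is not reconciled would save the next maintainer a surprise, e.g. `-- IF NOT EXISTS: an existing table of this name is kept as-is; its columns are not reconciled here`. The Down section is outside the visible part of this new patch file; if it drops the table, a rollback would remove a table this migration did not create, which is worth checking.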


@@ -0,0 +1,13 @@
diff --git a/sa/db/boulder_sa/20240119000000_ReplacementOrders.sql b/sa/db/boulder_sa/20240119000000_ReplacementOrders.sql
index c2bc65f9c..d331ca4fd 100644
--- a/sa/db/boulder_sa/20240119000000_ReplacementOrders.sql
+++ b/sa/db/boulder_sa/20240119000000_ReplacementOrders.sql
@@ -1,7 +1,7 @@
-- +migrate Up
-- SQL in section 'Up' is executed when this migration is applied
-CREATE TABLE `replacementOrders` (
+CREATE TABLE IF NOT EXISTS `replacementOrders` (
`id` bigint(20) NOT NULL AUTO_INCREMENT,
`serial` varchar(255) NOT NULL,
`orderID` bigint(20) NOT NULL,


@@ -1,8 +1,8 @@
diff --git a/policy/pa.go b/policy/pa.go
index ce7857a7d..ef29cb60e 100644
index 26edbdbdf..177fddba2 100644
--- a/policy/pa.go
+++ b/policy/pa.go
@@ -32,6 +32,9 @@ type AuthorityImpl struct {
@@ -31,6 +31,9 @@ type AuthorityImpl struct {
blocklist map[string]bool
exactBlocklist map[string]bool
wildcardExactBlocklist map[string]bool
@@ -12,7 +12,7 @@ index ce7857a7d..ef29cb60e 100644
blocklistMu sync.RWMutex
enabledChallenges map[core.AcmeChallenge]bool
@@ -72,6 +75,10 @@ type blockedNamesPolicy struct {
@@ -64,6 +67,10 @@ type blockedNamesPolicy struct {
// time above and beyond the high-risk domains. Managing these entries separately
// from HighRiskBlockedNames makes it easier to vet changes accurately.
AdminBlockedNames []string `yaml:"AdminBlockedNames"`
@@ -23,7 +23,7 @@ index ce7857a7d..ef29cb60e 100644
}
// LoadHostnamePolicyFile will load the given policy file, returning an error if
@@ -131,10 +138,21 @@ func (pa *AuthorityImpl) processHostnamePolicy(policy blockedNamesPolicy) error
@@ -123,10 +130,21 @@ func (pa *AuthorityImpl) processHostnamePolicy(policy blockedNamesPolicy) error
// wildcardNameMap to block issuance for `*.`+parts[1]
wildcardNameMap[parts[1]] = true
}
@@ -45,7 +45,7 @@ index ce7857a7d..ef29cb60e 100644
pa.blocklistMu.Unlock()
return nil
}
@@ -203,7 +221,7 @@ var (
@@ -195,7 +213,7 @@ var (
// - exactly equal to an IANA registered TLD
//
// It does NOT ensure that the domain is absent from any PA blocked lists.
@@ -54,7 +54,7 @@ index ce7857a7d..ef29cb60e 100644
if domain == "" {
return errEmptyName
}
@@ -235,7 +253,9 @@ func validNonWildcardDomain(domain string) error {
@@ -227,7 +245,9 @@ func validNonWildcardDomain(domain string) error {
return errTooManyLabels
}
if len(labels) < 2 {
@@ -65,7 +65,7 @@ index ce7857a7d..ef29cb60e 100644
}
for _, label := range labels {
// Check that this is a valid LDH Label: "A string consisting of ASCII
@@ -279,6 +299,14 @@ func validNonWildcardDomain(domain string) error {
@@ -271,6 +291,14 @@ func validNonWildcardDomain(domain string) error {
}
}
@@ -80,7 +80,7 @@ index ce7857a7d..ef29cb60e 100644
// Names must end in an ICANN TLD, but they must not be equal to an ICANN TLD.
icannTLD, err := iana.ExtractSuffix(domain)
if err != nil {
@@ -294,9 +322,9 @@ func validNonWildcardDomain(domain string) error {
@@ -286,9 +314,9 @@ func validNonWildcardDomain(domain string) error {
// ValidDomain checks that a domain is valid and that it doesn't contain any
// invalid wildcard characters. It does NOT ensure that the domain is absent
// from any PA blocked lists.
@@ -92,7 +92,7 @@ index ce7857a7d..ef29cb60e 100644
}
// Names containing more than one wildcard are invalid.
@@ -315,7 +343,7 @@ func ValidDomain(domain string) error {
@@ -307,7 +335,7 @@ func ValidDomain(domain string) error {
// Names must end in an ICANN TLD, but they must not be equal to an ICANN TLD.
icannTLD, err := iana.ExtractSuffix(baseDomain)
@@ -101,7 +101,7 @@ index ce7857a7d..ef29cb60e 100644
return errNonPublic
}
// Names must have a non-wildcard label immediately adjacent to the ICANN
@@ -323,7 +351,7 @@ func ValidDomain(domain string) error {
@@ -315,7 +343,7 @@ func ValidDomain(domain string) error {
if baseDomain == icannTLD {
return errICANNTLDWildcard
}
@@ -110,7 +110,7 @@ index ce7857a7d..ef29cb60e 100644
}
// forbiddenMailDomains is a map of domain names we do not allow after the
@@ -341,7 +369,7 @@ var forbiddenMailDomains = map[string]bool{
@@ -333,7 +361,7 @@ var forbiddenMailDomains = map[string]bool{
// ValidEmail returns an error if the input doesn't parse as an email address,
// the domain isn't a valid hostname in Preferred Name Syntax, or its on the
// list of domains forbidden for mail (because they are often used in examples).
@@ -119,7 +119,7 @@ index ce7857a7d..ef29cb60e 100644
email, err := mail.ParseAddress(address)
if err != nil {
if len(address) > 254 {
@@ -351,7 +379,7 @@ func ValidEmail(address string) error {
@@ -343,7 +371,7 @@ func ValidEmail(address string) error {
}
splitEmail := strings.SplitN(email.Address, "@", -1)
domain := strings.ToLower(splitEmail[len(splitEmail)-1])
@@ -128,7 +128,7 @@ index ce7857a7d..ef29cb60e 100644
if err != nil {
return berrors.InvalidEmailError(
"contact email %q has invalid domain : %s",
@@ -395,7 +423,7 @@ func subError(name string, err error) berrors.SubBoulderError {
@@ -387,7 +415,7 @@ func subError(name string, err error) berrors.SubBoulderError {
//
// Precondition: all input domain names must be in lowercase.
func (pa *AuthorityImpl) WillingToIssue(domains []string) error {
@@ -137,7 +137,7 @@ index ce7857a7d..ef29cb60e 100644
if err != nil {
return err
}
@@ -414,6 +442,10 @@ func (pa *AuthorityImpl) WillingToIssue(domains []string) error {
@@ -406,6 +434,10 @@ func (pa *AuthorityImpl) WillingToIssue(domains []string) error {
}
}
@@ -148,7 +148,7 @@ index ce7857a7d..ef29cb60e 100644
// For both wildcard and non-wildcard domains, check whether any parent domain
// name is on the regular blocklist.
err := pa.checkHostLists(domain)
@@ -447,10 +479,10 @@ func (pa *AuthorityImpl) WillingToIssue(domains []string) error {
@@ -439,10 +471,10 @@ func (pa *AuthorityImpl) WillingToIssue(domains []string) error {
//
// If multiple domains are invalid, the error will contain suberrors specific to
// each domain.
@@ -161,7 +161,7 @@ index ce7857a7d..ef29cb60e 100644
if err != nil {
subErrors = append(subErrors, subError(domain, err))
}
@@ -484,6 +516,34 @@ func combineSubErrors(subErrors []berrors.SubBoulderError) error {
@@ -476,6 +508,34 @@ func combineSubErrors(subErrors []berrors.SubBoulderError) error {
return nil
}
@@ -196,7 +196,7 @@ index ce7857a7d..ef29cb60e 100644
// checkWildcardHostList checks the wildcardExactBlocklist for a given domain.
// If the domain is not present on the list nil is returned, otherwise
// errPolicyForbidden is returned.
@@ -513,6 +573,9 @@ func (pa *AuthorityImpl) checkHostLists(domain string) error {
@@ -505,6 +565,9 @@ func (pa *AuthorityImpl) checkHostLists(domain string) error {
labels := strings.Split(domain, ".")
for i := range labels {
joined := strings.Join(labels[i:], ".")


@@ -1,5 +1,5 @@
diff --git a/ra/ra.go b/ra/ra.go
index bfd2386ef..40c49834f 100644
index 513f2d444..006de7f4f 100644
--- a/ra/ra.go
+++ b/ra/ra.go
@@ -44,7 +44,6 @@ import (
@@ -10,7 +10,7 @@ index bfd2386ef..40c49834f 100644
"github.com/letsencrypt/boulder/probs"
pubpb "github.com/letsencrypt/boulder/publisher/proto"
rapb "github.com/letsencrypt/boulder/ra/proto"
@@ -571,7 +570,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error {
@@ -574,7 +573,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error {
contact,
)
}


@@ -1,8 +1,8 @@
diff --git a/ratelimits/names.go b/ratelimits/names.go
index fdfd8e81e..636720bf2 100644
index c70f39536..b0e14209c 100644
--- a/ratelimits/names.go
+++ b/ratelimits/names.go
@@ -150,7 +150,11 @@ func validateRegId(id string) error {
@@ -151,7 +151,11 @@ func validateRegId(id string) error {
// validateDomain validates that the provided string is formatted 'domain',
// where domain is a domain name.
func validateDomain(id string) error {
@@ -15,7 +15,7 @@ index fdfd8e81e..636720bf2 100644
if err != nil {
return fmt.Errorf("invalid domain, %q must be formatted 'domain': %w", id, err)
}
@@ -171,7 +175,11 @@ func validateRegIdDomain(id string) error {
@@ -172,7 +176,11 @@ func validateRegIdDomain(id string) error {
return fmt.Errorf(
"invalid regId, %q must be formatted 'regId:domain'", id)
}
@@ -28,7 +28,7 @@ index fdfd8e81e..636720bf2 100644
if err != nil {
return fmt.Errorf(
"invalid domain, %q must be formatted 'regId:domain': %w", id, err)
@@ -187,7 +195,11 @@ func validateFQDNSet(id string) error {
@@ -188,7 +196,11 @@ func validateFQDNSet(id string) error {
return fmt.Errorf(
"invalid fqdnSet, %q must be formatted 'fqdnSet'", id)
}


@@ -1,12 +1,12 @@
diff --git a/sfe/templates/layout.html b/sfe/templates/layout.html
index 30f947aac..2511e9e13 100644
index 15d5e88d9..2511e9e13 100644
--- a/sfe/templates/layout.html
+++ b/sfe/templates/layout.html
@@ -4,8 +4,8 @@
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
- <title>Let's Encrypt - Self-Service Portal</title>
- <title>Let's Encrypt - Portal</title>
- <link rel="icon" type="image/x-icon" href="/static/favicon.ico">
+ <title>Self-Service Portal | LabCA</title>
+ <link rel="icon" type="image/png" href="/img/fav-public.png">


@@ -1,11 +1,11 @@
diff --git a/crl/updater/continuous.go b/crl/updater/continuous.go
index e4552f68f..7aaef33c0 100644
index 4597fd60a..5ee00d765 100644
--- a/crl/updater/continuous.go
+++ b/crl/updater/continuous.go
@@ -3,6 +3,7 @@ package updater
import (
"context"
"math/rand"
"math/rand/v2"
+ "os"
"sync"
"time"


@@ -1,8 +1,8 @@
diff --git a/wfe2/wfe.go b/wfe2/wfe.go
index 59b33dd32..760babc29 100644
index 7620954e7..c7cae65d5 100644
--- a/wfe2/wfe.go
+++ b/wfe2/wfe.go
@@ -24,6 +24,7 @@ import (
@@ -25,6 +25,7 @@ import (
"golang.org/x/exp/maps"
"google.golang.org/protobuf/types/known/emptypb"
@@ -10,7 +10,7 @@ index 59b33dd32..760babc29 100644
"github.com/letsencrypt/boulder/core"
corepb "github.com/letsencrypt/boulder/core/proto"
berrors "github.com/letsencrypt/boulder/errors"
@@ -173,6 +174,8 @@ type WebFrontEndImpl struct {
@@ -174,6 +175,8 @@ type WebFrontEndImpl struct {
// descriptions (perhaps including URLs) of those profiles. NewOrder
// Requests with a profile name not present in this map will be rejected.
certProfiles map[string]string
@@ -19,7 +19,7 @@ index 59b33dd32..760babc29 100644
}
// NewWebFrontEndImpl constructs a web service for Boulder
@@ -200,6 +203,7 @@ func NewWebFrontEndImpl(
@@ -201,6 +204,7 @@ func NewWebFrontEndImpl(
unpauseSigner unpause.JWTSigner,
unpauseJWTLifetime time.Duration,
unpauseURL string,
@@ -27,7 +27,7 @@ index 59b33dd32..760babc29 100644
) (WebFrontEndImpl, error) {
if len(issuerCertificates) == 0 {
return WebFrontEndImpl{}, errors.New("must provide at least one issuer certificate")
@@ -241,6 +245,7 @@ func NewWebFrontEndImpl(
@@ -242,6 +246,7 @@ func NewWebFrontEndImpl(
unpauseSigner: unpauseSigner,
unpauseJWTLifetime: unpauseJWTLifetime,
unpauseURL: unpauseURL,
@@ -35,7 +35,7 @@ index 59b33dd32..760babc29 100644
}
return wfe, nil
@@ -2305,8 +2310,25 @@ func (wfe *WebFrontEndImpl) NewOrder(
@@ -2311,8 +2316,25 @@ func (wfe *WebFrontEndImpl) NewOrder(
names[i] = ident.Value
}