From cab022a4c8ae8fa12b793c083225c4ef2962d1d6 Mon Sep 17 00:00:00 2001
From: Arjan H
Date: Sat, 31 Aug 2024 16:04:55 +0200
Subject: [PATCH] Bump boulder version to release-2024-08-30a

---
 build/Dockerfile-boulder | 2 +-
 build/build.sh | 2 +-
 build/docker-compose.yml | 2 +-
 install | 2 +-
 patch.sh | 3 +++
 patches/ca_ca.patch | 4 ++--
 patches/core_interfaces.patch | 6 +++---
 patches/db_migrations3.patch | 13 ++++++++++++
 patches/db_migrations4.patch | 13 ++++++++++++
 patches/policy_pa.patch | 34 +++++++++++++++---------------
 patches/ra_ra.patch | 4 ++--
 patches/ratelimits_names.patch | 8 +++----
 patches/sfe_templates_layout.patch | 4 ++--
 patches/updater_continuous.patch | 4 ++--
 patches/wfe2_wfe.patch | 12 +++++------
 15 files changed, 71 insertions(+), 42 deletions(-)
 create mode 100644 patches/db_migrations3.patch
 create mode 100644 patches/db_migrations4.patch

diff --git a/build/Dockerfile-boulder b/build/Dockerfile-boulder
index 61fbd56..63d0fd3 100644
--- a/build/Dockerfile-boulder
+++ b/build/Dockerfile-boulder
@@ -1,4 +1,4 @@
-FROM letsencrypt/boulder-tools:go1.22.5_2024-07-03 AS boulder-tools
+FROM letsencrypt/boulder-tools:go1.22.5_2024-08-13 AS boulder-tools
 FROM ubuntu:focal
diff --git a/build/build.sh b/build/build.sh
index 23b4842..b578a7f 100755
--- a/build/build.sh
+++ b/build/build.sh
@@ -8,7 +8,7 @@ TMP_DIR=$(pwd)/tmp
 rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src}
 boulderDir=$TMP_DIR/src
-boulderTag="release-2024-07-29"
+boulderTag="release-2024-08-30a"
 boulderUrl="https://github.com/letsencrypt/boulder/"
 cloneDir=$(pwd)/..
diff --git a/build/docker-compose.yml b/build/docker-compose.yml
index f7c56d9..cdd5eb3 100644
--- a/build/docker-compose.yml
+++ b/build/docker-compose.yml
@@ -9,7 +9,7 @@ services:
 context: test/boulder-tools/
 # Should match one of the GO_CI_VERSIONS in test/boulder-tools/tag_and_upload.sh.
 args:
-GO_VERSION: 1.22.5
+GO_VERSION: 1.23.0
 environment:
 # To solve HTTP-01 and TLS-ALPN-01 challenges, change the IP in FAKE_DNS
 # to the IP address where your ACME client's solver is listening.
diff --git a/install b/install
index d9c3f83..2edcbba 100755
--- a/install
+++ b/install
@@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0"
 labcaUrl="https://github.com/hakwerk/labca/"
 boulderUrl="https://github.com/letsencrypt/boulder/"
-boulderTag="release-2024-07-29"
+boulderTag="release-2024-08-30a"
 # Feature flags
 flag_skip_redis=true
diff --git a/patch.sh b/patch.sh
index af6de84..6dca3a0 100755
--- a/patch.sh
+++ b/patch.sh
@@ -31,6 +31,8 @@ $SUDO patch -p1 < $cloneDir/patches/core_interfaces.patch
 $SUDO patch -p1 < $cloneDir/patches/crl-storer_main.patch
 $SUDO patch -p1 < $cloneDir/patches/db_migrations.patch
 $SUDO patch -p1 < $cloneDir/patches/db_migrations2.patch
+$SUDO patch -p1 < $cloneDir/patches/db_migrations3.patch
+$SUDO patch -p1 < $cloneDir/patches/db_migrations4.patch
 $SUDO patch -p1 < $cloneDir/patches/errors_errors.patch
 $SUDO patch -p1 < $cloneDir/patches/expiration-mailer_main.patch
 $SUDO patch -p1 < $cloneDir/patches/issuance_crl.patch
@@ -64,6 +66,7 @@ $SUDO patch -p1 < $cloneDir/patches/wfe2_wfe.patch
 sed -i -e "s|./test|./labca|" start.py
 sed -i -e "s/berrors.RateLimitError(/berrors.RateLimitError(ra.rlPolicies.RateLimitsURL(), /g" ra/ra.go
+sed -i -e "s/berrors.RateLimitError(/berrors.RateLimitError(\"\", /g" ratelimits/limiter.go
 sed -i -e "s/proxysql:6033/mysql:3306/" sa/db/dbconfig.yml
diff --git a/patches/ca_ca.patch b/patches/ca_ca.patch
index 1c0823f..56d1b1e 100644
--- a/patches/ca_ca.patch
+++ b/patches/ca_ca.patch
@@ -1,8 +1,8 @@
 diff --git a/ca/ca.go b/ca/ca.go
-index b99fe702f..ddd5ebfe3 100644
+index e55b2d665..1d4ba7242 100644
 --- a/ca/ca.go
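Review bot: The two added `$SUDO patch -p1 < $cloneDir/patches/db_migrations3.patch` / `db_migrations4.patch` lines, like the existing ones around them, do not check patch's exit status, so a rejected hunk leaves a partially patched boulder tree and every later patch and sed in this script runs against it. Whether patch.sh starts with `set -e` is not visible in this hunk; if it does not, either `set -euo pipefail` at the top of the script or a per-line `|| exit 1` would turn a silent mis-apply into a build failure at the line that caused it. The enclosing script continues outside the hunk.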
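Review bot: The new sed on `ratelimits/limiter.go` exits 0 whether or not `berrors.RateLimitError(` occurs in the file, and it is not idempotent: a future boulder release that already carries the extra argument, or a second run over the same tree, yields `RateLimitError("", "", …)` and a compile error far from this script. A guard such as `grep -q 'berrors.RateLimitError(' ratelimits/limiter.go || { echo "limiter.go: RateLimitError call site not found" >&2; exit 1; }` before the sed makes the no-match case explicit; the existing ra/ra.go sed on the line above has the same gap. Passing `""` here where ra.go passes `ra.rlPolicies.RateLimitsURL()` presumably means limiter-originated rate-limit errors carry no documentation URL; a short trailing comment such as `# limiter errors carry no LabCA rate-limit URL` would record that this is intentional.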
+++ b/ca/ca.go -@@ -154,10 +154,10 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) { +@@ -153,10 +153,10 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) { } } if i, ok := issuersByAlg[x509.ECDSA]; !ok || len(i) == 0 { diff --git a/patches/core_interfaces.patch b/patches/core_interfaces.patch index a6e8080..aca2593 100644 --- a/patches/core_interfaces.patch +++ b/patches/core_interfaces.patch @@ -1,10 +1,10 @@ diff --git a/core/interfaces.go b/core/interfaces.go -index 003329c3..c01cd881 100644 +index 35ebf3896..61d2510e3 100644 --- a/core/interfaces.go +++ b/core/interfaces.go @@ -11,4 +11,5 @@ type PolicyAuthority interface { - ChallengesFor(identifier.ACMEIdentifier) ([]Challenge, error) + ChallengeTypesFor(identifier.ACMEIdentifier) ([]AcmeChallenge, error) ChallengeTypeEnabled(AcmeChallenge) bool - CheckAuthz(*Authorization) error + CheckAuthzChallenges(*Authorization) error + ValidEmail(address string) error } diff --git a/patches/db_migrations3.patch b/patches/db_migrations3.patch new file mode 100644 index 0000000..b758225 --- /dev/null +++ b/patches/db_migrations3.patch @@ -0,0 +1,13 @@ +diff --git a/sa/db/boulder_sa/20230919000000_RevokedCertificates.sql b/sa/db/boulder_sa/20230919000000_RevokedCertificates.sql +index fe86aa71b..f47feb9fb 100644 +--- a/sa/db/boulder_sa/20230919000000_RevokedCertificates.sql ++++ b/sa/db/boulder_sa/20230919000000_RevokedCertificates.sql +@@ -1,7 +1,7 @@ + -- +migrate Up + -- SQL in section 'Up' is executed when this migration is applied + +-CREATE TABLE `revokedCertificates` ( ++CREATE TABLE IF NOT EXISTS `revokedCertificates` ( + `id` bigint(20) NOT NULL AUTO_INCREMENT, + `issuerID` bigint(20) NOT NULL, + `serial` varchar(255) NOT NULL, diff --git a/patches/db_migrations4.patch b/patches/db_migrations4.patch new file mode 100644 index 0000000..ca24114 --- /dev/null +++ b/patches/db_migrations4.patch 
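Review bot: Turning `CREATE TABLE \`revokedCertificates\`` into `CREATE TABLE IF NOT EXISTS` makes the migration succeed against a database that already holds a table of that name with a different column set, so a schema mismatch is no longer caught at migration time and only shows up later as a runtime SQL error; the same applies to `replacementOrders` in db_migrations4.patch. Nothing in either patch records why the table is expected to pre-exist on LabCA installs (presumably an earlier LabCA migration or upgrade path created it), so a one-line comment in the patched SQL, e.g. `-- LabCA: IF NOT EXISTS because installs upgraded from <prior LabCA version - fill in> already have this table`, would help whoever rebases these patches on the next boulder release. The `-- +migrate Down` section is outside the hunk; if it still drops the table unconditionally, a down-migration on an install where the table pre-existed removes data that the earlier migration owned.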
@@ -0,0 +1,13 @@ +diff --git a/sa/db/boulder_sa/20240119000000_ReplacementOrders.sql b/sa/db/boulder_sa/20240119000000_ReplacementOrders.sql +index c2bc65f9c..d331ca4fd 100644 +--- a/sa/db/boulder_sa/20240119000000_ReplacementOrders.sql ++++ b/sa/db/boulder_sa/20240119000000_ReplacementOrders.sql +@@ -1,7 +1,7 @@ + -- +migrate Up + -- SQL in section 'Up' is executed when this migration is applied + +-CREATE TABLE `replacementOrders` ( ++CREATE TABLE IF NOT EXISTS `replacementOrders` ( + `id` bigint(20) NOT NULL AUTO_INCREMENT, + `serial` varchar(255) NOT NULL, + `orderID` bigint(20) NOT NULL, diff --git a/patches/policy_pa.patch b/patches/policy_pa.patch index 476484a..3912a93 100644 --- a/patches/policy_pa.patch +++ b/patches/policy_pa.patch @@ -1,8 +1,8 @@ diff --git a/policy/pa.go b/policy/pa.go -index ce7857a7d..ef29cb60e 100644 +index 26edbdbdf..177fddba2 100644 --- a/policy/pa.go +++ b/policy/pa.go -@@ -32,6 +32,9 @@ type AuthorityImpl struct { +@@ -31,6 +31,9 @@ type AuthorityImpl struct { blocklist map[string]bool exactBlocklist map[string]bool wildcardExactBlocklist map[string]bool @@ -12,7 +12,7 @@ index ce7857a7d..ef29cb60e 100644 blocklistMu sync.RWMutex enabledChallenges map[core.AcmeChallenge]bool -@@ -72,6 +75,10 @@ type blockedNamesPolicy struct { +@@ -64,6 +67,10 @@ type blockedNamesPolicy struct { // time above and beyond the high-risk domains. Managing these entries separately // from HighRiskBlockedNames makes it easier to vet changes accurately. AdminBlockedNames []string `yaml:"AdminBlockedNames"` @@ -23,7 +23,7 @@ index ce7857a7d..ef29cb60e 100644 } // LoadHostnamePolicyFile will load the given policy file, returning an error if -@@ -131,10 +138,21 @@ func (pa *AuthorityImpl) processHostnamePolicy(policy blockedNamesPolicy) error +@@ -123,10 +130,21 @@ func (pa *AuthorityImpl) processHostnamePolicy(policy blockedNamesPolicy) error // wildcardNameMap to block issuance for `*.`+parts[1] wildcardNameMap[parts[1]] = true } 
@@ -45,7 +45,7 @@ index ce7857a7d..ef29cb60e 100644 pa.blocklistMu.Unlock() return nil } -@@ -203,7 +221,7 @@ var ( +@@ -195,7 +213,7 @@ var ( // - exactly equal to an IANA registered TLD // // It does NOT ensure that the domain is absent from any PA blocked lists. @@ -54,7 +54,7 @@ index ce7857a7d..ef29cb60e 100644 if domain == "" { return errEmptyName } -@@ -235,7 +253,9 @@ func validNonWildcardDomain(domain string) error { +@@ -227,7 +245,9 @@ func validNonWildcardDomain(domain string) error { return errTooManyLabels } if len(labels) < 2 { @@ -65,7 +65,7 @@ index ce7857a7d..ef29cb60e 100644 } for _, label := range labels { // Check that this is a valid LDH Label: "A string consisting of ASCII -@@ -279,6 +299,14 @@ func validNonWildcardDomain(domain string) error { +@@ -271,6 +291,14 @@ func validNonWildcardDomain(domain string) error { } } @@ -80,7 +80,7 @@ index ce7857a7d..ef29cb60e 100644 // Names must end in an ICANN TLD, but they must not be equal to an ICANN TLD. icannTLD, err := iana.ExtractSuffix(domain) if err != nil { -@@ -294,9 +322,9 @@ func validNonWildcardDomain(domain string) error { +@@ -286,9 +314,9 @@ func validNonWildcardDomain(domain string) error { // ValidDomain checks that a domain is valid and that it doesn't contain any // invalid wildcard characters. It does NOT ensure that the domain is absent // from any PA blocked lists. @@ -92,7 +92,7 @@ index ce7857a7d..ef29cb60e 100644 } // Names containing more than one wildcard are invalid. -@@ -315,7 +343,7 @@ func ValidDomain(domain string) error { +@@ -307,7 +335,7 @@ func ValidDomain(domain string) error { // Names must end in an ICANN TLD, but they must not be equal to an ICANN TLD. icannTLD, err := iana.ExtractSuffix(baseDomain) 
@@ -101,7 +101,7 @@ index ce7857a7d..ef29cb60e 100644 return errNonPublic } // Names must have a non-wildcard label immediately adjacent to the ICANN -@@ -323,7 +351,7 @@ func ValidDomain(domain string) error { +@@ -315,7 +343,7 @@ func ValidDomain(domain string) error { if baseDomain == icannTLD { return errICANNTLDWildcard } @@ -110,7 +110,7 @@ index ce7857a7d..ef29cb60e 100644 } // forbiddenMailDomains is a map of domain names we do not allow after the -@@ -341,7 +369,7 @@ var forbiddenMailDomains = map[string]bool{ +@@ -333,7 +361,7 @@ var forbiddenMailDomains = map[string]bool{ // ValidEmail returns an error if the input doesn't parse as an email address, // the domain isn't a valid hostname in Preferred Name Syntax, or its on the // list of domains forbidden for mail (because they are often used in examples). @@ -119,7 +119,7 @@ index ce7857a7d..ef29cb60e 100644 email, err := mail.ParseAddress(address) if err != nil { if len(address) > 254 { -@@ -351,7 +379,7 @@ func ValidEmail(address string) error { +@@ -343,7 +371,7 @@ func ValidEmail(address string) error { } splitEmail := strings.SplitN(email.Address, "@", -1) domain := strings.ToLower(splitEmail[len(splitEmail)-1]) @@ -128,7 +128,7 @@ index ce7857a7d..ef29cb60e 100644 if err != nil { return berrors.InvalidEmailError( "contact email %q has invalid domain : %s", -@@ -395,7 +423,7 @@ func subError(name string, err error) berrors.SubBoulderError { +@@ -387,7 +415,7 @@ func subError(name string, err error) berrors.SubBoulderError { // // Precondition: all input domain names must be in lowercase. func (pa *AuthorityImpl) WillingToIssue(domains []string) error { @@ -137,7 +137,7 @@ index ce7857a7d..ef29cb60e 100644 if err != nil { return err } -@@ -414,6 +442,10 @@ func (pa *AuthorityImpl) WillingToIssue(domains []string) error { +@@ -406,6 +434,10 @@ func (pa *AuthorityImpl) WillingToIssue(domains []string) error { } } 
@@ -148,7 +148,7 @@ index ce7857a7d..ef29cb60e 100644 // For both wildcard and non-wildcard domains, check whether any parent domain // name is on the regular blocklist. err := pa.checkHostLists(domain) -@@ -447,10 +479,10 @@ func (pa *AuthorityImpl) WillingToIssue(domains []string) error { +@@ -439,10 +471,10 @@ func (pa *AuthorityImpl) WillingToIssue(domains []string) error { // // If multiple domains are invalid, the error will contain suberrors specific to // each domain. @@ -161,7 +161,7 @@ index ce7857a7d..ef29cb60e 100644 if err != nil { subErrors = append(subErrors, subError(domain, err)) } -@@ -484,6 +516,34 @@ func combineSubErrors(subErrors []berrors.SubBoulderError) error { +@@ -476,6 +508,34 @@ func combineSubErrors(subErrors []berrors.SubBoulderError) error { return nil } @@ -196,7 +196,7 @@ index ce7857a7d..ef29cb60e 100644 // checkWildcardHostList checks the wildcardExactBlocklist for a given domain. // If the domain is not present on the list nil is returned, otherwise // errPolicyForbidden is returned. -@@ -513,6 +573,9 @@ func (pa *AuthorityImpl) checkHostLists(domain string) error { +@@ -505,6 +565,9 @@ func (pa *AuthorityImpl) checkHostLists(domain string) error { labels := strings.Split(domain, ".") for i := range labels { joined := strings.Join(labels[i:], ".") diff --git a/patches/ra_ra.patch b/patches/ra_ra.patch index 8758ace..84a04f1 100644 --- a/patches/ra_ra.patch +++ b/patches/ra_ra.patch @@ -1,5 +1,5 @@ diff --git a/ra/ra.go b/ra/ra.go -index bfd2386ef..40c49834f 100644 +index 513f2d444..006de7f4f 100644 --- a/ra/ra.go +++ b/ra/ra.go @@ -44,7 +44,6 @@ import ( 
@@ -10,7 +10,7 @@ index bfd2386ef..40c49834f 100644 "github.com/letsencrypt/boulder/probs" pubpb "github.com/letsencrypt/boulder/publisher/proto" rapb "github.com/letsencrypt/boulder/ra/proto" -@@ -571,7 +570,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error { +@@ -574,7 +573,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error { contact, ) } diff --git a/patches/ratelimits_names.patch b/patches/ratelimits_names.patch index 1a3b619..5de84ec 100644 --- a/patches/ratelimits_names.patch +++ b/patches/ratelimits_names.patch @@ -1,8 +1,8 @@ diff --git a/ratelimits/names.go b/ratelimits/names.go -index fdfd8e81e..636720bf2 100644 +index c70f39536..b0e14209c 100644 --- a/ratelimits/names.go +++ b/ratelimits/names.go -@@ -150,7 +150,11 @@ func validateRegId(id string) error { +@@ -151,7 +151,11 @@ func validateRegId(id string) error { // validateDomain validates that the provided string is formatted 'domain', // where domain is a domain name. func validateDomain(id string) error { @@ -15,7 +15,7 @@ index fdfd8e81e..636720bf2 100644 if err != nil { return fmt.Errorf("invalid domain, %q must be formatted 'domain': %w", id, err) } -@@ -171,7 +175,11 @@ func validateRegIdDomain(id string) error { +@@ -172,7 +176,11 @@ func validateRegIdDomain(id string) error { return fmt.Errorf( "invalid regId, %q must be formatted 'regId:domain'", id) } @@ -28,7 +28,7 @@ index fdfd8e81e..636720bf2 100644 if err != nil { return fmt.Errorf( "invalid domain, %q must be formatted 'regId:domain': %w", id, err) -@@ -187,7 +195,11 @@ func validateFQDNSet(id string) error { +@@ -188,7 +196,11 @@ func validateFQDNSet(id string) error { return fmt.Errorf( "invalid fqdnSet, %q must be formatted 'fqdnSet'", id) } diff --git a/patches/sfe_templates_layout.patch b/patches/sfe_templates_layout.patch index d280628..2e186b7 100644 --- a/patches/sfe_templates_layout.patch +++ b/patches/sfe_templates_layout.patch @@ -1,12 +1,12 @@ 
diff --git a/sfe/templates/layout.html b/sfe/templates/layout.html -index 30f947aac..2511e9e13 100644 +index 15d5e88d9..2511e9e13 100644 --- a/sfe/templates/layout.html +++ b/sfe/templates/layout.html @@ -4,8 +4,8 @@ -- Let's Encrypt - Self-Service Portal +- Let's Encrypt - Portal - + Self-Service Portal | LabCA + diff --git a/patches/updater_continuous.patch b/patches/updater_continuous.patch index 170bfd6..95931b8 100644 --- a/patches/updater_continuous.patch +++ b/patches/updater_continuous.patch @@ -1,11 +1,11 @@ diff --git a/crl/updater/continuous.go b/crl/updater/continuous.go -index e4552f68f..7aaef33c0 100644 +index 4597fd60a..5ee00d765 100644 --- a/crl/updater/continuous.go +++ b/crl/updater/continuous.go @@ -3,6 +3,7 @@ package updater import ( "context" - "math/rand" + "math/rand/v2" + "os" "sync" "time" diff --git a/patches/wfe2_wfe.patch b/patches/wfe2_wfe.patch index 891f0b8..72e0750 100644 --- a/patches/wfe2_wfe.patch +++ b/patches/wfe2_wfe.patch @@ -1,8 +1,8 @@ diff --git a/wfe2/wfe.go b/wfe2/wfe.go -index 59b33dd32..760babc29 100644 +index 7620954e7..c7cae65d5 100644 --- a/wfe2/wfe.go +++ b/wfe2/wfe.go -@@ -24,6 +24,7 @@ import ( +@@ -25,6 +25,7 @@ import ( "golang.org/x/exp/maps" "google.golang.org/protobuf/types/known/emptypb" @@ -10,7 +10,7 @@ index 59b33dd32..760babc29 100644 "github.com/letsencrypt/boulder/core" corepb "github.com/letsencrypt/boulder/core/proto" berrors "github.com/letsencrypt/boulder/errors" -@@ -173,6 +174,8 @@ type WebFrontEndImpl struct { +@@ -174,6 +175,8 @@ type WebFrontEndImpl struct { // descriptions (perhaps including URLs) of those profiles. NewOrder // Requests with a profile name not present in this map will be rejected. certProfiles map[string]string 
@@ -19,7 +19,7 @@ index 59b33dd32..760babc29 100644 } // NewWebFrontEndImpl constructs a web service for Boulder -@@ -200,6 +203,7 @@ func NewWebFrontEndImpl( +@@ -201,6 +204,7 @@ func NewWebFrontEndImpl( unpauseSigner unpause.JWTSigner, unpauseJWTLifetime time.Duration, unpauseURL string, @@ -27,7 +27,7 @@ index 59b33dd32..760babc29 100644 ) (WebFrontEndImpl, error) { if len(issuerCertificates) == 0 { return WebFrontEndImpl{}, errors.New("must provide at least one issuer certificate") -@@ -241,6 +245,7 @@ func NewWebFrontEndImpl( +@@ -242,6 +246,7 @@ func NewWebFrontEndImpl( unpauseSigner: unpauseSigner, unpauseJWTLifetime: unpauseJWTLifetime, unpauseURL: unpauseURL, @@ -35,7 +35,7 @@ index 59b33dd32..760babc29 100644 } return wfe, nil -@@ -2305,8 +2310,25 @@ func (wfe *WebFrontEndImpl) NewOrder( +@@ -2311,8 +2316,25 @@ func (wfe *WebFrontEndImpl) NewOrder( names[i] = ident.Value }