Bump boulder version to release-2024-07-29

2026-01-27 10:19:34 +00:00 · 2024-08-30 16:31:07 +02:00
parent 1040efe373
commit cab563d1d7
20 changed files with 111 additions and 94 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,7 +13,7 @@ jobs:
      fail-fast: false
      matrix:
        GO_VERSION:
-          - 1.22.3
+          - 1.22.5

    steps:
      - name: Checkout
--- a/build/Dockerfile-boulder
+++ b/build/Dockerfile-boulder
@@ -1,4 +1,4 @@
-FROM letsencrypt/boulder-tools:go1.22.3_2024-05-22 AS boulder-tools
+FROM letsencrypt/boulder-tools:go1.22.5_2024-07-03 AS boulder-tools

 FROM ubuntu:focal

--- a/build/Dockerfile-control
+++ b/build/Dockerfile-control
@@ -50,7 +50,6 @@ COPY tmp/commander /opt/labca/
 COPY tmp/control.sh /opt/labca/
 COPY tmp/cron_d /opt/labca/
 COPY tmp/mailer /opt/labca/
-COPY tmp/nameidtool /opt/labca/
 COPY tmp/renew /opt/labca/
 COPY tmp/restore /opt/labca/
 COPY tmp/utils.sh /opt/labca/
--- a/build/Dockerfile-gui
+++ b/build/Dockerfile-gui
@@ -40,7 +40,6 @@ COPY --from=builder /usr/bin/docker /usr/bin/docker
 COPY --from=builder /usr/libexec/docker/cli-plugins/docker-compose /usr/libexec/docker/cli-plugins/docker-compose

 COPY tmp/labca-gui /opt/labca/bin/
-COPY tmp/nameidtool /opt/labca/
 COPY tmp/admin/setup.sh /opt/labca/
 COPY tmp/admin/apply /opt/labca/
 COPY tmp/admin/apply-boulder /opt/labca/
--- a/build/build.sh
+++ b/build/build.sh
@@ -8,7 +8,7 @@ TMP_DIR=$(pwd)/tmp
 rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src}

 boulderDir=$TMP_DIR/src
-boulderTag="release-2024-07-10"
+boulderTag="release-2024-07-29"
 boulderUrl="https://github.com/letsencrypt/boulder/"
 cloneDir=$(pwd)/..

@@ -44,7 +44,6 @@ docker run -v $boulderDir:$BASEDIR:cached -v $TMP_DIR/bin:$BASEDIR/bin -w $BASED

 cp $cloneDir/nginx.conf $TMP_DIR/
 cp $cloneDir/proxy.inc $TMP_DIR/
-cp $cloneDir/utils/nameidtool.go $TMP_DIR/
 cp -rp $cloneDir/gui/* $TMP_DIR/admin/
 head -13 $cloneDir/gui/setup.sh > $TMP_DIR/admin/setup.sh
 sed -i '/^$/d' $TMP_DIR/admin/setup.sh
@@ -52,7 +51,6 @@ sed -i '/^$/d' $TMP_DIR/admin/setup.sh
 echo
 BASEDIR=/go/src/labca
 docker run -v $TMP_DIR/admin:$BASEDIR:cached -v $TMP_DIR:$BASEDIR/bin -w $BASEDIR -e GIT_VERSION=$GIT_VERSION $BUILD_IMAGE ./setup.sh
-docker run -v $TMP_DIR:/utils -w /utils $BUILD_IMAGE go build nameidtool.go

 cp -rp $cloneDir/gui/setup.sh $TMP_DIR/admin/
 cp -rp $cloneDir/acme_tiny.py $TMP_DIR/
--- a/dev/versions
+++ b/dev/versions
@@ -65,6 +65,18 @@ colorGoVersion() {
    echo "$fileName:$res"
 }

+colorGoVersion2() {
+    local fileName="$1"
+    local expectVersion="$2"
+
+    if [ ! -z "$(grep GO_VERSION $fileName | sed -e "s/\s*GO_VERSION: //" | grep $expectVersion || echo "")" ]; then
+        res=$(grep GO_VERSION $fileName | sed -e "s/\s*GO_VERSION: /    /" | sed -e "s/$expectVersion/${COL_LIGHT_GREEN}$expectVersion${COL_NC}/")
+    else
+        res=$(grep GO_VERSION $fileName | sed -e "s/\s*GO_VERSION: /    /" | sed -e "s/\([0-9\.]*\)/${COL_LIGHT_RED}\1${COL_NC}/g")
+    fi
+    echo "$fileName:$res"
+}
+
 echo

 cd ../boulder
@@ -93,3 +105,9 @@ grep GO_VERSION -A 3 ../boulder/.github/workflows/release.yml | egrep "\- [\"0-9
 colorGoVersion .github/workflows/release.yml $goversion
 echo

+goversion=$(grep GO_VERSION ../boulder/docker-compose.yml | sed -e "s/\s*GO_VERSION://")
+echo -n "../boulder/docker-compose.yml"
+grep GO_VERSION ../boulder/docker-compose.yml | sed -e "s/\s*GO_VERSION:/    /"
+colorGoVersion2 build/docker-compose.yml $goversion
+echo
+
--- a/gui/apply-boulder
+++ b/gui/apply-boulder
@@ -18,7 +18,7 @@ PKI_ROOT_CERT_BASE="$dataDir/root-ca"
 PKI_INT_CERT_BASE="$dataDir/issuer/ca-int"
 PKI_ISSUER_NAME_ID=$(grep issuer_name_id $dataDir/config.json | sed -e 's/.*:[ ]*//' | sed -e 's/,//g' | sed -e 's/\"//g')
 if [ -z "$PKI_ISSUER_NAME_ID" ] && [ -e "$PKI_INT_CERT_BASE.pem" ]; then
-    nmid=$($baseDir/nameidtool $PKI_INT_CERT_BASE.pem)
+    nmid=$(/opt/boulder/bin/nameid -s $PKI_INT_CERT_BASE.pem)
    if [ $? == 0 ]; then
        PKI_ISSUER_NAME_ID=$nmid
        sed -i -e "s/\(^\s*\)\(\"keys\": {\)/\1\"issuer_name_id\": $PKI_ISSUER_NAME_ID,\n\1\2/g" $dataDir/config.json
--- a/gui/apply-nginx
+++ b/gui/apply-nginx
@@ -13,7 +13,7 @@ PKI_ROOT_CERT_BASE="$dataDir/root-ca"
 PKI_INT_CERT_BASE="$dataDir/issuer/ca-int"
 PKI_ISSUER_NAME_ID=$(grep issuer_name_id $dataDir/config.json | sed -e 's/.*:[ ]*//' | sed -e 's/,//g' | sed -e 's/\"//g')
 if [ -z "$PKI_ISSUER_NAME_ID" ] && [ -e "$PKI_INT_CERT_BASE.pem" ]; then
-    nmid=$($baseDir/nameidtool $PKI_INT_CERT_BASE.pem)
+    nmid=$(/opt/boulder/bin/nameid -s $PKI_INT_CERT_BASE.pem)
    if [ $? == 0 ]; then
        PKI_ISSUER_NAME_ID=$nmid
        sed -i -e "s/\(^\s*\)\(\"keys\": {\)/\1\"issuer_name_id\": $PKI_ISSUER_NAME_ID,\n\1\2/g" $dataDir/config.json
@@ -93,3 +93,7 @@ sed -i -e "s|<\!-- BEGIN PKI_COMPANY_NAME -->.*<\!-- END PKI_COMPANY_NAME -->|<\
 sed -i -e "s|<title>.*</title>|<title>Terms \| $PKI_WEB_TITLE</title>|g" terms/v1.html
 sed -i -e "s|<\!-- BEGIN WEBTITLE -->.*<\!-- END WEBTITLE -->|<\!-- BEGIN WEBTITLE -->$PKI_WEB_TITLE<\!-- END WEBTITLE -->|g" terms/v1.html

+if [ -e /opt/boulder/sfe/templates/layout.html ]; then
+    # TODO: move the SFE pages to nginx static files ?
+    sed -i -e "s|<\!-- BEGIN WEBTITLE -->.*<\!-- END WEBTITLE -->|<\!-- BEGIN WEBTITLE -->$PKI_WEB_TITLE<\!-- END WEBTITLE -->|g" /opt/boulder/sfe/templates/layout.html
+fi
--- a/2
+++ b/2
@@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0"

 labcaUrl="https://github.com/hakwerk/labca/"
 boulderUrl="https://github.com/letsencrypt/boulder/"
-boulderTag="release-2024-07-10"
+boulderTag="release-2024-07-29"

 # Feature flags
 flag_skip_redis=true
--- a/nginx.conf
+++ b/nginx.conf
@@ -34,6 +34,10 @@ server {
        proxy_pass http://boulder:4002/;
    }

+    location /sfe {
+        return 301 https://$host$request_uri;
+    }
+
    location /rate-limits {
        try_files $uri $uri.html $uri/ =404;
    }
@@ -106,6 +110,11 @@ server {
        proxy_pass http://boulder:4002/;
    }

+    location /sfe {
+        include conf.d/proxy.inc;
+        proxy_pass http://boulder:4003/;
+    }
+
    location /rate-limits {
        try_files $uri $uri.html $uri/ =404;
    }
--- a/patch-cfg.sh
+++ b/patch-cfg.sh
@@ -83,6 +83,8 @@ sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/remoteva-a.json
 sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/remoteva-b.json
 sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/va-remote-a.json
 sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/va-remote-b.json
+sed -i -e "s/\"endpoint\": \".*\"/\"endpoint\": \"\"/" config/sfe.json
+sed -i -e "s/sleep 1/sleep 5/g" wait-for-it.sh

 sed -i -e "s|test/certs|/opt/boulder/labca/certs|" consul/config.hcl

--- a/patch.sh
+++ b/patch.sh
@@ -51,6 +51,7 @@ if [ "$SUDO" == "" ]; then
    # TODO: should include this into startservers.patch
    $SUDO patch -p1 < $cloneDir/build/tmp2.patch
 fi
+$SUDO patch -p1 < $cloneDir/patches/sfe_templates_layout.patch
 $SUDO patch -p1 < $cloneDir/patches/storer_storer.patch
 $SUDO patch -p1 < $cloneDir/patches/test_health-checker_main.patch
 $SUDO patch -p1 < $cloneDir/patches/updater_updater.patch
@@ -69,3 +70,8 @@ sed -i -e "s/proxysql:6033/mysql:3306/" sa/db/dbconfig.yml
 mkdir -p "cmd/mail-tester"
 cp $cloneDir/mail-tester.go cmd/mail-tester/main.go
 perl -i -p0e "s/(\n\t\"github.com\/letsencrypt\/boulder\/cmd\")/\t_ \"github.com\/letsencrypt\/boulder\/cmd\/mail-tester\"\n\1/igs"  cmd/boulder/main.go
+
+perl -i -p0e "s/If you continue to encounter.*for troubleshooting and advice.//igs" sfe/pages/index.html
+perl -i -p0e "s/<b>Note:<\/b> If you encounter.*troubleshooting and advice.//igs" sfe/pages/unpause-form.html
+perl -i -p0e "s/If you continue to encounter.*for troubleshooting and advice.//igs" sfe/pages/unpause-invalid-request.html
+perl -i -p0e "s/ If you face continued.*for troubleshooting and advice.//igs" sfe/pages/unpause-status.html
--- a/patches/ca_ca.patch
+++ b/patches/ca_ca.patch
@@ -1,8 +1,8 @@
 diff --git a/ca/ca.go b/ca/ca.go
-index d38f7e2e5..f8364d1d6 100644
+index b99fe702f..ddd5ebfe3 100644
 --- a/ca/ca.go
 +++ b/ca/ca.go
-@@ -156,10 +156,10 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) {
+@@ -154,10 +154,10 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) {
 		}
 	}
 	if i, ok := issuersByAlg[x509.ECDSA]; !ok || len(i) == 0 {
--- a/patches/docker-compose.patch
+++ b/patches/docker-compose.patch
@@ -1,5 +1,5 @@
 diff --git a/docker-compose.yml b/docker-compose.yml
-index 79ed8c4e4..3562b8fb8 100644
+index e931382ed..18ca6c9e7 100644
 --- a/docker-compose.yml
 +++ b/docker-compose.yml
@@ -1,3 +1,4 @@
@@ -27,7 +27,7 @@ index 79ed8c4e4..3562b8fb8 100644
       bouldernet:
         ipv4_address: 10.77.77.77
@@ -48,20 +51,25 @@ services:
-       - 4003:4003 # OCSP
+       - 4003:4003 # SFE
     depends_on:
       - bmysql
 -      - bproxysql
--- a/patches/mail_mailer.patch
+++ b/patches/mail_mailer.patch
@@ -1,12 +1,16 @@
 diff --git a/mail/mailer.go b/mail/mailer.go
-index 4249108e..ee8b6fb4 100644
+index 31ebd40b1..d8ab68969 100644
 --- a/mail/mailer.go
 +++ b/mail/mailer.go
-@@ -21,10 +21,14 @@ import (
- 	"time"
+@@ -2,6 +2,7 @@ package mail
 
- 	"github.com/jmhodges/clock"
-+	"golang.org/x/net/context"
+ import (
+ 	"bytes"
+	"context"
+ 	"crypto/rand"
+ 	"crypto/tls"
+ 	"crypto/x509"
+@@ -24,7 +25,10 @@ import (
 	"github.com/prometheus/client_golang/prometheus"
 
 	"github.com/letsencrypt/boulder/core"
--- a/patches/ra_ra.patch
+++ b/patches/ra_ra.patch
@@ -1,8 +1,8 @@
 diff --git a/ra/ra.go b/ra/ra.go
-index a873276f5..b984a9731 100644
+index bfd2386ef..40c49834f 100644
 --- a/ra/ra.go
 +++ b/ra/ra.go
-@@ -46,7 +46,6 @@ import (
+@@ -44,7 +44,6 @@ import (
 	"github.com/letsencrypt/boulder/issuance"
 	blog "github.com/letsencrypt/boulder/log"
 	"github.com/letsencrypt/boulder/metrics"
@@ -10,7 +10,7 @@ index a873276f5..b984a9731 100644
 	"github.com/letsencrypt/boulder/probs"
 	pubpb "github.com/letsencrypt/boulder/publisher/proto"
 	rapb "github.com/letsencrypt/boulder/ra/proto"
-@@ -581,7 +580,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error {
+@@ -571,7 +570,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error {
 				contact,
 			)
 		}
--- a/patches/sfe_templates_layout.patch
+++ b/patches/sfe_templates_layout.patch
@@ -0,0 +1,24 @@
+diff --git a/sfe/templates/layout.html b/sfe/templates/layout.html
+index 30f947aac..2511e9e13 100644
+--- a/sfe/templates/layout.html
+++ b/sfe/templates/layout.html
+@@ -4,8 +4,8 @@
+ <head>
+     <meta charset="UTF-8">
+     <meta name="viewport" content="width=device-width, initial-scale=1.0">
+-    <title>Let's Encrypt - Self-Service Portal</title>
+-    <link rel="icon" type="image/x-icon" href="/static/favicon.ico">
+    <title>Self-Service Portal | LabCA</title>
+    <link rel="icon" type="image/png" href="/img/fav-public.png">
+     <style>
+         * {
+             font-family: system-ui, sans-serif;
+@@ -99,7 +99,7 @@
+ <body>
+     <div class="header">
+         <div class="container">
+-            <img src="/static/logo.svg" alt="Let's Encrypt" style="height: 50px;">
+             <a class="navbar-brand" href="/" style="text-decoration: none;color:  #777;font-size: 18px;font-family: 'Helvetica Neue',Helvetica,Arial,sans-serif;padding: 10px 20px;"><!-- BEGIN WEBTITLE -->LabCA<!-- END WEBTITLE --></a>
+         </div>
+     </div>
+ {{ end }}
--- a/patches/wfe2_main.patch
+++ b/patches/wfe2_main.patch
@@ -1,8 +1,8 @@
 diff --git a/cmd/boulder-wfe2/main.go b/cmd/boulder-wfe2/main.go
-index 90ad22417..ad57a1ae3 100644
+index 61698d16c..0bebc2d4b 100644
 --- a/cmd/boulder-wfe2/main.go
 +++ b/cmd/boulder-wfe2/main.go
-@@ -92,7 +92,7 @@ type Config struct {
+@@ -95,7 +95,7 @@ type Config struct {
 		// DirectoryCAAIdentity is used for the /directory response's "meta"
 		// element's "caaIdentities" field. It should match the VA's "issuerDomain"
 		// configuration value (this value is the one used to enforce CAA)
@@ -11,19 +11,19 @@ index 90ad22417..ad57a1ae3 100644
 		// DirectoryWebsite is used for the /directory response's "meta" element's
 		// "website" field.
 		DirectoryWebsite string `validate:"required,url"`
-@@ -160,6 +160,8 @@ type Config struct {
- 		// list will be rejected. This field is optional; if unset, no profile
- 		// names are accepted.
- 		CertificateProfileNames []string `validate:"omitempty,dive,alphanum,min=1,max=32"`
+@@ -182,6 +182,8 @@ type Config struct {
+ 			// to enable the pausing feature.
+ 			URL string `validate:"omitempty,required_with=HMACKey JWTLifetime,url,startswith=https://,endsnotwith=/"`
+ 		}
 +
 +		cmd.HostnamePolicyConfig
 	}
 
 	Syslog        cmd.SyslogConfig
-@@ -356,6 +358,7 @@ func main() {
- 		txnBuilder,
- 		maxNames,
- 		c.WFE.CertificateProfileNames,
+@@ -387,6 +389,7 @@ func main() {
+ 		unpauseSigner,
+ 		c.WFE.Unpause.JWTLifetime.Duration,
+ 		c.WFE.Unpause.URL,
 +		c.WFE.HostnamePolicyFile,
 	)
 	cmd.FailOnError(err, "Unable to create WFE")
--- a/patches/wfe2_wfe.patch
+++ b/patches/wfe2_wfe.patch
@@ -1,41 +1,41 @@
 diff --git a/wfe2/wfe.go b/wfe2/wfe.go
-index 708fbad94..6b7235659 100644
+index 59b33dd32..760babc29 100644
 --- a/wfe2/wfe.go
 +++ b/wfe2/wfe.go
-@@ -23,6 +23,7 @@ import (
- 	"go.opentelemetry.io/otel/trace"
+@@ -24,6 +24,7 @@ import (
+ 	"golang.org/x/exp/maps"
 	"google.golang.org/protobuf/types/known/emptypb"
 
 +	"github.com/letsencrypt/boulder/cmd"
 	"github.com/letsencrypt/boulder/core"
 	corepb "github.com/letsencrypt/boulder/core/proto"
 	berrors "github.com/letsencrypt/boulder/errors"
-@@ -169,6 +170,8 @@ type WebFrontEndImpl struct {
- 	// passed to the newOrder endpoint. If a profile name is not in this list,
- 	// the request will be rejected as malformed.
- 	certificateProfileNames []string
+@@ -173,6 +174,8 @@ type WebFrontEndImpl struct {
+ 	// descriptions (perhaps including URLs) of those profiles. NewOrder
+ 	// Requests with a profile name not present in this map will be rejected.
+ 	certProfiles map[string]string
 +
 +	hostnamePolicyFile string
 }
 
 // NewWebFrontEndImpl constructs a web service for Boulder
-@@ -193,6 +196,7 @@ func NewWebFrontEndImpl(
- 	txnBuilder *ratelimits.TransactionBuilder,
- 	maxNames int,
- 	certificateProfileNames []string,
+@@ -200,6 +203,7 @@ func NewWebFrontEndImpl(
+ 	unpauseSigner unpause.JWTSigner,
+ 	unpauseJWTLifetime time.Duration,
+ 	unpauseURL string,
 +	hostnamePolicyFile string,
 ) (WebFrontEndImpl, error) {
 	if len(issuerCertificates) == 0 {
 		return WebFrontEndImpl{}, errors.New("must provide at least one issuer certificate")
-@@ -231,6 +235,7 @@ func NewWebFrontEndImpl(
- 		txnBuilder:                   txnBuilder,
- 		maxNames:                     maxNames,
- 		certificateProfileNames:      certificateProfileNames,
+@@ -241,6 +245,7 @@ func NewWebFrontEndImpl(
+ 		unpauseSigner:                unpauseSigner,
+ 		unpauseJWTLifetime:           unpauseJWTLifetime,
+ 		unpauseURL:                   unpauseURL,
 +		hostnamePolicyFile:           hostnamePolicyFile,
 	}
 
 	return wfe, nil
-@@ -2260,8 +2265,25 @@ func (wfe *WebFrontEndImpl) NewOrder(
+@@ -2305,8 +2310,25 @@ func (wfe *WebFrontEndImpl) NewOrder(
 		names[i] = ident.Value
 	}
 
--- a/utils/nameidtool.go
+++ b/utils/nameidtool.go
@@ -1,46 +0,0 @@
-package main
-
-import (
-	"crypto"
-	"crypto/x509"
-	"encoding/pem"
-	"fmt"
-	"io/ioutil"
-	"math/big"
-	"os"
-)
-
-func issuerNameID(certfile string) (int64, error) {
-	cf, err := ioutil.ReadFile(certfile)
-	if err != nil {
-		fmt.Printf("issuerNameID: could not read cert file: %v", err)
-		return 0, err
-	}
-
-	cpb, _ := pem.Decode(cf)
-	crt, err := x509.ParseCertificate(cpb.Bytes)
-	if err != nil {
-		fmt.Printf("issuerNameID: could not parse x509 file: %v", err)
-		return 0, err
-	}
-
-	// From issuance/issuance.go : func truncatedHash
-	h := crypto.SHA1.New()
-	h.Write(crt.RawSubject)
-	s := h.Sum(nil)
-	return int64(big.NewInt(0).SetBytes(s[:7]).Int64()), nil
-}
-
-func main() {
-	if len(os.Args[1:]) < 1 {
-		fmt.Printf("Usage:\n  %s <certificate.pem>\n", os.Args[0])
-		os.Exit(1)
-	}
-	nameID, err := issuerNameID(os.Args[1])
-	if err != nil {
-		fmt.Printf("Error: %v\n", err)
-		os.Exit(1)
-	}
-
-	fmt.Println(nameID)
-}