Bump boulder version to release-2024-02-20

2026-01-27 10:19:34 +00:00 · 2024-02-23 20:18:53 +01:00
parent 98871cd6e7
commit df3d112d42
14 changed files with 75 additions and 74 deletions
--- a/build/Dockerfile-boulder
+++ b/build/Dockerfile-boulder
@@ -1,4 +1,4 @@
-FROM letsencrypt/boulder-tools:go1.21.5_2024-01-17 AS boulder-tools
+FROM letsencrypt/boulder-tools:go1.21.5_2024-02-14 AS boulder-tools

 FROM ubuntu:focal

--- a/build/build.sh
+++ b/build/build.sh
@@ -8,7 +8,7 @@ TMP_DIR=$(pwd)/tmp
 rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src}

 boulderDir=$TMP_DIR/src
-boulderTag="release-2024-02-06"
+boulderTag="release-2024-02-20"
 boulderUrl="https://github.com/letsencrypt/boulder/"
 cloneDir=$(pwd)/..

--- a/build/tmp.patch
+++ b/build/tmp.patch
@@ -1,5 +1,5 @@
 diff --git a/docker-compose.yml b/docker-compose.yml
-index b61c84199..a0c99bed4 100644
+index 423aed0ff..e3389ca21 100644
 --- a/docker-compose.yml
 +++ b/docker-compose.yml
@@ -5,7 +5,7 @@ services:
@@ -25,7 +25,7 @@ index b61c84199..a0c99bed4 100644
 +      - nginx_html:/opt/wwwstatic
 +      - softhsm:/var/lib/softhsm/tokens:cached
     networks:
-       bluenet:
+       bouldernet:
         ipv4_address: 10.77.77.77
@@ -51,6 +48,7 @@ services:
     depends_on:
@@ -47,7 +47,7 @@ index b61c84199..a0c99bed4 100644
     networks:
       consulnet:
         ipv4_address: 10.55.55.10
-       bluenet:
+       bouldernet:
         ipv4_address: 10.77.77.10
 -    command: "consul agent -dev -config-format=hcl -config-file=/test/consul/config.hcl"
 +    command: "consul agent -dev -config-format=hcl -config-file=/opt/boulder/labca/consul/config.hcl"
@@ -58,7 +58,7 @@ index b61c84199..a0c99bed4 100644
 -    image: *boulder_image
 +    image: ghcr.io/hakwerk/labca-gui:${LABCA_IMAGE_VERSION:-latest}
     networks:
-       - bluenet
+       - bouldernet
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
 -      - /home/labca/admin:/go/src/labca
@@ -101,7 +101,7 @@ index b61c84199..a0c99bed4 100644
 -    image: *boulder_image
 +    image: ghcr.io/hakwerk/labca-control:${LABCA_IMAGE_VERSION:-latest}
     networks:
-       - bluenet
+       - bouldernet
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
 -      - /home/labca/admin/data:/opt/labca/data
@@ -140,4 +140,4 @@ index b61c84199..a0c99bed4 100644
 +  softhsm:
 
 networks:
-   bluenet:
+   # This network is primarily used for boulder services. It is also used by
--- a/7
+++ b/7
@@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0"

 labcaUrl="https://github.com/hakwerk/labca/"
 boulderUrl="https://github.com/letsencrypt/boulder/"
-boulderTag="release-2024-02-06"
+boulderTag="release-2024-02-20"

 # Feature flags
 flag_skip_redis=true
@@ -743,9 +743,8 @@ startup() {
    fi
    msg_info "$msg (this will take a while!!)"

-    docker compose pull -q &>>$installLog
-
    export BOULDER_TOOLS_TAG=$(grep go1. .github/workflows/boulder-ci.yml | head -1 | sed -e "s/\s*- //")
+    docker compose pull -q &>>$installLog
    docker pull -q letsencrypt/boulder-tools:$BOULDER_TOOLS_TAG &>>$installLog

    # Cleanup any remaining containers with old names
@@ -787,6 +786,8 @@ startup() {

    [ -d /home/labca/control_logs ] || mkdir -p /home/labca/control_logs

+    docker network rm -f labca_bluenet &>>$installLog || true
+
    # Restore MySQL data when moving from boulder-bmysql-1 to labca-bmysql-1
    if [ -z "$(docker volume ls | grep labca_dbdata)" ] && [ ! -z "$(docker volume ls | grep boulder_dbdata)" ]; then
        docker volume create labca_dbdata &>>$installLog
--- a/patch-cfg.sh
+++ b/patch-cfg.sh
@@ -90,4 +90,14 @@ done

 sed -i -e "s/names/name\(s\)/" config/expiration-mailer.gotmpl

-rm test-ca2.pem
+if [ ! -e "test-ca.key-pkcs11.json" ]; then
+    cat > test-ca.key-pkcs11.json <<EOL
+{
+    "module": "/usr/lib/softhsm/libsofthsm2.so",
+    "tokenLabel": "intermediate signing key (rsa)",
+    "pin": "1234"
+}
+EOL
+fi
+
+rm -f test-ca2.pem
--- a/patch.sh
+++ b/patch.sh
@@ -32,6 +32,7 @@ $SUDO patch -p1 < $cloneDir/patches/db_migrations.patch
 $SUDO patch -p1 < $cloneDir/patches/db_migrations2.patch
 $SUDO patch -p1 < $cloneDir/patches/errors_errors.patch
 $SUDO patch -p1 < $cloneDir/patches/expiration-mailer_main.patch
+$SUDO patch -p1 < $cloneDir/patches/issuance_crl.patch
 $SUDO patch -p1 < $cloneDir/patches/linter_linter.patch
 $SUDO patch -p1 < $cloneDir/patches/log_prod_prefix.patch
 $SUDO patch -p1 < $cloneDir/patches/log_test_prefix.patch
--- a/patches/ca_crl.patch
+++ b/patches/ca_crl.patch
@@ -1,17 +1,8 @@
 diff --git a/ca/crl.go b/ca/crl.go
-index 3232ab419..ce6f76e36 100644
+index 35b7caff7..31d27857f 100644
 --- a/ca/crl.go
 +++ b/ca/crl.go
-@@ -117,7 +117,7 @@ func (ci *crlImpl) GenerateCRL(stream capb.CRLGenerator_GenerateCRLServer) error
- 	}
- 
- 	// Add the Issuing Distribution Point extension.
-	idp, err := makeIDPExt(ci.idpBase, issuer.NameID(), shard)
-+	idp, err := makeIDPExt(ci.idpBase, issuer.NameID())
- 	if err != nil {
- 		return fmt.Errorf("creating IDP extension: %w", err)
- 	}
-@@ -146,8 +146,10 @@ func (ci *crlImpl) GenerateCRL(stream capb.CRLGenerator_GenerateCRLServer) error
+@@ -143,8 +143,10 @@ func (ci *crlImpl) GenerateCRL(stream capb.CRLGenerator_GenerateCRLServer) error
 				builder = strings.Builder{}
 			}
 		}
@@ -23,21 +14,4 @@ index 3232ab419..ce6f76e36 100644
 +		}
 	}
 
- 	template.RevokedCertificateEntries = rcs
-@@ -247,14 +249,14 @@ type issuingDistributionPoint struct {
- // makeIDPExt returns a critical IssuingDistributionPoint extension containing a
- // URI built from the base url, the issuer's NameID, and the shard number. It
- // also sets the OnlyContainsUserCerts boolean to true.
-func makeIDPExt(base string, issuer issuance.NameID, shardIdx int64) (*pkix.Extension, error) {
-+func makeIDPExt(base string, issuer issuance.NameID) (*pkix.Extension, error) {
- 	val := issuingDistributionPoint{
- 		DistributionPoint: distributionPointName{
- 			[]asn1.RawValue{ // GeneralNames
- 				{ // GeneralName
- 					Class: 2, // context-specific
- 					Tag:   6, // uniformResourceIdentifier, IA5String
-					Bytes: []byte(fmt.Sprintf("%s/%d/%d.crl", base, issuer, shardIdx)),
-+					Bytes: []byte(fmt.Sprintf("%s/%d.crl", base, issuer)),
- 				},
- 			},
- 		},
+ 	req.Entries = rcs
--- a/patches/docker-compose-redis.patch
+++ b/patches/docker-compose-redis.patch
@@ -1,10 +1,10 @@
 diff --git a/docker-compose.yml b/docker-compose.yml
-index 7fc8f8de5..2ce16d12c 100644
+index 928c11bec..0d59c1228 100644
 --- a/docker-compose.yml
 +++ b/docker-compose.yml
@@ -30,8 +30,6 @@ services:
         ipv4_address: 10.77.77.77
-       rednet:
+       integrationtestnet:
         ipv4_address: 10.88.88.88
 -      redisnet:
 -        ipv4_address: 10.33.33.33
@@ -65,7 +65,7 @@ index 7fc8f8de5..2ce16d12c 100644
   bconsul:
     image: hashicorp/consul:1.15.4
     volumes:
-@@ -159,13 +117,6 @@ networks:
+@@ -171,13 +129,6 @@ networks:
       config:
         - subnet: 10.88.88.0/24
 
--- a/patches/docker-compose.patch
+++ b/patches/docker-compose.patch
@@ -1,5 +1,5 @@
 diff --git a/docker-compose.yml b/docker-compose.yml
-index 2ce16d12c..b61c84199 100644
+index 0d59c1228..85791692b 100644
 --- a/docker-compose.yml
 +++ b/docker-compose.yml
@@ -1,10 +1,11 @@
@@ -67,7 +67,7 @@ index 2ce16d12c..b61c84199 100644
 +    volumes:
 +      - dbdata:/var/lib/mysql
     networks:
-       bluenet:
+       bouldernet:
         aliases:
@@ -68,22 +77,11 @@ services:
     # small.
@@ -86,7 +86,7 @@ index 2ce16d12c..b61c84199 100644
 -    depends_on:
 -      - bmysql
 -    networks:
-      bluenet:
+-      bouldernet:
 -        aliases:
 -          - boulder-proxysql
 +      driver: "json-file"
@@ -98,19 +98,15 @@ index 2ce16d12c..b61c84199 100644
   bconsul:
     image: hashicorp/consul:1.15.4
@@ -95,12 +93,73 @@ services:
-       bluenet:
+       bouldernet:
         ipv4_address: 10.77.77.10
     command: "consul agent -dev -config-format=hcl -config-file=/test/consul/config.hcl"
 +    restart: always
- 
-  bjaeger:
-    image: jaegertracing/all-in-one:1.50
+
 +  gui:
 +    image: *boulder_image
-     networks:
-      bluenet:
-        ipv4_address: 10.77.77.17
-+      - bluenet
+    networks:
+      - bouldernet
 +    volumes:
 +      - /var/run/docker.sock:/var/run/docker.sock
 +      - /home/labca/admin:/go/src/labca
@@ -131,12 +127,16 @@ index 2ce16d12c..b61c84199 100644
 +        max-size: "500k"
 +        max-file: "5"
 +    restart: always
-+
+ 
+-  bjaeger:
+-    image: jaegertracing/all-in-one:1.50
 +  nginx:
 +    image: nginx:1.25.3
 +    restart: always
-+    networks:
-+      - bluenet
+     networks:
+-      bouldernet:
+-        ipv4_address: 10.77.77.17
+      - bouldernet
 +    ports:
 +      - 80:80
 +      - 443:443
@@ -148,7 +148,7 @@ index 2ce16d12c..b61c84199 100644
 +  control:
 +    image: *boulder_image
 +    networks:
-+      - bluenet
+      - bouldernet
 +    volumes:
 +      - /var/run/docker.sock:/var/run/docker.sock
 +      - /home/labca/admin/data:/opt/labca/data
@@ -174,4 +174,4 @@ index 2ce16d12c..b61c84199 100644
 +  dbdata:
 
 networks:
-   bluenet:
+   # This network is primarily used for boulder services. It is also used by
--- a/patches/issuance_crl.patch
+++ b/patches/issuance_crl.patch
@@ -0,0 +1,13 @@
+diff --git a/issuance/crl.go b/issuance/crl.go
+index 2f36d695c..c9c2a6548 100644
+--- a/issuance/crl.go
+++ b/issuance/crl.go
+@@ -90,7 +90,7 @@ func (i *Issuer) IssueCRL(prof *CRLProfile, req *CRLRequest) ([]byte, error) {
+ 	if req.DeprecatedIDPBaseURL != "" {
+ 		// TODO(#7296): Remove this fallback once CCADB and all non-expired certs
+ 		// contain the new-style CRLDP URL instead.
+-		idps = append(idps, fmt.Sprintf("%s/%d/%d.crl", req.DeprecatedIDPBaseURL, i.NameID(), req.Shard))
+		idps = append(idps, fmt.Sprintf("%s/%d.crl", req.DeprecatedIDPBaseURL, i.NameID()))
+ 	}
+ 	idp, err := makeIDPExt(idps)
+ 	if err != nil {
--- a/patches/linter_linter.patch
+++ b/patches/linter_linter.patch
@@ -1,8 +1,8 @@
 diff --git a/linter/linter.go b/linter/linter.go
-index b7a9d11d..8cdc5702 100644
+index 07ac8b029..bd0abd93e 100644
 --- a/linter/linter.go
 +++ b/linter/linter.go
-@@ -193,10 +193,21 @@ func makeIssuer(realIssuer *x509.Certificate, lintSigner crypto.Signer) (*x509.C
+@@ -199,10 +199,21 @@ func makeIssuer(realIssuer *x509.Certificate, lintSigner crypto.Signer) (*x509.C
 		SubjectKeyId:                realIssuer.SubjectKeyId,
 		URIs:                        realIssuer.URIs,
 		UnknownExtKeyUsage:          realIssuer.UnknownExtKeyUsage,
--- a/patches/test_config_ca.patch
+++ b/patches/test_config_ca.patch
@@ -1,11 +1,12 @@
 diff --git a/test/config/ca.json b/test/config/ca.json
-index 1233a9c95..3c4a0a3ca 100644
+index 53ae91f2d..1937e5580 100644
 --- a/test/config/ca.json
 +++ b/test/config/ca.json
-@@ -59,35 +59,13 @@
+@@ -58,36 +58,14 @@
+ 				"maxValidityBackdate": "1h5m"
 			},
 			"issuers": [
- 				{
+-				{
 -					"useForRSALeaves": false,
 -					"useForECDSALeaves": true,
 -					"issuerURL": "http://127.0.0.1:4001/aia/issuer/5214744660557630",
@@ -16,13 +17,13 @@ index 1233a9c95..3c4a0a3ca 100644
 -						"numSessions": 2
 -					}
 -				},
-				{
+ 				{
 					"useForRSALeaves": true,
 					"useForECDSALeaves": true,
 					"issuerURL": "http://127.0.0.1:4001/aia/issuer/6605440498369741",
 					"ocspURL": "http://127.0.0.1:4002/",
 					"location": {
- 						"configFile": "test/test-ca.key-pkcs11.json",
+-						"configFile": "/hierarchy/intermediate-signing-key-rsa.pkcs11.json",
 -						"certFile": "/hierarchy/intermediate-cert-rsa-a.pem",
 -						"numSessions": 2
 -					}
@@ -33,8 +34,9 @@ index 1233a9c95..3c4a0a3ca 100644
 -					"issuerURL": "http://127.0.0.1:4001/aia/issuer/41127673797486028",
 -					"ocspURL": "http://127.0.0.1:4002/",
 -					"location": {
-						"configFile": "test/test-ca.key-pkcs11.json",
+-						"configFile": "/hierarchy/intermediate-signing-key-rsa.pkcs11.json",
 -						"certFile": "/hierarchy/intermediate-cert-rsa-b.pem",
+						"configFile": "test/test-ca.key-pkcs11.json",
 +						"certFile": "test/test-ca.pem",
 						"numSessions": 2
 					}
--- a/patches/va_http.patch
+++ b/patches/va_http.patch
@@ -1,8 +1,8 @@
 diff --git a/va/http.go b/va/http.go
-index 8700b2a03..6583710fe 100644
+index 78df8bf42..db281855c 100644
 --- a/va/http.go
 +++ b/va/http.go
-@@ -333,7 +333,16 @@ func (va *ValidationAuthorityImpl) extractRequestTarget(req *http.Request) (stri
+@@ -332,7 +332,16 @@ func (va *ValidationAuthorityImpl) extractRequestTarget(req *http.Request) (stri
 	}
 
 	if _, err := iana.ExtractSuffix(reqHost); err != nil {
--- a/patches/va_va.patch
+++ b/patches/va_va.patch
@@ -1,8 +1,8 @@
 diff --git a/va/va.go b/va/va.go
-index 103896574..2e120ab52 100644
+index dd743b593..b74a313f0 100644
 --- a/va/va.go
 +++ b/va/va.go
-@@ -264,6 +264,7 @@ type ValidationAuthorityImpl struct {
+@@ -265,6 +265,7 @@ type ValidationAuthorityImpl struct {
 	maxRemoteFailures  int
 	accountURIPrefixes []string
 	singleDialTimeout  time.Duration
@@ -10,7 +10,7 @@ index 103896574..2e120ab52 100644
 
 	metrics *vaMetrics
 }
-@@ -279,6 +280,7 @@ func NewValidationAuthorityImpl(
+@@ -280,6 +281,7 @@ func NewValidationAuthorityImpl(
 	clk clock.Clock,
 	logger blog.Logger,
 	accountURIPrefixes []string,
@@ -18,7 +18,7 @@ index 103896574..2e120ab52 100644
 ) (*ValidationAuthorityImpl, error) {
 
 	if len(accountURIPrefixes) == 0 {
-@@ -305,6 +307,7 @@ func NewValidationAuthorityImpl(
+@@ -306,6 +308,7 @@ func NewValidationAuthorityImpl(
 		// used for the DialContext operations that take place during an
 		// HTTP-01 challenge validation.
 		singleDialTimeout: 10 * time.Second,