Bump boulder version to release-2023-02-13a

2026-01-27 10:19:34 +00:00 · 2023-02-14 08:33:31 +01:00
parent 22403b78bf
commit e56524b6fd
13 changed files with 79 additions and 122 deletions
--- a/2
+++ b/2
@@ -24,7 +24,7 @@ dockerComposeVersion="v2.5.0"

 labcaUrl="https://github.com/hakwerk/labca/"
 boulderUrl="https://github.com/letsencrypt/boulder/"
-boulderTag="release-2023-01-24"
+boulderTag="release-2023-02-13a"

 # Feature flags
 flag_skip_redis=true
--- a/patches/boulder-va_main.patch
+++ b/patches/boulder-va_main.patch
@@ -1,8 +1,8 @@
 diff --git a/cmd/boulder-va/main.go b/cmd/boulder-va/main.go
-index 80be1f34..ace5c03c 100644
+index cd6342bc..bb6f0074 100644
 --- a/cmd/boulder-va/main.go
 +++ b/cmd/boulder-va/main.go
-@@ -35,8 +35,10 @@ type Config struct {
+@@ -33,8 +33,10 @@ type Config struct {
 		// The number of times to try a DNS query (that has a temporary error)
 		// before giving up. May be short-circuited by deadlines. A zero value
 		// will be turned into 1.
@@ -15,7 +15,7 @@ index 80be1f34..ace5c03c 100644
 		DNSTimeout                string
 		DNSAllowLoopbackAddresses bool
 
-@@ -119,11 +121,13 @@ func main() {
+@@ -102,11 +104,13 @@ func main() {
 	clk := cmd.Clock()
 
 	var servers bdns.ServerProvider
--- a/patches/cert-checker_main.patch
+++ b/patches/cert-checker_main.patch
@@ -1,8 +1,8 @@
 diff --git a/cmd/cert-checker/main.go b/cmd/cert-checker/main.go
-index 3fe4880a..1e1201e9 100644
+index 340c5629..0dc0389a 100644
 --- a/cmd/cert-checker/main.go
 +++ b/cmd/cert-checker/main.go
-@@ -98,6 +98,7 @@ type certChecker struct {
+@@ -100,6 +100,7 @@ type certChecker struct {
 	checkPeriod                 time.Duration
 	acceptableValidityDurations map[time.Duration]bool
 	logger                      blog.Logger
@@ -10,7 +10,7 @@ index 3fe4880a..1e1201e9 100644
 }
 
 func newChecker(saDbMap certDB,
-@@ -107,6 +108,7 @@ func newChecker(saDbMap certDB,
+@@ -109,6 +110,7 @@ func newChecker(saDbMap certDB,
 	period time.Duration,
 	avd map[time.Duration]bool,
 	logger blog.Logger,
@@ -18,7 +18,7 @@ index 3fe4880a..1e1201e9 100644
 ) certChecker {
 	return certChecker{
 		pa:                          pa,
-@@ -119,6 +121,7 @@ func newChecker(saDbMap certDB,
+@@ -121,6 +123,7 @@ func newChecker(saDbMap certDB,
 		checkPeriod:                 period,
 		acceptableValidityDurations: avd,
 		logger:                      logger,
@@ -26,7 +26,7 @@ index 3fe4880a..1e1201e9 100644
 	}
 }
 
-@@ -309,7 +312,7 @@ func (c *certChecker) checkCert(cert core.Certificate, ignoredLints map[string]b
+@@ -347,7 +350,7 @@ func (c *certChecker) checkCert(cert core.Certificate, ignoredLints map[string]b
 			err = c.pa.WillingToIssueWildcards([]identifier.ACMEIdentifier{id})
 			if err != nil {
 				problems = append(problems, fmt.Sprintf("Policy Authority isn't willing to issue for '%s': %s", name, err))
@@ -35,7 +35,7 @@ index 3fe4880a..1e1201e9 100644
 				// For defense-in-depth, even if the PA was willing to issue for a name
 				// we double check it against a list of forbidden domains. This way even
 				// if the hostnamePolicyFile malfunctions we will flag the forbidden
-@@ -360,11 +363,12 @@ type Config struct {
+@@ -409,11 +412,12 @@ type Config struct {
 		DB cmd.DBConfig
 		cmd.HostnamePolicyConfig
 
@@ -53,7 +53,7 @@ index 3fe4880a..1e1201e9 100644
 
 		// AcceptableValidityDurations is a list of durations which are
 		// acceptable for certificates we issue.
-@@ -430,6 +434,8 @@ func main() {
+@@ -479,6 +483,8 @@ func main() {
 		acceptableValidityDurations[ninetyDays] = true
 	}
 
@@ -62,7 +62,7 @@ index 3fe4880a..1e1201e9 100644
 	// Validate PA config and set defaults if needed.
 	cmd.FailOnError(config.PA.CheckChallenges(), "Invalid PA configuration")
 
-@@ -470,6 +476,7 @@ func main() {
+@@ -519,6 +525,7 @@ func main() {
 		config.CertChecker.CheckPeriod.Duration,
 		acceptableValidityDurations,
 		logger,
--- a/patches/config_ocsp-responder.patch
+++ b/patches/config_ocsp-responder.patch
@@ -2,7 +2,7 @@ diff --git a/test/config/ocsp-responder.json b/test/config/ocsp-responder.json
 index ed874d3..a1a78f3 100644
 --- a/test/config/ocsp-responder.json
 +++ b/test/config/ocsp-responder.json
-@@ -44,9 +44,7 @@
+@@ -45,9 +45,7 @@
     "path": "/",
     "listenAddress": "0.0.0.0:4002",
     "issuerCerts": [
--- a/patches/contact-auditor_main.patch
+++ b/patches/contact-auditor_main.patch
@@ -1,5 +1,5 @@
 diff --git a/cmd/contact-auditor/main.go b/cmd/contact-auditor/main.go
-index 90a61d89..b1967e92 100644
+index 419182fe..d77270cd 100644
 --- a/cmd/contact-auditor/main.go
 +++ b/cmd/contact-auditor/main.go
@@ -11,6 +11,7 @@ import (
@@ -7,10 +7,10 @@ index 90a61d89..b1967e92 100644
 
 	"github.com/letsencrypt/boulder/cmd"
 +	"github.com/letsencrypt/boulder/core"
+ 	"github.com/letsencrypt/boulder/db"
 	blog "github.com/letsencrypt/boulder/log"
 	"github.com/letsencrypt/boulder/policy"
- 	"github.com/letsencrypt/boulder/sa"
-@@ -48,9 +49,13 @@ func validateContacts(id int64, createdAt string, contacts []string) error {
+@@ -49,9 +50,13 @@ func validateContacts(id int64, createdAt string, contacts []string) error {
 		fmt.Fprintf(&probsBuff, "%d\t%s\tvalidation\t%q\t%q\t%q\n", id, createdAt, contact, prob, contacts)
 	}
 
--- a/patches/core_interfaces.patch
+++ b/patches/core_interfaces.patch
@@ -1,10 +1,10 @@
 diff --git a/core/interfaces.go b/core/interfaces.go
-index d19eb4fb8..3ae50d737 100644
+index 003329c3..c01cd881 100644
 --- a/core/interfaces.go
 +++ b/core/interfaces.go
-@@ -10,4 +10,5 @@ type PolicyAuthority interface {
- 	WillingToIssueWildcards(identifiers []identifier.ACMEIdentifier) error
- 	ChallengesFor(domain identifier.ACMEIdentifier) ([]Challenge, error)
- 	ChallengeTypeEnabled(t AcmeChallenge) bool
+@@ -11,4 +11,5 @@ type PolicyAuthority interface {
+ 	ChallengesFor(identifier.ACMEIdentifier) ([]Challenge, error)
+ 	ChallengeTypeEnabled(AcmeChallenge) bool
+ 	CheckAuthz(*Authorization) error
 +	ValidEmail(address string) error
 }
--- a/patches/docker-compose-redis.patch
+++ b/patches/docker-compose-redis.patch
@@ -1,5 +1,5 @@
 diff --git a/docker-compose.yml b/docker-compose.yml
-index 7fd47d36..db9ee964 100644
+index 4ce7c1d6..ed8da276 100644
 --- a/docker-compose.yml
 +++ b/docker-compose.yml
@@ -22,8 +22,6 @@ services:
@@ -11,25 +11,24 @@ index 7fd47d36..db9ee964 100644
       consulnet:
         ipv4_address: 10.55.55.55
     extra_hosts:
-@@ -41,7 +39,6 @@ services:
+@@ -41,8 +39,6 @@ services:
       - 4003:4003 # OCSP
     depends_on:
       - bmysql
-      - bredis_clusterer
+-      - bredis_1
+-      - bredis_2
       - bconsul
     entrypoint: test/entrypoint.sh
     working_dir: &boulder_working_dir /boulder
-@@ -62,82 +59,6 @@ services:
-     command: mysqld --bind-address=0.0.0.0 --slow-query-log --log-output=TABLE --log-queries-not-using-indexes=ON
+@@ -64,24 +60,6 @@ services:
     logging:
       driver: none
-  # TODO(#6517): replace all bredis_ services with those from
-  # docker-compose.next.yml.
+ 
 -  bredis_1:
 -    image: redis:6.2.7
 -    volumes:
 -      - ./test/:/test/:cached
-    command: redis-server /test/redis-cluster.config
+-    command: redis-server /test/redis.config
 -    networks:
 -      redisnet:
 -        ipv4_address: 10.33.33.2
@@ -38,71 +37,15 @@ index 7fd47d36..db9ee964 100644
 -    image: redis:6.2.7
 -    volumes:
 -      - ./test/:/test/:cached
-    command: redis-server /test/redis-cluster.config
+-    command: redis-server /test/redis.config
 -    networks:
 -      redisnet:
 -        ipv4_address: 10.33.33.3
 -
-  bredis_3:
-    image: redis:6.2.7
-    volumes:
-      - ./test/:/test/:cached
-    command: redis-server /test/redis-cluster.config
-    networks:
-      redisnet:
-        ipv4_address: 10.33.33.4
-
-  bredis_4:
-    image: redis:6.2.7
-    volumes:
-      - ./test/:/test/:cached
-    command: redis-server /test/redis-cluster.config
-    networks:
-      redisnet:
-        ipv4_address: 10.33.33.5
-
-  bredis_5:
-    image: redis:6.2.7
-    volumes:
-      - ./test/:/test/:cached
-    command: redis-server /test/redis-cluster.config
-    networks:
-      redisnet:
-        ipv4_address: 10.33.33.6
-
-  bredis_6:
-    image: redis:6.2.7
-    volumes:
-      - ./test/:/test/:cached
-    command: redis-server /test/redis-cluster.config
-    networks:
-      redisnet:
-        ipv4_address: 10.33.33.7
-  # TODO(#6517): remove bredis_clusterer.
-  bredis_clusterer:
-    image: redis:6.2.7
-    environment:
-      BOULDER_CONFIG_DIR: *boulder_config_dir
-    volumes:
-      - ./test/:/test/:cached
-      - ./cluster/:/cluster/:cached
-    command: /test/wait-for-it.sh 10.33.33.2 4218 /test/redis-create.sh
-    depends_on:
-      - bredis_1
-      - bredis_2
-      - bredis_3
-      - bredis_4
-      - bredis_5
-      - bredis_6
-    networks:
-      redisnet:
-        ipv4_address: 10.33.33.10
-        aliases:
-          - boulder-redis-clusterer
- 
   bconsul:
     image: hashicorp/consul:1.13.1
-@@ -175,13 +96,6 @@ networks:
+     volumes:
+@@ -118,13 +96,6 @@ networks:
       config:
         - subnet: 10.88.88.0/24
 
--- a/patches/docker-compose.patch
+++ b/patches/docker-compose.patch
@@ -1,9 +1,9 @@
 diff --git a/docker-compose.yml b/docker-compose.yml
-index db9ee964..c932ad45 100644
+index ed8da276..9171ee2b 100644
 --- a/docker-compose.yml
 +++ b/docker-compose.yml
@@ -6,7 +6,7 @@ services:
-     image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.19.5_2023-01-10}
+     image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.19.5_2023-02-02}
     environment:
       FAKE_DNS: 10.77.77.77
 -      BOULDER_CONFIG_DIR: &boulder_config_dir test/config
--- a/patches/entrypoint.patch
+++ b/patches/entrypoint.patch
@@ -2,7 +2,7 @@ diff --git a/test/entrypoint.sh b/test/entrypoint.sh
 index 5ca9929..f18e1d8 100755
 --- a/test/entrypoint.sh
 +++ b/test/entrypoint.sh
-@@ -17,6 +17,18 @@ wait_tcp_port boulder-mysql 3306
+@@ -16,6 +16,18 @@ wait_tcp_port boulder-mysql 3306
 # create the database
 MYSQL_CONTAINER=1 $DIR/create_db.sh

--- a/patches/log_log.patch
+++ b/patches/log_log.patch
@@ -1,8 +1,8 @@
 diff --git a/log/log.go b/log/log.go
-index dae33eff..7fed903a 100644
+index 02368437..dc39bcdd 100644
 --- a/log/log.go
 +++ b/log/log.go
-@@ -92,6 +92,9 @@ func newStdoutWriter(level int) *stdoutWriter {
+@@ -93,6 +93,9 @@ func newStdoutWriter(level int) *stdoutWriter {
 	}
 
 	prefix := fmt.Sprintf("%s %s %s[%d]:", shortHostname, datacenter, path.Base(os.Args[0]), os.Getpid())
--- a/patches/ocsp-responder_main.patch
+++ b/patches/ocsp-responder_main.patch
@@ -1,11 +1,11 @@
 diff --git a/cmd/ocsp-responder/main.go b/cmd/ocsp-responder/main.go
-index a5f91a07..940c18a9 100644
+index 983fb33a..e8a132cd 100644
 --- a/cmd/ocsp-responder/main.go
 +++ b/cmd/ocsp-responder/main.go
-@@ -178,42 +178,44 @@ as generated by Boulder's ceremony command.
- 		dbMap, err := sa.InitWrappedDb(config.DB, scope, logger)
- 		cmd.FailOnError(err, "While initializing dbMap")
- 
+@@ -172,49 +172,51 @@ as generated by Boulder's ceremony command.
+ 		source, err = responder.NewMemorySourceFromFile(filename, logger)
+ 		cmd.FailOnError(err, fmt.Sprintf("Couldn't read file: %s", url.Path))
+ 	} else {
 -		// Set up the redis source and the combined multiplex source.
 -		rocspRWClient, err := rocsp_config.MakeClient(&c.OCSPResponder.Redis, clk, scope)
 -		cmd.FailOnError(err, "Could not make redis client")
@@ -28,17 +28,6 @@ index a5f91a07..940c18a9 100644
 -		maxInflight := c.OCSPResponder.MaxInflightSignings
 -		if maxInflight == 0 {
 -			maxInflight = 1000
-		}
-		liveSource := live.New(rac, int64(maxInflight), c.OCSPResponder.MaxSigningWaiters)
-
-		rocspSource, err := redis_responder.NewRedisSource(rocspRWClient, liveSource, liveSigningPeriod, clk, scope, logger)
-		cmd.FailOnError(err, "Could not create redis source")
-
-		var sac sapb.StorageAuthorityReadOnlyClient
-		if c.OCSPResponder.SAService != nil {
-			saConn, err := bgrpc.ClientSetup(c.OCSPResponder.SAService, tlsConfig, scope, clk)
-			cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA")
-			sac = sapb.NewStorageAuthorityReadOnlyClient(saConn)
 +		if c.OCSPResponder.Redis.Addrs != nil {
 +			// Set up the redis source and the combined multiplex source.
 +			rocspRWClient, err := rocsp_config.MakeClient(&c.OCSPResponder.Redis, clk, scope)
@@ -68,15 +57,40 @@ index a5f91a07..940c18a9 100644
 +			rocspSource, err := redis_responder.NewRedisSource(rocspRWClient, liveSource, liveSigningPeriod, clk, scope, logger)
 +			cmd.FailOnError(err, "Could not create redis source")
 +
+			var dbMap *db.WrappedMap
+			if c.OCSPResponder.DB != (cmd.DBConfig{}) {
+				dbMap, err = sa.InitWrappedDb(c.OCSPResponder.DB, scope, logger)
+				cmd.FailOnError(err, "While initializing dbMap")
+			}
+
 +			var sac sapb.StorageAuthorityReadOnlyClient
 +			if c.OCSPResponder.SAService != nil {
 +				saConn, err := bgrpc.ClientSetup(c.OCSPResponder.SAService, tlsConfig, scope, clk)
 +				cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA")
 +				sac = sapb.NewStorageAuthorityReadOnlyClient(saConn)
 +			}
+
 +			source, err = redis_responder.NewCheckedRedisSource(rocspSource, dbMap, sac, scope, logger)
 +			cmd.FailOnError(err, "Could not create checkedRedis source")
 		}
+-		liveSource := live.New(rac, int64(maxInflight), c.OCSPResponder.MaxSigningWaiters)
+-
+-		rocspSource, err := redis_responder.NewRedisSource(rocspRWClient, liveSource, liveSigningPeriod, clk, scope, logger)
+-		cmd.FailOnError(err, "Could not create redis source")
+-
+-		var dbMap *db.WrappedMap
+-		if c.OCSPResponder.DB != (cmd.DBConfig{}) {
+-			dbMap, err = sa.InitWrappedDb(c.OCSPResponder.DB, scope, logger)
+-			cmd.FailOnError(err, "While initializing dbMap")
+-		}
+-
+-		var sac sapb.StorageAuthorityReadOnlyClient
+-		if c.OCSPResponder.SAService != nil {
+-			saConn, err := bgrpc.ClientSetup(c.OCSPResponder.SAService, tlsConfig, scope, clk)
+-			cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA")
+-			sac = sapb.NewStorageAuthorityReadOnlyClient(saConn)
+-		}
+-
 -		source, err = redis_responder.NewCheckedRedisSource(rocspSource, dbMap, sac, scope, logger)
 -		cmd.FailOnError(err, "Could not create checkedRedis source")
 
--- a/patches/policy_pa.patch
+++ b/patches/policy_pa.patch
@@ -1,8 +1,8 @@
 diff --git a/policy/pa.go b/policy/pa.go
-index bd4a28bf2..e28241d58 100644
+index 7da498f3..e24663de 100644
 --- a/policy/pa.go
 +++ b/policy/pa.go
-@@ -31,6 +31,8 @@ type AuthorityImpl struct {
+@@ -32,6 +32,8 @@ type AuthorityImpl struct {
 	blocklist              map[string]bool
 	exactBlocklist         map[string]bool
 	wildcardExactBlocklist map[string]bool
@@ -11,7 +11,7 @@ index bd4a28bf2..e28241d58 100644
 	blocklistMu            sync.RWMutex
 
 	enabledChallenges map[core.AcmeChallenge]bool
-@@ -71,6 +73,9 @@ type blockedNamesPolicy struct {
+@@ -72,6 +74,9 @@ type blockedNamesPolicy struct {
 	// time above and beyond the high-risk domains. Managing these entries separately
 	// from HighRiskBlockedNames makes it easier to vet changes accurately.
 	AdminBlockedNames []string `yaml:"AdminBlockedNames"`
@@ -21,7 +21,7 @@ index bd4a28bf2..e28241d58 100644
 }
 
 // SetHostnamePolicyFile will load the given policy file, returning error if it
-@@ -135,10 +140,20 @@ func (pa *AuthorityImpl) processHostnamePolicy(policy blockedNamesPolicy) error
+@@ -136,10 +141,20 @@ func (pa *AuthorityImpl) processHostnamePolicy(policy blockedNamesPolicy) error
 		// wildcardNameMap to block issuance for `*.`+parts[1]
 		wildcardNameMap[parts[1]] = true
 	}
@@ -42,7 +42,7 @@ index bd4a28bf2..e28241d58 100644
 	pa.blocklistMu.Unlock()
 	return nil
 }
-@@ -209,7 +224,7 @@ var (
+@@ -210,7 +225,7 @@ var (
 // * exactly equal to an IANA registered TLD
 //
 // It does _not_ check that the domain isn't on any PA blocked lists.
@@ -51,7 +51,7 @@ index bd4a28bf2..e28241d58 100644
 	if domain == "" {
 		return errEmptyName
 	}
-@@ -285,6 +300,14 @@ func validDomain(domain string) error {
+@@ -286,6 +301,14 @@ func validDomain(domain string) error {
 		}
 	}
 
@@ -66,7 +66,7 @@ index bd4a28bf2..e28241d58 100644
 	// Names must end in an ICANN TLD, but they must not be equal to an ICANN TLD.
 	icannTLD, err := iana.ExtractSuffix(domain)
 	if err != nil {
-@@ -312,7 +335,7 @@ var forbiddenMailDomains = map[string]bool{
+@@ -313,7 +336,7 @@ var forbiddenMailDomains = map[string]bool{
 // ValidEmail returns an error if the input doesn't parse as an email address,
 // the domain isn't a valid hostname in Preferred Name Syntax, or its on the
 // list of domains forbidden for mail (because they are often used in examples).
@@ -75,7 +75,7 @@ index bd4a28bf2..e28241d58 100644
 	email, err := mail.ParseAddress(address)
 	if err != nil {
 		if len(address) > 254 {
-@@ -322,7 +345,7 @@ func ValidEmail(address string) error {
+@@ -323,7 +346,7 @@ func ValidEmail(address string) error {
 	}
 	splitEmail := strings.SplitN(email.Address, "@", -1)
 	domain := strings.ToLower(splitEmail[len(splitEmail)-1])
@@ -84,7 +84,7 @@ index bd4a28bf2..e28241d58 100644
 	if err != nil {
 		return berrors.InvalidEmailError(
 			"contact email %q has invalid domain : %s",
-@@ -362,11 +385,15 @@ func (pa *AuthorityImpl) willingToIssue(id identifier.ACMEIdentifier) error {
+@@ -363,11 +386,15 @@ func (pa *AuthorityImpl) willingToIssue(id identifier.ACMEIdentifier) error {
 	}
 	domain := id.Value
 
@@ -101,7 +101,7 @@ index bd4a28bf2..e28241d58 100644
 	// Require no match against hostname block lists
 	err = pa.checkHostLists(domain)
 	if err != nil {
-@@ -376,6 +403,31 @@ func (pa *AuthorityImpl) willingToIssue(id identifier.ACMEIdentifier) error {
+@@ -377,6 +404,31 @@ func (pa *AuthorityImpl) willingToIssue(id identifier.ACMEIdentifier) error {
 	return nil
 }
 
--- a/patches/ra_ra.patch
+++ b/patches/ra_ra.patch
@@ -1,8 +1,8 @@
 diff --git a/ra/ra.go b/ra/ra.go
-index 5316edba..f9adff61 100644
+index b55bcd92..e15670a9 100644
 --- a/ra/ra.go
 +++ b/ra/ra.go
-@@ -32,7 +32,6 @@ import (
+@@ -39,7 +39,6 @@ import (
 	"github.com/letsencrypt/boulder/issuance"
 	blog "github.com/letsencrypt/boulder/log"
 	"github.com/letsencrypt/boulder/metrics"
@@ -10,7 +10,7 @@ index 5316edba..f9adff61 100644
 	"github.com/letsencrypt/boulder/probs"
 	pubpb "github.com/letsencrypt/boulder/publisher/proto"
 	rapb "github.com/letsencrypt/boulder/ra/proto"
-@@ -504,7 +503,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error {
+@@ -526,7 +525,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error {
 				contact,
 			)
 		}