diff --git a/install b/install index 903e63f..c357e0b 100755 --- a/install +++ b/install @@ -24,7 +24,7 @@ dockerComposeVersion="v2.5.0" labcaUrl="https://github.com/hakwerk/labca/" boulderUrl="https://github.com/letsencrypt/boulder/" -boulderTag="release-2023-01-24" +boulderTag="release-2023-02-13a" # Feature flags flag_skip_redis=true diff --git a/patches/boulder-va_main.patch b/patches/boulder-va_main.patch index 2fa7ad7..cc6a34e 100644 --- a/patches/boulder-va_main.patch +++ b/patches/boulder-va_main.patch @@ -1,8 +1,8 @@ diff --git a/cmd/boulder-va/main.go b/cmd/boulder-va/main.go -index 80be1f34..ace5c03c 100644 +index cd6342bc..bb6f0074 100644 --- a/cmd/boulder-va/main.go +++ b/cmd/boulder-va/main.go -@@ -35,8 +35,10 @@ type Config struct { +@@ -33,8 +33,10 @@ type Config struct { // The number of times to try a DNS query (that has a temporary error) // before giving up. May be short-circuited by deadlines. A zero value // will be turned into 1. @@ -15,7 +15,7 @@ index 80be1f34..ace5c03c 100644 DNSTimeout string DNSAllowLoopbackAddresses bool -@@ -119,11 +121,13 @@ func main() { +@@ -102,11 +104,13 @@ func main() { clk := cmd.Clock() var servers bdns.ServerProvider diff --git a/patches/cert-checker_main.patch b/patches/cert-checker_main.patch index 2b749c1..13a8183 100644 --- a/patches/cert-checker_main.patch +++ b/patches/cert-checker_main.patch @@ -1,8 +1,8 @@ diff --git a/cmd/cert-checker/main.go b/cmd/cert-checker/main.go -index 3fe4880a..1e1201e9 100644 +index 340c5629..0dc0389a 100644 --- a/cmd/cert-checker/main.go +++ b/cmd/cert-checker/main.go -@@ -98,6 +98,7 @@ type certChecker struct { +@@ -100,6 +100,7 @@ type certChecker struct { checkPeriod time.Duration acceptableValidityDurations map[time.Duration]bool logger blog.Logger 
@@ -10,7 +10,7 @@ index 3fe4880a..1e1201e9 100644 } func newChecker(saDbMap certDB, -@@ -107,6 +108,7 @@ func newChecker(saDbMap certDB, +@@ -109,6 +110,7 @@ func newChecker(saDbMap certDB, period time.Duration, avd map[time.Duration]bool, logger blog.Logger, @@ -18,7 +18,7 @@ index 3fe4880a..1e1201e9 100644 ) certChecker { return certChecker{ pa: pa, -@@ -119,6 +121,7 @@ func newChecker(saDbMap certDB, +@@ -121,6 +123,7 @@ func newChecker(saDbMap certDB, checkPeriod: period, acceptableValidityDurations: avd, logger: logger, @@ -26,7 +26,7 @@ index 3fe4880a..1e1201e9 100644 } } -@@ -309,7 +312,7 @@ func (c *certChecker) checkCert(cert core.Certificate, ignoredLints map[string]b +@@ -347,7 +350,7 @@ func (c *certChecker) checkCert(cert core.Certificate, ignoredLints map[string]b err = c.pa.WillingToIssueWildcards([]identifier.ACMEIdentifier{id}) if err != nil { problems = append(problems, fmt.Sprintf("Policy Authority isn't willing to issue for '%s': %s", name, err)) @@ -35,7 +35,7 @@ index 3fe4880a..1e1201e9 100644 // For defense-in-depth, even if the PA was willing to issue for a name // we double check it against a list of forbidden domains. This way even // if the hostnamePolicyFile malfunctions we will flag the forbidden -@@ -360,11 +363,12 @@ type Config struct { +@@ -409,11 +412,12 @@ type Config struct { DB cmd.DBConfig cmd.HostnamePolicyConfig @@ -53,7 +53,7 @@ index 3fe4880a..1e1201e9 100644 // AcceptableValidityDurations is a list of durations which are // acceptable for certificates we issue. -@@ -430,6 +434,8 @@ func main() { +@@ -479,6 +483,8 @@ func main() { acceptableValidityDurations[ninetyDays] = true } @@ -62,7 +62,7 @@ index 3fe4880a..1e1201e9 100644 // Validate PA config and set defaults if needed. cmd.FailOnError(config.PA.CheckChallenges(), "Invalid PA configuration") -@@ -470,6 +476,7 @@ func main() { +@@ -519,6 +525,7 @@ func main() { config.CertChecker.CheckPeriod.Duration, acceptableValidityDurations, logger, 
diff --git a/patches/config_ocsp-responder.patch b/patches/config_ocsp-responder.patch index eb08594..26e8096 100644 --- a/patches/config_ocsp-responder.patch +++ b/patches/config_ocsp-responder.patch @@ -2,7 +2,7 @@ diff --git a/test/config/ocsp-responder.json b/test/config/ocsp-responder.json index ed874d3..a1a78f3 100644 --- a/test/config/ocsp-responder.json +++ b/test/config/ocsp-responder.json -@@ -44,9 +44,7 @@ +@@ -45,9 +45,7 @@ "path": "/", "listenAddress": "0.0.0.0:4002", "issuerCerts": [ diff --git a/patches/contact-auditor_main.patch b/patches/contact-auditor_main.patch index 26582be..ac6c751 100644 --- a/patches/contact-auditor_main.patch +++ b/patches/contact-auditor_main.patch @@ -1,5 +1,5 @@ diff --git a/cmd/contact-auditor/main.go b/cmd/contact-auditor/main.go -index 90a61d89..b1967e92 100644 +index 419182fe..d77270cd 100644 --- a/cmd/contact-auditor/main.go +++ b/cmd/contact-auditor/main.go @@ -11,6 +11,7 @@ import ( @@ -7,10 +7,10 @@ index 90a61d89..b1967e92 100644 "github.com/letsencrypt/boulder/cmd" + "github.com/letsencrypt/boulder/core" + "github.com/letsencrypt/boulder/db" blog "github.com/letsencrypt/boulder/log" "github.com/letsencrypt/boulder/policy" - "github.com/letsencrypt/boulder/sa" -@@ -48,9 +49,13 @@ func validateContacts(id int64, createdAt string, contacts []string) error { +@@ -49,9 +50,13 @@ func validateContacts(id int64, createdAt string, contacts []string) error { fmt.Fprintf(&probsBuff, "%d\t%s\tvalidation\t%q\t%q\t%q\n", id, createdAt, contact, prob, contacts) } diff --git a/patches/core_interfaces.patch b/patches/core_interfaces.patch index ee798e1..a6e8080 100644 --- a/patches/core_interfaces.patch +++ b/patches/core_interfaces.patch @@ -1,10 +1,10 @@ diff --git a/core/interfaces.go b/core/interfaces.go -index d19eb4fb8..3ae50d737 100644 +index 003329c3..c01cd881 100644 --- a/core/interfaces.go 
+++ b/core/interfaces.go -@@ -10,4 +10,5 @@ type PolicyAuthority interface { - WillingToIssueWildcards(identifiers []identifier.ACMEIdentifier) error - ChallengesFor(domain identifier.ACMEIdentifier) ([]Challenge, error) - ChallengeTypeEnabled(t AcmeChallenge) bool +@@ -11,4 +11,5 @@ type PolicyAuthority interface { + ChallengesFor(identifier.ACMEIdentifier) ([]Challenge, error) + ChallengeTypeEnabled(AcmeChallenge) bool + CheckAuthz(*Authorization) error + ValidEmail(address string) error } diff --git a/patches/docker-compose-redis.patch b/patches/docker-compose-redis.patch index dbe4ff8..d43f2c7 100644 --- a/patches/docker-compose-redis.patch +++ b/patches/docker-compose-redis.patch @@ -1,5 +1,5 @@ diff --git a/docker-compose.yml b/docker-compose.yml -index 7fd47d36..db9ee964 100644 +index 4ce7c1d6..ed8da276 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -22,8 +22,6 @@ services: @@ -11,25 +11,24 @@ index 7fd47d36..db9ee964 100644 consulnet: ipv4_address: 10.55.55.55 extra_hosts: -@@ -41,7 +39,6 @@ services: +@@ -41,8 +39,6 @@ services: - 4003:4003 # OCSP depends_on: - bmysql -- - bredis_clusterer +- - bredis_1 +- - bredis_2 - bconsul entrypoint: test/entrypoint.sh working_dir: &boulder_working_dir /boulder -@@ -62,82 +59,6 @@ services: - command: mysqld --bind-address=0.0.0.0 --slow-query-log --log-output=TABLE --log-queries-not-using-indexes=ON +@@ -64,24 +60,6 @@ services: logging: driver: none -- # TODO(#6517): replace all bredis_ services with those from -- # docker-compose.next.yml. + - bredis_1: - image: redis:6.2.7 - volumes: - - ./test/:/test/:cached -- command: redis-server /test/redis-cluster.config +- command: redis-server /test/redis.config - networks: - redisnet: - ipv4_address: 10.33.33.2 
@@ -38,71 +37,15 @@ index 7fd47d36..db9ee964 100644 - image: redis:6.2.7 - volumes: - - ./test/:/test/:cached -- command: redis-server /test/redis-cluster.config +- command: redis-server /test/redis.config - networks: - redisnet: - ipv4_address: 10.33.33.3 - -- bredis_3: -- image: redis:6.2.7 -- volumes: -- - ./test/:/test/:cached -- command: redis-server /test/redis-cluster.config -- networks: -- redisnet: -- ipv4_address: 10.33.33.4 -- -- bredis_4: -- image: redis:6.2.7 -- volumes: -- - ./test/:/test/:cached -- command: redis-server /test/redis-cluster.config -- networks: -- redisnet: -- ipv4_address: 10.33.33.5 -- -- bredis_5: -- image: redis:6.2.7 -- volumes: -- - ./test/:/test/:cached -- command: redis-server /test/redis-cluster.config -- networks: -- redisnet: -- ipv4_address: 10.33.33.6 -- -- bredis_6: -- image: redis:6.2.7 -- volumes: -- - ./test/:/test/:cached -- command: redis-server /test/redis-cluster.config -- networks: -- redisnet: -- ipv4_address: 10.33.33.7 -- # TODO(#6517): remove bredis_clusterer. -- bredis_clusterer: -- image: redis:6.2.7 -- environment: -- BOULDER_CONFIG_DIR: *boulder_config_dir -- volumes: -- - ./test/:/test/:cached -- - ./cluster/:/cluster/:cached -- command: /test/wait-for-it.sh 10.33.33.2 4218 /test/redis-create.sh -- depends_on: -- - bredis_1 -- - bredis_2 -- - bredis_3 -- - bredis_4 -- - bredis_5 -- - bredis_6 -- networks: -- redisnet: -- ipv4_address: 10.33.33.10 -- aliases: -- - boulder-redis-clusterer - bconsul: image: hashicorp/consul:1.13.1 -@@ -175,13 +96,6 @@ networks: + volumes: +@@ -118,13 +96,6 @@ networks: config: - subnet: 10.88.88.0/24 diff --git a/patches/docker-compose.patch b/patches/docker-compose.patch index 6cd91c1..0d140ae 100644 --- a/patches/docker-compose.patch +++ b/patches/docker-compose.patch @@ -1,9 +1,9 @@ diff --git a/docker-compose.yml b/docker-compose.yml -index db9ee964..c932ad45 100644 +index ed8da276..9171ee2b 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -6,7 +6,7 @@ services: - image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.19.5_2023-01-10} + image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.19.5_2023-02-02} environment: FAKE_DNS: 10.77.77.77 - BOULDER_CONFIG_DIR: &boulder_config_dir test/config diff --git a/patches/entrypoint.patch b/patches/entrypoint.patch index 2c1f59b..7ffda4d 100644 --- a/patches/entrypoint.patch +++ b/patches/entrypoint.patch @@ -2,7 +2,7 @@ diff --git a/test/entrypoint.sh b/test/entrypoint.sh index 5ca9929..f18e1d8 100755 --- a/test/entrypoint.sh +++ b/test/entrypoint.sh -@@ -17,6 +17,18 @@ wait_tcp_port boulder-mysql 3306 +@@ -16,6 +16,18 @@ wait_tcp_port boulder-mysql 3306 # create the database MYSQL_CONTAINER=1 $DIR/create_db.sh diff --git a/patches/log_log.patch b/patches/log_log.patch index 2d6edac..d734861 100644 --- a/patches/log_log.patch +++ b/patches/log_log.patch @@ -1,8 +1,8 @@ diff --git a/log/log.go b/log/log.go -index dae33eff..7fed903a 100644 +index 02368437..dc39bcdd 100644 --- a/log/log.go +++ b/log/log.go -@@ -92,6 +92,9 @@ func newStdoutWriter(level int) *stdoutWriter { +@@ -93,6 +93,9 @@ func newStdoutWriter(level int) *stdoutWriter { } prefix := fmt.Sprintf("%s %s %s[%d]:", shortHostname, datacenter, path.Base(os.Args[0]), os.Getpid()) diff --git a/patches/ocsp-responder_main.patch b/patches/ocsp-responder_main.patch index db9a03f..7b8e9bf 100644 --- a/patches/ocsp-responder_main.patch +++ b/patches/ocsp-responder_main.patch @@ -1,11 +1,11 @@ diff --git a/cmd/ocsp-responder/main.go b/cmd/ocsp-responder/main.go -index a5f91a07..940c18a9 100644 +index 983fb33a..e8a132cd 100644 --- a/cmd/ocsp-responder/main.go 
+++ b/cmd/ocsp-responder/main.go -@@ -178,42 +178,44 @@ as generated by Boulder's ceremony command. - dbMap, err := sa.InitWrappedDb(config.DB, scope, logger) - cmd.FailOnError(err, "While initializing dbMap") - +@@ -172,49 +172,51 @@ as generated by Boulder's ceremony command. + source, err = responder.NewMemorySourceFromFile(filename, logger) + cmd.FailOnError(err, fmt.Sprintf("Couldn't read file: %s", url.Path)) + } else { - // Set up the redis source and the combined multiplex source. - rocspRWClient, err := rocsp_config.MakeClient(&c.OCSPResponder.Redis, clk, scope) - cmd.FailOnError(err, "Could not make redis client") @@ -28,17 +28,6 @@ index a5f91a07..940c18a9 100644 - maxInflight := c.OCSPResponder.MaxInflightSignings - if maxInflight == 0 { - maxInflight = 1000 -- } -- liveSource := live.New(rac, int64(maxInflight), c.OCSPResponder.MaxSigningWaiters) -- -- rocspSource, err := redis_responder.NewRedisSource(rocspRWClient, liveSource, liveSigningPeriod, clk, scope, logger) -- cmd.FailOnError(err, "Could not create redis source") -- -- var sac sapb.StorageAuthorityReadOnlyClient -- if c.OCSPResponder.SAService != nil { -- saConn, err := bgrpc.ClientSetup(c.OCSPResponder.SAService, tlsConfig, scope, clk) -- cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA") -- sac = sapb.NewStorageAuthorityReadOnlyClient(saConn) + if c.OCSPResponder.Redis.Addrs != nil { + // Set up the redis source and the combined multiplex source. + rocspRWClient, err := rocsp_config.MakeClient(&c.OCSPResponder.Redis, clk, scope) 
@@ -68,15 +57,40 @@ index a5f91a07..940c18a9 100644 + rocspSource, err := redis_responder.NewRedisSource(rocspRWClient, liveSource, liveSigningPeriod, clk, scope, logger) + cmd.FailOnError(err, "Could not create redis source") + ++ var dbMap *db.WrappedMap ++ if c.OCSPResponder.DB != (cmd.DBConfig{}) { ++ dbMap, err = sa.InitWrappedDb(c.OCSPResponder.DB, scope, logger) ++ cmd.FailOnError(err, "While initializing dbMap") ++ } ++ + var sac sapb.StorageAuthorityReadOnlyClient + if c.OCSPResponder.SAService != nil { + saConn, err := bgrpc.ClientSetup(c.OCSPResponder.SAService, tlsConfig, scope, clk) + cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA") + sac = sapb.NewStorageAuthorityReadOnlyClient(saConn) + } ++ + source, err = redis_responder.NewCheckedRedisSource(rocspSource, dbMap, sac, scope, logger) + cmd.FailOnError(err, "Could not create checkedRedis source") } +- liveSource := live.New(rac, int64(maxInflight), c.OCSPResponder.MaxSigningWaiters) +- +- rocspSource, err := redis_responder.NewRedisSource(rocspRWClient, liveSource, liveSigningPeriod, clk, scope, logger) +- cmd.FailOnError(err, "Could not create redis source") +- +- var dbMap *db.WrappedMap +- if c.OCSPResponder.DB != (cmd.DBConfig{}) { +- dbMap, err = sa.InitWrappedDb(c.OCSPResponder.DB, scope, logger) +- cmd.FailOnError(err, "While initializing dbMap") +- } +- +- var sac sapb.StorageAuthorityReadOnlyClient +- if c.OCSPResponder.SAService != nil { +- saConn, err := bgrpc.ClientSetup(c.OCSPResponder.SAService, tlsConfig, scope, clk) +- cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA") +- sac = sapb.NewStorageAuthorityReadOnlyClient(saConn) +- } +- - source, err = redis_responder.NewCheckedRedisSource(rocspSource, dbMap, sac, scope, logger) - cmd.FailOnError(err, "Could not create checkedRedis source") diff --git a/patches/policy_pa.patch b/patches/policy_pa.patch index c4a9530..b89ca5c 100644 --- a/patches/policy_pa.patch 
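Review bot: With `c.OCSPResponder.Redis.Addrs` nil, the `else` branch now ends without assigning `source`, so the responder would continue with whatever value `source` held before rather than failing at startup, unless a fallback outside this hunk covers that case. Because the `dbMap`/`sac` cross-check in `NewCheckedRedisSource` is also reached only inside the guard, the no-Redis configuration ends up with no backing source at all and no error. I would close the guard with an explicit failure using the idiom already on these lines, `} else { cmd.FailOnError(fmt.Errorf("no OCSP source: Redis.Addrs is empty and the source is not a file URL"), "Configuring OCSP source") }`, and mark the intent with `// Without a file or Redis source there is nothing to serve; fail loudly.` The enclosing `main` begins and ends outside the hunk.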
+++ b/patches/policy_pa.patch @@ -1,8 +1,8 @@ diff --git a/policy/pa.go b/policy/pa.go -index bd4a28bf2..e28241d58 100644 +index 7da498f3..e24663de 100644 --- a/policy/pa.go +++ b/policy/pa.go -@@ -31,6 +31,8 @@ type AuthorityImpl struct { +@@ -32,6 +32,8 @@ type AuthorityImpl struct { blocklist map[string]bool exactBlocklist map[string]bool wildcardExactBlocklist map[string]bool @@ -11,7 +11,7 @@ index bd4a28bf2..e28241d58 100644 blocklistMu sync.RWMutex enabledChallenges map[core.AcmeChallenge]bool -@@ -71,6 +73,9 @@ type blockedNamesPolicy struct { +@@ -72,6 +74,9 @@ type blockedNamesPolicy struct { // time above and beyond the high-risk domains. Managing these entries separately // from HighRiskBlockedNames makes it easier to vet changes accurately. AdminBlockedNames []string `yaml:"AdminBlockedNames"` @@ -21,7 +21,7 @@ index bd4a28bf2..e28241d58 100644 } // SetHostnamePolicyFile will load the given policy file, returning error if it -@@ -135,10 +140,20 @@ func (pa *AuthorityImpl) processHostnamePolicy(policy blockedNamesPolicy) error +@@ -136,10 +141,20 @@ func (pa *AuthorityImpl) processHostnamePolicy(policy blockedNamesPolicy) error // wildcardNameMap to block issuance for `*.`+parts[1] wildcardNameMap[parts[1]] = true } @@ -42,7 +42,7 @@ index bd4a28bf2..e28241d58 100644 pa.blocklistMu.Unlock() return nil } -@@ -209,7 +224,7 @@ var ( +@@ -210,7 +225,7 @@ var ( // * exactly equal to an IANA registered TLD // // It does _not_ check that the domain isn't on any PA blocked lists. @@ -51,7 +51,7 @@ index bd4a28bf2..e28241d58 100644 if domain == "" { return errEmptyName } -@@ -285,6 +300,14 @@ func validDomain(domain string) error { +@@ -286,6 +301,14 @@ func validDomain(domain string) error { } } 
@@ -66,7 +66,7 @@ index bd4a28bf2..e28241d58 100644 // Names must end in an ICANN TLD, but they must not be equal to an ICANN TLD. icannTLD, err := iana.ExtractSuffix(domain) if err != nil { -@@ -312,7 +335,7 @@ var forbiddenMailDomains = map[string]bool{ +@@ -313,7 +336,7 @@ var forbiddenMailDomains = map[string]bool{ // ValidEmail returns an error if the input doesn't parse as an email address, // the domain isn't a valid hostname in Preferred Name Syntax, or its on the // list of domains forbidden for mail (because they are often used in examples). @@ -75,7 +75,7 @@ index bd4a28bf2..e28241d58 100644 email, err := mail.ParseAddress(address) if err != nil { if len(address) > 254 { -@@ -322,7 +345,7 @@ func ValidEmail(address string) error { +@@ -323,7 +346,7 @@ func ValidEmail(address string) error { } splitEmail := strings.SplitN(email.Address, "@", -1) domain := strings.ToLower(splitEmail[len(splitEmail)-1]) @@ -84,7 +84,7 @@ index bd4a28bf2..e28241d58 100644 if err != nil { return berrors.InvalidEmailError( "contact email %q has invalid domain : %s", -@@ -362,11 +385,15 @@ func (pa *AuthorityImpl) willingToIssue(id identifier.ACMEIdentifier) error { +@@ -363,11 +386,15 @@ func (pa *AuthorityImpl) willingToIssue(id identifier.ACMEIdentifier) error { } domain := id.Value @@ -101,7 +101,7 @@ index bd4a28bf2..e28241d58 100644 // Require no match against hostname block lists err = pa.checkHostLists(domain) if err != nil { -@@ -376,6 +403,31 @@ func (pa *AuthorityImpl) willingToIssue(id identifier.ACMEIdentifier) error { +@@ -377,6 +404,31 @@ func (pa *AuthorityImpl) willingToIssue(id identifier.ACMEIdentifier) error { return nil } diff --git a/patches/ra_ra.patch b/patches/ra_ra.patch index e51f564..adeb92d 100644 --- a/patches/ra_ra.patch +++ b/patches/ra_ra.patch @@ -1,8 +1,8 @@ diff --git a/ra/ra.go b/ra/ra.go -index 5316edba..f9adff61 100644 +index b55bcd92..e15670a9 100644 --- a/ra/ra.go 
+++ b/ra/ra.go -@@ -32,7 +32,6 @@ import ( +@@ -39,7 +39,6 @@ import ( "github.com/letsencrypt/boulder/issuance" blog "github.com/letsencrypt/boulder/log" "github.com/letsencrypt/boulder/metrics" @@ -10,7 +10,7 @@ index 5316edba..f9adff61 100644 "github.com/letsencrypt/boulder/probs" pubpb "github.com/letsencrypt/boulder/publisher/proto" rapb "github.com/letsencrypt/boulder/ra/proto" -@@ -504,7 +503,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error { +@@ -526,7 +525,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error { contact, ) }