From e808b18d2ae6ef1e17aff26645885b56c8d50f96 Mon Sep 17 00:00:00 2001
From: Arjan H
Date: Sun, 9 Nov 2025 17:03:16 +0100
Subject: [PATCH] Bump boulder version to v0.20251021.0
---
 .github/workflows/build-standalone.yml | 2 +-
 .github/workflows/golangci-lint.yml | 2 +-
 .github/workflows/release.yml | 2 +-
 build/Dockerfile-boulder | 2 +-
 build/Dockerfile-control | 2 +-
 build/build.sh | 2 +-
 build/docker-compose.yml | 4 ++--
 build/tmp2.patch | 4 ++--
 gui/apply-boulder | 2 --
 install | 2 +-
 patch-cfg.sh | 1 -
 patches/ca_ca.patch | 4 ++--
 patches/ca_ca_keytype_hack.patch | 4 ++--
 patches/ceremony_main.patch | 4 ++--
 patches/config_akamai-purger.patch | 21 -----------------
 patches/config_ra.patch | 4 ++--
 patches/issuance_issuer.patch | 14 +++++------
 patches/log_validator_validator.patch | 9 ++++----
 patches/policy_pa.patch | 32 +++++++++++++-------------
 patches/ra_ra.patch | 8 +++----
 patches/sfe_overrides.patch | 8 +++----
 patches/test_startservers.patch | 4 ++--
 patches/updater_updater.patch | 20 ++++++++++----------
 patches/va_va.patch | 8 +++----
 24 files changed, 71 insertions(+), 94 deletions(-)
 delete mode 100644 patches/config_akamai-purger.patch
diff --git a/.github/workflows/build-standalone.yml b/.github/workflows/build-standalone.yml
index d578e20..2bdfbef 100644
--- a/.github/workflows/build-standalone.yml
+++ b/.github/workflows/build-standalone.yml
@@ -17,7 +17,7 @@ jobs:
 fail-fast: false
 matrix:
 GO_VERSION:
- - 1.25.0
+ - 1.25.2
 steps:
 - name: Checkout
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
index 23944b7..baf712a 100644
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -20,7 +20,7 @@ jobs:
 fail-fast: false
 matrix:
 GO_VERSION:
- - 1.25.0
+ - 1.25.2
 steps:
 - uses: actions/checkout@v5
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c2853d3..3ee49aa 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,7 +13,7 @@ jobs:
 fail-fast: false
 matrix:
 GO_VERSION:
- - 1.25.0
+ - 1.25.2
 steps:
 - name: Checkout
diff --git a/build/Dockerfile-boulder b/build/Dockerfile-boulder
index 1e20814..feb604d 100644
--- a/build/Dockerfile-boulder
+++ b/build/Dockerfile-boulder
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:1
-FROM letsencrypt/boulder-tools:go1.25.0_2025-08-15 AS boulder-tools
+FROM letsencrypt/boulder-tools:go1.25.2_2025-10-07 AS boulder-tools
 FROM ubuntu:noble
diff --git a/build/Dockerfile-control b/build/Dockerfile-control
index 14e45fe..19ba89b 100644
--- a/build/Dockerfile-control
+++ b/build/Dockerfile-control
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:1
-FROM letsencrypt/boulder-tools:go1.25.0_2025-08-15 AS boulder-tools
+FROM letsencrypt/boulder-tools:go1.25.2_2025-10-07 AS boulder-tools
 FROM ubuntu:noble AS builder
diff --git a/build/build.sh b/build/build.sh
index fd4296e..97db010 100755
--- a/build/build.sh
+++ b/build/build.sh
@@ -8,7 +8,7 @@ TMP_DIR=$(pwd)/tmp rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src} boulderDir=$TMP_DIR/src -boulderTag="v0.20250908.0" +boulderTag="v0.20251021.0" boulderUrl="https://github.com/letsencrypt/boulder/" cloneDir=$(pwd)/..
diff --git a/build/docker-compose.yml b/build/docker-compose.yml
index fd9a67f..c916a19 100644
--- a/build/docker-compose.yml
+++ b/build/docker-compose.yml
@@ -9,7 +9,7 @@ services:
 context: test/boulder-tools/
 # Should match one of the GO_CI_VERSIONS in test/boulder-tools/tag_and_upload.sh.
 args:
- GO_VERSION: 1.25.0
+ GO_VERSION: 1.25.2
 environment:
 # To solve HTTP-01 and TLS-ALPN-01 challenges, change the IP in FAKE_DNS
 # to the IP address where your ACME client's solver is listening. This is
@@ -222,7 +222,7 @@ networks: # validate and issue for it. It is used by challtestsrv, which binds to # 64.112.117.122:80 and :443 for its HTTP-01 challenge responder. # - # TODO(#8215): Put akamai-test-srv and s3-test-srv on this network. + # TODO(#8215): Put s3-test-srv on this network. publicnet: driver: bridge ipam: diff --git a/build/tmp2.patch b/build/tmp2.patch index 1db1968..518d179 100644 --- a/build/tmp2.patch +++ b/build/tmp2.patch @@ -1,8 +1,8 @@ diff --git a/test/startservers.py b/test/startservers.py -index df82abbf8..08720c37e 100644 +index b1e7253a2..7df345767 100644 --- a/test/startservers.py +++ b/test/startservers.py -@@ -186,6 +186,9 @@ processes = [] +@@ -179,6 +179,9 @@ processes = [] challSrvProcess = None def install(race_detection, coverage=False): diff --git a/gui/apply-boulder b/gui/apply-boulder index a2d3374..8ca8ea4 100755 --- a/gui/apply-boulder +++ b/gui/apply-boulder @@ -177,8 +177,6 @@ else fi sed -i -e "s/\"timeout\": \"1s\"/\"timeout\": \"5s\"/" config/health-checker.json -sed -i -e "s/\"purgeInterval\": \".*\"/\"purgeInterval\": \"1s\"/" config/akamai-purger.json - for fl in $(grep -Rl maxOpenConns config/); do set +e m=$(grep "connMaxIdleTime" $fl) diff --git a/install b/install index c4ba4fc..e1c7e61 100755 --- a/install +++ b/install @@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0" labcaUrl="https://github.com/hakwerk/labca/" boulderUrl="https://github.com/letsencrypt/boulder/" -boulderTag="v0.20250908.0" +boulderTag="v0.20251021.0" # # Color configuration diff --git a/patch-cfg.sh b/patch-cfg.sh index 8dedf32..f7c29a9 100755 --- a/patch-cfg.sh +++ b/patch-cfg.sh 
@@ -21,7 +21,6 @@ $SUDO patch -p1 -o "$boulderLabCADir/config/crl-storer.json" < $cloneDir/patches $SUDO patch -p1 -o "$boulderLabCADir/config/crl-updater.json" < $cloneDir/patches/config_crl-updater.patch $SUDO patch -p1 -o "$boulderLabCADir/config/ca.json" < $cloneDir/patches/test_config_ca.patch $SUDO patch -p1 -o "$boulderLabCADir/config/ra.json" < $cloneDir/patches/config_ra.patch -$SUDO patch -p1 -o "$boulderLabCADir/config/akamai-purger.json" < $cloneDir/patches/config_akamai-purger.patch $SUDO patch -p1 -o "$boulderLabCADir/certs/generate.sh" < $cloneDir/patches/test_certs_generate.patch chmod +x $boulderLabCADir/certs/generate.sh diff --git a/patches/ca_ca.patch b/patches/ca_ca.patch index 5c60545..56e39dc 100644 --- a/patches/ca_ca.patch +++ b/patches/ca_ca.patch @@ -1,8 +1,8 @@ diff --git a/ca/ca.go b/ca/ca.go -index 4f5c863e0..8e4d57233 100644 +index 3b33991eb..b63f6a143 100644 --- a/ca/ca.go +++ b/ca/ca.go -@@ -170,10 +170,10 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) { +@@ -164,10 +164,10 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) { } } if i, ok := issuersByAlg[x509.ECDSA]; !ok || len(i) == 0 { diff --git a/patches/ca_ca_keytype_hack.patch b/patches/ca_ca_keytype_hack.patch index 672f861..508edca 100644 --- a/patches/ca_ca_keytype_hack.patch +++ b/patches/ca_ca_keytype_hack.patch @@ -1,8 +1,8 @@ diff --git a/ca/ca.go b/ca/ca.go -index 8e4d57233..8a95367ac 100644 +index b63f6a143..2ab73db94 100644 --- a/ca/ca.go +++ b/ca/ca.go -@@ -170,10 +170,14 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) { +@@ -164,10 +164,14 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) { } } if i, ok := issuersByAlg[x509.ECDSA]; !ok || len(i) == 0 { diff --git a/patches/ceremony_main.patch b/patches/ceremony_main.patch index 67c5b2a..841ab04 100644 --- a/patches/ceremony_main.patch +++ b/patches/ceremony_main.patch @@ -1,5 +1,5 @@ 
diff --git a/cmd/ceremony/main.go b/cmd/ceremony/main.go -index 1a2cde645..193d7e325 100644 +index c075c6615..9f51130b0 100644 --- a/cmd/ceremony/main.go +++ b/cmd/ceremony/main.go @@ -98,6 +98,7 @@ type keyGenConfig struct { @@ -33,7 +33,7 @@ index 1a2cde645..193d7e325 100644 } err = checkOutputFile(rc.Outputs.CertificatePath, "certificate-path") if err != nil { -@@ -630,23 +634,42 @@ func rootCeremony(configBytes []byte) error { +@@ -577,23 +581,42 @@ func rootCeremony(configBytes []byte) error { return fmt.Errorf("failed to setup session and PKCS#11 context for slot %d: %s", config.PKCS11.StoreSlot, err) } log.Printf("Opened PKCS#11 session for slot %d\n", config.PKCS11.StoreSlot) diff --git a/patches/config_akamai-purger.patch b/patches/config_akamai-purger.patch deleted file mode 100644 index 8f1acc8..0000000 --- a/patches/config_akamai-purger.patch +++ /dev/null @@ -1,21 +0,0 @@ -diff --git a/test/config/akamai-purger.json b/test/config/akamai-purger.json -index 62c5b4cc9..2c39d70cb 100644 ---- a/test/config/akamai-purger.json -+++ b/test/config/akamai-purger.json -@@ -9,9 +9,13 @@ - "accessToken": "idk-how-this-is-different-from-client-token-but-okay", - "v3Network": "staging", - "tls": { -- "caCertfile": "test/certs/ipki/minica.pem", -- "certFile": "test/certs/ipki/akamai-purger.boulder/cert.pem", -- "keyFile": "test/certs/ipki/akamai-purger.boulder/key.pem" -+ "caCertfile": "labca/certs/ipki/minica.pem", -+ "certFile": "labca/certs/ipki/akamai-purger.boulder/cert.pem", -+ "keyFile": "labca/certs/ipki/akamai-purger.boulder/key.pem" -+ }, -+ "throughput": { -+ "queueEntriesPerBatch": 5, -+ "purgeBatchInterval": "5m" - }, - "grpc": { - "address": ":9099", diff --git a/patches/config_ra.patch b/patches/config_ra.patch index 99aba30..9d25885 100644 --- a/patches/config_ra.patch +++ b/patches/config_ra.patch @@ -1,5 +1,5 @@ diff --git a/test/config/ra.json b/test/config/ra.json -index 1cecd4772..39b9f6284 100644 +index b2dcd15eb..3e8d5af59 100644 
--- a/test/config/ra.json +++ b/test/config/ra.json @@ -3,7 +3,8 @@ @@ -58,7 +58,7 @@ index 1cecd4772..39b9f6284 100644 }, "vaService": { "dnsAuthority": "consul.service.consul", -@@ -153,7 +149,7 @@ +@@ -143,7 +139,7 @@ }, "ctLogs": { "stagger": "500ms", diff --git a/patches/issuance_issuer.patch b/patches/issuance_issuer.patch index 0d81f08..f9f2355 100644 --- a/patches/issuance_issuer.patch +++ b/patches/issuance_issuer.patch @@ -1,5 +1,5 @@ diff --git a/issuance/issuer.go b/issuance/issuer.go -index e89143ea0..f0015706e 100644 +index 1c8b7ed1f..c21910db2 100644 --- a/issuance/issuer.go +++ b/issuance/issuer.go @@ -128,8 +128,8 @@ func LoadChain(certFiles []string) ([]*Certificate, error) { @@ -13,8 +13,8 @@ index e89143ea0..f0015706e 100644 lastCert.Subject, certFiles[len(certFiles)-1], err) } -@@ -149,7 +149,7 @@ type IssuerConfig struct { - Active bool +@@ -154,7 +154,7 @@ type IssuerConfig struct { + Profiles []string `validate:"omitempty,dive,alphanum,min=1,max=32"` IssuerURL string `validate:"required,url"` - CRLURLBase string `validate:"required,url,startswith=http://,endswith=/"` @@ -22,13 +22,13 @@ index e89143ea0..f0015706e 100644 // TODO(#8177): Remove this. OCSPURL string `validate:"omitempty,url"` -@@ -236,9 +236,6 @@ func newIssuer(config IssuerConfig, cert *Certificate, signer crypto.Signer, clk +@@ -239,9 +239,6 @@ func newIssuer(config IssuerConfig, cert *Certificate, signer crypto.Signer, clk if !strings.HasPrefix(config.CRLURLBase, "http://") { return nil, fmt.Errorf("crlURLBase must use HTTP scheme, got %q", config.CRLURLBase) } - if !strings.HasSuffix(config.CRLURLBase, "/") { - return nil, fmt.Errorf("crlURLBase must end with exactly one forward slash, got %q", config.CRLURLBase) - } - - // We require that all of our issuers be capable of both issuing certs and - // providing revocation information. + if config.CRLShards <= 0 { + return nil, errors.New("Number of CRL shards is required") + } 
diff --git a/patches/log_validator_validator.patch b/patches/log_validator_validator.patch index 224bef9..b33d44e 100644 --- a/patches/log_validator_validator.patch +++ b/patches/log_validator_validator.patch @@ -1,15 +1,16 @@ diff --git a/log/validator/validator.go b/log/validator/validator.go -index a73330cb3..a5a752063 100644 +index 6b02f83ae..4b066b44a 100644 --- a/log/validator/validator.go +++ b/log/validator/validator.go -@@ -203,8 +203,8 @@ func lineValid(text string) error { +@@ -203,9 +203,9 @@ func lineValid(text string) error { if strings.Contains(text, errorPrefix) { return nil } - // Check the extracted checksum against the computed checksum -- if computedChecksum := log.LogLineChecksum(line); checksum != computedChecksum { + // Check the extracted checksum against the computed checksum, but ignore "message repeated X times" lines -+ if computedChecksum := log.LogLineChecksum(line); checksum != computedChecksum && checksum != "message" { + computedChecksum := log.LogLineChecksum(line) +- if checksum != computedChecksum { ++ if checksum != computedChecksum && checksum != "message" { return fmt.Errorf("%s invalid checksum (expected %q, got %q)", errorPrefix, computedChecksum, checksum) } return nil diff --git a/patches/policy_pa.patch b/patches/policy_pa.patch index 4fcb580..9ceb77e 100644 --- a/patches/policy_pa.patch +++ b/patches/policy_pa.patch @@ -1,8 +1,8 @@ diff --git a/policy/pa.go b/policy/pa.go -index 961b67cb6..4e0ea33f6 100644 +index ab17bd89d..52866ef83 100644 --- a/policy/pa.go +++ b/policy/pa.go -@@ -31,6 +31,9 @@ type AuthorityImpl struct { +@@ -32,6 +32,9 @@ type AuthorityImpl struct { domainBlocklist map[string]bool fqdnBlocklist map[string]bool wildcardFqdnBlocklist map[string]bool 
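Review bot: In patches/log_validator_validator.patch the rewritten condition in `lineValid`, `checksum != computedChecksum && checksum != "message"`, exempts a line from checksum verification on the strength of one token, so every log line whose checksum field reads `message` is accepted without comparison, not only the syslog "message repeated X times" summaries that the comment names. Since this validator is the integrity check on the log stream, the exemption should match the whole summary form, for example `if checksum != computedChecksum && !(checksum == "message" && strings.HasPrefix(line, "repeated ")) {`, assuming `line` holds the text that follows the checksum field. The extraction of `checksum` and `line` happens earlier in `lineValid`, outside the hunk, so that assumption needs confirming there. Counting or logging the skipped summary lines would also make an unusual number of them visible to whoever watches the validator.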
@@ -12,7 +12,7 @@ index 961b67cb6..4e0ea33f6 100644 ipPrefixBlocklist []netip.Prefix blocklistMu sync.RWMutex -@@ -72,6 +75,10 @@ type blockedIdentsPolicy struct { +@@ -73,6 +76,10 @@ type blockedIdentsPolicy struct { // AdminBlockedPrefixes is a list of IP address prefixes. All IP addresses // contained within the prefix are blocked. AdminBlockedPrefixes []string `yaml:"AdminBlockedPrefixes"` @@ -23,7 +23,7 @@ index 961b67cb6..4e0ea33f6 100644 } // LoadIdentPolicyFile will load the given policy file, returning an error if it -@@ -143,11 +150,23 @@ func (pa *AuthorityImpl) processIdentPolicy(policy blockedIdentsPolicy) error { +@@ -144,11 +151,23 @@ func (pa *AuthorityImpl) processIdentPolicy(policy blockedIdentsPolicy) error { prefixes = append(prefixes, prefix) } @@ -47,7 +47,7 @@ index 961b67cb6..4e0ea33f6 100644 pa.blocklistMu.Unlock() return nil } -@@ -218,7 +237,7 @@ var ( +@@ -219,7 +238,7 @@ var ( // - exactly equal to an IANA registered TLD // // It does NOT ensure that the domain is absent from any PA blocked lists. @@ -56,7 +56,7 @@ index 961b67cb6..4e0ea33f6 100644 if domain == "" { return errEmptyIdentifier } -@@ -251,7 +270,9 @@ func validNonWildcardDomain(domain string) error { +@@ -252,7 +271,9 @@ func validNonWildcardDomain(domain string) error { return errTooManyLabels } if len(labels) < 2 { @@ -67,7 +67,7 @@ index 961b67cb6..4e0ea33f6 100644 } for _, label := range labels { // Check that this is a valid LDH Label: "A string consisting of ASCII -@@ -295,12 +316,17 @@ func validNonWildcardDomain(domain string) error { +@@ -296,12 +317,17 @@ func validNonWildcardDomain(domain string) error { } } 
@@ -89,7 +89,7 @@ index 961b67cb6..4e0ea33f6 100644 return errICANNTLD } -@@ -310,9 +336,9 @@ func validNonWildcardDomain(domain string) error { +@@ -311,9 +337,9 @@ func validNonWildcardDomain(domain string) error { // ValidDomain checks that a domain is valid and that it doesn't contain any // invalid wildcard characters. It does NOT ensure that the domain is absent // from any PA blocked lists. @@ -101,7 +101,7 @@ index 961b67cb6..4e0ea33f6 100644 } // Names containing more than one wildcard are invalid. -@@ -331,7 +357,7 @@ func ValidDomain(domain string) error { +@@ -332,7 +358,7 @@ func ValidDomain(domain string) error { // Names must end in an ICANN TLD, but they must not be equal to an ICANN TLD. icannTLD, err := iana.ExtractSuffix(baseDomain) @@ -110,7 +110,7 @@ index 961b67cb6..4e0ea33f6 100644 return errNonPublic } // Names must have a non-wildcard label immediately adjacent to the ICANN -@@ -339,7 +365,7 @@ func ValidDomain(domain string) error { +@@ -340,7 +366,7 @@ func ValidDomain(domain string) error { if baseDomain == icannTLD { return errICANNTLDWildcard } @@ -119,7 +119,7 @@ index 961b67cb6..4e0ea33f6 100644 } // ValidIP checks that an IP address: -@@ -382,14 +408,14 @@ var forbiddenMailDomains = map[string]bool{ +@@ -383,14 +409,14 @@ var forbiddenMailDomains = map[string]bool{ // ValidEmail returns an error if the input doesn't parse as an email address, // the domain isn't a valid hostname in Preferred Name Syntax, or its on the // list of domains forbidden for mail (because they are often used in examples). 
@@ -136,7 +136,7 @@ index 961b67cb6..4e0ea33f6 100644 if err != nil { return berrors.InvalidEmailError("contact email has invalid domain: %s", err) } -@@ -431,7 +457,7 @@ func subError(ident identifier.ACMEIdentifier, err error) berrors.SubBoulderErro +@@ -432,7 +458,7 @@ func subError(ident identifier.ACMEIdentifier, err error) berrors.SubBoulderErro // // Precondition: all input identifier values must be in lowercase. func (pa *AuthorityImpl) WillingToIssue(idents identifier.ACMEIdentifiers) error { @@ -145,7 +145,7 @@ index 961b67cb6..4e0ea33f6 100644 if err != nil { return err } -@@ -448,6 +474,10 @@ func (pa *AuthorityImpl) WillingToIssue(idents identifier.ACMEIdentifiers) error +@@ -449,6 +475,10 @@ func (pa *AuthorityImpl) WillingToIssue(idents identifier.ACMEIdentifiers) error // The base domain is the wildcard request with the `*.` prefix removed baseDomain := strings.TrimPrefix(ident.Value, "*.") @@ -156,7 +156,7 @@ index 961b67cb6..4e0ea33f6 100644 // The base domain can't be in the wildcard exact blocklist err = pa.checkWildcardBlocklist(baseDomain) if err != nil { -@@ -496,12 +526,12 @@ func (pa *AuthorityImpl) WillingToIssue(idents identifier.ACMEIdentifiers) error +@@ -497,12 +527,12 @@ func (pa *AuthorityImpl) WillingToIssue(idents identifier.ACMEIdentifiers) error // // If multiple identifiers are invalid, the error will contain suberrors // specific to each identifier. @@ -171,7 +171,7 @@ index 961b67cb6..4e0ea33f6 100644 if err != nil { subErrors = append(subErrors, subError(ident, err)) } -@@ -543,6 +573,34 @@ func combineSubErrors(subErrors []berrors.SubBoulderError) error { +@@ -544,6 +574,34 @@ func combineSubErrors(subErrors []berrors.SubBoulderError) error { return nil } 
@@ -206,7 +206,7 @@ index 961b67cb6..4e0ea33f6 100644 // checkWildcardBlocklist checks the wildcardExactBlocklist for a given domain. // If the domain is not present on the list nil is returned, otherwise // errPolicyForbidden is returned. -@@ -574,6 +632,9 @@ func (pa *AuthorityImpl) checkBlocklists(ident identifier.ACMEIdentifier) error +@@ -575,6 +633,9 @@ func (pa *AuthorityImpl) checkBlocklists(ident identifier.ACMEIdentifier) error labels := strings.Split(ident.Value, ".") for i := range labels { joined := strings.Join(labels[i:], ".") diff --git a/patches/ra_ra.patch b/patches/ra_ra.patch index bfcb965..7b4b0a2 100644 --- a/patches/ra_ra.patch +++ b/patches/ra_ra.patch @@ -1,8 +1,8 @@ diff --git a/ra/ra.go b/ra/ra.go -index ad3c496de..b676be83a 100644 +index 54e51cce5..af96bb245 100644 --- a/ra/ra.go +++ b/ra/ra.go -@@ -42,7 +42,6 @@ import ( +@@ -41,7 +41,6 @@ import ( "github.com/letsencrypt/boulder/issuance" blog "github.com/letsencrypt/boulder/log" "github.com/letsencrypt/boulder/metrics" @@ -10,7 +10,7 @@ index ad3c496de..b676be83a 100644 "github.com/letsencrypt/boulder/probs" pubpb "github.com/letsencrypt/boulder/publisher/proto" rapb "github.com/letsencrypt/boulder/ra/proto" -@@ -568,7 +567,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error { +@@ -567,7 +566,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error { if !core.IsASCII(contact) { return berrors.InvalidEmailError("contact email contains non-ASCII characters") } @@ -19,7 +19,7 @@ index ad3c496de..b676be83a 100644 if err != nil { return err } -@@ -1854,6 +1853,9 @@ func crlShard(cert *x509.Certificate) (int64, error) { +@@ -1850,6 +1849,9 @@ func crlShard(cert *x509.Certificate) (int64, error) { return 0, fmt.Errorf("malformed CRLDistributionPoint %q", url) } shardStr := url[lastIndex+1:] diff --git a/patches/sfe_overrides.patch b/patches/sfe_overrides.patch index ce5e0cd..f5840a0 100644 --- a/patches/sfe_overrides.patch 
+++ b/patches/sfe_overrides.patch @@ -1,8 +1,8 @@ diff --git a/sfe/overrides.go b/sfe/overrides.go -index e48c087a9..644371825 100644 +index e313f27b7..28b024373 100644 --- a/sfe/overrides.go +++ b/sfe/overrides.go -@@ -14,6 +14,7 @@ import ( +@@ -15,6 +15,7 @@ import ( emailpb "github.com/letsencrypt/boulder/email/proto" berrors "github.com/letsencrypt/boulder/errors" "github.com/letsencrypt/boulder/iana" @@ -10,7 +10,7 @@ index e48c087a9..644371825 100644 "github.com/letsencrypt/boulder/policy" rl "github.com/letsencrypt/boulder/ratelimits" "github.com/letsencrypt/boulder/sfe/forms" -@@ -362,7 +363,11 @@ func validateOverrideRequestField(fieldName, fieldValue, rateLimit string) error +@@ -346,7 +347,11 @@ func validateOverrideRequestField(fieldName, fieldValue, rateLimit string) error return nil case emailAddressFieldName: @@ -23,7 +23,7 @@ index e48c087a9..644371825 100644 if err == nil { return nil } -@@ -388,7 +393,11 @@ func validateOverrideRequestField(fieldName, fieldValue, rateLimit string) error +@@ -372,7 +377,11 @@ func validateOverrideRequestField(fieldName, fieldValue, rateLimit string) error return fmt.Errorf("IP address is invalid") case RegisteredDomainFieldName: diff --git a/patches/test_startservers.patch b/patches/test_startservers.patch index 3d3e1f8..25f45d8 100644 --- a/patches/test_startservers.patch +++ b/patches/test_startservers.patch @@ -1,8 +1,8 @@ diff --git a/test/startservers.py b/test/startservers.py -index 9a46c7db2..df82abbf8 100644 +index c045ff280..b1e7253a2 100644 --- a/test/startservers.py +++ b/test/startservers.py -@@ -77,6 +77,10 @@ SERVICES = ( +@@ -69,6 +69,10 @@ SERVICES = ( 9667, None, None, ('./bin/boulder', 'crl-storer', '--config', os.path.join(config_dir, 'crl-storer.json'), '--addr', ':9309', '--debug-addr', ':9667'), ('s3-test-srv',)), diff --git a/patches/updater_updater.patch b/patches/updater_updater.patch index 9fd8321..01f85a6 100644 --- a/patches/updater_updater.patch +++ b/patches/updater_updater.patch 
@@ -1,8 +1,8 @@ diff --git a/crl/updater/updater.go b/crl/updater/updater.go -index 600b17f22..bef3305b3 100644 +index 9020c6c62..09b31f88a 100644 --- a/crl/updater/updater.go +++ b/crl/updater/updater.go -@@ -80,7 +80,7 @@ func NewUpdater( +@@ -72,7 +72,7 @@ func NewUpdater( return nil, fmt.Errorf("must have positive number of shards, got: %d", numShards) } @@ -11,12 +11,12 @@ index 600b17f22..bef3305b3 100644 return nil, fmt.Errorf("must update CRLs at least every 24 hours, got: %s", updatePeriod) } -@@ -307,7 +307,7 @@ func (cu *crlUpdater) updateShard(ctx context.Context, atTime time.Time, issuerN - return fmt.Errorf("streaming GetRevokedCerts: %w", err) - } - -- cu.log.Infof( -+ cu.log.Debugf( - "Queried SA for CRL shard: id=[%s] expiresAfter=[%s] expiresBefore=[%s] numEntries=[%d]", - crlID, chunk.start, chunk.end, n) +@@ -229,7 +229,7 @@ func (cu *crlUpdater) updateShard(ctx context.Context, atTime time.Time, issuerN + crlEntries = append(crlEntries, entry) } + +- cu.log.Infof("Queried SA for CRL shard: id=[%s] shardIdx=[%d] numEntries=[%d]", crlID, shardIdx, len(crlEntries)) ++ cu.log.Debugf("Queried SA for CRL shard: id=[%s] shardIdx=[%d] numEntries=[%d]", crlID, shardIdx, len(crlEntries)) + + // Send the full list of CRL Entries to the CA. + caStream, err := cu.ca.GenerateCRL(ctx) diff --git a/patches/va_va.patch b/patches/va_va.patch index fe43612..2f44cbb 100644 --- a/patches/va_va.patch +++ b/patches/va_va.patch @@ -1,8 +1,8 @@ diff --git a/va/va.go b/va/va.go -index 4307e57b4..c63b2dea8 100644 +index 4993aec36..161cbacda 100644 --- a/va/va.go +++ b/va/va.go -@@ -218,6 +218,7 @@ type ValidationAuthorityImpl struct { +@@ -219,6 +219,7 @@ type ValidationAuthorityImpl struct { perspective string rir string isReservedIPFunc func(netip.Addr) error 
@@ -10,7 +10,7 @@ index 4307e57b4..c63b2dea8 100644 metrics *vaMetrics } -@@ -238,6 +239,7 @@ func NewValidationAuthorityImpl( +@@ -239,6 +240,7 @@ func NewValidationAuthorityImpl( perspective string, rir string, reservedIPChecker func(netip.Addr) error, @@ -18,7 +18,7 @@ index 4307e57b4..c63b2dea8 100644 ) (*ValidationAuthorityImpl, error) { if len(accountURIPrefixes) == 0 { -@@ -275,6 +277,7 @@ func NewValidationAuthorityImpl( +@@ -276,6 +278,7 @@ func NewValidationAuthorityImpl( perspective: perspective, rir: rir, isReservedIPFunc: reservedIPChecker,