From c32f653adbd75a4912eed24ae0dfab758aaf2fdb Mon Sep 17 00:00:00 2001
From: Arjan H
Date: Fri, 3 Nov 2023 20:09:56 +0100
Subject: [PATCH] Bump boulder version to release-2023-10-30
---
 .github/workflows/release.yml | 2 +-
 build/Dockerfile-boulder | 2 +-
 build/build.sh | 2 +-
 build/tmp.patch | 4 ++--
 install | 3 +--
 patch.sh | 1 -
 patches/docker-compose-redis.patch | 4 ++--
 patches/docker-compose.patch | 22 ++++++++++------------
 patches/notify-mailer_main.patch | 2 +-
 patches/policy_pa.patch | 18 +++++++++---------
 patches/ra_ra.patch | 6 +++---
 patches/ratelimit_rate-limits.patch | 12 +++++-------
 patches/reloader_reloader.patch | 28 ----------------------------
 patches/updater_updater.patch | 4 ++--
 14 files changed, 38 insertions(+), 72 deletions(-)
 delete mode 100644 patches/reloader_reloader.patch
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ac5ca92..596642c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,7 +13,7 @@ jobs:
 fail-fast: false
 matrix:
 GO_VERSION:
- - 1.21.1
+ - 1.21.3
 steps:
 - name: Checkout
diff --git a/build/Dockerfile-boulder b/build/Dockerfile-boulder
index fa35740..5bf4f9f 100644
--- a/build/Dockerfile-boulder
+++ b/build/Dockerfile-boulder
@@ -1,4 +1,4 @@
-FROM letsencrypt/boulder-tools:go1.21.1_2023-09-07 AS boulder-tools
+FROM letsencrypt/boulder-tools:go1.21.3_2023-10-12 AS boulder-tools
 FROM ubuntu:focal
diff --git a/build/build.sh b/build/build.sh
index 6eb35c2..645eb61 100755
--- a/build/build.sh
+++ b/build/build.sh
@@ -8,7 +8,7 @@ TMP_DIR=$(pwd)/tmp
 rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src}
 boulderDir=$TMP_DIR/src
-boulderTag="release-2023-10-04"
+boulderTag="release-2023-10-30"
 boulderUrl="https://github.com/letsencrypt/boulder/"
 cloneDir=$(pwd)/..
diff --git a/build/tmp.patch b/build/tmp.patch
index 7262330..9e2af03 100644
--- a/build/tmp.patch
+++ b/build/tmp.patch
@@ -1,12 +1,12 @@ 
diff --git a/docker-compose.yml b/docker-compose.yml -index d52dfc3e..7d9fb59c 100644 +index 06ee3b61f..7d9fb59c6 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -3,7 +3,7 @@ name: labca services: boulder: # Should match one of the GO_DEV_VERSIONS in test/boulder-tools/tag_and_upload.sh. -- image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.21.1_2023-09-07} +- image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.21.3_2023-10-12} + image: ghcr.io/hakwerk/labca-boulder:${LABCA_IMAGE_VERSION:-latest} environment: # To solve HTTP-01 and TLS-ALPN-01 challenges, change the IP in FAKE_DNS diff --git a/install b/install index 8ed2651..3fff82d 100755 --- a/install +++ b/install @@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0" labcaUrl="https://github.com/hakwerk/labca/" boulderUrl="https://github.com/letsencrypt/boulder/" -boulderTag="release-2023-10-04" +boulderTag="release-2023-10-30" # Feature flags flag_skip_redis=true @@ -622,7 +622,6 @@ config_boulder() { cp core/interfaces.go "$boulderLabCADir/.backup/" cp policy/pa.go "$boulderLabCADir/.backup/" cp ra/ra.go "$boulderLabCADir/.backup/" - cp reloader/reloader.go "$boulderLabCADir/.backup/" cp mail/mailer.go "$boulderLabCADir/.backup/" cp cmd/expiration-mailer/main.go "$boulderLabCADir/.backup/" cp cmd/notify-mailer/main.go "$boulderLabCADir/.backup/" diff --git a/patch.sh b/patch.sh index 86f5bee..58a0040 100755 --- a/patch.sh +++ b/patch.sh @@ -43,7 +43,6 @@ $SUDO patch -p1 < $cloneDir/patches/policy_pa.patch $SUDO patch -p1 < $cloneDir/patches/ra_ra.patch $SUDO patch -p1 < $cloneDir/patches/ratelimit_rate-limits.patch $SUDO patch -p1 < $cloneDir/patches/ratelimits_names.patch -$SUDO patch -p1 < $cloneDir/patches/reloader_reloader.patch $SUDO patch -p1 < $cloneDir/patches/startservers.patch if [ "$SUDO" == "" ]; then # TODO: should include this into startservers.patch 
diff --git a/patches/docker-compose-redis.patch b/patches/docker-compose-redis.patch index 7108a9f..45db218 100644 --- a/patches/docker-compose-redis.patch +++ b/patches/docker-compose-redis.patch @@ -1,5 +1,5 @@ diff --git a/docker-compose.yml b/docker-compose.yml -index 5be626d6..4c28fe96 100644 +index 3c174f334..4020f447d 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -22,8 +22,6 @@ services: @@ -65,7 +65,7 @@ index 5be626d6..4c28fe96 100644 bconsul: image: hashicorp/consul:1.15.4 volumes: -@@ -168,13 +126,6 @@ networks: +@@ -166,13 +124,6 @@ networks: config: - subnet: 10.88.88.0/24 diff --git a/patches/docker-compose.patch b/patches/docker-compose.patch index dafdbf3..339d146 100644 --- a/patches/docker-compose.patch +++ b/patches/docker-compose.patch @@ -1,5 +1,5 @@ diff --git a/docker-compose.yml b/docker-compose.yml -index 4c28fe96..df62bf8b 100644 +index 4020f447d..8d9819d01 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,4 +1,5 @@ @@ -89,7 +89,7 @@ index 4c28fe96..df62bf8b 100644 bconsul: image: hashicorp/consul:1.15.4 -@@ -89,27 +87,73 @@ services: +@@ -89,25 +87,73 @@ services: rednet: ipv4_address: 10.88.88.10 command: "consul agent -dev -config-format=hcl -config-file=/test/consul/config.hcl" @@ -127,11 +127,15 @@ index 4c28fe96..df62bf8b 100644 + max-size: "500k" + max-file: "5" + restart: always -+ + +- bjaeger: +- image: jaegertracing/all-in-one:1.50 + nginx: + image: nginx:1.25.3 + restart: always -+ networks: + networks: +- bluenet: +- ipv4_address: 10.77.77.17 + - bluenet + ports: + - 80:80 
@@ -140,16 +144,10 @@ index 4c28fe96..df62bf8b 100644 + - /home/labca/nginx_data/conf.d:/etc/nginx/conf.d + - /home/labca/nginx_data/ssl:/etc/nginx/ssl + - /home/labca/nginx_data/static:/var/www/html - -- bjaeger: -- image: jaegertracing/all-in-one:1.44 -- environment: -- COLLECTOR_OTLP_ENABLED: "true" ++ + control: + image: *boulder_image - networks: -- bluenet: -- ipv4_address: 10.77.77.17 ++ networks: + - bluenet + volumes: + - /var/run/docker.sock:/var/run/docker.sock diff --git a/patches/notify-mailer_main.patch b/patches/notify-mailer_main.patch index 7b2d3ba..a257bd1 100644 --- a/patches/notify-mailer_main.patch +++ b/patches/notify-mailer_main.patch @@ -39,7 +39,7 @@ index a05366c3..da9d78c8 100644 + logger := cmd.NewLogger(cmd.SyslogConfig{StdoutLevel: 7}) + pa, err := policy.New(cfg.PA.Challenges, logger) + cmd.FailOnError(err, "Failed to create PA") -+ err = pa.SetHostnamePolicyFile(cfg.NotifyMailer.HostnamePolicyFile) ++ err = pa.LoadHostnamePolicyFile(cfg.NotifyMailer.HostnamePolicyFile) + cmd.FailOnError(err, "Failed to load HostnamePolicyFile") + var mailClient bmail.Mailer diff --git a/patches/policy_pa.patch b/patches/policy_pa.patch index fdad6fc..f0f58f6 100644 --- a/patches/policy_pa.patch +++ b/patches/policy_pa.patch @@ -1,5 +1,5 @@ diff --git a/policy/pa.go b/policy/pa.go -index ff497a240..c21af1b23 100644 +index 86f79703d..59d42879a 100644 --- a/policy/pa.go +++ b/policy/pa.go @@ -32,6 +32,8 @@ type AuthorityImpl struct { 
@@ -20,8 +20,8 @@ index ff497a240..c21af1b23 100644 + Lockdown []string `yaml:"Lockdown"` } - // SetHostnamePolicyFile will load the given policy file, returning error if it -@@ -136,10 +141,20 @@ func (pa *AuthorityImpl) processHostnamePolicy(policy blockedNamesPolicy) error + // LoadHostnamePolicyFile will load the given policy file, returning an error if +@@ -131,10 +136,20 @@ func (pa *AuthorityImpl) processHostnamePolicy(policy blockedNamesPolicy) error // wildcardNameMap to block issuance for `*.`+parts[1] wildcardNameMap[parts[1]] = true } @@ -42,7 +42,7 @@ index ff497a240..c21af1b23 100644 pa.blocklistMu.Unlock() return nil } -@@ -210,7 +225,7 @@ var ( +@@ -205,7 +220,7 @@ var ( // * exactly equal to an IANA registered TLD // // It does _not_ check that the domain isn't on any PA blocked lists. @@ -51,7 +51,7 @@ index ff497a240..c21af1b23 100644 if domain == "" { return errEmptyName } -@@ -286,6 +301,14 @@ func ValidDomain(domain string) error { +@@ -281,6 +296,14 @@ func ValidDomain(domain string) error { } } @@ -66,7 +66,7 @@ index ff497a240..c21af1b23 100644 // Names must end in an ICANN TLD, but they must not be equal to an ICANN TLD. icannTLD, err := iana.ExtractSuffix(domain) if err != nil { -@@ -313,7 +336,7 @@ var forbiddenMailDomains = map[string]bool{ +@@ -308,7 +331,7 @@ var forbiddenMailDomains = map[string]bool{ // ValidEmail returns an error if the input doesn't parse as an email address, // the domain isn't a valid hostname in Preferred Name Syntax, or its on the // list of domains forbidden for mail (because they are often used in examples). @@ -75,7 +75,7 @@ index ff497a240..c21af1b23 100644 email, err := mail.ParseAddress(address) if err != nil { if len(address) > 254 { -@@ -323,7 +346,7 @@ func ValidEmail(address string) error { +@@ -318,7 +341,7 @@ func ValidEmail(address string) error { } splitEmail := strings.SplitN(email.Address, "@", -1) domain := strings.ToLower(splitEmail[len(splitEmail)-1]) 
@@ -84,7 +84,7 @@ index ff497a240..c21af1b23 100644 if err != nil { return berrors.InvalidEmailError( "contact email %q has invalid domain : %s", -@@ -363,11 +386,15 @@ func (pa *AuthorityImpl) willingToIssue(id identifier.ACMEIdentifier) error { +@@ -358,11 +381,15 @@ func (pa *AuthorityImpl) willingToIssue(id identifier.ACMEIdentifier) error { } domain := id.Value @@ -101,7 +101,7 @@ index ff497a240..c21af1b23 100644 // Require no match against hostname block lists err = pa.checkHostLists(domain) if err != nil { -@@ -377,6 +404,31 @@ func (pa *AuthorityImpl) willingToIssue(id identifier.ACMEIdentifier) error { +@@ -372,6 +399,31 @@ func (pa *AuthorityImpl) willingToIssue(id identifier.ACMEIdentifier) error { return nil } diff --git a/patches/ra_ra.patch b/patches/ra_ra.patch index fdcea1d..4e02a26 100644 --- a/patches/ra_ra.patch +++ b/patches/ra_ra.patch @@ -1,8 +1,8 @@ diff --git a/ra/ra.go b/ra/ra.go -index 8000e6ad..ef136c00 100644 +index 3dd269aad..22b43a30d 100644 --- a/ra/ra.go +++ b/ra/ra.go -@@ -41,7 +41,6 @@ import ( +@@ -44,7 +44,6 @@ import ( "github.com/letsencrypt/boulder/issuance" blog "github.com/letsencrypt/boulder/log" "github.com/letsencrypt/boulder/metrics" @@ -10,7 +10,7 @@ index 8000e6ad..ef136c00 100644 "github.com/letsencrypt/boulder/probs" pubpb "github.com/letsencrypt/boulder/publisher/proto" rapb "github.com/letsencrypt/boulder/ra/proto" -@@ -555,7 +554,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error { +@@ -563,7 +562,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error { contact, ) } diff --git a/patches/ratelimit_rate-limits.patch b/patches/ratelimit_rate-limits.patch index 190596e..9c0a9ec 100644 --- a/patches/ratelimit_rate-limits.patch +++ b/patches/ratelimit_rate-limits.patch @@ -1,8 +1,8 @@ diff --git a/ratelimit/rate-limits.go b/ratelimit/rate-limits.go -index 0d52801d..bd451521 100644 +index 3c6bd75d0..ad849a4a5 100644 --- a/ratelimit/rate-limits.go 
+++ b/ratelimit/rate-limits.go -@@ -57,6 +57,7 @@ type Limits interface { +@@ -56,6 +56,7 @@ type Limits interface { CertificatesPerFQDNSetFast() RateLimitPolicy NewOrdersPerAccount() RateLimitPolicy LoadPolicies(contents []byte) error @@ -10,13 +10,11 @@ index 0d52801d..bd451521 100644 } // limitsImpl is an unexported implementation of the Limits interface. It acts -@@ -140,6 +141,15 @@ func (r *limitsImpl) NewOrdersPerAccount() RateLimitPolicy { +@@ -120,6 +121,13 @@ func (r *limitsImpl) NewOrdersPerAccount() RateLimitPolicy { return r.rlPolicy.NewOrdersPerAccount } +func (r *limitsImpl) RateLimitsURL() string { -+ r.RLock() -+ defer r.RUnlock() + if r.rlPolicy == nil { + return "" + } @@ -24,9 +22,9 @@ index 0d52801d..bd451521 100644 +} + // LoadPolicies loads various rate limiting policies from a byte array of - // YAML configuration (typically read from disk by a reloader) + // YAML configuration. func (r *limitsImpl) LoadPolicies(contents []byte) error { -@@ -194,6 +204,8 @@ type rateLimitConfig struct { +@@ -171,6 +179,8 @@ type rateLimitConfig struct { // lower threshold and smaller window), so that clients don't have to wait // a long time after a small burst of accidental duplicate issuance. CertificatesPerFQDNSetFast RateLimitPolicy `yaml:"certificatesPerFQDNSetFast"` diff --git a/patches/reloader_reloader.patch b/patches/reloader_reloader.patch deleted file mode 100644 index 752619b..0000000 --- a/patches/reloader_reloader.patch +++ /dev/null 
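Review bot: In the `@@ -10,13 +10,11 @@` hunk the patched `RateLimitsURL()` now reads `r.rlPolicy` without the `r.RLock()`/`defer r.RUnlock()` pair the previous version of this patch took, and nothing in the hunk records why. If upstream's `limitsImpl` dropped its embedded mutex together with the reloader (the `@@ -24,9 +22,9 @@` hunk's comment change from "typically read from disk by a reloader" to plain "YAML configuration." points that way), the removal is correct; if the mutex is still there and `LoadPolicies` can still run concurrently with request handling, this is an unsynchronized read of `r.rlPolicy`. Either way the method should carry a one-line comment stating the reason, e.g. `// No lock: rlPolicy is set once by LoadPolicies before serving and is no longer reloaded.` — confirm against the release-2023-10-30 source before relying on it. The `limitsImpl` type and the body of `LoadPolicies` lie outside this hunk.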
@@ -1,28 +0,0 @@ -diff --git a/reloader/reloader.go b/reloader/reloader.go -index 7200d707a..989db0eec 100644 ---- a/reloader/reloader.go -+++ b/reloader/reloader.go -@@ -12,7 +12,7 @@ import ( - - // Wrap time.Tick so we can override it in tests. - var makeTicker = func() (func(), <-chan time.Time) { -- t := time.NewTicker(1 * time.Second) -+ t := time.NewTicker(30 * time.Second) - return t.Stop, t.C - } - -@@ -56,8 +56,12 @@ func New(filename string, dataCallback func([]byte) error, logger blog.Logger) ( - case <-tickChan: - currentFileInfo, err := statFile(filename) - if err != nil { -- logger.Errf("statting %s: %s", filename, err) -- continue -+ time.Sleep(10 * time.Second) -+ currentFileInfo, err = statFile(filename) -+ if err != nil { -+ logger.Errf("statting %s: %s", filename, err) -+ continue -+ } - } - if !currentFileInfo.ModTime().After(fileInfo.ModTime()) { - continue diff --git a/patches/updater_updater.patch b/patches/updater_updater.patch index c30b95e..8ce1fa5 100644 --- a/patches/updater_updater.patch +++ b/patches/updater_updater.patch @@ -1,8 +1,8 @@ diff --git a/crl/updater/updater.go b/crl/updater/updater.go -index 47e03490..faffb1cd 100644 +index b7f4d4d6e..0d2f0c282 100644 --- a/crl/updater/updater.go +++ b/crl/updater/updater.go -@@ -231,7 +231,7 @@ func (cu *crlUpdater) updateShard(ctx context.Context, atTime time.Time, issuerN +@@ -234,7 +234,7 @@ func (cu *crlUpdater) updateShard(ctx context.Context, atTime time.Time, issuerN crlEntries = append(crlEntries, entry) }