Bump boulder version to release-2023-10-30
hakwerk committed Nov 3, 2023
1 parent 1030dfd commit c32f653
Showing 14 changed files with 38 additions and 72 deletions.
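--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,7 +13,7 @@ jobs:
 fail-fast: false
 matrix:
 GO_VERSION:
-- 1.21.1
+- 1.21.3
 
 steps:
 - name: Checkout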
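--- a/build/Dockerfile-boulder
+++ b/build/Dockerfile-boulder
@@ -1,4 +1,4 @@
-FROM letsencrypt/boulder-tools:go1.21.1_2023-09-07 AS boulder-tools
+FROM letsencrypt/boulder-tools:go1.21.3_2023-10-12 AS boulder-tools
 
 FROM ubuntu:focal
 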
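--- a/build/build.sh
+++ b/build/build.sh
@@ -8,7 +8,7 @@ TMP_DIR=$(pwd)/tmp
 rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src}
 
 boulderDir=$TMP_DIR/src
-boulderTag="release-2023-10-04"
+boulderTag="release-2023-10-30"
 boulderUrl="https://github.com/letsencrypt/boulder/"
 cloneDir=$(pwd)/..
 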
4 changes: 2 additions & 2 deletions build/tmp.patch
@@ -1,12 +1,12 @@
diff --git a/docker-compose.yml b/docker-compose.yml
index d52dfc3e..7d9fb59c 100644
index 06ee3b61f..7d9fb59c6 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -3,7 +3,7 @@ name: labca
services:
boulder:
# Should match one of the GO_DEV_VERSIONS in test/boulder-tools/tag_and_upload.sh.
- image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.21.1_2023-09-07}
- image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.21.3_2023-10-12}
+ image: ghcr.io/hakwerk/labca-boulder:${LABCA_IMAGE_VERSION:-latest}
environment:
# To solve HTTP-01 and TLS-ALPN-01 challenges, change the IP in FAKE_DNS
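--- a/install
+++ b/install
@@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0"
 
 labcaUrl="https://github.com/hakwerk/labca/"
 boulderUrl="https://github.com/letsencrypt/boulder/"
-boulderTag="release-2023-10-04"
+boulderTag="release-2023-10-30"
 
 # Feature flags
 flag_skip_redis=true
@@ -622,7 +622,6 @@ config_boulder() {
 cp core/interfaces.go "$boulderLabCADir/.backup/"
 cp policy/pa.go "$boulderLabCADir/.backup/"
 cp ra/ra.go "$boulderLabCADir/.backup/"
-cp reloader/reloader.go "$boulderLabCADir/.backup/"
 cp mail/mailer.go "$boulderLabCADir/.backup/"
 cp cmd/expiration-mailer/main.go "$boulderLabCADir/.backup/"
 cp cmd/notify-mailer/main.go "$boulderLabCADir/.backup/"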
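--- a/patch.sh
+++ b/patch.sh
@@ -43,7 +43,6 @@ $SUDO patch -p1 < $cloneDir/patches/policy_pa.patch
 $SUDO patch -p1 < $cloneDir/patches/ra_ra.patch
 $SUDO patch -p1 < $cloneDir/patches/ratelimit_rate-limits.patch
 $SUDO patch -p1 < $cloneDir/patches/ratelimits_names.patch
-$SUDO patch -p1 < $cloneDir/patches/reloader_reloader.patch
 $SUDO patch -p1 < $cloneDir/patches/startservers.patch
 if [ "$SUDO" == "" ]; then
 # TODO: should include this into startservers.patch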
4 changes: 2 additions & 2 deletions patches/docker-compose-redis.patch
@@ -1,5 +1,5 @@
diff --git a/docker-compose.yml b/docker-compose.yml
index 5be626d6..4c28fe96 100644
index 3c174f334..4020f447d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -22,8 +22,6 @@ services:
Expand Down Expand Up @@ -65,7 +65,7 @@ index 5be626d6..4c28fe96 100644
bconsul:
image: hashicorp/consul:1.15.4
volumes:
@@ -168,13 +126,6 @@ networks:
@@ -166,13 +124,6 @@ networks:
config:
- subnet: 10.88.88.0/24

22 changes: 10 additions & 12 deletions patches/docker-compose.patch
@@ -1,5 +1,5 @@
diff --git a/docker-compose.yml b/docker-compose.yml
index 4c28fe96..df62bf8b 100644
index 4020f447d..8d9819d01 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,4 +1,5 @@
Expand Down Expand Up @@ -89,7 +89,7 @@ index 4c28fe96..df62bf8b 100644

bconsul:
image: hashicorp/consul:1.15.4
@@ -89,27 +87,73 @@ services:
@@ -89,25 +87,73 @@ services:
rednet:
ipv4_address: 10.88.88.10
command: "consul agent -dev -config-format=hcl -config-file=/test/consul/config.hcl"
Expand Down Expand Up @@ -127,11 +127,15 @@ index 4c28fe96..df62bf8b 100644
+ max-size: "500k"
+ max-file: "5"
+ restart: always
+

- bjaeger:
- image: jaegertracing/all-in-one:1.50
+ nginx:
+ image: nginx:1.25.3
+ restart: always
+ networks:
networks:
- bluenet:
- ipv4_address: 10.77.77.17
+ - bluenet
+ ports:
+ - 80:80
Expand All @@ -140,16 +144,10 @@ index 4c28fe96..df62bf8b 100644
+ - /home/labca/nginx_data/conf.d:/etc/nginx/conf.d
+ - /home/labca/nginx_data/ssl:/etc/nginx/ssl
+ - /home/labca/nginx_data/static:/var/www/html

- bjaeger:
- image: jaegertracing/all-in-one:1.44
- environment:
- COLLECTOR_OTLP_ENABLED: "true"
+
+ control:
+ image: *boulder_image
networks:
- bluenet:
- ipv4_address: 10.77.77.17
+ networks:
+ - bluenet
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
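Review bot: The `control` service on the new side of the last hunk bind-mounts `/var/run/docker.sock` into the container, which gives any process in it full use of the Docker API and therefore root-equivalent access to the host, and nothing in the hunk constrains that. If the control container genuinely needs the API (presumably to manage the other services), consider fronting the socket with a filtering proxy that exposes only the endpoints it uses, and at minimum add a comment beside the mount such as `# WARNING: docker.sock grants root-equivalent host access; never expose this service beyond bluenet`. The same service runs `*boulder_image`, which build/tmp.patch in this commit resolves to a tag defaulting to `latest`, so the one container holding socket access also appears to be the least-pinned image in the stack; pinning it by digest or a fixed version would be worth it. The enclosing `services:` block starts and ends outside this hunk.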
2 changes: 1 addition & 1 deletion patches/notify-mailer_main.patch
Expand Up @@ -39,7 +39,7 @@ index a05366c3..da9d78c8 100644
+ logger := cmd.NewLogger(cmd.SyslogConfig{StdoutLevel: 7})
+ pa, err := policy.New(cfg.PA.Challenges, logger)
+ cmd.FailOnError(err, "Failed to create PA")
+ err = pa.SetHostnamePolicyFile(cfg.NotifyMailer.HostnamePolicyFile)
+ err = pa.LoadHostnamePolicyFile(cfg.NotifyMailer.HostnamePolicyFile)
+ cmd.FailOnError(err, "Failed to load HostnamePolicyFile")
+
var mailClient bmail.Mailer
18 changes: 9 additions & 9 deletions patches/policy_pa.patch
@@ -1,5 +1,5 @@
diff --git a/policy/pa.go b/policy/pa.go
index ff497a240..c21af1b23 100644
index 86f79703d..59d42879a 100644
--- a/policy/pa.go
+++ b/policy/pa.go
@@ -32,6 +32,8 @@ type AuthorityImpl struct {
Expand All @@ -20,8 +20,8 @@ index ff497a240..c21af1b23 100644
+ Lockdown []string `yaml:"Lockdown"`
}

// SetHostnamePolicyFile will load the given policy file, returning error if it
@@ -136,10 +141,20 @@ func (pa *AuthorityImpl) processHostnamePolicy(policy blockedNamesPolicy) error
// LoadHostnamePolicyFile will load the given policy file, returning an error if
@@ -131,10 +136,20 @@ func (pa *AuthorityImpl) processHostnamePolicy(policy blockedNamesPolicy) error
// wildcardNameMap to block issuance for `*.`+parts[1]
wildcardNameMap[parts[1]] = true
}
Expand All @@ -42,7 +42,7 @@ index ff497a240..c21af1b23 100644
pa.blocklistMu.Unlock()
return nil
}
@@ -210,7 +225,7 @@ var (
@@ -205,7 +220,7 @@ var (
// * exactly equal to an IANA registered TLD
//
// It does _not_ check that the domain isn't on any PA blocked lists.
Expand All @@ -51,7 +51,7 @@ index ff497a240..c21af1b23 100644
if domain == "" {
return errEmptyName
}
@@ -286,6 +301,14 @@ func ValidDomain(domain string) error {
@@ -281,6 +296,14 @@ func ValidDomain(domain string) error {
}
}

Expand All @@ -66,7 +66,7 @@ index ff497a240..c21af1b23 100644
// Names must end in an ICANN TLD, but they must not be equal to an ICANN TLD.
icannTLD, err := iana.ExtractSuffix(domain)
if err != nil {
@@ -313,7 +336,7 @@ var forbiddenMailDomains = map[string]bool{
@@ -308,7 +331,7 @@ var forbiddenMailDomains = map[string]bool{
// ValidEmail returns an error if the input doesn't parse as an email address,
// the domain isn't a valid hostname in Preferred Name Syntax, or its on the
// list of domains forbidden for mail (because they are often used in examples).
Expand All @@ -75,7 +75,7 @@ index ff497a240..c21af1b23 100644
email, err := mail.ParseAddress(address)
if err != nil {
if len(address) > 254 {
@@ -323,7 +346,7 @@ func ValidEmail(address string) error {
@@ -318,7 +341,7 @@ func ValidEmail(address string) error {
}
splitEmail := strings.SplitN(email.Address, "@", -1)
domain := strings.ToLower(splitEmail[len(splitEmail)-1])
Expand All @@ -84,7 +84,7 @@ index ff497a240..c21af1b23 100644
if err != nil {
return berrors.InvalidEmailError(
"contact email %q has invalid domain : %s",
@@ -363,11 +386,15 @@ func (pa *AuthorityImpl) willingToIssue(id identifier.ACMEIdentifier) error {
@@ -358,11 +381,15 @@ func (pa *AuthorityImpl) willingToIssue(id identifier.ACMEIdentifier) error {
}
domain := id.Value

Expand All @@ -101,7 +101,7 @@ index ff497a240..c21af1b23 100644
// Require no match against hostname block lists
err = pa.checkHostLists(domain)
if err != nil {
@@ -377,6 +404,31 @@ func (pa *AuthorityImpl) willingToIssue(id identifier.ACMEIdentifier) error {
@@ -372,6 +399,31 @@ func (pa *AuthorityImpl) willingToIssue(id identifier.ACMEIdentifier) error {
return nil
}

6 changes: 3 additions & 3 deletions patches/ra_ra.patch
@@ -1,16 +1,16 @@
diff --git a/ra/ra.go b/ra/ra.go
index 8000e6ad..ef136c00 100644
index 3dd269aad..22b43a30d 100644
--- a/ra/ra.go
+++ b/ra/ra.go
@@ -41,7 +41,6 @@ import (
@@ -44,7 +44,6 @@ import (
"github.com/letsencrypt/boulder/issuance"
blog "github.com/letsencrypt/boulder/log"
"github.com/letsencrypt/boulder/metrics"
- "github.com/letsencrypt/boulder/policy"
"github.com/letsencrypt/boulder/probs"
pubpb "github.com/letsencrypt/boulder/publisher/proto"
rapb "github.com/letsencrypt/boulder/ra/proto"
@@ -555,7 +554,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error {
@@ -563,7 +562,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error {
contact,
)
}
12 changes: 5 additions & 7 deletions patches/ratelimit_rate-limits.patch
@@ -1,32 +1,30 @@
diff --git a/ratelimit/rate-limits.go b/ratelimit/rate-limits.go
index 0d52801d..bd451521 100644
index 3c6bd75d0..ad849a4a5 100644
--- a/ratelimit/rate-limits.go
+++ b/ratelimit/rate-limits.go
@@ -57,6 +57,7 @@ type Limits interface {
@@ -56,6 +56,7 @@ type Limits interface {
CertificatesPerFQDNSetFast() RateLimitPolicy
NewOrdersPerAccount() RateLimitPolicy
LoadPolicies(contents []byte) error
+ RateLimitsURL() string
}

// limitsImpl is an unexported implementation of the Limits interface. It acts
@@ -140,6 +141,15 @@ func (r *limitsImpl) NewOrdersPerAccount() RateLimitPolicy {
@@ -120,6 +121,13 @@ func (r *limitsImpl) NewOrdersPerAccount() RateLimitPolicy {
return r.rlPolicy.NewOrdersPerAccount
}

+func (r *limitsImpl) RateLimitsURL() string {
+ r.RLock()
+ defer r.RUnlock()
+ if r.rlPolicy == nil {
+ return ""
+ }
+ return r.rlPolicy.RateLimitsURL
+}
+
// LoadPolicies loads various rate limiting policies from a byte array of
// YAML configuration (typically read from disk by a reloader)
// YAML configuration.
func (r *limitsImpl) LoadPolicies(contents []byte) error {
@@ -194,6 +204,8 @@ type rateLimitConfig struct {
@@ -171,6 +179,8 @@ type rateLimitConfig struct {
// lower threshold and smaller window), so that clients don't have to wait
// a long time after a small burst of accidental duplicate issuance.
CertificatesPerFQDNSetFast RateLimitPolicy `yaml:"certificatesPerFQDNSetFast"`
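Review bot: `RateLimitsURL` on the new side reads `r.rlPolicy` without the `r.RLock()`/`defer r.RUnlock()` pair the old patch held; the hunk's new addition count (13 lines against 15 before) suggests those two lines are what was dropped, presumably because the reloader-driven reload and its mutex went away in release-2023-10-30. That is only race-free if `rlPolicy` is assigned exactly once before the limiter is shared between goroutines, and `LoadPolicies` is still a method on `*limitsImpl` in this hunk, so anything that can call it after startup would make the unsynchronized read a data race. Please confirm the mutex really is gone from `limitsImpl` in this boulder version and record the assumption in the method comment, for example `// rlPolicy is set once by LoadPolicies before the limiter is shared; no lock is needed here.` The `limitsImpl` type definition and the rest of `LoadPolicies` are outside this hunk.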
28 changes: 0 additions & 28 deletions patches/reloader_reloader.patch

This file was deleted.

4 changes: 2 additions & 2 deletions patches/updater_updater.patch
@@ -1,8 +1,8 @@
diff --git a/crl/updater/updater.go b/crl/updater/updater.go
index 47e03490..faffb1cd 100644
index b7f4d4d6e..0d2f0c282 100644
--- a/crl/updater/updater.go
+++ b/crl/updater/updater.go
@@ -231,7 +231,7 @@ func (cu *crlUpdater) updateShard(ctx context.Context, atTime time.Time, issuerN
@@ -234,7 +234,7 @@ func (cu *crlUpdater) updateShard(ctx context.Context, atTime time.Time, issuerN
crlEntries = append(crlEntries, entry)
}

