Bump boulder version to release-2025-01-06

build/build.sh

@@ -8,7 +8,7 @@ TMP_DIR=$(pwd)/tmp
 rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src}
 
 boulderDir=$TMP_DIR/src
-boulderTag="release-2024-12-10"
+boulderTag="release-2025-01-06"
 boulderUrl="https://github.com/letsencrypt/boulder/"
 cloneDir=$(pwd)/..
 

commander

@@ -181,12 +181,12 @@ case $txt in
     read serial
     read reason
     cd /opt/boulder
-    docker compose exec boulder bin/admin -config labca/config/admin.json revoke-cert -serial $serial -reason $reason -dry-run=false 2>&1
+    docker compose exec boulder bin/boulder admin -config labca/config/admin.json revoke-cert -serial $serial -reason $reason -dry-run=false 2>&1
     ;;
 "test-email")
     read recipient
     cd /opt/boulder
-    docker compose exec boulder bin/mail-tester --config labca/config/expiration-mailer.json $recipient 2>&1
+    docker compose exec boulder bin/boulder mail-tester --config labca/config/expiration-mailer.json $recipient 2>&1
     ;;
 "boulder-start")
     cd /opt/boulder

gui/apply-boulder

@@ -77,8 +77,8 @@ sed -i -e "s/\"directoryCAAIdentity\": \".*\"/\"directoryCAAIdentity\": \"$PKI_D
 
 if ([ "$PKI_DOMAIN_MODE" == "lockdown" ] && [ "$PKI_LOCKDOWN_DOMAINS" != "" ]) || ([ "$PKI_DOMAIN_MODE" == "whitelist" ] && [ "$PKI_WHITELIST_DOMAINS" != "" ]); then
     perl -i -p0e "s/(\"badResultsOnly\":[^\n]*).*?(\s+)(\"checkPeriod\":)/\1\2\"skipForbiddenDomains\": true,\2\3/igs" config/cert-checker.json
-    perl -i -p0e "s/(\"ignoredLints\": \[).*?(\s+)(\"w_subject_common_name_included\")/\1\2\"e_dnsname_not_valid_tld\",\2\3/igs" config/cert-checker.json
-    perl -i -p0e "s/(\"ignoredLints\": \[).*?(\s+)(\"w_subject_common_name_included\")/\1\2\"e_dnsname_not_valid_tld\",\2\3/igs" config/ca.json
+    perl -i -p0e "s/(\"ignoredLints\": \[).*?(\s+)(\"w_subject_common_name_included\")/\1\2\"e_dnsname_not_valid_tld\",\2\"w_sub_cert_aia_contains_internal_names\",\2\3/igs" config/cert-checker.json
+    perl -i -p0e "s/(\"ignoredLints\": \[).*?(\s+)(\"w_subject_common_name_included\")/\1\2\"e_dnsname_not_valid_tld\",\2\"w_sub_cert_aia_contains_internal_names\",\2\3/igs" config/ca.json
 
     perl -i -p0e "s/(\"SubscriberKeyUsageValidator:cabf.serverauth.subscriber_rsa_digitalsignature_and_keyencipherment_present\",).*(\])/\1\n  \"GeneralNameDnsNameInternalDomainNameValidator:cabf.internal_domain_name\",\n  \"GeneralNameUriInternalDomainNameValidator:cabf.internal_domain_name\",\n\2/igs" config/zlint.toml
 fi

install

@@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0"
 
 labcaUrl="https://github.com/hakwerk/labca/"
 boulderUrl="https://github.com/letsencrypt/boulder/"
-boulderTag="release-2024-12-10"
+boulderTag="release-2025-01-06"
 
 # Feature flags
 flag_skip_redis=true

mailer

@@ -6,4 +6,4 @@ TODAY=`date '+%Y_%m_%d'`
 echo "Running cron-$(basename $0) for ${TODAY}..."
 
 cd /opt/boulder
-docker compose exec boulder bin/expiration-mailer --config labca/config/expiration-mailer.json 2>&1
+docker compose exec boulder bin/boulder expiration-mailer --config labca/config/expiration-mailer.json 2>&1

patches/db_migrations.patch

@@ -1,5 +1,5 @@
 diff --git a/sa/db/boulder_sa/20230419000000_CombinedSchema.sql b/sa/db/boulder_sa/20230419000000_CombinedSchema.sql
-index ff8e54320..347f72fff 100644
+index 42c489be9..d2b1eb43b 100644
 --- a/sa/db/boulder_sa/20230419000000_CombinedSchema.sql
 +++ b/sa/db/boulder_sa/20230419000000_CombinedSchema.sql
 @@ -1,7 +1,9 @@
@@ -88,7 +88,7 @@ index ff8e54320..347f72fff 100644
    `id` bigint(20) UNSIGNED NOT NULL AUTO_INCREMENT,
    `setHash` binary(32) NOT NULL,
    `serial` varchar(255) NOT NULL,
-@@ -91,11 +102,9 @@ CREATE TABLE `fqdnSets` (
+@@ -93,11 +104,9 @@ CREATE TABLE `fqdnSets` (
    PRIMARY KEY (`id`),
    KEY `serial` (`serial`),
    KEY `setHash_issued_idx` (`setHash`,`issued`)
@@ -102,7 +102,7 @@ index ff8e54320..347f72fff 100644
    `id` bigint(20) UNSIGNED NOT NULL AUTO_INCREMENT,
    `serialTable` varchar(128) NOT NULL,
    `url` varchar(1024) NOT NULL,
-@@ -104,7 +113,7 @@ CREATE TABLE `incidents` (
+@@ -106,7 +115,7 @@ CREATE TABLE `incidents` (
    PRIMARY KEY (`id`)
  ) CHARSET=utf8mb4;
 
@@ -111,7 +111,7 @@ index ff8e54320..347f72fff 100644
    `id` bigint(20) NOT NULL AUTO_INCREMENT,
    `reversedName` varchar(640) CHARACTER SET ascii NOT NULL,
    `notBefore` datetime NOT NULL,
-@@ -112,11 +121,9 @@ CREATE TABLE `issuedNames` (
+@@ -114,11 +123,9 @@ CREATE TABLE `issuedNames` (
    `renewal` tinyint(1) NOT NULL DEFAULT 0,
    PRIMARY KEY (`id`),
    KEY `reversedName_notBefore_Idx` (`reversedName`,`notBefore`)
@@ -125,7 +125,7 @@ index ff8e54320..347f72fff 100644
    `id` bigint(20) NOT NULL AUTO_INCREMENT,
    `keyHash` binary(32) NOT NULL,
    `certNotAfter` datetime NOT NULL,
-@@ -126,7 +133,7 @@ CREATE TABLE `keyHashToSerial` (
+@@ -128,7 +135,7 @@ CREATE TABLE `keyHashToSerial` (
    KEY `keyHash_certNotAfter` (`keyHash`,`certNotAfter`)
  ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
 
@@ -134,7 +134,7 @@ index ff8e54320..347f72fff 100644
    `id` bigint(20) NOT NULL AUTO_INCREMENT,
    `regID` bigint(20) NOT NULL,
    `time` datetime NOT NULL,
-@@ -135,7 +142,7 @@ CREATE TABLE `newOrdersRL` (
+@@ -137,7 +144,7 @@ CREATE TABLE `newOrdersRL` (
    UNIQUE KEY `regID_time_idx` (`regID`,`time`)
  ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
 
@@ -143,7 +143,7 @@ index ff8e54320..347f72fff 100644
    `id` bigint(20) UNSIGNED NOT NULL AUTO_INCREMENT,
    `setHash` binary(32) NOT NULL,
    `orderID` bigint(20) NOT NULL,
-@@ -145,20 +152,18 @@ CREATE TABLE `orderFqdnSets` (
+@@ -147,20 +154,18 @@ CREATE TABLE `orderFqdnSets` (
    KEY `setHash_expires_idx` (`setHash`,`expires`),
    KEY `orderID_idx` (`orderID`),
    KEY `orderFqdnSets_registrationID_registrations` (`registrationID`)
@@ -170,7 +170,7 @@ index ff8e54320..347f72fff 100644
    `id` bigint(20) UNSIGNED NOT NULL AUTO_INCREMENT,
    `registrationID` bigint(20) NOT NULL,
    `expires` datetime NOT NULL,
-@@ -169,14 +174,12 @@ CREATE TABLE `orders` (
+@@ -171,14 +176,12 @@ CREATE TABLE `orders` (
    PRIMARY KEY (`id`),
    KEY `reg_status_expires` (`registrationID`,`expires`),
    KEY `regID_created_idx` (`registrationID`,`created`)
@@ -187,7 +187,7 @@ index ff8e54320..347f72fff 100644
    `id` bigint(20) NOT NULL AUTO_INCREMENT,
    `registrationID` bigint(20) NOT NULL,
    `serial` varchar(255) NOT NULL,
-@@ -187,11 +190,11 @@ CREATE TABLE `precertificates` (
+@@ -189,11 +192,11 @@ CREATE TABLE `precertificates` (
    KEY `serial` (`serial`),
    KEY `regId_precertificates_idx` (`registrationID`),
    KEY `issued_precertificates_idx` (`issued`)
@@ -203,7 +203,7 @@ index ff8e54320..347f72fff 100644
    `id` bigint(20) NOT NULL AUTO_INCREMENT,
    `jwk` mediumblob NOT NULL,
    `jwk_sha256` varchar(255) NOT NULL,
-@@ -206,20 +209,32 @@ CREATE TABLE `registrations` (
+@@ -208,20 +211,32 @@ CREATE TABLE `registrations` (
    KEY `initialIP_createdAt` (`initialIP`,`createdAt`)
  ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
 
@@ -241,7 +241,7 @@ index ff8e54320..347f72fff 100644
    `id` bigint(20) NOT NULL AUTO_INCREMENT,
    `registrationID` bigint(20) NOT NULL,
    `serial` varchar(255) NOT NULL,
-@@ -237,6 +252,18 @@ CREATE TABLE `serials` (
+@@ -239,6 +254,18 @@ CREATE TABLE `serials` (
  -- First set of tables have foreign key constraints, so are dropped first.
  DROP TABLE `serials`;
 
@@ -260,7 +260,7 @@ index ff8e54320..347f72fff 100644
  DROP TABLE `authz2`;
  DROP TABLE `blockedKeys`;
  DROP TABLE `certificateStatus`;
-@@ -247,8 +274,44 @@ DROP TABLE `issuedNames`;
+@@ -249,8 +276,44 @@ DROP TABLE `issuedNames`;
  DROP TABLE `keyHashToSerial`;
  DROP TABLE `newOrdersRL`;
  DROP TABLE `orderFqdnSets`;

patches/makefile.patch

@@ -1,13 +1,13 @@
 diff --git a/Makefile b/Makefile
-index 6427367f..54055e74 100644
+index 9522b89a7..b5aa9d84a 100644
 --- a/Makefile
 +++ b/Makefile
-@@ -37,7 +37,7 @@ $(CMD_BINS): build_cmds
+@@ -36,7 +36,7 @@ $(CMD_BINS): build_cmds
 
  build_cmds: | $(OBJDIR)
  	echo $(OBJECTS)
 -	GOBIN=$(OBJDIR) GO111MODULE=on go install -mod=vendor $(GO_BUILD_FLAGS) ./...
 +	GOBIN=$(OBJDIR) GO111MODULE=on go install -mod=vendor -buildvcs=false $(GO_BUILD_FLAGS) ./...
- 	./link.sh
 
- # Building an RPM requires `fpm` from https://github.com/jordansissel/fpm
+ # Building a .deb requires `fpm` from https://github.com/jordansissel/fpm
+ # which you can install with `gem install fpm`.

patches/ra_ra.patch

@@ -1,5 +1,5 @@
 diff --git a/ra/ra.go b/ra/ra.go
-index 64d494c74..7ae5bb471 100644
+index 3c0f53e22..8c245358d 100644
 --- a/ra/ra.go
 +++ b/ra/ra.go
 @@ -43,7 +43,6 @@ import (
@@ -10,7 +10,7 @@ index 64d494c74..7ae5bb471 100644
  	"github.com/letsencrypt/boulder/probs"
  	pubpb "github.com/letsencrypt/boulder/publisher/proto"
  	rapb "github.com/letsencrypt/boulder/ra/proto"
-@@ -464,7 +463,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error {
+@@ -468,7 +467,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error {
  		if !core.IsASCII(contact) {
  			return berrors.InvalidEmailError("contact email contains non-ASCII characters")
  		}

patches/test_certs_generate.patch

@@ -1,17 +1,19 @@
 diff --git a/test/certs/generate.sh b/test/certs/generate.sh
-index 0b33f8c18..3e447f6f5 100755
+index 7386e7992..27d105017 100755
 --- a/test/certs/generate.sh
 +++ b/test/certs/generate.sh
-@@ -64,7 +64,7 @@ webpki() (
+@@ -64,8 +64,8 @@ webpki() (
    # script.
    cd ../..
-   mkdir ./test/certs/webpki
+   make build
+-  mkdir ./test/certs/webpki
 -  go run ./test/certs/webpki.go
-+  # go run ./test/certs/webpki.go
++  mkdir ./labca/certs/webpki
++  # go run ./labca/certs/webpki.go
  )
 
  if ! [ -d ipki ]; then
-@@ -72,6 +72,17 @@ if ! [ -d ipki ]; then
+@@ -73,6 +73,17 @@ if ! [ -d ipki ]; then
    ipki
  fi
 

patches/wfe2_wfe.patch

@@ -1,16 +1,16 @@
 diff --git a/wfe2/wfe.go b/wfe2/wfe.go
-index 6b753b53d..e49164461 100644
+index a41472e54..42d2974c4 100644
 --- a/wfe2/wfe.go
 +++ b/wfe2/wfe.go
-@@ -23,6 +23,7 @@ import (
- 	"go.opentelemetry.io/otel/trace"
+@@ -24,6 +24,7 @@ import (
+ 	"google.golang.org/protobuf/types/known/durationpb"
  	"google.golang.org/protobuf/types/known/emptypb"
 
 +	"github.com/letsencrypt/boulder/cmd"
  	"github.com/letsencrypt/boulder/core"
  	corepb "github.com/letsencrypt/boulder/core/proto"
  	berrors "github.com/letsencrypt/boulder/errors"
-@@ -177,6 +178,8 @@ type WebFrontEndImpl struct {
+@@ -171,6 +172,8 @@ type WebFrontEndImpl struct {
  	// descriptions (perhaps including URLs) of those profiles. NewOrder
  	// Requests with a profile name not present in this map will be rejected.
  	certProfiles map[string]string
@@ -19,23 +19,23 @@ index 6b753b53d..e49164461 100644
  }
 
  // NewWebFrontEndImpl constructs a web service for Boulder
-@@ -204,6 +207,7 @@ func NewWebFrontEndImpl(
+@@ -198,6 +201,7 @@ func NewWebFrontEndImpl(
  	unpauseSigner unpause.JWTSigner,
  	unpauseJWTLifetime time.Duration,
  	unpauseURL string,
 +	hostnamePolicyFile string,
  ) (WebFrontEndImpl, error) {
  	if len(issuerCertificates) == 0 {
  		return WebFrontEndImpl{}, errors.New("must provide at least one issuer certificate")
-@@ -245,6 +249,7 @@ func NewWebFrontEndImpl(
+@@ -239,6 +243,7 @@ func NewWebFrontEndImpl(
  		unpauseSigner:                unpauseSigner,
  		unpauseJWTLifetime:           unpauseJWTLifetime,
  		unpauseURL:                   unpauseURL,
 +		hostnamePolicyFile:           hostnamePolicyFile,
  	}
 
  	return wfe, nil
-@@ -2374,8 +2379,25 @@ func (wfe *WebFrontEndImpl) NewOrder(
+@@ -2302,8 +2307,25 @@ func (wfe *WebFrontEndImpl) NewOrder(
  		names[i] = ident.Value
  	}