diff --git a/build/build.sh b/build/build.sh
index c48b342..f8d71b4 100755
--- a/build/build.sh
+++ b/build/build.sh
@@ -8,7 +8,7 @@ TMP_DIR=$(pwd)/tmp
 rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src}
 boulderDir=$TMP_DIR/src
-boulderTag="release-2024-12-10"
+boulderTag="release-2025-01-06"
 boulderUrl="https://github.com/letsencrypt/boulder/"
 cloneDir=$(pwd)/..
diff --git a/commander b/commander
index 3426557..84f87b1 100755
--- a/commander
+++ b/commander
@@ -181,12 +181,12 @@ case $txt in
         read serial
         read reason
         cd /opt/boulder
-        docker compose exec boulder bin/admin -config labca/config/admin.json revoke-cert -serial $serial -reason $reason -dry-run=false 2>&1
+        docker compose exec boulder bin/boulder admin -config labca/config/admin.json revoke-cert -serial $serial -reason $reason -dry-run=false 2>&1
         ;;
     "test-email")
         read recipient
         cd /opt/boulder
-        docker compose exec boulder bin/mail-tester --config labca/config/expiration-mailer.json $recipient 2>&1
+        docker compose exec boulder bin/boulder mail-tester --config labca/config/expiration-mailer.json $recipient 2>&1
         ;;
     "boulder-start")
         cd /opt/boulder
diff --git a/gui/apply-boulder b/gui/apply-boulder
index 2424359..53a6ac2 100755
--- a/gui/apply-boulder
+++ b/gui/apply-boulder
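Review bot: The rewritten `docker compose exec` lines in the commander hunk still interpolate `$serial`, `$reason` and `$recipient` unquoted, so a value containing whitespace or glob characters is split into extra arguments before it reaches `bin/boulder admin` or `bin/boulder mail-tester`; quote them as `-serial "$serial" -reason "$reason"` and `"$recipient"`. The values come from the preceding `read serial` / `read reason` / `read recipient` calls, which lack `-r`, so backslashes are rewritten before the command even runs; `read -r serial` preserves the input as given. The `case $txt in` these arms belong to opens outside the hunk, so whatever validation happens before this point is not visible here.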
@@ -77,8 +77,8 @@ sed -i -e "s/\"directoryCAAIdentity\": \".*\"/\"directoryCAAIdentity\": \"$PKI_D
 if ([ "$PKI_DOMAIN_MODE" == "lockdown" ] && [ "$PKI_LOCKDOWN_DOMAINS" != "" ]) || ([ "$PKI_DOMAIN_MODE" == "whitelist" ] && [ "$PKI_WHITELIST_DOMAINS" != "" ]); then
     perl -i -p0e "s/(\"badResultsOnly\":[^\n]*).*?(\s+)(\"checkPeriod\":)/\1\2\"skipForbiddenDomains\": true,\2\3/igs" config/cert-checker.json
-    perl -i -p0e "s/(\"ignoredLints\": \[).*?(\s+)(\"w_subject_common_name_included\")/\1\2\"e_dnsname_not_valid_tld\",\2\3/igs" config/cert-checker.json
-    perl -i -p0e "s/(\"ignoredLints\": \[).*?(\s+)(\"w_subject_common_name_included\")/\1\2\"e_dnsname_not_valid_tld\",\2\3/igs" config/ca.json
+    perl -i -p0e "s/(\"ignoredLints\": \[).*?(\s+)(\"w_subject_common_name_included\")/\1\2\"e_dnsname_not_valid_tld\",\2\"w_sub_cert_aia_contains_internal_names\",\2\3/igs" config/cert-checker.json
+    perl -i -p0e "s/(\"ignoredLints\": \[).*?(\s+)(\"w_subject_common_name_included\")/\1\2\"e_dnsname_not_valid_tld\",\2\"w_sub_cert_aia_contains_internal_names\",\2\3/igs" config/ca.json
     perl -i -p0e "s/(\"SubscriberKeyUsageValidator:cabf.serverauth.subscriber_rsa_digitalsignature_and_keyencipherment_present\",).*(\])/\1\n \"GeneralNameDnsNameInternalDomainNameValidator:cabf.internal_domain_name\",\n \"GeneralNameUriInternalDomainNameValidator:cabf.internal_domain_name\",\n\2/igs" config/zlint.toml
 fi
diff --git a/install b/install
index 20cd14e..91bfd19 100755
--- a/install
+++ b/install
@@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0"
 labcaUrl="https://github.com/hakwerk/labca/"
 boulderUrl="https://github.com/letsencrypt/boulder/"
-boulderTag="release-2024-12-10"
+boulderTag="release-2025-01-06"
 # Feature flags
 flag_skip_redis=true
diff --git a/mailer b/mailer
index 95bf4c4..ecd1206 100755
--- a/mailer
+++ b/mailer
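Review bot: The two new perl substitutions in the apply-boulder hunk add `w_sub_cert_aia_contains_internal_names` to `ignoredLints` in `config/cert-checker.json` and `config/ca.json` without recording why that zlint warning is acceptable to suppress; since it only happens under the lockdown/whitelist `if`, the intent is presumably that AIA URLs carry non-public names in such a deployment, but that should be confirmed and written down, e.g. `# lockdown/whitelist deployments use internal names in AIA URLs; zlint reports that as w_sub_cert_aia_contains_internal_names — TODO confirm before widening this list further`. The two lines differ only in the target file, so a `for f in config/cert-checker.json config/ca.json; do … "$f"; done` loop would keep the ignored-lint list in one place and stop the two files drifting apart on the next change. The guarding `if` opens and closes (`fi`) within the hunk, so its scope is fully visible.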
@@ -6,4 +6,4 @@ TODAY=`date '+%Y_%m_%d'`
 echo "Running cron-$(basename $0) for ${TODAY}..."
 cd /opt/boulder
-docker compose exec boulder bin/expiration-mailer --config labca/config/expiration-mailer.json 2>&1
+docker compose exec boulder bin/boulder expiration-mailer --config labca/config/expiration-mailer.json 2>&1
diff --git a/patches/db_migrations.patch b/patches/db_migrations.patch
index 270822d..730fe53 100644
--- a/patches/db_migrations.patch
+++ b/patches/db_migrations.patch
@@ -1,5 +1,5 @@
 diff --git a/sa/db/boulder_sa/20230419000000_CombinedSchema.sql b/sa/db/boulder_sa/20230419000000_CombinedSchema.sql
-index ff8e54320..347f72fff 100644
+index 42c489be9..d2b1eb43b 100644
 --- a/sa/db/boulder_sa/20230419000000_CombinedSchema.sql
 +++ b/sa/db/boulder_sa/20230419000000_CombinedSchema.sql
 @@ -1,7 +1,9 @@
@@ -88,7 +88,7 @@ index ff8e54320..347f72fff 100644
  `id` bigint(20) UNSIGNED NOT NULL AUTO_INCREMENT,
  `setHash` binary(32) NOT NULL,
  `serial` varchar(255) NOT NULL,
-@@ -91,11 +102,9 @@ CREATE TABLE `fqdnSets` (
+@@ -93,11 +104,9 @@ CREATE TABLE `fqdnSets` (
  PRIMARY KEY (`id`),
  KEY `serial` (`serial`),
  KEY `setHash_issued_idx` (`setHash`,`issued`)
@@ -102,7 +102,7 @@ index ff8e54320..347f72fff 100644
  `id` bigint(20) UNSIGNED NOT NULL AUTO_INCREMENT,
  `serialTable` varchar(128) NOT NULL,
  `url` varchar(1024) NOT NULL,
-@@ -104,7 +113,7 @@ CREATE TABLE `incidents` (
+@@ -106,7 +115,7 @@ CREATE TABLE `incidents` (
  PRIMARY KEY (`id`)
  ) CHARSET=utf8mb4;
@@ -111,7 +111,7 @@ index ff8e54320..347f72fff 100644
  `id` bigint(20) NOT NULL AUTO_INCREMENT,
  `reversedName` varchar(640) CHARACTER SET ascii NOT NULL,
  `notBefore` datetime NOT NULL,
-@@ -112,11 +121,9 @@ CREATE TABLE `issuedNames` (
+@@ -114,11 +123,9 @@ CREATE TABLE `issuedNames` (
  `renewal` tinyint(1) NOT NULL DEFAULT 0,
  PRIMARY KEY (`id`),
  KEY `reversedName_notBefore_Idx` (`reversedName`,`notBefore`)
@@ -125,7 +125,7 @@ index ff8e54320..347f72fff 100644
  `id` bigint(20) NOT NULL AUTO_INCREMENT,
  `keyHash` binary(32) NOT NULL,
  `certNotAfter` datetime NOT NULL,
-@@ -126,7 +133,7 @@ CREATE TABLE `keyHashToSerial` (
+@@ -128,7 +135,7 @@ CREATE TABLE `keyHashToSerial` (
  KEY `keyHash_certNotAfter` (`keyHash`,`certNotAfter`)
  ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
@@ -134,7 +134,7 @@ index ff8e54320..347f72fff 100644
  `id` bigint(20) NOT NULL AUTO_INCREMENT,
  `regID` bigint(20) NOT NULL,
  `time` datetime NOT NULL,
-@@ -135,7 +142,7 @@ CREATE TABLE `newOrdersRL` (
+@@ -137,7 +144,7 @@ CREATE TABLE `newOrdersRL` (
  UNIQUE KEY `regID_time_idx` (`regID`,`time`)
  ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
@@ -143,7 +143,7 @@ index ff8e54320..347f72fff 100644
  `id` bigint(20) UNSIGNED NOT NULL AUTO_INCREMENT,
  `setHash` binary(32) NOT NULL,
  `orderID` bigint(20) NOT NULL,
-@@ -145,20 +152,18 @@ CREATE TABLE `orderFqdnSets` (
+@@ -147,20 +154,18 @@ CREATE TABLE `orderFqdnSets` (
  KEY `setHash_expires_idx` (`setHash`,`expires`),
  KEY `orderID_idx` (`orderID`),
  KEY `orderFqdnSets_registrationID_registrations` (`registrationID`)
@@ -170,7 +170,7 @@ index ff8e54320..347f72fff 100644
  `id` bigint(20) UNSIGNED NOT NULL AUTO_INCREMENT,
  `registrationID` bigint(20) NOT NULL,
  `expires` datetime NOT NULL,
-@@ -169,14 +174,12 @@ CREATE TABLE `orders` (
+@@ -171,14 +176,12 @@ CREATE TABLE `orders` (
  PRIMARY KEY (`id`),
  KEY `reg_status_expires` (`registrationID`,`expires`),
  KEY `regID_created_idx` (`registrationID`,`created`)
@@ -187,7 +187,7 @@ index ff8e54320..347f72fff 100644
  `id` bigint(20) NOT NULL AUTO_INCREMENT,
  `registrationID` bigint(20) NOT NULL,
  `serial` varchar(255) NOT NULL,
-@@ -187,11 +190,11 @@ CREATE TABLE `precertificates` (
+@@ -189,11 +192,11 @@ CREATE TABLE `precertificates` (
  KEY `serial` (`serial`),
  KEY `regId_precertificates_idx` (`registrationID`),
  KEY `issued_precertificates_idx` (`issued`)
@@ -203,7 +203,7 @@ index ff8e54320..347f72fff 100644 `id` bigint(20) NOT NULL AUTO_INCREMENT, `jwk` mediumblob NOT NULL, `jwk_sha256` varchar(255) NOT NULL, -@@ -206,20 +209,32 @@ CREATE TABLE `registrations` ( +@@ -208,20 +211,32 @@ CREATE TABLE `registrations` ( KEY `initialIP_createdAt` (`initialIP`,`createdAt`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4; @@ -241,7 +241,7 @@ index ff8e54320..347f72fff 100644 `id` bigint(20) NOT NULL AUTO_INCREMENT, `registrationID` bigint(20) NOT NULL, `serial` varchar(255) NOT NULL, -@@ -237,6 +252,18 @@ CREATE TABLE `serials` ( +@@ -239,6 +254,18 @@ CREATE TABLE `serials` ( -- First set of tables have foreign key constraints, so are dropped first. DROP TABLE `serials`; @@ -260,7 +260,7 @@ index ff8e54320..347f72fff 100644 DROP TABLE `authz2`; DROP TABLE `blockedKeys`; DROP TABLE `certificateStatus`; -@@ -247,8 +274,44 @@ DROP TABLE `issuedNames`; +@@ -249,8 +276,44 @@ DROP TABLE `issuedNames`; DROP TABLE `keyHashToSerial`; DROP TABLE `newOrdersRL`; DROP TABLE `orderFqdnSets`; diff --git a/patches/makefile.patch b/patches/makefile.patch index 49254d2..d28eafb 100644 --- a/patches/makefile.patch +++ b/patches/makefile.patch @@ -1,13 +1,13 @@ diff --git a/Makefile b/Makefile -index 6427367f..54055e74 100644 +index 9522b89a7..b5aa9d84a 100644 --- a/Makefile +++ b/Makefile -@@ -37,7 +37,7 @@ $(CMD_BINS): build_cmds +@@ -36,7 +36,7 @@ $(CMD_BINS): build_cmds build_cmds: | $(OBJDIR) echo $(OBJECTS) - GOBIN=$(OBJDIR) GO111MODULE=on go install -mod=vendor $(GO_BUILD_FLAGS) ./... + GOBIN=$(OBJDIR) GO111MODULE=on go install -mod=vendor -buildvcs=false $(GO_BUILD_FLAGS) ./... - ./link.sh - # Building an RPM requires `fpm` from https://github.com/jordansissel/fpm + # Building a .deb requires `fpm` from https://github.com/jordansissel/fpm + # which you can install with `gem install fpm`. diff --git a/patches/ra_ra.patch b/patches/ra_ra.patch index f46705f..8afefed 100644 --- a/patches/ra_ra.patch +++ b/patches/ra_ra.patch @@ -1,5 +1,5 @@ 
diff --git a/ra/ra.go b/ra/ra.go -index 64d494c74..7ae5bb471 100644 +index 3c0f53e22..8c245358d 100644 --- a/ra/ra.go +++ b/ra/ra.go @@ -43,7 +43,6 @@ import ( @@ -10,7 +10,7 @@ index 64d494c74..7ae5bb471 100644 "github.com/letsencrypt/boulder/probs" pubpb "github.com/letsencrypt/boulder/publisher/proto" rapb "github.com/letsencrypt/boulder/ra/proto" -@@ -464,7 +463,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error { +@@ -468,7 +467,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error { if !core.IsASCII(contact) { return berrors.InvalidEmailError("contact email contains non-ASCII characters") } diff --git a/patches/test_certs_generate.patch b/patches/test_certs_generate.patch index a8a373e..163fbf5 100644 --- a/patches/test_certs_generate.patch +++ b/patches/test_certs_generate.patch @@ -1,17 +1,19 @@ diff --git a/test/certs/generate.sh b/test/certs/generate.sh -index 0b33f8c18..3e447f6f5 100755 +index 7386e7992..27d105017 100755 --- a/test/certs/generate.sh +++ b/test/certs/generate.sh -@@ -64,7 +64,7 @@ webpki() ( +@@ -64,8 +64,8 @@ webpki() ( # script. cd ../.. - mkdir ./test/certs/webpki + make build +- mkdir ./test/certs/webpki - go run ./test/certs/webpki.go -+ # go run ./test/certs/webpki.go ++ mkdir ./labca/certs/webpki ++ # go run ./labca/certs/webpki.go ) if ! [ -d ipki ]; then -@@ -72,6 +72,17 @@ if ! [ -d ipki ]; then +@@ -73,6 +73,17 @@ if ! [ -d ipki ]; then ipki fi diff --git a/patches/wfe2_wfe.patch b/patches/wfe2_wfe.patch index 6b32eff..4228628 100644 --- a/patches/wfe2_wfe.patch +++ b/patches/wfe2_wfe.patch @@ -1,16 +1,16 @@ diff --git a/wfe2/wfe.go b/wfe2/wfe.go -index 6b753b53d..e49164461 100644 +index a41472e54..42d2974c4 100644 --- a/wfe2/wfe.go 
+++ b/wfe2/wfe.go -@@ -23,6 +23,7 @@ import ( - "go.opentelemetry.io/otel/trace" +@@ -24,6 +24,7 @@ import ( + "google.golang.org/protobuf/types/known/durationpb" "google.golang.org/protobuf/types/known/emptypb" + "github.com/letsencrypt/boulder/cmd" "github.com/letsencrypt/boulder/core" corepb "github.com/letsencrypt/boulder/core/proto" berrors "github.com/letsencrypt/boulder/errors" -@@ -177,6 +178,8 @@ type WebFrontEndImpl struct { +@@ -171,6 +172,8 @@ type WebFrontEndImpl struct { // descriptions (perhaps including URLs) of those profiles. NewOrder // Requests with a profile name not present in this map will be rejected. certProfiles map[string]string @@ -19,7 +19,7 @@ index 6b753b53d..e49164461 100644 } // NewWebFrontEndImpl constructs a web service for Boulder -@@ -204,6 +207,7 @@ func NewWebFrontEndImpl( +@@ -198,6 +201,7 @@ func NewWebFrontEndImpl( unpauseSigner unpause.JWTSigner, unpauseJWTLifetime time.Duration, unpauseURL string, @@ -27,7 +27,7 @@ index 6b753b53d..e49164461 100644 ) (WebFrontEndImpl, error) { if len(issuerCertificates) == 0 { return WebFrontEndImpl{}, errors.New("must provide at least one issuer certificate") -@@ -245,6 +249,7 @@ func NewWebFrontEndImpl( +@@ -239,6 +243,7 @@ func NewWebFrontEndImpl( unpauseSigner: unpauseSigner, unpauseJWTLifetime: unpauseJWTLifetime, unpauseURL: unpauseURL, @@ -35,7 +35,7 @@ index 6b753b53d..e49164461 100644 } return wfe, nil -@@ -2374,8 +2379,25 @@ func (wfe *WebFrontEndImpl) NewOrder( +@@ -2302,8 +2307,25 @@ func (wfe *WebFrontEndImpl) NewOrder( names[i] = ident.Value }