This integration test was removed in the early versions of
https://github.com/letsencrypt/boulder/pull/8245, because that PR had
removed all validation of contact addresses. However, later iterations
of that PR restored (most) contact validation, so this PR restores (most
of) the TestAccountEmailError integration test.
Change the WFE to stop populating the Contact field of the
NewRegistration requests it sends to the RA. Similarly change the WFE to
ignore the Contact field of any update-account requests it receives,
thereby removing all calls to the RA's UpdateRegistrationContact method.
Hoist the RA's contact validation logic into the WFE, so that we can
still return errors to clients which are presenting grossly malformed
contact fields, and have a first layer of protection against trying to
send malformed addresses to email-exporter.
A follow-up change (after a deploy cycle) will remove the deprecated RA
and SA methods.
Part of https://github.com/letsencrypt/boulder/issues/8199
Move `policy.IsReservedIP` to `iana.IsReservedAddr`.
Move `policy.IsReservedPrefix` to `iana.IsReservedPrefix`.
Embed & parse IANA's special-purpose address registries for IPv4 and
IPv6 in their original CSV format.
Fixes#8080
Bumps the aws group with 4 updates:
[github.com/aws/aws-sdk-go-v2](https://github.com/aws/aws-sdk-go-v2),
[github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2),
[github.com/aws/aws-sdk-go-v2/service/s3](https://github.com/aws/aws-sdk-go-v2)
and [github.com/aws/smithy-go](https://github.com/aws/smithy-go).
Updates `github.com/aws/aws-sdk-go-v2` from 1.36.4 to 1.36.5
Updates `github.com/aws/aws-sdk-go-v2/config` from 1.29.16 to 1.29.17
Updates `github.com/aws/aws-sdk-go-v2/service/s3` from 1.80.2 to 1.80.3
Updates `github.com/aws/smithy-go` from 1.22.2 to 1.22.4
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
The ProtoText printing of this structure prints the binary string as
escaped
utf8 text, which is essentially gibberish for my processes.
---------
Co-authored-by: Aaron Gable <aaron@letsencrypt.org>
Currently, we check the cache only immediately before attempting to send
an email address. However, we only reach that point if the rate limiter
(used to respect the daily API quota) permits it. As a result, around
40% of sends are wasted on email addresses that are ultimately skipped
due to cache hits.
Replace the pre-send cache `Seen` check with an atomic `StoreIfAbsent`
executed before the `limiter.Wait()` so that limiter tokens are consumed
only for email addresses that actually need sending. Skip the
`limiter.Wait()` on cache hits, remove cache entries only when a send
fails, and increment metrics only on successful sends.
It can be used by tag protection rules to ensure that tags may only be
pushed if their corresponding commit was first pushed to main or a
hotfix branch.
- Configure all gRPC clients to check the overall serving status of each
endpoint via the `grpc_health_v1` service.
- Configure all gRPC servers to expose the `grpc_health_v1` service to
any client permitted to access one of the server’s services.
- Modify long-running, deep health checks to set and transition the
overall (empty string) health status of the gRPC server in addition to
the specific service they were configured for.
Fixes#8227
Hyrum’s Law strikes again: our Python integration tests were implicitly
relying on behavior that was changed upstream in Certbot’s ACME client
(see https://github.com/certbot/certbot/pull/10239). To ensure continued
coverage, replicate this test in our Go integration test suite.
Bumps the aws group with 4 updates:
[github.com/aws/aws-sdk-go-v2](https://github.com/aws/aws-sdk-go-v2),
[github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2),
[github.com/aws/aws-sdk-go-v2/service/s3](https://github.com/aws/aws-sdk-go-v2)
and [github.com/aws/smithy-go](https://github.com/aws/smithy-go).
Updates `github.com/aws/aws-sdk-go-v2` from 1.32.2 to 1.36.4
<details>
<summary>Commits</summary>
<ul>
<li><a
href="983f192608"><code>983f192</code></a>
Release 2025-06-10</li>
<li><a
href="a5c1277d48"><code>a5c1277</code></a>
Regenerated Clients</li>
<li><a
href="a42991177c"><code>a429911</code></a>
Update endpoints model</li>
<li><a
href="4ea1cecfb1"><code>4ea1cec</code></a>
Update API model</li>
<li><a
href="5b11c8d01f"><code>5b11c8d</code></a>
remove changelog directions for now because of <a
href="https://redirect.github.com/aws/aws-sdk-go-v2/issues/3107">#3107</a></li>
<li><a
href="79f492ceb2"><code>79f492c</code></a>
fixup changelog</li>
<li><a
href="4f82369def"><code>4f82369</code></a>
use UTC() in v4 event stream signing (<a
href="https://redirect.github.com/aws/aws-sdk-go-v2/issues/3105">#3105</a>)</li>
<li><a
href="755839b2ee"><code>755839b</code></a>
Release 2025-06-09</li>
<li><a
href="ba3d22d775"><code>ba3d22d</code></a>
Regenerated Clients</li>
<li><a
href="01587c6c41"><code>01587c6</code></a>
Update endpoints model</li>
<li>Additional commits viewable in <a
href="https://github.com/aws/aws-sdk-go-v2/compare/v1.32.2...v1.36.4">compare
view</a></li>
</ul>
</details>
<br />
Updates `github.com/aws/aws-sdk-go-v2/config` from 1.27.43 to 1.29.16
<details>
<summary>Commits</summary>
<ul>
<li><a
href="983f192608"><code>983f192</code></a>
Release 2025-06-10</li>
<li><a
href="a5c1277d48"><code>a5c1277</code></a>
Regenerated Clients</li>
<li><a
href="a42991177c"><code>a429911</code></a>
Update endpoints model</li>
<li><a
href="4ea1cecfb1"><code>4ea1cec</code></a>
Update API model</li>
<li><a
href="5b11c8d01f"><code>5b11c8d</code></a>
remove changelog directions for now because of <a
href="https://redirect.github.com/aws/aws-sdk-go-v2/issues/3107">#3107</a></li>
<li><a
href="79f492ceb2"><code>79f492c</code></a>
fixup changelog</li>
<li><a
href="4f82369def"><code>4f82369</code></a>
use UTC() in v4 event stream signing (<a
href="https://redirect.github.com/aws/aws-sdk-go-v2/issues/3105">#3105</a>)</li>
<li><a
href="755839b2ee"><code>755839b</code></a>
Release 2025-06-09</li>
<li><a
href="ba3d22d775"><code>ba3d22d</code></a>
Regenerated Clients</li>
<li><a
href="01587c6c41"><code>01587c6</code></a>
Update endpoints model</li>
<li>Additional commits viewable in <a
href="https://github.com/aws/aws-sdk-go-v2/compare/config/v1.27.43...config/v1.29.16">compare
view</a></li>
</ul>
</details>
<br />
Updates `github.com/aws/aws-sdk-go-v2/service/s3` from 1.65.3 to 1.80.2
<details>
<summary>Commits</summary>
<ul>
<li><a
href="983f192608"><code>983f192</code></a>
Release 2025-06-10</li>
<li><a
href="a5c1277d48"><code>a5c1277</code></a>
Regenerated Clients</li>
<li><a
href="a42991177c"><code>a429911</code></a>
Update endpoints model</li>
<li><a
href="4ea1cecfb1"><code>4ea1cec</code></a>
Update API model</li>
<li><a
href="5b11c8d01f"><code>5b11c8d</code></a>
remove changelog directions for now because of <a
href="https://redirect.github.com/aws/aws-sdk-go-v2/issues/3107">#3107</a></li>
<li><a
href="79f492ceb2"><code>79f492c</code></a>
fixup changelog</li>
<li><a
href="4f82369def"><code>4f82369</code></a>
use UTC() in v4 event stream signing (<a
href="https://redirect.github.com/aws/aws-sdk-go-v2/issues/3105">#3105</a>)</li>
<li><a
href="755839b2ee"><code>755839b</code></a>
Release 2025-06-09</li>
<li><a
href="ba3d22d775"><code>ba3d22d</code></a>
Regenerated Clients</li>
<li><a
href="01587c6c41"><code>01587c6</code></a>
Update endpoints model</li>
<li>Additional commits viewable in <a
href="https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.65.3...service/s3/v1.80.2">compare
view</a></li>
</ul>
</details>
<br />
Updates `github.com/aws/smithy-go` from 1.22.0 to 1.22.2
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/aws/smithy-go/blob/main/CHANGELOG.md">github.com/aws/smithy-go's
changelog</a>.</em></p>
<blockquote>
<h1>Release (2025-02-17)</h1>
<h2>General Highlights</h2>
<ul>
<li><strong>Dependency Update</strong>: Updated to the latest SDK module
versions</li>
</ul>
<h2>Module Highlights</h2>
<ul>
<li><code>github.com/aws/smithy-go</code>: v1.22.3</li>
<li><strong>Dependency Update</strong>: Bump minimum Go version to 1.22
per our language support policy.</li>
</ul>
<h1>Release (2025-01-21)</h1>
<h2>General Highlights</h2>
<ul>
<li><strong>Dependency Update</strong>: Updated to the latest SDK module
versions</li>
</ul>
<h2>Module Highlights</h2>
<ul>
<li><code>github.com/aws/smithy-go</code>: v1.22.2
<ul>
<li><strong>Bug Fix</strong>: Fix HTTP metrics data race.</li>
<li><strong>Bug Fix</strong>: Replace usages of deprecated ioutil
package.</li>
</ul>
</li>
</ul>
<h1>Release (2024-11-15)</h1>
<h2>General Highlights</h2>
<ul>
<li><strong>Dependency Update</strong>: Updated to the latest SDK module
versions</li>
</ul>
<h2>Module Highlights</h2>
<ul>
<li><code>github.com/aws/smithy-go</code>: v1.22.1
<ul>
<li><strong>Bug Fix</strong>: Fix failure to replace URI path segments
when their names overlap.</li>
</ul>
</li>
</ul>
<h1>Release (2024-10-03)</h1>
<h2>General Highlights</h2>
<ul>
<li><strong>Dependency Update</strong>: Updated to the latest SDK module
versions</li>
</ul>
<h2>Module Highlights</h2>
<ul>
<li><code>github.com/aws/smithy-go</code>: v1.22.0
<ul>
<li><strong>Feature</strong>: Add HTTP client metrics.</li>
</ul>
</li>
</ul>
<h1>Release (2024-09-25)</h1>
<h2>Module Highlights</h2>
<ul>
<li><code>github.com/aws/smithy-go/aws-http-auth</code>: <a
href="https://github.com/aws/smithy-go/blob/main/aws-http-auth/CHANGELOG.md#v100-2024-09-25">v1.0.0</a>
<ul>
<li><strong>Release</strong>: Initial release of module aws-http-auth,
which implements generically consumable SigV4 and SigV4a request
signing.</li>
</ul>
</li>
</ul>
<h1>Release (2024-09-19)</h1>
<h2>General Highlights</h2>
<ul>
<li><strong>Dependency Update</strong>: Updated to the latest SDK module
versions</li>
</ul>
<h2>Module Highlights</h2>
<ul>
<li><code>github.com/aws/smithy-go</code>: v1.21.0</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="f2ae388e50"><code>f2ae388</code></a>
Release 2025-01-21</li>
<li><a
href="d9b8ee9d55"><code>d9b8ee9</code></a>
refactor: fix deprecated for ioutil (<a
href="https://redirect.github.com/aws/smithy-go/issues/560">#560</a>)</li>
<li><a
href="ee8334e832"><code>ee8334e</code></a>
transport/http: fix metrics race condition (<a
href="https://redirect.github.com/aws/smithy-go/issues/555">#555</a>)</li>
<li><a
href="7e8149709c"><code>7e81497</code></a>
transport/http: fix go doc typo (<a
href="https://redirect.github.com/aws/smithy-go/issues/554">#554</a>)</li>
<li><a
href="a7d0f1ef5f"><code>a7d0f1e</code></a>
fix potential nil deref in waiter path matcher (<a
href="https://redirect.github.com/aws/smithy-go/issues/563">#563</a>)</li>
<li><a
href="e5c5ac3012"><code>e5c5ac3</code></a>
add changelog instructions and make recipe</li>
<li><a
href="5e16ee7648"><code>5e16ee7</code></a>
add missing waiter retry breakout on non-nil non-matched error (<a
href="https://redirect.github.com/aws/smithy-go/issues/561">#561</a>)</li>
<li><a
href="10fbeed6f8"><code>10fbeed</code></a>
Revert "Change defaults when generating a client via smithy CLI (<a
href="https://redirect.github.com/aws/smithy-go/issues/558">#558</a>)"
(<a
href="https://redirect.github.com/aws/smithy-go/issues/559">#559</a>)</li>
<li><a
href="95ba31879b"><code>95ba318</code></a>
Change defaults when generating a client via smithy CLI (<a
href="https://redirect.github.com/aws/smithy-go/issues/558">#558</a>)</li>
<li><a
href="bed421c3d7"><code>bed421c</code></a>
Release 2024-11-15</li>
<li>Additional commits viewable in <a
href="https://github.com/aws/smithy-go/compare/v1.22.0...v1.22.2">compare
view</a></li>
</ul>
</details>
<br />
<details>
<summary>Most Recent Ignore Conditions Applied to This Pull
Request</summary>
| Dependency Name | Ignore Conditions |
| --- | --- |
| github.com/aws/aws-sdk-go-v2/service/s3 | [< 1.28, > 1.27.1] |
| github.com/aws/aws-sdk-go-v2/config | [< 1.18, > 1.17.1] |
| github.com/aws/aws-sdk-go-v2/service/s3 | [< 1.31, > 1.30.5] |
</details>
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Deprecate the IgnoreAccountContacts feature flag. This causes the SA to
never query the contact column when reading registrations from the
database, and to never write a value for the contact column when
creating a new registration.
This requires updating or disabling several tests. These tests could be
deleted now, but I felt it was more appropriate for them to be fully
deleted when their corresponding services (e.g. expiration-mailer) are
also deleted.
Fixes https://github.com/letsencrypt/boulder/issues/8176
Remove `ToDNSSlice`, `FromProtoWithDefault`, and
`FromProtoSliceWithDefault` now that all their callers are gone. All
protobufs but one have migrated from DnsNames to Identifiers.
Remove TODOs for the exception, `ValidationRecord`, where an identifier
type isn't appropriate and it really only needs a string.
Rename `corepb.ValidationRecord.DnsName` to `Hostname` for clarity, to
match the corresponding PB's field name.
Improve various comments and docs re: IP address identifiers.
Depends on #8221 (which removes the last callers)
Fixes#8023
Change most functions in `ratelimits` to use full ACMEIdentifier(s) as
arguments, instead of using their values as strings. This makes the
plumbing from other packages more consistent, and allows us to:
Rename `FQDNsToETLDsPlusOne` to `coveringIdentifiers` and handle IP
identifiers, parsing IPv6 addresses into their covering /64 prefixes for
CertificatesPerDomain[PerAccount] bucket keys.
Port improved IP/CIDR validation logic to NewRegistrationsPerIPAddress &
PerIPv6Range.
Rename `domain` parts of bucket keys to either `identValue` or
`domainOrCIDR`.
Rename other internal functions to clarify that they now handle
identifier values, not just domains.
Add the new reserved IPv6 address range from RFC 9780.
For deployability, don't (yet) rename rate limits themselves; and
because it remains the name of the database table, preserve the term
`fqdnSets`.
Fixes#8223
Part of #7311
Simplify the main logic loop to simply revoke certs as soon as they're
identified, rather than jumping through hoops to identify and
deduplicate the associated accounts and emails. Make the Mailer portion
of the config optional for deployability.
Part of https://github.com/letsencrypt/boulder/issues/8199
Go 1.24.4 is a security release containing fixes to net/http,
os.OpenFile, and x509.Certificate.Verify, all of which we use. We appear
to be unaffected by the specific vulnerabilities described, however. See
the announcement here:
https://groups.google.com/g/golang-announce/c/ufZ8WpEsA3A
If a finalize CSR contains a SAN which looks like an IP address, don't
actually include that CN in our IssuanceRequest, and don't promote any
other SAN to be the CN either. This is similar to how we ignore the
CSR's CN when it is too long.
The golangci-lint project has released a v2, which is noticeably faster,
splits linters and formatters into separate categories, has greatly
improved support for staticcheck, and has an incompatible config file
format. Update our boulder-tools version of golangci-lint to v2, remove
our standalone staticcheck, and update our config file to match.
All of the identifiers being passed into the bucket construction helpers
have already passed through policy.WellFormedIdentifiers in the WFE. We
can trust that function, and our own ability to construct bucket keys,
to reduce the amount of revalidation we do before sending bucket keys to
redis.
The validateIdForName function is still used to validate override bucket
keys loaded from yaml.
This partially reverts https://github.com/letsencrypt/boulder/pull/8203,
which was landed as commit dea81c7381.
It leaves all of the boulder integration test environment changes in
place, while restoring the DNSAllowLoopbackAddresses config key and its
ability to influence the VA's behavior.
Remove static IPs from services that can be reached by their service
name. Remove consulnet and redisnet, and have the services which
connected to those network connect directly to bouldernet instead.
Instruct docker-compose to only dynamically allocate IPs from the upper
half of the bouldernet subset, to avoid clashing with the few static IPs
we still specify.
We no longer need a code path to resolve reserved IP addresses during
integration tests.
Move to a public IP for the remaining tests, after #8187 did so for many
of them.
Depends on #8187
Move usage of `sa.ReverseName` to a new `sa.EncodeIssuedName`, which
detects IP addresses and exempts them from being reversed. Retain
`reverseName` as an internal helper function.
Update `id-exporter`, `reversed-hostname-checker`, and tests to use the
new function and handle IP addresses.
Part of #7311
Move `IsReservedIP` and its supporting vars from `bdns` to `policy`.
Rewrite `IsReservedIP` to:
* Use `netip` because `netip.Prefix` can be used as a map key, allowing
us to define prefix lists more elegantly. This will enable future work
to import prefix lists from IANA's primary source data.
* Return an error including the reserved network's name.
Refactor `IsReservedIP` tests to be table-based.
Fixes#8040
Permit all valid identifier types in `wfe.NewOrder` and `csr.VerifyCSR`.
Permit certs with just IP address identifiers to skip
`sa.addIssuedNames`.
Check that URI SANs are empty in `csr.VerifyCSR`, which was previously
missed.
Use a real (Let's Encrypt) IP address range in integration testing, to
let challtestsrv satisfy IP address challenges.
Fixes#8192
Depends on #8154
If the IgnoreAccountContacts flag is set, don't bother writing the new
contacts to the database and instead just return the account object as
it stands. This does not require any test changes because
https://github.com/letsencrypt/boulder/pull/8198 already changed
registrationModelToPb to omit whatever contacts were retrieved from the
database before responding to the RA.
Part of https://github.com/letsencrypt/boulder/issues/8176
It appears that, in the past, we wanted id-exporter's "tell me all the
accounts with unexpired certificates" functionality to limit itself to
account that have contact info. The reasons for this limitation are
unclear, and are quickly becoming obsolete as we remove contact info
from the registrations table.
Remove this layer of filtering, so that id-exporter will retrieve all
accounts with active certificates, and not care whether the contact
column exists or not.
Part of https://github.com/letsencrypt/boulder/issues/8199
Alter the "registrations" table so that the "contact" column has a
default value of the JSON empty list "[]". This, once deployed to all
production environments, will allow Boulder to stop writing to and
reading from this column, in turn allowing it to be eventually wholly
dropped from the database.
IN-11365 tracks the corresponding production database changes
Part of https://github.com/letsencrypt/boulder/issues/8176
Samantha
Aaron Gable
James Renken
dependabot[bot]
Matthew McPherrin
Jacob Hoffman-Andrews