- Configure all gRPC clients to check the overall serving status of each
endpoint via the `grpc_health_v1` service.
- Configure all gRPC servers to expose the `grpc_health_v1` service to
any client permitted to access one of the server’s services.
- Modify long-running, deep health checks to set and transition the
overall (empty string) health status of the gRPC server in addition to
the specific service they were configured for.
Fixes#8227
Hyrum’s Law strikes again: our Python integration tests were implicitly
relying on behavior that was changed upstream in Certbot’s ACME client
(see https://github.com/certbot/certbot/pull/10239). To ensure continued
coverage, replicate this test in our Go integration test suite.
Bumps the aws group with 4 updates:
[github.com/aws/aws-sdk-go-v2](https://github.com/aws/aws-sdk-go-v2),
[github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2),
[github.com/aws/aws-sdk-go-v2/service/s3](https://github.com/aws/aws-sdk-go-v2)
and [github.com/aws/smithy-go](https://github.com/aws/smithy-go).
Updates `github.com/aws/aws-sdk-go-v2` from 1.32.2 to 1.36.4
<details>
<summary>Commits</summary>
<ul>
<li><a
href="983f192608"><code>983f192</code></a>
Release 2025-06-10</li>
<li><a
href="a5c1277d48"><code>a5c1277</code></a>
Regenerated Clients</li>
<li><a
href="a42991177c"><code>a429911</code></a>
Update endpoints model</li>
<li><a
href="4ea1cecfb1"><code>4ea1cec</code></a>
Update API model</li>
<li><a
href="5b11c8d01f"><code>5b11c8d</code></a>
remove changelog directions for now because of <a
href="https://redirect.github.com/aws/aws-sdk-go-v2/issues/3107">#3107</a></li>
<li><a
href="79f492ceb2"><code>79f492c</code></a>
fixup changelog</li>
<li><a
href="4f82369def"><code>4f82369</code></a>
use UTC() in v4 event stream signing (<a
href="https://redirect.github.com/aws/aws-sdk-go-v2/issues/3105">#3105</a>)</li>
<li><a
href="755839b2ee"><code>755839b</code></a>
Release 2025-06-09</li>
<li><a
href="ba3d22d775"><code>ba3d22d</code></a>
Regenerated Clients</li>
<li><a
href="01587c6c41"><code>01587c6</code></a>
Update endpoints model</li>
<li>Additional commits viewable in <a
href="https://github.com/aws/aws-sdk-go-v2/compare/v1.32.2...v1.36.4">compare
view</a></li>
</ul>
</details>
<br />
Updates `github.com/aws/aws-sdk-go-v2/config` from 1.27.43 to 1.29.16
<details>
<summary>Commits</summary>
<ul>
<li><a
href="983f192608"><code>983f192</code></a>
Release 2025-06-10</li>
<li><a
href="a5c1277d48"><code>a5c1277</code></a>
Regenerated Clients</li>
<li><a
href="a42991177c"><code>a429911</code></a>
Update endpoints model</li>
<li><a
href="4ea1cecfb1"><code>4ea1cec</code></a>
Update API model</li>
<li><a
href="5b11c8d01f"><code>5b11c8d</code></a>
remove changelog directions for now because of <a
href="https://redirect.github.com/aws/aws-sdk-go-v2/issues/3107">#3107</a></li>
<li><a
href="79f492ceb2"><code>79f492c</code></a>
fixup changelog</li>
<li><a
href="4f82369def"><code>4f82369</code></a>
use UTC() in v4 event stream signing (<a
href="https://redirect.github.com/aws/aws-sdk-go-v2/issues/3105">#3105</a>)</li>
<li><a
href="755839b2ee"><code>755839b</code></a>
Release 2025-06-09</li>
<li><a
href="ba3d22d775"><code>ba3d22d</code></a>
Regenerated Clients</li>
<li><a
href="01587c6c41"><code>01587c6</code></a>
Update endpoints model</li>
<li>Additional commits viewable in <a
href="https://github.com/aws/aws-sdk-go-v2/compare/config/v1.27.43...config/v1.29.16">compare
view</a></li>
</ul>
</details>
<br />
Updates `github.com/aws/aws-sdk-go-v2/service/s3` from 1.65.3 to 1.80.2
<details>
<summary>Commits</summary>
<ul>
<li><a
href="983f192608"><code>983f192</code></a>
Release 2025-06-10</li>
<li><a
href="a5c1277d48"><code>a5c1277</code></a>
Regenerated Clients</li>
<li><a
href="a42991177c"><code>a429911</code></a>
Update endpoints model</li>
<li><a
href="4ea1cecfb1"><code>4ea1cec</code></a>
Update API model</li>
<li><a
href="5b11c8d01f"><code>5b11c8d</code></a>
remove changelog directions for now because of <a
href="https://redirect.github.com/aws/aws-sdk-go-v2/issues/3107">#3107</a></li>
<li><a
href="79f492ceb2"><code>79f492c</code></a>
fixup changelog</li>
<li><a
href="4f82369def"><code>4f82369</code></a>
use UTC() in v4 event stream signing (<a
href="https://redirect.github.com/aws/aws-sdk-go-v2/issues/3105">#3105</a>)</li>
<li><a
href="755839b2ee"><code>755839b</code></a>
Release 2025-06-09</li>
<li><a
href="ba3d22d775"><code>ba3d22d</code></a>
Regenerated Clients</li>
<li><a
href="01587c6c41"><code>01587c6</code></a>
Update endpoints model</li>
<li>Additional commits viewable in <a
href="https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.65.3...service/s3/v1.80.2">compare
view</a></li>
</ul>
</details>
<br />
Updates `github.com/aws/smithy-go` from 1.22.0 to 1.22.2
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/aws/smithy-go/blob/main/CHANGELOG.md">github.com/aws/smithy-go's
changelog</a>.</em></p>
<blockquote>
<h1>Release (2025-02-17)</h1>
<h2>General Highlights</h2>
<ul>
<li><strong>Dependency Update</strong>: Updated to the latest SDK module
versions</li>
</ul>
<h2>Module Highlights</h2>
<ul>
<li><code>github.com/aws/smithy-go</code>: v1.22.3</li>
<li><strong>Dependency Update</strong>: Bump minimum Go version to 1.22
per our language support policy.</li>
</ul>
<h1>Release (2025-01-21)</h1>
<h2>General Highlights</h2>
<ul>
<li><strong>Dependency Update</strong>: Updated to the latest SDK module
versions</li>
</ul>
<h2>Module Highlights</h2>
<ul>
<li><code>github.com/aws/smithy-go</code>: v1.22.2
<ul>
<li><strong>Bug Fix</strong>: Fix HTTP metrics data race.</li>
<li><strong>Bug Fix</strong>: Replace usages of deprecated ioutil
package.</li>
</ul>
</li>
</ul>
<h1>Release (2024-11-15)</h1>
<h2>General Highlights</h2>
<ul>
<li><strong>Dependency Update</strong>: Updated to the latest SDK module
versions</li>
</ul>
<h2>Module Highlights</h2>
<ul>
<li><code>github.com/aws/smithy-go</code>: v1.22.1
<ul>
<li><strong>Bug Fix</strong>: Fix failure to replace URI path segments
when their names overlap.</li>
</ul>
</li>
</ul>
<h1>Release (2024-10-03)</h1>
<h2>General Highlights</h2>
<ul>
<li><strong>Dependency Update</strong>: Updated to the latest SDK module
versions</li>
</ul>
<h2>Module Highlights</h2>
<ul>
<li><code>github.com/aws/smithy-go</code>: v1.22.0
<ul>
<li><strong>Feature</strong>: Add HTTP client metrics.</li>
</ul>
</li>
</ul>
<h1>Release (2024-09-25)</h1>
<h2>Module Highlights</h2>
<ul>
<li><code>github.com/aws/smithy-go/aws-http-auth</code>: <a
href="https://github.com/aws/smithy-go/blob/main/aws-http-auth/CHANGELOG.md#v100-2024-09-25">v1.0.0</a>
<ul>
<li><strong>Release</strong>: Initial release of module aws-http-auth,
which implements generically consumable SigV4 and SigV4a request
signing.</li>
</ul>
</li>
</ul>
<h1>Release (2024-09-19)</h1>
<h2>General Highlights</h2>
<ul>
<li><strong>Dependency Update</strong>: Updated to the latest SDK module
versions</li>
</ul>
<h2>Module Highlights</h2>
<ul>
<li><code>github.com/aws/smithy-go</code>: v1.21.0</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="f2ae388e50"><code>f2ae388</code></a>
Release 2025-01-21</li>
<li><a
href="d9b8ee9d55"><code>d9b8ee9</code></a>
refactor: fix deprecated for ioutil (<a
href="https://redirect.github.com/aws/smithy-go/issues/560">#560</a>)</li>
<li><a
href="ee8334e832"><code>ee8334e</code></a>
transport/http: fix metrics race condition (<a
href="https://redirect.github.com/aws/smithy-go/issues/555">#555</a>)</li>
<li><a
href="7e8149709c"><code>7e81497</code></a>
transport/http: fix go doc typo (<a
href="https://redirect.github.com/aws/smithy-go/issues/554">#554</a>)</li>
<li><a
href="a7d0f1ef5f"><code>a7d0f1e</code></a>
fix potential nil deref in waiter path matcher (<a
href="https://redirect.github.com/aws/smithy-go/issues/563">#563</a>)</li>
<li><a
href="e5c5ac3012"><code>e5c5ac3</code></a>
add changelog instructions and make recipe</li>
<li><a
href="5e16ee7648"><code>5e16ee7</code></a>
add missing waiter retry breakout on non-nil non-matched error (<a
href="https://redirect.github.com/aws/smithy-go/issues/561">#561</a>)</li>
<li><a
href="10fbeed6f8"><code>10fbeed</code></a>
Revert "Change defaults when generating a client via smithy CLI (<a
href="https://redirect.github.com/aws/smithy-go/issues/558">#558</a>)"
(<a
href="https://redirect.github.com/aws/smithy-go/issues/559">#559</a>)</li>
<li><a
href="95ba31879b"><code>95ba318</code></a>
Change defaults when generating a client via smithy CLI (<a
href="https://redirect.github.com/aws/smithy-go/issues/558">#558</a>)</li>
<li><a
href="bed421c3d7"><code>bed421c</code></a>
Release 2024-11-15</li>
<li>Additional commits viewable in <a
href="https://github.com/aws/smithy-go/compare/v1.22.0...v1.22.2">compare
view</a></li>
</ul>
</details>
<br />
<details>
<summary>Most Recent Ignore Conditions Applied to This Pull
Request</summary>
| Dependency Name | Ignore Conditions |
| --- | --- |
| github.com/aws/aws-sdk-go-v2/service/s3 | [< 1.28, > 1.27.1] |
| github.com/aws/aws-sdk-go-v2/config | [< 1.18, > 1.17.1] |
| github.com/aws/aws-sdk-go-v2/service/s3 | [< 1.31, > 1.30.5] |
</details>
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Deprecate the IgnoreAccountContacts feature flag. This causes the SA to
never query the contact column when reading registrations from the
database, and to never write a value for the contact column when
creating a new registration.
This requires updating or disabling several tests. These tests could be
deleted now, but I felt it was more appropriate for them to be fully
deleted when their corresponding services (e.g. expiration-mailer) are
also deleted.
Fixes https://github.com/letsencrypt/boulder/issues/8176
Remove `ToDNSSlice`, `FromProtoWithDefault`, and
`FromProtoSliceWithDefault` now that all their callers are gone. All
protobufs but one have migrated from DnsNames to Identifiers.
Remove TODOs for the exception, `ValidationRecord`, where an identifier
type isn't appropriate and it really only needs a string.
Rename `corepb.ValidationRecord.DnsName` to `Hostname` for clarity, to
match the corresponding PB's field name.
Improve various comments and docs re: IP address identifiers.
Depends on #8221 (which removes the last callers)
Fixes#8023
Change most functions in `ratelimits` to use full ACMEIdentifier(s) as
arguments, instead of using their values as strings. This makes the
plumbing from other packages more consistent, and allows us to:
Rename `FQDNsToETLDsPlusOne` to `coveringIdentifiers` and handle IP
identifiers, parsing IPv6 addresses into their covering /64 prefixes for
CertificatesPerDomain[PerAccount] bucket keys.
Port improved IP/CIDR validation logic to NewRegistrationsPerIPAddress &
PerIPv6Range.
Rename `domain` parts of bucket keys to either `identValue` or
`domainOrCIDR`.
Rename other internal functions to clarify that they now handle
identifier values, not just domains.
Add the new reserved IPv6 address range from RFC 9780.
For deployability, don't (yet) rename rate limits themselves; and
because it remains the name of the database table, preserve the term
`fqdnSets`.
Fixes#8223
Part of #7311
Simplify the main logic loop to simply revoke certs as soon as they're
identified, rather than jumping through hoops to identify and
deduplicate the associated accounts and emails. Make the Mailer portion
of the config optional for deployability.
Part of https://github.com/letsencrypt/boulder/issues/8199
Go 1.24.4 is a security release containing fixes to net/http,
os.OpenFile, and x509.Certificate.Verify, all of which we use. We appear
to be unaffected by the specific vulnerabilities described, however. See
the announcement here:
https://groups.google.com/g/golang-announce/c/ufZ8WpEsA3A
If a finalize CSR contains a SAN which looks like an IP address, don't
actually include that CN in our IssuanceRequest, and don't promote any
other SAN to be the CN either. This is similar to how we ignore the
CSR's CN when it is too long.
The golangci-lint project has released a v2, which is noticeably faster,
splits linters and formatters into separate categories, has greatly
improved support for staticcheck, and has an incompatible config file
format. Update our boulder-tools version of golangci-lint to v2, remove
our standalone staticcheck, and update our config file to match.
All of the identifiers being passed into the bucket construction helpers
have already passed through policy.WellFormedIdentifiers in the WFE. We
can trust that function, and our own ability to construct bucket keys,
to reduce the amount of revalidation we do before sending bucket keys to
redis.
The validateIdForName function is still used to validate override bucket
keys loaded from yaml.
This partially reverts https://github.com/letsencrypt/boulder/pull/8203,
which was landed as commit dea81c7381.
It leaves all of the boulder integration test environment changes in
place, while restoring the DNSAllowLoopbackAddresses config key and its
ability to influence the VA's behavior.
Remove static IPs from services that can be reached by their service
name. Remove consulnet and redisnet, and have the services which
connected to those network connect directly to bouldernet instead.
Instruct docker-compose to only dynamically allocate IPs from the upper
half of the bouldernet subset, to avoid clashing with the few static IPs
we still specify.
We no longer need a code path to resolve reserved IP addresses during
integration tests.
Move to a public IP for the remaining tests, after #8187 did so for many
of them.
Depends on #8187
Move usage of `sa.ReverseName` to a new `sa.EncodeIssuedName`, which
detects IP addresses and exempts them from being reversed. Retain
`reverseName` as an internal helper function.
Update `id-exporter`, `reversed-hostname-checker`, and tests to use the
new function and handle IP addresses.
Part of #7311
Move `IsReservedIP` and its supporting vars from `bdns` to `policy`.
Rewrite `IsReservedIP` to:
* Use `netip` because `netip.Prefix` can be used as a map key, allowing
us to define prefix lists more elegantly. This will enable future work
to import prefix lists from IANA's primary source data.
* Return an error including the reserved network's name.
Refactor `IsReservedIP` tests to be table-based.
Fixes#8040
Permit all valid identifier types in `wfe.NewOrder` and `csr.VerifyCSR`.
Permit certs with just IP address identifiers to skip
`sa.addIssuedNames`.
Check that URI SANs are empty in `csr.VerifyCSR`, which was previously
missed.
Use a real (Let's Encrypt) IP address range in integration testing, to
let challtestsrv satisfy IP address challenges.
Fixes#8192
Depends on #8154
If the IgnoreAccountContacts flag is set, don't bother writing the new
contacts to the database and instead just return the account object as
it stands. This does not require any test changes because
https://github.com/letsencrypt/boulder/pull/8198 already changed
registrationModelToPb to omit whatever contacts were retrieved from the
database before responding to the RA.
Part of https://github.com/letsencrypt/boulder/issues/8176
It appears that, in the past, we wanted id-exporter's "tell me all the
accounts with unexpired certificates" functionality to limit itself to
account that have contact info. The reasons for this limitation are
unclear, and are quickly becoming obsolete as we remove contact info
from the registrations table.
Remove this layer of filtering, so that id-exporter will retrieve all
accounts with active certificates, and not care whether the contact
column exists or not.
Part of https://github.com/letsencrypt/boulder/issues/8199
Alter the "registrations" table so that the "contact" column has a
default value of the JSON empty list "[]". This, once deployed to all
production environments, will allow Boulder to stop writing to and
reading from this column, in turn allowing it to be eventually wholly
dropped from the database.
IN-11365 tracks the corresponding production database changes
Part of https://github.com/letsencrypt/boulder/issues/8176
Add a feature flag "IgnoreAccountContacts" which has two effects in the
SA:
- When a new account is created, don't insert any contacts provided; and
- When an account is retrieved, ignore any contacts already present.
This causes boulder to act as though all accounts have no associated
contacts, and is the first step towards being able to drop the contacts
from the database entirely.
Part of https://github.com/letsencrypt/boulder/issues/8176
In cert-checker, inspect both the DNS Names and the IP Addresses
contained within the certificate being examined. Also add a check that
no other kinds of SANs exist in the certificate.
Fixes https://github.com/letsencrypt/boulder/issues/8183
Aaron Gable
Samantha Frank
Jacob Hoffman-Andrews
James Renken
dependabot[bot]
Phil Porada