Merge branch 'main' of github.com:letsencrypt/boulder into newnewtxnb…

…uilder

.github/workflows/release.yml

@@ -48,3 +48,14 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         # https://cli.github.com/manual/gh_release_upload
         run: gh release upload "${GITHUB_REF_NAME}" boulder*.deb boulder*.tar.gz boulder*.checksums.txt
+
+      - name: Build ct-test-srv Container
+        run: docker buildx build . --build-arg "GO_VERSION=${{ matrix.GO_VERSION }}" -f test/ct-test-srv/Dockerfile -t "ghcr.io/letsencrypt/ct-test-srv:${{ github.ref_name }}"
+
+      - name: Login to ghcr.io
+        run: printenv GITHUB_TOKEN | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Push ct-test-srv Container
+        run: docker push "ghcr.io/letsencrypt/ct-test-srv:${{ github.ref_name }}"

.github/workflows/try-release.yml

@@ -42,3 +42,6 @@ jobs:
       - name: Show checksums
         id: check
         run: cat boulder*.checksums.txt
+
+      - name: Build ct-test-srv Container
+        run: docker buildx build . --build-arg "GO_VERSION=${{ matrix.GO_VERSION }}" -f test/ct-test-srv/Dockerfile -t "ghcr.io/letsencrypt/ct-test-srv:${{ github.sha }}"

publisher/publisher.go

@@ -39,19 +39,28 @@ type Log struct {
 	client *ctClient.LogClient
 }
 
+// cacheKey is a comparable type for use as a key within a logCache. It holds
+// both the log URI and its log_id (base64 encoding of its pubkey), so that
+// the cache won't interfere if the RA decides that a log's URI or pubkey has
+// changed.
+type cacheKey struct {
+	uri    string
+	pubkey string
+}
+
 // logCache contains a cache of *Log's that are constructed as required by
 // `SubmitToSingleCT`
 type logCache struct {
 	sync.RWMutex
-	logs map[string]*Log
+	logs map[cacheKey]*Log
 }
 
 // AddLog adds a *Log to the cache by constructing the statName, client and
 // verifier for the given uri & base64 public key.
 func (c *logCache) AddLog(uri, b64PK, userAgent string, logger blog.Logger) (*Log, error) {
 	// Lock the mutex for reading to check the cache
 	c.RLock()
-	log, present := c.logs[b64PK]
+	log, present := c.logs[cacheKey{uri, b64PK}]
 	c.RUnlock()
 
 	// If we have already added this log, give it back
@@ -68,7 +77,7 @@ func (c *logCache) AddLog(uri, b64PK, userAgent string, logger blog.Logger) (*Lo
 	if err != nil {
 		return nil, err
 	}
-	c.logs[b64PK] = log
+	c.logs[cacheKey{uri, b64PK}] = log
 	return log, nil
 }
 
@@ -218,7 +227,7 @@ func New(
 		issuerBundles: bundles,
 		userAgent:     userAgent,
 		ctLogsCache: logCache{
-			logs: make(map[string]*Log),
+			logs: make(map[cacheKey]*Log),
 		},
 		log:     logger,
 		metrics: initMetrics(stats),

publisher/publisher_test.go

@@ -269,7 +269,7 @@ func TestTimestampVerificationPast(t *testing.T) {
 
 func TestLogCache(t *testing.T) {
 	cache := logCache{
-		logs: make(map[string]*Log),
+		logs: make(map[cacheKey]*Log),
 	}
 
 	// Adding a log with an invalid base64 public key should error

test/ct-test-srv/Dockerfile

@@ -0,0 +1,25 @@
+ARG GO_VERSION
+
+FROM golang:${GO_VERSION} AS build
+
+WORKDIR /app
+
+COPY go.mod go.sum vendor ./
+
+COPY . .
+
+RUN go build -o /bin/ct-test-srv ./test/ct-test-srv/main.go
+
+FROM ubuntu:24.04
+
+RUN useradd -r -u 10001 cttest
+
+COPY --from=build /bin/ct-test-srv /bin/ct-test-srv
+
+COPY test/ct-test-srv/ct-test-srv.json /etc/ct-test-srv.json
+
+ENTRYPOINT ["/bin/ct-test-srv"]
+
+USER cttest
+
+CMD ["-config", "/etc/ct-test-srv.json"]

test/ct-test-srv/main.go

@@ -236,8 +236,8 @@ func runPersonality(p Personality) {
 		Handler: m,
 	}
 	logID := sha256.Sum256(pubKeyBytes)
-	log.Printf("ct-test-srv on %s with pubkey %s and log ID %s", p.Addr,
-		base64.StdEncoding.EncodeToString(pubKeyBytes), base64.StdEncoding.EncodeToString(logID[:]))
+	log.Printf("ct-test-srv on %s with pubkey: %s, log ID: %s, flakiness: %d%%", p.Addr,
+		base64.StdEncoding.EncodeToString(pubKeyBytes), base64.StdEncoding.EncodeToString(logID[:]), p.FlakinessRate)
 	log.Fatal(srv.ListenAndServe())
 }
 

web/context.go

@@ -35,12 +35,7 @@ type RequestEvent struct {
 	Slug           string   `json:",omitempty"`
 	InternalErrors []string `json:",omitempty"`
 	Error          string   `json:",omitempty"`
-	// If there is an error checking the data store for our rate limits
-	// we ignore it, but attach the error to the log event for analysis.
-	// TODO(#7796): Treat errors from the rate limit system as normal
-	// errors and put them into InternalErrors.
-	IgnoredRateLimitError string `json:",omitempty"`
-	UserAgent             string `json:"ua,omitempty"`
+	UserAgent      string   `json:"ua,omitempty"`
 	// Origin is sent by the browser from XHR-based clients.
 	Origin string                 `json:",omitempty"`
 	Extra  map[string]interface{} `json:",omitempty"`

wfe2/wfe.go

@@ -798,7 +798,8 @@ func (wfe *WebFrontEndImpl) NewAccount(
 			wfe.sendError(response, logEvent, probs.RateLimited(err.Error()), err)
 			return
 		} else {
-			logEvent.IgnoredRateLimitError = err.Error()
+			wfe.sendError(response, logEvent, web.ProblemDetailsForError(err, "While checking rate limits"), err)
+			return
 		}
 	}
 
@@ -2401,14 +2402,13 @@ func (wfe *WebFrontEndImpl) NewOrder(
 	}
 
 	refundLimits, err := wfe.checkNewOrderLimits(ctx, acct.ID, names, isRenewal || isARIRenewal)
-	if err != nil {
+	if err != nil && features.Get().UseKvLimitsForNewOrder {
 		if errors.Is(err, berrors.RateLimit) {
-			if features.Get().UseKvLimitsForNewOrder {
-				wfe.sendError(response, logEvent, probs.RateLimited(err.Error()), err)
-				return
-			}
+			wfe.sendError(response, logEvent, probs.RateLimited(err.Error()), err)
+			return
 		} else {
-			logEvent.IgnoredRateLimitError = err.Error()
+			wfe.sendError(response, logEvent, web.ProblemDetailsForError(err, "While checking rate limits"), err)
+			return
 		}
 	}