Merge remote-tracking branch 'origin/main' into add-dns-persist-support

Author: beautifulentropy

.github/workflows/boulder-ci.yml

@@ -36,8 +36,7 @@ jobs:
       matrix:
         # Add additional docker image tags here and all tests will be run with the additional image.
         BOULDER_TOOLS_TAG:
-          - go1.25.5_2025-12-03
-          - go1.25.7_2026-02-04
+          - go1.26.1_2026-03-09
         # Tests command definitions. Use the entire "docker compose" command you want to run.
         tests:
           # Run ./test.sh --help for a description of each of the flags.
@@ -67,7 +66,7 @@ jobs:
       # use in tests. It will be set appropriately for each tag in the list
       # defined in the matrix.
       BOULDER_TOOLS_TAG: ${{ matrix.BOULDER_TOOLS_TAG }}
-      BOULDER_VTCOMBOSERVER_TAG: vitessv23.0.0_2026-01-28
+      BOULDER_VTCOMBOSERVER_TAG: vitessv23.0.0_2026-03-05
 
     # Sequence of tasks that will be executed as part of the job.
     steps:
@@ -130,7 +129,7 @@ jobs:
       # When set to true, GitHub cancels all in-progress jobs if any matrix job fails. Default: true
       fail-fast: false
       matrix:
-        go-version: [ '1.25.7' ]
+        go-version: [ '1.26.1' ]
 
     steps:
       # Checks out your repository under $GITHUB_WORKSPACE, so your job can access it

.github/workflows/release.yml

@@ -35,7 +35,7 @@ jobs:
       fail-fast: false
       matrix:
         GO_VERSION:
-          - "1.25.5"
+          - "1.26.1"
     runs-on: ubuntu-24.04
     permissions:
       contents: write

.github/workflows/try-release.yml

@@ -20,7 +20,7 @@ jobs:
       fail-fast: false
       matrix:
         GO_VERSION:
-          - "1.25.5"
+          - "1.26.1"
     runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@v6

cmd/boulder-observer/README.md

@@ -31,6 +31,9 @@ Prometheus.
       * [TLS](#tls)
         * [Schema](#schema-6)
         * [Example](#example-6)
+      * [CCADB](#ccadb)
+        * [Schema](#schema-7)
+        * [Example](#example-7)
   * [Metrics](#metrics)
     * [Global Metrics](#global-metrics)
       * [obs_monitors](#obs_monitors)
@@ -255,6 +258,38 @@ monitors:
       response: valid
 ```
 
+#### CCADB
+
+##### Schema
+
+`allCertificatesCSVURL`: URL of the "V4 All Certificate Information (root and
+  intermediate) in CCADB (CSV)" report from https://www.ccadb.org/resources.
+  Default value works.
+
+`certificatePEMsURL`: Base URL of the "All Certificate PEMs" report from
+  https://www.ccadb.org/resources (i.e. without the "NotBeforeDecade"
+  parameter). Default value works.
+
+`caOwner`: The value of the "CA Owner" field to filter on in the "All
+  Certificate Information" report. Default value works for ISRG.
+
+`crlAgeLimit`: Error when a CRL is older than this.
+
+`crlRegexp`: A regexp that matches our CRL URLs. Prevents fetching arbitrary
+  URLs. At a minimum this should have strict matching on the origin part of the
+  URL. Default value works.
+
+##### Example
+
+```yaml
+monitors:
+  -
+    period: 1h
+    kind: CCADB
+    settings:
+      crlAgeLimit: 2h
+```
+
 ## Metrics
 
 Observer provides the following metrics.
@@ -442,4 +477,4 @@ prometheus --config.file=boulder/test/prometheus/prometheus.yml
 ### Viewing metrics locally
 
 When developing with a local Prometheus instance you can use this link
-to view metrics: [link](http://0.0.0.0:9090)
+to view metrics: [link](http://0.0.0.0:9090)

cmd/boulder-observer/main.go

@@ -13,6 +13,8 @@ import (
 )
 
 func main() {
+	defer cmd.AuditPanic()
+
 	debugAddr := flag.String("debug-addr", "", "Debug server address override")
 	configPath := flag.String(
 		"config", "config.yml", "Path to boulder-observer configuration file")

core/objects.go

@@ -197,10 +197,7 @@ func (ch Challenge) RecordsSane() bool {
 	switch ch.Type {
 	case ChallengeTypeHTTP01:
 		for _, rec := range ch.ValidationRecord {
-			// TODO(#7140): Add a check for ResolverAddress == "" only after the
-			// core.proto change has been deployed.
-			if rec.URL == "" || rec.Hostname == "" || rec.Port == "" || (rec.AddressUsed == netip.Addr{}) ||
-				len(rec.AddressesResolved) == 0 {
+			if rec.URL == "" || rec.Hostname == "" || rec.Port == "" || (rec.AddressUsed == netip.Addr{}) || len(rec.AddressesResolved) == 0 {
 				return false
 			}
 		}
@@ -211,18 +208,13 @@ func (ch Challenge) RecordsSane() bool {
 		if ch.ValidationRecord[0].URL != "" {
 			return false
 		}
-		// TODO(#7140): Add a check for ResolverAddress == "" only after the
-		// core.proto change has been deployed.
-		if ch.ValidationRecord[0].Hostname == "" || ch.ValidationRecord[0].Port == "" ||
-			(ch.ValidationRecord[0].AddressUsed == netip.Addr{}) || len(ch.ValidationRecord[0].AddressesResolved) == 0 {
+		if ch.ValidationRecord[0].Hostname == "" || ch.ValidationRecord[0].Port == "" || (ch.ValidationRecord[0].AddressUsed == netip.Addr{}) || len(ch.ValidationRecord[0].AddressesResolved) == 0 {
 			return false
 		}
 	case ChallengeTypeDNS01, ChallengeTypeDNSAccount01, ChallengeTypeDNSPersist01:
 		if len(ch.ValidationRecord) > 1 {
 			return false
 		}
-		// TODO(#7140): Add a check for ResolverAddress == "" only after the
-		// core.proto change has been deployed.
 		if ch.ValidationRecord[0].Hostname == "" {
 			return false
 		}

docker-compose.yml

@@ -8,7 +8,7 @@ services:
       context: test/boulder-tools/
       # Should match one of the GO_CI_VERSIONS in test/boulder-tools/tag_and_upload.sh.
       args:
-        GO_VERSION: 1.25.7
+        GO_VERSION: 1.26.1
     environment:
       # To solve HTTP-01 and TLS-ALPN-01 challenges, change the IP in FAKE_DNS
       # to the IP address where your ACME client's solver is listening. This is
@@ -78,6 +78,8 @@ services:
 
   bmariadb:
     image: mariadb:10.11.13
+    volumes:
+      - ./sa/db:/docker-entrypoint-initdb.d
     networks:
       bouldernet:
         aliases:
@@ -145,11 +147,13 @@ services:
     image: letsencrypt/boulder-vtcomboserver:${BOULDER_VTCOMBOSERVER_TAG:-latest}
     build:
       context: test/vtcomboserver/
+    volumes:
+      - ./:/boulder/
     environment:
       # By specifying KEYSPACES vttestserver will create the corresponding
       # databases on startup.
-      KEYSPACES: boulder_sa,incidents_sa
-      NUM_SHARDS: 1,1
+      KEYSPACES: boulder_sa,incidents_sa,boulder_sa_next,incidents_sa_next
+      NUM_SHARDS: 1,1,1,1
     networks:
       bouldernet:
         aliases:

features/features.go

@@ -78,7 +78,7 @@ type Config struct {
 	// DNSAccount01Enabled controls support for the dns-account-01 challenge
 	// type. When enabled, the server can offer and validate this challenge
 	// during certificate issuance. This flag must be set to true in the
-	// RA, VA, and WFE2 services for full functionality.
+	// RA and VA services for full functionality.
 	DNSAccount01Enabled bool
 
 	// DNSPersist01Enabled controls support for the dns-persist-01 challenge

go.mod

@@ -1,6 +1,6 @@
 module github.com/letsencrypt/boulder
 
-go 1.25.0
+go 1.25
 
 require (
 	github.com/aws/aws-sdk-go-v2 v1.41.0

mocks/sa.go

@@ -311,10 +311,6 @@ func (sa *StorageAuthorityReadOnly) GetOrderForNames(_ context.Context, _ *sapb.
 	return nil, nil
 }
 
-func (sa *StorageAuthorityReadOnly) CountPendingAuthorizations2(ctx context.Context, req *sapb.RegistrationID, _ ...grpc.CallOption) (*sapb.Count, error) {
-	return &sapb.Count{}, nil
-}
-
 func (sa *StorageAuthorityReadOnly) GetValidOrderAuthorizations2(ctx context.Context, req *sapb.GetOrderAuthorizationsRequest, _ ...grpc.CallOption) (*sapb.Authorizations, error) {
 	return nil, nil
 }
@@ -323,10 +319,6 @@ func (sa *StorageAuthorityReadOnly) GetOrderAuthorizations(ctx context.Context,
 	return nil, nil
 }
 
-func (sa *StorageAuthorityReadOnly) CountInvalidAuthorizations2(ctx context.Context, req *sapb.CountInvalidAuthorizationsRequest, _ ...grpc.CallOption) (*sapb.Count, error) {
-	return &sapb.Count{}, nil
-}
-
 func (sa *StorageAuthorityReadOnly) GetValidAuthorizations2(ctx context.Context, req *sapb.GetValidAuthorizationsRequest, _ ...grpc.CallOption) (*sapb.Authorizations, error) {
 	if req.RegistrationID != 1 && req.RegistrationID != 5 && req.RegistrationID != 4 {
 		return &sapb.Authorizations{}, nil