These commits are when the Protocol Buffers files have changed: (only the last 100 relevant commits are shown)
| Commit: | a4ec1e6 | |
|---|---|---|
| Author: | Kiel C | |
Address review feedback: Update retrybackoff usage of authz revocation tests to 1) retry more quickly in the test expecting change, but 2) retry over a longer period of time in the test expecting stability to try to extend beyond the custom context timeout of the RA function. Rename SA gRPC methods to be consistently plural, reflecting their capability.
| Commit: | 50c0271 | |
|---|---|---|
| Author: | Kiel C | |
| Committer: | GitHub | |
Correct va proto field reservation comment. Co-authored-by: Samantha Frank <hello@entropy.cat>
| Commit: | c228681 | |
|---|---|---|
| Author: | Aaron Gable | |
Prevent parallel validation attempts
| Commit: | a4f47e2 | |
|---|---|---|
| Author: | Kiel C | |
| Committer: | GitHub | |
Rename RevokeAuthorizationFor to RevokeAuthorizationsFor Because it can revoke multiple authorizations. Co-authored-by: Aaron Gable <aaron@letsencrypt.org>
| Commit: | 11d39f3 | |
|---|---|---|
| Author: | Kiel C | |
| Committer: | Kiel C | |
Remove all string IDs fields for Authzs.
| Commit: | 2d9af66 | |
|---|---|---|
| Author: | Kiel C | |
Add RevokeAuthzsUponRevokeCert feature to RA.
| Commit: | 7edfb14 | |
|---|---|---|
| Author: | Kiel C | |
Add RevokeAuthorizations func to the SA gRPC service.
| Commit: | 187b602 | |
|---|---|---|
| Author: | Kiel C | |
| Committer: | GitHub | |
Add int-type Authz ID proto fields alongside any string-type proto fields (#8754) This is stage one of normalizing Authz ID to be consistently int64-type (#8722). --------- Co-authored-by: Aaron Gable <aaron@letsencrypt.org>
The documentation is generated from this commit.
| Commit: | e4f4650 | |
|---|---|---|
| Author: | Jacob Hoffman-Andrews | |
| Committer: | GitHub | |
add boulder-mtca service (#8776) Includes a proto file with a service definition, an entry in startservers.py and consul.hcl, and configs in test/config and test/config-next (since startservers doesn't currently have a nice way for services to start only in config-next, particularly once boulder-ra starts depending on boulder-mtca in CI). Also, fix a problem from #8764: the newly added field in `orders` was `mtcaID` but should have been `mtcLogID`.
| Commit: | 4e28035 | |
|---|---|---|
| Author: | Samantha Frank | |
| Committer: | GitHub | |
sfe/salesforce: Remove donation call-to-action and Cases support (#8751) Also, obviate the need to complete the proto changes in TODO #8410. These changes, documented in IN-12087, have not yet been applied in Staging or Production. Fixes #8744
| Commit: | 491e1e9 | |
|---|---|---|
| Author: | Jacob Hoffman-Andrews | |
| Committer: | GitHub | |
sa: getAuthorizationStatuses checks results (#8726) If this function gets fewer responses than expected, that means some of the authorizations were deleted before their containing order expired (or were never written due to a bug). Error out. Fix a test that fails with this extra check in place.
| Commit: | 5f894a9 | |
|---|---|---|
| Author: | Samantha Frank | |
| Committer: | GitHub | |
admin: Support creating incidents and adding serials (#8740) Add a StorageAuthorityAdmin gRPC service and four admin subcommands that move incident management into the `admin` tool. Register the service only for the admin client and write through a new `incidents_sa_admin` MySQL user; the existing `incidents_sa` user stays SELECT-only. Incidents can impact tens to hundreds of millions of certificates, and operators may load serials from multiple overlapping time spans during the affected window. `admin load-incident-serials` reads serials from a file, fans them out across N workers (default 10), and streams them to the SA in batches of 10,000. The server re-batches at the same threshold and uses `INSERT IGNORE` on insertion, so overlapping bulk loads and within-batch duplicates are idempotent. The remaining subcommands cover CRUD on the incidents table: - `admin create-incident` adds a row and creates the per-incident serials table. - `admin list-incidents` prints each incident's name, enabled state, renewBy, and URL. - `admin update-incident` changes any subset of url, renewBy, and enabled on an incident by name. Fixes #6943
| Commit: | 89eb46b | |
|---|---|---|
| Author: | Jacob Hoffman-Andrews | |
wip6
| Commit: | dffd6e1 | |
|---|---|---|
| Author: | Jacob Hoffman-Andrews | |
wip5
| Commit: | b45657a | |
|---|---|---|
| Author: | Jacob Hoffman-Andrews | |
| Committer: | GitHub | |
Update sa/proto/sa.proto Co-authored-by: Aaron Gable <aaron@letsencrypt.org>
| Commit: | a564c0e | |
|---|---|---|
| Author: | Jacob Hoffman-Andrews | |
sa: add RegistrationID to FinalizeAuthorization For now this is just passed in and ignored. In the future it will help fill the reusableAuthorizations table.
| Commit: | 84b88da | |
|---|---|---|
| Author: | Aaron Gable | |
| Committer: | GitHub | |
Remove sa.Count[Pending|Invalid]Authorizations2 (#8669) These methods were part of the old rate limits system, and therefore no longer have any callers.
| Commit: | ab67cd5 | |
|---|---|---|
| Author: | Samantha Frank | |
| Committer: | GitHub | |
sfe/ra/sa/admin: Prevent lower override requests from reducing limits (#8613) Today, an approved rate‑limit override request that is lower than an existing override would silently replace the stored override, allowing mistaken or malicious requests to reduce limits. The SA now detects lower overrides, skips the update, and returns the existing override in the response. The RA and SFE surface that signal so auto‑approval creates a Zendesk ticket with a private comment describing the existing override, and attempts to import a ticket with a lower override will result in a similar private comment and the ticket being moved to pending. Boulder will not attempt to import approved tickets with a pending status. The admin CLI commands for importing and adding/updating overrides gain a --force flag to override an existing higher limit, and now report “lower than existing” as an error by default. Fixes #8602
| Commit: | 3ce346c | |
|---|---|---|
| Author: | Jacob Hoffman-Andrews | |
| Committer: | GitHub | |
sa: Add GetOrderAuthorizations (#8605) This is a synonym for GetValidOrderAuthorizations2, which was a misnomer (it now returns _all_ authorizations for an order). Fixes #8603
| Commit: | 33cbdfb | |
|---|---|---|
| Author: | Samantha Frank | |
| Committer: | GitHub | |
salesforce: Rename email package and pardot-test-srv (#8523) - Rename email to salesforce - Rename pardot-test-srv to salesforce-test-srv - Continue building pardot-test-srv by copying salesforce-test-srv - Rename email.Exporter gRPC service to salesforce.Exporter - Register and listen for both salesforce.Exporter and legacy email.Exporter services - Allow salesforce.Exporter impl to answer email.Exporter service via an interface adapter/shim Part of #8410
| Commit: | 978877a | |
|---|---|---|
| Author: | Jacob Hoffman-Andrews | |
| Committer: | GitHub | |
Store authzIDs directly in order table (#8460) The `orders` table gets a new column `authzs`, containing a protobuf-encoded list of authorization IDs as int64s. Storing this data directly in the `orders` table will allow us to get rid of the `orderToAuthz2` table, which is large (#8451). There's a new feature flag, `StoreAuthzsInOrders`, which controls whether the SA expects the new column to exist. The SA gracefully handles the case where the new column is NULL, by querying the `orderToAuthz2` table. Eventually all valid orders will have a non-NULL `authzs` column and we can remove the fallback. I removed `orderToModel` because it had only one call site, and that call site only used a subset of fields. This avoids having to update `orderToModel` to know about encoding authzs, only to have that code actually go unused in practice.
| Commit: | abafa0a | |
|---|---|---|
| Author: | Samantha Frank | |
| Committer: | GitHub | |
sfe: Create Salesforce Case at override request form submission time (#8438)
| Commit: | c056257 | |
|---|---|---|
| Author: | Samantha | |
Merge remote-tracking branch 'origin/main' into salesforce-rest-api-client
| Commit: | c4fb84c | |
|---|---|---|
| Author: | Jacob Hoffman-Andrews | |
| Committer: | Samantha | |
sa: NewOrderAndAuthzs checks that nonzero authzs were provided (#8464) Also document the relevant fields.
| Commit: | cb7786b | |
|---|---|---|
| Author: | Jacob Hoffman-Andrews | |
| Committer: | GitHub | |
Deprecate NoPendingAuthzReuse flag (#8458)
| Commit: | 1d86023 | |
|---|---|---|
| Author: | Jacob Hoffman-Andrews | |
| Committer: | GitHub | |
sa: NewOrderAndAuthzs checks that nonzero authzs were provided (#8464) Also document the relevant fields.
| Commit: | f2e3e8d | |
|---|---|---|
| Author: | Jacob Hoffman-Andrews | |
| Committer: | Jacob Hoffman-Andrews | |
sa: document properties of NewOrderAndAuthzs And add a check that some authzs were provided.
| Commit: | b63f567 | |
|---|---|---|
| Author: | Jacob Hoffman-Andrews | |
Revert unnecessary diff
| Commit: | a62c3a5 | |
|---|---|---|
| Author: | Jacob Hoffman-Andrews | |
Cleanups from self review
| Commit: | bb5d560 | |
|---|---|---|
| Author: | Jacob Hoffman-Andrews | |
Remove RA involvement
| Commit: | 78c7f47 | |
|---|---|---|
| Author: | Jacob Hoffman-Andrews | |
| Committer: | Jacob Hoffman-Andrews | |
The Authzs Are In The Order
| Commit: | 1dcc6b1 | |
|---|---|---|
| Author: | Jacob Hoffman-Andrews | |
| Committer: | Jacob Hoffman-Andrews | |
Deprecate NoPendingAuthzReuse flag
| Commit: | c1af7fc | |
|---|---|---|
| Author: | Aaron Gable | |
| Committer: | GitHub | |
Delete sa.GetMaxExpiration and sa.GetRevokedCerts (#8401) These two SA methods were used only by the crl-updater's temporal (notAfter-based) sharding code. We now exclusively use explicit (CRLDP-based) sharding, and these methods have no callers. Fixes https://github.com/letsencrypt/boulder/issues/8399 Part of https://github.com/letsencrypt/boulder/issues/8322
| Commit: | 6c6e5e9 | |
|---|---|---|
| Author: | Samantha | |
Merge branch 'main' into salesforce-rest-api-client
| Commit: | d551663 | |
|---|---|---|
| Author: | Samantha | |
| Committer: | Samantha | |
email-exporter: Add Salesforce Cases support
| Commit: | e5992b0 | |
|---|---|---|
| Author: | Samantha | |
| Committer: | Samantha | |
email-exporter: Add Salesforce Cases support
| Commit: | da7c172 | |
|---|---|---|
| Author: | Samantha | |
WIP
| Commit: | d1422d2 | |
|---|---|---|
| Author: | Aaron Gable | |
| Committer: | GitHub | |
Reland "SA: Stop supporting OCSP status NotReady" (#8430) Reverts https://github.com/letsencrypt/boulder/pull/8429 Relands https://github.com/letsencrypt/boulder/pull/8395 Remove support for the "ocspNotReady" argument in AddPrecertificate requests, and delete the SetCertificateStatusReady gRPC method. All users of this field and method were removed in https://github.com/letsencrypt/boulder/pull/8394. Fixes https://github.com/letsencrypt/boulder/issues/8343
| Commit: | fec4c6e | |
|---|---|---|
| Author: | Aaron Gable | |
| Committer: | GitHub | |
Revert "Revert "SA: Stop supporting OCSP status NotReady" (#8429)" This reverts commit 30197ca49b6e7ebfdf8a969bd045110e0d859276.
| Commit: | 30197ca | |
|---|---|---|
| Author: | Aaron Gable | |
| Committer: | GitHub | |
Revert "SA: Stop supporting OCSP status NotReady" (#8429) Reverts https://github.com/letsencrypt/boulder/pull/8395 The reverted change needed to land one release behind https://github.com/letsencrypt/boulder/pull/8394. Unfortunately, the first release which contained 8394 also contained a bug, and had to be rolled back. The next release would contain both 8394 and 8395, which would lead to availability issues during a deploy when non-updated CA instances try to communicate with updated SA instances. Revert 8395 so that the next release can contain only 8394. This change will be followed by a re-land of 8395, after 8394 has been fully and successfully deployed. Part of https://github.com/letsencrypt/boulder/issues/8343
| Commit: | 5ec02bc | |
|---|---|---|
| Author: | Aaron Gable | |
Merge branch main into rm-sa-methods
| Commit: | 36426f8 | |
|---|---|---|
| Author: | Aaron Gable | |
| Committer: | GitHub | |
SA: Stop supporting OCSP status NotReady (#8395) Remove support for the "ocspNotReady" argument in AddPrecertificate requests, and delete the SetCertificateStatusReady gRPC method. All users of this field and method were removed in https://github.com/letsencrypt/boulder/pull/8394. Fixes https://github.com/letsencrypt/boulder/issues/8343
| Commit: | 5b28bb6 | |
|---|---|---|
| Author: | Aaron Gable | |
| Committer: | Aaron Gable | |
Delete sa.GetMaxExpiration
| Commit: | 3197d3a | |
|---|---|---|
| Author: | Aaron Gable | |
| Committer: | Aaron Gable | |
SA: Stop supporting OCSP status NotReady
| Commit: | fc6dd8f | |
|---|---|---|
| Author: | Aaron Gable | |
Delete sa.GetMaxExpiration
| Commit: | 88e8811 | |
|---|---|---|
| Author: | Aaron Gable | |
| Committer: | Aaron Gable | |
SA: Stop supporting OCSP status NotReady
| Commit: | 9cd7954 | |
|---|---|---|
| Author: | Aaron Gable | |
| Committer: | GitHub | |
Delete akamai-purger (#8352) The akamai-purger service no longer has any callers. Remove the code implementing this service, the tests which cover the service, and the akamai-test-srv API fake. Fixes https://github.com/letsencrypt/boulder/issues/8346
| Commit: | 513e113 | |
|---|---|---|
| Author: | Aaron Gable | |
| Committer: | GitHub | |
CA: delete GenerateOCSP method (#8351) Remove the CA.GenerateOCSP method, and all code related to signing OCSP responses. Fixes https://github.com/letsencrypt/boulder/issues/8349
| Commit: | 6e1615a | |
|---|---|---|
| Author: | Aaron Gable | |
| Committer: | GitHub | |
RA: delete GenerateOCSP method (#8350) Remove the RA.GenerateOCSP gRPC method. This must be completed (and the corresponding production config changes made) before we can remove the underlying CA.GenerateOCSP method. Fixes https://github.com/letsencrypt/boulder/issues/8348
| Commit: | af627a0 | |
|---|---|---|
| Author: | Aaron Gable | |
| Committer: | Aaron Gable | |
Delete akamai-purger
| Commit: | b504c58 | |
|---|---|---|
| Author: | Aaron Gable | |
| Committer: | Aaron Gable | |
Remove ca.GenerateOCSP
| Commit: | 0b3cd48 | |
|---|---|---|
| Author: | Aaron Gable | |
| Committer: | Aaron Gable | |
RA: delete GenerateOCSP method
| Commit: | caa980f | |
|---|---|---|
| Author: | Samantha Frank | |
| Committer: | GitHub | |
sa: Change a return type for GetEnabledRateLimitOverrides (#8280) These methods have no callers. Part of https://github.com/letsencrypt/boulder/issues/8165
| Commit: | a1fe727 | |
|---|---|---|
| Author: | Samantha | |
| Committer: | Samantha | |
sa/proto: Return full override response
| Commit: | d7e4ed1 | |
|---|---|---|
| Author: | Aaron Gable | |
| Committer: | GitHub | |
Remove the last vestiges of account contacts (#8247) Remove the concept of an account contact from all of boulder except the WFE. Specifically: - Delete the UpdateRegistrationContact methods from the RA and SA - Remove all understanding of the Contact field from the RA and SA's NewRegistration methods - Remove the Contact field from corepb.Registration to ensure it can never be communicated anywhere Note that this does not remove the Contact field from core.Registration, as that represents an ACME API type, and we're still willing to parse the Contact field from incoming new-account requests. Fixes https://github.com/letsencrypt/boulder/issues/8199
| Commit: | 1ca19f1 | |
|---|---|---|
| Author: | Samantha | |
sa/proto: Return full override response
| Commit: | 632b971 | |
|---|---|---|
| Author: | Aaron Gable | |
| Committer: | Aaron Gable | |
Remove all registration contact code paths
| Commit: | 9070d82 | |
|---|---|---|
| Author: | Samantha | |
Merge remote-tracking branch 'origin/main' into admin-overrides-in-database
| Commit: | 2919d4c | |
|---|---|---|
| Author: | Aaron Gable | |
| Committer: | Aaron Gable | |
Remove all registration contact code paths
| Commit: | 7214b28 | |
|---|---|---|
| Author: | James Renken | |
| Committer: | GitHub | |
identifier: Remove helper funcs from PB identifiers migration (#8236) Remove `ToDNSSlice`, `FromProtoWithDefault`, and `FromProtoSliceWithDefault` now that all their callers are gone. All protobufs but one have migrated from DnsNames to Identifiers. Remove TODOs for the exception, `ValidationRecord`, where an identifier type isn't appropriate and it really only needs a string. Rename `corepb.ValidationRecord.DnsName` to `Hostname` for clarity, to match the corresponding PB's field name. Improve various comments and docs re: IP address identifiers. Depends on #8221 (which removes the last callers) Fixes #8023
| Commit: | 0c3eed9 | |
|---|---|---|
| Author: | James Renken | |
identifier: Remove helper funcs from PB identifiers migration Remove `ToDNSSlice`, `FromProtoWithDefault`, and `FromProtoSliceWithDefault` now that all their callers are gone. All protobufs have migrated from DnsNames to Identifiers. Remove TODOs for the exception, `ValidationRecord`, where an identifier type isn't appropriate and it really only needs a string. Depends on #8221 (which removes the last callers) Fixes #8023
| Commit: | 69ba857 | |
|---|---|---|
| Author: | Samantha Frank | |
| Committer: | GitHub | |
ra: Allow rate limit overrides to be added/updated (#8218) #8217
| Commit: | 2426751 | |
|---|---|---|
| Author: | Samantha | |
| Committer: | Samantha | |
ra: Allow rate limit overrides to be added/updated
| Commit: | 3b6f3f7 | |
|---|---|---|
| Author: | Samantha | |
| Committer: | Samantha | |
sa/proto: Return full override response
| Commit: | ac68828 | |
|---|---|---|
| Author: | James Renken | |
| Committer: | GitHub | |
Replace most uses of net.IP with netip.Addr (#8205) Retain `net.IP` only where we directly work with `x509.Certificate` and friends. Fixes #5925 Depends on #8196
| Commit: | 7fc93b7 | |
|---|---|---|
| Author: | Samantha | |
sa/proto: Return full override response
| Commit: | 6cc61b0 | |
|---|---|---|
| Author: | James Renken | |
Replace most uses of net.IP with netip.Addr Retain `net.IP` only where we directly work with `x509.Certificate` and friends. Fixes #5925 Depends on #8196
| Commit: | aaaf623 | |
|---|---|---|
| Author: | James Renken | |
| Committer: | GitHub | |
va: Remove deprecated Domain from vapb.IsCAAValidRequest (#8193) Part of #8023
| Commit: | 0362f1c | |
|---|---|---|
| Author: | James Renken | |
| Committer: | James Renken | |
Remove deprecated Domain from vapb.IsCAAValidRequest Part of #8023
| Commit: | e625ff3 | |
|---|---|---|
| Author: | Samantha Frank | |
| Committer: | GitHub | |
sa: Store and manage rate limit overrides in the database (#8142) Add support for managing and querying rate limit overrides in the database. - Add `sa.AddRateLimitOverride` to insert or update a rate limit override. This will be used during Rate Limit Override Portal to commit approved overrides to the database. - Add `sa.DisableRateLimitOverride` and `sa.EnableRateLimitOverride` to toggle override state. These will be used by the `admin` tool. - Add `sa.GetRateLimitOverride` to retrieve a single override by limit enum and bucket key. This will be used by the Rate Limit Portal to prevent duplicate or downgrade requests but allow upgrade requests. - Add `sa.GetEnabledRateLimitOverrides` to stream all currently enabled overrides. This will be used by the rate limit consumers (`wfe` and `ra`) to refresh the overrides in-memory. - Implement test coverage for all new methods.
| Commit: | 650c269 | |
|---|---|---|
| Author: | James Renken | |
| Committer: | GitHub | |
ra, va: Bypass CAA for IP identifiers & use Identifier in IsCAAValidRequest (#8153) In `vapb.IsCAAValidRequest`, even though CAA is only for DNS names, deprecate `Domain` in favour of `Identifier` for consistency. In `va.DoCAA`, reject attempts to validate CAA for non-DNS identifiers. Rename `identifier` to `ident` inside some VA functions, also for consistency. In `ra.checkDCVAndCAA` & `ra.checkAuthorizationsCAA`, bypass CAA checks for IP address identifiers. Part of #7995
| Commit: | 8e7eaa9 | |
|---|---|---|
| Author: | James Renken | |
| Committer: | James Renken | |
va: Use Identifier in IsCAAValidRequest Even though CAA is only for DNS names, deprecate `Domain` in favour of `Identifier` for consistency. In `DoCAA`, reject attempts to validate CAA for non-DNS identifiers. Rename `identifier` to `ident` inside some VA functions, also for consistency.
| Commit: | 52615d9 | |
|---|---|---|
| Author: | James Renken | |
| Committer: | GitHub | |
ra: Fully support identifiers in NewOrder, PerformValidation & RevokeCertByApplicant (#8139) In `ra.NewOrder`, improve safety of authz reuse logic by making it explicit that only DNS identifiers might be wildcards. Also, now that the conditional statements need to be more complicated, collapse them for brevity. In `vapb.PerformValidationRequest`, remove `DnsName`. In `ra.PerformValidation`, pass an `Identifier` instead of a `DnsName`. In `ra.RevokeCertByApplicant`, check that the requester controls identifiers of all types (not just DNS). Fixes #7995 (the RA now fully supports IP address identifiers, except for rate limits) Fixes #7647 Part of #8023
| Commit: | bf37683 | |
|---|---|---|
| Author: | Samantha | |
| Committer: | Samantha | |
Addressing comments.
| Commit: | 4b701c6 | |
|---|---|---|
| Author: | James Renken | |
| Committer: | James Renken | |
Remove DnsName from vapb.PerformValidationRequest
| Commit: | 8a4d0cc | |
|---|---|---|
| Author: | James Renken | |
| Committer: | James Renken | |
va: Use Identifier in IsCAAValidRequest Even though CAA is only for DNS names, deprecate `Domain` in favour of `Identifier` for consistency. In `DoCAA`, reject attempts to validate CAA for non-DNS identifiers. Rename `identifier` to `ident` inside some VA functions, also for consistency.
| Commit: | 884441e | |
|---|---|---|
| Author: | James Renken | |
va: Use Identifier in IsCAAValidRequest Even though CAA is only for DNS names, deprecate `Domain` in favour of `Identifier` for consistency. In `DoCAA`, reject attempts to validate CAA for non-DNS identifiers. Rename `identifier` to `ident` inside some VA functions, also for consistency.
| Commit: | 86687d2 | |
|---|---|---|
| Author: | James Renken | |
Remove DnsName from vapb.PerformValidationRequest
| Commit: | d3e0156 | |
|---|---|---|
| Author: | Samantha | |
| Committer: | Samantha | |
sa: Rate limit overrides in the database
| Commit: | 712495e | |
|---|---|---|
| Author: | Samantha | |
| Committer: | Samantha | |
sa: Rate limit overrides in the database
| Commit: | e8eddc0 | |
|---|---|---|
| Author: | Jacob Hoffman-Andrews | |
| Committer: | GitHub | |
ca: remove capb.IssueCertificateForPrecertificateRequest (#8127) Fixes #8039
| Commit: | 0503782 | |
|---|---|---|
| Author: | Jacob Hoffman-Andrews | |
| Committer: | Jacob Hoffman-Andrews | |
Remove capb.IssueCertificateForPrecertificateRequest
| Commit: | d800055 | |
|---|---|---|
| Author: | Jacob Hoffman-Andrews | |
| Committer: | GitHub | |
ca: Remove IssuePrecertificateResponse (#8115) Instead, simply return DER bytes from `issuePrecertificate`, and accept regular parameters to `issueCertificateForPrecertificate` (instead of a proto message). Also, move the lookup of the certificate profile up to `IssueCertificate`, and pass the selected `*certProfileWithId` to both `issuePrecertificate` and `issueCertificateForPrecertificate`. Also, change `issueCertificateForPrecertificate` to just return DER, not a `*corepb.Certificate` (of which most fields were already being ignored).
| Commit: | 722f7c5 | |
|---|---|---|
| Author: | James Renken | |
| Committer: | GitHub | |
sa: Support new identifier types in authz getting funcs (#8104) Refactor `GetAuthorizations2`, `GetValidAuthorizations2` and `GetValidOrderAuthorizations2` to support non-DNS identifier types. Remove the deprecated `DnsNames` field from the `GetAuthorizationsRequest` and `GetValidAuthorizationsRequest` structs. All users of these structs use `Identifier` instead. Fixes #7922 Part of #7311
| Commit: | ff9e59d | |
|---|---|---|
| Author: | James Renken | |
| Committer: | GitHub | |
core: Remove DnsNames from Order (#8108) Remove the deprecated `DnsNames` field from the `corepb.Order` proto message. All users of this struct use `Identifiers` instead. This unblocks future changes that will require `Order` users to handle different identifier types. Part of #7311
| Commit: | 9b53c34 | |
|---|---|---|
| Author: | James Renken | |
| Committer: | GitHub | |
sa: Remove DnsNames from more request protos (#8105) Remove the deprecated `DnsNames` field from the `CountFQDNSetsRequest`, `FQDNSetExistsRequest`, and `GetOrderForNamesRequest` structs. All users of these structs use `Identifier` instead. Part of #7311
| Commit: | c426fc7 | |
|---|---|---|
| Author: | James Renken | |
| Committer: | GitHub | |
sa: Remove DnsNames from NewOrderRequest (#8101) Remove the deprecated `DnsNames` field from the `NewOrderRequest` struct. All users of this struct use `Identifier` instead. Part of #7311
| Commit: | 38a7197 | |
|---|---|---|
| Author: | James Renken | |
| Committer: | GitHub | |
sa: Support IP identifiers in CountInvalidAuthorizations2 (#8098) Remove the deprecated `DnsName` field from the `CountInvalidAuthorizationsRequest` struct. All users of this struct use `Identifier` instead. Part of #7311
| Commit: | 1e00ee5 | |
|---|---|---|
| Author: | James Renken | |
| Committer: | GitHub | |
ra: Remove DnsNames from NewOrderRequest (#8100) Remove the deprecated `DnsNames` field from the `NewOrderRequest` struct. All users of this struct use `Identifier` instead. Part of #7311
| Commit: | 767abc7 | |
|---|---|---|
| Author: | James Renken | |
| Committer: | GitHub | |
core: Remove DnsName from Authorization (#8097) Remove the deprecated `DnsName` field from the core `Authorization` struct. All users of this struct use `Identifier` instead. This unblocks future changes that will require `Authorization` users to handle different identifier types. Part of #7311
| Commit: | 76de5bf | |
|---|---|---|
| Author: | Jacob Hoffman-Andrews | |
| Committer: | GitHub | |
ca: unexport IssuePrecertificate and IssueCertificateForPrecertificate (#8092) These methods are still preserved as-is for now, and still take proto messages as arguments. But they are not exported as RPCs. Refactoring the arguments will be a followup PR. Part of #8039
| Commit: | 3f879ed | |
|---|---|---|
| Author: | James Renken | |
| Committer: | GitHub | |
Add Identifiers to Authorization & Order structs (#7961) Add `identifier` fields, which will soon replace the `dnsName` fields, to: - `corepb.Authorization` - `corepb.Order` - `rapb.NewOrderRequest` - `sapb.CountFQDNSetsRequest` - `sapb.CountInvalidAuthorizationsRequest` - `sapb.FQDNSetExistsRequest` - `sapb.GetAuthorizationsRequest` - `sapb.GetOrderForNamesRequest` - `sapb.GetValidAuthorizationsRequest` - `sapb.NewOrderRequest` Populate these `identifier` fields in every function that creates instances of these structs. Use these `identifier` fields instead of `dnsName` fields (at least preferentially) in every function that uses these structs. When crossing component boundaries, don't assume they'll be present, for deployability's sake. Deployability note: Mismatched `cert-checker` and `sa` versions will be incompatible because of a type change in the arguments to `sa.SelectAuthzsMatchingIssuance`. Part of #7311
| Commit: | ebf232c | |
|---|---|---|
| Author: | Aaron Gable | |
| Committer: | GitHub | |
Return updated account object on DeactivateRegistration path (#8060) Update the SA to re-query the database for the updated account after deactivating it, and return this to the RA. Update the RA to pass this value through to the WFE. Update the WFE to return this value, rather than locally modifying the pre-deactivation account object, if it gets one (for deployability). Also remove the RA's requirement that the request object specify its current status so that the request can be trimmed down to just an ID. This proto change is backwards-compatible because the new DeactivateRegistrationRequest's registrationID field has the same type (int64) and field number (1) as corepb.Registration's id field. Part of https://github.com/letsencrypt/boulder/issues/5554
| Commit: | 428fcb3 | |
|---|---|---|
| Author: | Samantha Frank | |
| Committer: | GitHub | |
ARI: Store and reflect optional "replaces" value for Orders (#8056) - Plumb the "replaces" value from the WFE through to the SA via the RA - Store validated "replaces" value for new orders in the orders table - Reflect the stored "replaces" value to subscribers in the order object - Reorder CertificateProfileName before Replaces/ReplacesSerial in RA and SA protos for consistency Fixes #8034
| Commit: | 3e6a8e2 | |
|---|---|---|
| Author: | James Renken | |
| Committer: | GitHub | |
va: Support IP address identifiers (#8020) Add an `identifier` field to the `va.PerformValidationRequest` proto, which will soon replace its `dnsName` field. Accept and prefer the `identifier` field in every VA function that uses this struct. Don't (yet) assume it will be present. Throughout the VA, accept and handle the IP address identifier type. Handling is similar to DNS names, except that `getAddrs` is not called, and consider that: - IPs are represented in a different field in the `x509.Certificate` struct. - IPs must be presented as reverse DNS (`.arpa`) names in SNI for [TLS-ALPN-01 challenge requests](https://datatracker.ietf.org/doc/html/rfc8738#name-tls-with-application-layer-). - IPv6 addresses are enclosed in square brackets when composing or parsing URLs. For HTTP-01 challenges, accept redirects to bare IP addresses, which were previously rejected. Fixes #2706 Part of #7311
| Commit: | 6b85b34 | |
|---|---|---|
| Author: | Samantha Frank | |
| Committer: | GitHub | |
email/exporter: Add email.Exporter gRPC service (#8017) Initial implementation of the email.Exporter gRPC service to be used by the new cmd/email-exporter. Part of #7966
| Commit: | e6c812a | |
|---|---|---|
| Author: | Samantha Frank | |
| Committer: | GitHub | |
va/ra: Deprecate EnforceMultiCAA and EnforceMPIC (#8025) Replace DCV and CAA checks (PerformValidation and IsCAAValid) in va/va.go and va/caa.go with their MPIC compliant counterparts (DoDCV and DoCAA) in va/vampic.go. Deprecate EnforceMultiCAA and EnforceMPIC and default code paths as though they are both true. Require that RIR and Perspective be set for primary and remote VAs. Fixes #7965 Fixes #7819
| Commit: | 692bd53 | |
|---|---|---|
| Author: | Jacob Hoffman-Andrews | |
| Committer: | GitHub | |
ca: unsplit issuance flow (#8014) Add a new RPC to the CA: `IssueCertificate` covers issuance of both the precertificate and the final certificate. In between, it calls out to the RA's new method `GetSCTs`. The RA calls the new `CA.IssueCertificate` if the `UnsplitIssuance` feature flag is true. The RA had a metric that counted certificates by profile name and hash. Since the RA doesn't receive a profile hash in the new flow, simply record the total number of issuances. Fixes https://github.com/letsencrypt/boulder/issues/7983
| Commit: | badc330 | |
|---|---|---|
| Author: | Samantha | |
| Committer: | Samantha | |
Prospect(s) -> Contact(s)
| Commit: | 30c983b | |
|---|---|---|
| Author: | Samantha | |
Merge remote-tracking branch 'origin/main' into add-email-exporter