Proto commits in letsencrypt/boulder

These commits are when the Protocol Buffers files have changed: (only the last 100 relevant commits are shown)

Commit:a4ec1e6
Author:Kiel C

Address review feedback: Update retrybackoff usage of authz revocation tests to 1) retry more quickly in the test expecting change, but 2) retry over a longer period of time in the test expecting stability to try to extend beyond the custom context timeout of the RA function. Rename SA gRPC methods to be consistently plural, reflecting their capability.

Commit:50c0271
Author:Kiel C
Committer:GitHub

Correct va proto field reservation comment. Co-authored-by: Samantha Frank <hello@entropy.cat>

Commit:c228681
Author:Aaron Gable

Prevent parallel validation attempts

Commit:a4f47e2
Author:Kiel C
Committer:GitHub

Rename RevokeAuthorizationFor to RevokeAuthorizationsFor Because it can revoke multiple authorizations. Co-authored-by: Aaron Gable <aaron@letsencrypt.org>

Commit:11d39f3
Author:Kiel C
Committer:Kiel C

Remove all string IDs fields for Authzs.

Commit:2d9af66
Author:Kiel C

Add RevokeAuthzsUponRevokeCert feature to RA.

Commit:7edfb14
Author:Kiel C

Add RevokeAuthorizations func to the SA gRPC service.

Commit:187b602
Author:Kiel C
Committer:GitHub

Add int-type Authz ID proto fields alongside any string-type proto fields (#8754) This is stage one of normalizing Authz ID to be consistently int64-type (#8722). --------- Co-authored-by: Aaron Gable <aaron@letsencrypt.org>

The documentation is generated from this commit.

Commit:e4f4650
Author:Jacob Hoffman-Andrews
Committer:GitHub

add boulder-mtca service (#8776) Includes a proto file with a service definition, an entry in startservers.py and consul.hcl, and configs in test/config and test/config-next (since startservers doesn't currently have a nice way for services to start only in config-next, particularly once boulder-ra starts depending on boulder-mtca in CI). Also, fix a problem from #8764: the newly added field in `orders` was `mtcaID` but should have been `mtcLogID`.

Commit:4e28035
Author:Samantha Frank
Committer:GitHub

sfe/salesforce: Remove donation call-to-action and Cases support (#8751) Also, obviate the need to complete the proto changes in TODO #8410. These changes, documented in IN-12087, have not yet been applied in Staging or Production. Fixes #8744

Commit:491e1e9
Author:Jacob Hoffman-Andrews
Committer:GitHub

sa: getAuthorizationStatuses checks results (#8726) If this function gets fewer responses than expected, that means some of the authorizations were deleted before their containing order expired (or were never written due to a bug). Error out. Fix a test that fails with this extra check in place.

Commit:5f894a9
Author:Samantha Frank
Committer:GitHub

admin: Support creating incidents and adding serials (#8740) Add a StorageAuthorityAdmin gRPC service and four admin subcommands that move incident management into the `admin` tool. Register the service only for the admin client and write through a new `incidents_sa_admin` MySQL user; the existing `incidents_sa` user stays SELECT-only. Incidents can impact tens to hundreds of millions of certificates, and operators may load serials from multiple overlapping time spans during the affected window. `admin load-incident-serials` reads serials from a file, fans them out across N workers (default 10), and streams them to the SA in batches of 10,000. The server re-batches at the same threshold and uses `INSERT IGNORE` on insertion, so overlapping bulk loads and within-batch duplicates are idempotent. The remaining subcommands cover CRUD on the incidents table: - `admin create-incident` adds a row and creates the per-incident serials table. - `admin list-incidents` prints each incident's name, enabled state, renewBy, and URL. - `admin update-incident` changes any subset of url, renewBy, and enabled on an incident by name. Fixes #6943

Commit:89eb46b
Author:Jacob Hoffman-Andrews

wip6

Commit:dffd6e1
Author:Jacob Hoffman-Andrews

wip5

Commit:b45657a
Author:Jacob Hoffman-Andrews
Committer:GitHub

Update sa/proto/sa.proto Co-authored-by: Aaron Gable <aaron@letsencrypt.org>

Commit:a564c0e
Author:Jacob Hoffman-Andrews

sa: add RegistrationID to FinalizeAuthorization For now this is just passed in and ignored. In the future it will help fill the reusableAuthorizations table.

Commit:84b88da
Author:Aaron Gable
Committer:GitHub

Remove sa.Count[Pending|Invalid]Authorizations2 (#8669) These methods were part of the old rate limits system, and therefore no longer have any callers.

Commit:ab67cd5
Author:Samantha Frank
Committer:GitHub

sfe/ra/sa/admin: Prevent lower override requests from reducing limits (#8613) Today, an approved rate‑limit override request that is lower than an existing override would silently replace the stored override, allowing mistaken or malicious requests to reduce limits. The SA now detects lower overrides, skips the update, and returns the existing override in the response. The RA and SFE surface that signal so auto‑approval creates a Zendesk ticket with a private comment describing the existing override, and attempts to import a ticket with a lower override will result in a similar private comment and the ticket being moved to pending. Boulder will not attempt to import approved tickets with a pending status. The admin CLI commands for importing and adding/updating overrides gain a --force flag to override an existing higher limit, and now report “lower than existing” as an error by default. Fixes #8602

Commit:3ce346c
Author:Jacob Hoffman-Andrews
Committer:GitHub

sa: Add GetOrderAuthorizations (#8605) This is a synonym for GetValidOrderAuthorizations2, which was a misnomer (it now returns _all_ authorizations for an order). Fixes #8603

Commit:33cbdfb
Author:Samantha Frank
Committer:GitHub

salesforce: Rename email package and pardot-test-srv (#8523) - Rename email to salesforce - Rename pardot-test-srv to salesforce-test-srv - Continue building pardot-test-srv by copying salesforce-test-srv - Rename email.Exporter gRPC service to salesforce.Exporter - Register and listen for both salesforce.Exporter and legacy email.Exporter services - Allow salesforce.Exporter impl to answer email.Exporter service via an interface adapter/shim Part of #8410

Commit:978877a
Author:Jacob Hoffman-Andrews
Committer:GitHub

Store authzIDs directly in order table (#8460) The `orders` table gets a new column `authzs`, containing a protobuf-encoded list of authorization IDs as int64s. Storing this data directly in the `orders` table will allow us to get rid of the `orderToAuthz2` table, which is large (#8451). There's a new feature flag, `StoreAuthzsInOrders`, which controls whether the SA expects the new column to exist. The SA gracefully handles the case where the new column is NULL, by querying the `orderToAuthz2` table. Eventually all valid orders will have a non-NULL `authzs` column and we can remove the fallback. I removed `orderToModel` because it had only one call site, and that call site only used a subset of fields. This avoids having to update `orderToModel` to know about encoding authzs, only to have that code actually go unused in practice.

Commit:abafa0a
Author:Samantha Frank
Committer:GitHub

sfe: Create Salesforce Case at override request form submission time (#8438)

Commit:c056257
Author:Samantha

Merge remote-tracking branch 'origin/main' into salesforce-rest-api-client

Commit:c4fb84c
Author:Jacob Hoffman-Andrews
Committer:Samantha

sa: NewOrderAndAuthzs checks that nonzero authzs were provided (#8464) Also document the relevant fields.

Commit:cb7786b
Author:Jacob Hoffman-Andrews
Committer:GitHub

Deprecate NoPendingAuthzReuse flag (#8458)

Commit:1d86023
Author:Jacob Hoffman-Andrews
Committer:GitHub

sa: NewOrderAndAuthzs checks that nonzero authzs were provided (#8464) Also document the relevant fields.

Commit:f2e3e8d
Author:Jacob Hoffman-Andrews
Committer:Jacob Hoffman-Andrews

sa: document properties of NewOrderAndAuthzs And add a check that some authzs were provided.

Commit:b63f567
Author:Jacob Hoffman-Andrews

Revert unnecessary diff

Commit:a62c3a5
Author:Jacob Hoffman-Andrews

Cleanups from self review

Commit:bb5d560
Author:Jacob Hoffman-Andrews

Remove RA involvement

Commit:78c7f47
Author:Jacob Hoffman-Andrews
Committer:Jacob Hoffman-Andrews

The Authzs Are In The Order

Commit:1dcc6b1
Author:Jacob Hoffman-Andrews
Committer:Jacob Hoffman-Andrews

Deprecate NoPendingAuthzReuse flag

Commit:c1af7fc
Author:Aaron Gable
Committer:GitHub

Delete sa.GetMaxExpiration and sa.GetRevokedCerts (#8401) These two SA methods were used only by the crl-updater's temporal (notAfter-based) sharding code. We now exclusively use explicit (CRLDP-based) sharding, and these methods have no callers. Fixes https://github.com/letsencrypt/boulder/issues/8399 Part of https://github.com/letsencrypt/boulder/issues/8322

Commit:6c6e5e9
Author:Samantha

Merge branch 'main' into salesforce-rest-api-client

Commit:d551663
Author:Samantha
Committer:Samantha

email-exporter: Add Salesforce Cases support

Commit:e5992b0
Author:Samantha
Committer:Samantha

email-exporter: Add Salesforce Cases support

Commit:da7c172
Author:Samantha

WIP

Commit:d1422d2
Author:Aaron Gable
Committer:GitHub

Reland "SA: Stop supporting OCSP status NotReady" (#8430) Reverts https://github.com/letsencrypt/boulder/pull/8429 Relands https://github.com/letsencrypt/boulder/pull/8395 Remove support for the "ocspNotReady" argument in AddPrecertificate requests, and delete the SetCertificateStatusReady gRPC method. All users of this field and method were removed in https://github.com/letsencrypt/boulder/pull/8394. Fixes https://github.com/letsencrypt/boulder/issues/8343

Commit:fec4c6e
Author:Aaron Gable
Committer:GitHub

Revert "Revert "SA: Stop supporting OCSP status NotReady" (#8429)" This reverts commit 30197ca49b6e7ebfdf8a969bd045110e0d859276.

Commit:30197ca
Author:Aaron Gable
Committer:GitHub

Revert "SA: Stop supporting OCSP status NotReady" (#8429) Reverts https://github.com/letsencrypt/boulder/pull/8395 The reverted change needed to land one release behind https://github.com/letsencrypt/boulder/pull/8394. Unfortunately, the first release which contained 8394 also contained a bug, and had to be rolled back. The next release would contain both 8394 and 8395, which would lead to availability issues during a deploy when non-updated CA instances try to communicate with updated SA instances. Revert 8395 so that the next release can contain only 8394. This change will be followed by a re-land of 8395, after 8394 has been fully and successfully deployed. Part of https://github.com/letsencrypt/boulder/issues/8343

Commit:5ec02bc
Author:Aaron Gable

Merge branch main into rm-sa-methods

Commit:36426f8
Author:Aaron Gable
Committer:GitHub

SA: Stop supporting OCSP status NotReady (#8395) Remove support for the "ocspNotReady" argument in AddPrecertificate requests, and delete the SetCertificateStatusReady gRPC method. All users of this field and method were removed in https://github.com/letsencrypt/boulder/pull/8394. Fixes https://github.com/letsencrypt/boulder/issues/8343

Commit:5b28bb6
Author:Aaron Gable
Committer:Aaron Gable

Delete sa.GetMaxExpiration

Commit:3197d3a
Author:Aaron Gable
Committer:Aaron Gable

SA: Stop supporting OCSP status NotReady

Commit:fc6dd8f
Author:Aaron Gable

Delete sa.GetMaxExpiration

Commit:88e8811
Author:Aaron Gable
Committer:Aaron Gable

SA: Stop supporting OCSP status NotReady

Commit:9cd7954
Author:Aaron Gable
Committer:GitHub

Delete akamai-purger (#8352) The akamai-purger service no longer has any callers. Remove the code implementing this service, the tests which cover the service, and the akamai-test-srv API fake. Fixes https://github.com/letsencrypt/boulder/issues/8346

Commit:513e113
Author:Aaron Gable
Committer:GitHub

CA: delete GenerateOCSP method (#8351) Remove the CA.GenerateOCSP method, and all code related to signing OCSP responses. Fixes https://github.com/letsencrypt/boulder/issues/8349

Commit:6e1615a
Author:Aaron Gable
Committer:GitHub

RA: delete GenerateOCSP method (#8350) Remove the RA.GenerateOCSP gRPC method. This must be completed (and the corresponding production config changes made) before we can remove the underlying CA.GenerateOCSP method. Fixes https://github.com/letsencrypt/boulder/issues/8348

Commit:af627a0
Author:Aaron Gable
Committer:Aaron Gable

Delete akamai-purger

Commit:b504c58
Author:Aaron Gable
Committer:Aaron Gable

Remove ca.GenerateOCSP

Commit:0b3cd48
Author:Aaron Gable
Committer:Aaron Gable

RA: delete GenerateOCSP method

Commit:caa980f
Author:Samantha Frank
Committer:GitHub

sa: Change a return type for GetEnabledRateLimitOverrides (#8280) These methods have no callers. Part of https://github.com/letsencrypt/boulder/issues/8165

Commit:a1fe727
Author:Samantha
Committer:Samantha

sa/proto: Return full override response

Commit:d7e4ed1
Author:Aaron Gable
Committer:GitHub

Remove the last vestiges of account contacts (#8247) Remove the concept of an account contact from all of boulder except the WFE. Specifically: - Delete the UpdateRegistrationContact methods from the RA and SA - Remove all understanding of the Contact field from the RA and SA's NewRegistration methods - Remove the Contact field from corepb.Registration to ensure it can never be communicated anywhere Note that this does not remove the Contact field from core.Registration, as that represents an ACME API type, and we're still willing to parse the Contact field from incoming new-account requests. Fixes https://github.com/letsencrypt/boulder/issues/8199

Commit:1ca19f1
Author:Samantha

sa/proto: Return full override response

Commit:632b971
Author:Aaron Gable
Committer:Aaron Gable

Remove all registration contact code paths

Commit:9070d82
Author:Samantha

Merge remote-tracking branch 'origin/main' into admin-overrides-in-database

Commit:2919d4c
Author:Aaron Gable
Committer:Aaron Gable

Remove all registration contact code paths

Commit:7214b28
Author:James Renken
Committer:GitHub

identifier: Remove helper funcs from PB identifiers migration (#8236) Remove `ToDNSSlice`, `FromProtoWithDefault`, and `FromProtoSliceWithDefault` now that all their callers are gone. All protobufs but one have migrated from DnsNames to Identifiers. Remove TODOs for the exception, `ValidationRecord`, where an identifier type isn't appropriate and it really only needs a string. Rename `corepb.ValidationRecord.DnsName` to `Hostname` for clarity, to match the corresponding PB's field name. Improve various comments and docs re: IP address identifiers. Depends on #8221 (which removes the last callers) Fixes #8023

Commit:0c3eed9
Author:James Renken

identifier: Remove helper funcs from PB identifiers migration Remove `ToDNSSlice`, `FromProtoWithDefault`, and `FromProtoSliceWithDefault` now that all their callers are gone. All protobufs have migrated from DnsNames to Identifiers. Remove TODOs for the exception, `ValidationRecord`, where an identifier type isn't appropriate and it really only needs a string. Depends on #8221 (which removes the last callers) Fixes #8023

Commit:69ba857
Author:Samantha Frank
Committer:GitHub

ra: Allow rate limit overrides to be added/updated (#8218) #8217

Commit:2426751
Author:Samantha
Committer:Samantha

ra: Allow rate limit overrides to be added/updated

Commit:3b6f3f7
Author:Samantha
Committer:Samantha

sa/proto: Return full override response

Commit:ac68828
Author:James Renken
Committer:GitHub

Replace most uses of net.IP with netip.Addr (#8205) Retain `net.IP` only where we directly work with `x509.Certificate` and friends. Fixes #5925 Depends on #8196

Commit:7fc93b7
Author:Samantha

sa/proto: Return full override response

Commit:6cc61b0
Author:James Renken

Replace most uses of net.IP with netip.Addr Retain `net.IP` only where we directly work with `x509.Certificate` and friends. Fixes #5925 Depends on #8196

Commit:aaaf623
Author:James Renken
Committer:GitHub

va: Remove deprecated Domain from vapb.IsCAAValidRequest (#8193) Part of #8023

Commit:0362f1c
Author:James Renken
Committer:James Renken

Remove deprecated Domain from vapb.IsCAAValidRequest Part of #8023

Commit:e625ff3
Author:Samantha Frank
Committer:GitHub

sa: Store and manage rate limit overrides in the database (#8142) Add support for managing and querying rate limit overrides in the database. - Add `sa.AddRateLimitOverride` to insert or update a rate limit override. This will be used during Rate Limit Override Portal to commit approved overrides to the database. - Add `sa.DisableRateLimitOverride` and `sa.EnableRateLimitOverride` to toggle override state. These will be used by the `admin` tool. - Add `sa.GetRateLimitOverride` to retrieve a single override by limit enum and bucket key. This will be used by the Rate Limit Portal to prevent duplicate or downgrade requests but allow upgrade requests. - Add `sa.GetEnabledRateLimitOverrides` to stream all currently enabled overrides. This will be used by the rate limit consumers (`wfe` and `ra`) to refresh the overrides in-memory. - Implement test coverage for all new methods.

Commit:650c269
Author:James Renken
Committer:GitHub

ra, va: Bypass CAA for IP identifiers & use Identifier in IsCAAValidRequest (#8153) In `vapb.IsCAAValidRequest`, even though CAA is only for DNS names, deprecate `Domain` in favour of `Identifier` for consistency. In `va.DoCAA`, reject attempts to validate CAA for non-DNS identifiers. Rename `identifier` to `ident` inside some VA functions, also for consistency. In `ra.checkDCVAndCAA` & `ra.checkAuthorizationsCAA`, bypass CAA checks for IP address identifiers. Part of #7995

Commit:8e7eaa9
Author:James Renken
Committer:James Renken

va: Use Identifier in IsCAAValidRequest Even though CAA is only for DNS names, deprecate `Domain` in favour of `Identifier` for consistency. In `DoCAA`, reject attempts to validate CAA for non-DNS identifiers. Rename `identifier` to `ident` inside some VA functions, also for consistency.

Commit:52615d9
Author:James Renken
Committer:GitHub

ra: Fully support identifiers in NewOrder, PerformValidation & RevokeCertByApplicant (#8139) In `ra.NewOrder`, improve safety of authz reuse logic by making it explicit that only DNS identifiers might be wildcards. Also, now that the conditional statements need to be more complicated, collapse them for brevity. In `vapb.PerformValidationRequest`, remove `DnsName`. In `ra.PerformValidation`, pass an `Identifier` instead of a `DnsName`. In `ra.RevokeCertByApplicant`, check that the requester controls identifiers of all types (not just DNS). Fixes #7995 (the RA now fully supports IP address identifiers, except for rate limits) Fixes #7647 Part of #8023

Commit:bf37683
Author:Samantha
Committer:Samantha

Addressing comments.

Commit:4b701c6
Author:James Renken
Committer:James Renken

Remove DnsName from vapb.PerformValidationRequest

Commit:8a4d0cc
Author:James Renken
Committer:James Renken

va: Use Identifier in IsCAAValidRequest Even though CAA is only for DNS names, deprecate `Domain` in favour of `Identifier` for consistency. In `DoCAA`, reject attempts to validate CAA for non-DNS identifiers. Rename `identifier` to `ident` inside some VA functions, also for consistency.

Commit:884441e
Author:James Renken

va: Use Identifier in IsCAAValidRequest Even though CAA is only for DNS names, deprecate `Domain` in favour of `Identifier` for consistency. In `DoCAA`, reject attempts to validate CAA for non-DNS identifiers. Rename `identifier` to `ident` inside some VA functions, also for consistency.

Commit:86687d2
Author:James Renken

Remove DnsName from vapb.PerformValidationRequest

Commit:d3e0156
Author:Samantha
Committer:Samantha

sa: Rate limit overrides in the database

Commit:712495e
Author:Samantha
Committer:Samantha

sa: Rate limit overrides in the database

Commit:e8eddc0
Author:Jacob Hoffman-Andrews
Committer:GitHub

ca: remove capb.IssueCertificateForPrecertificateRequest (#8127) Fixes #8039

Commit:0503782
Author:Jacob Hoffman-Andrews
Committer:Jacob Hoffman-Andrews

Remove capb.IssueCertificateForPrecertificateRequest

Commit:d800055
Author:Jacob Hoffman-Andrews
Committer:GitHub

ca: Remove IssuePrecertificateResponse (#8115) Instead, simply return DER bytes from `issuePrecertificate`, and accept regular parameters to `issueCertificateForPrecertificate` (instead of a proto message). Also, move the lookup of the certificate profile up to `IssueCertificate`, and pass the selected `*certProfileWithId` to both `issuePrecertificate` and `issueCertificateForPrecertificate`. Also, change `issueCertificateForPrecertificate` to just return DER, not a `*corepb.Certificate` (of which most fields were already being ignored).

Commit:722f7c5
Author:James Renken
Committer:GitHub

sa: Support new identifier types in authz getting funcs (#8104) Refactor `GetAuthorizations2`, `GetValidAuthorizations2` and `GetValidOrderAuthorizations2` to support non-DNS identifier types. Remove the deprecated `DnsNames` field from the `GetAuthorizationsRequest` and `GetValidAuthorizationsRequest` structs. All users of these structs use `Identifier` instead. Fixes #7922 Part of #7311

Commit:ff9e59d
Author:James Renken
Committer:GitHub

core: Remove DnsNames from Order (#8108) Remove the deprecated `DnsNames` field from the `corepb.Order` proto message. All users of this struct use `Identifiers` instead. This unblocks future changes that will require `Order` users to handle different identifier types. Part of #7311

Commit:9b53c34
Author:James Renken
Committer:GitHub

sa: Remove DnsNames from more request protos (#8105) Remove the deprecated `DnsNames` field from the `CountFQDNSetsRequest`, `FQDNSetExistsRequest`, and `GetOrderForNamesRequest` structs. All users of these structs use `Identifier` instead. Part of #7311

Commit:c426fc7
Author:James Renken
Committer:GitHub

sa: Remove DnsNames from NewOrderRequest (#8101) Remove the deprecated `DnsNames` field from the `NewOrderRequest` struct. All users of this struct use `Identifier` instead. Part of #7311

Commit:38a7197
Author:James Renken
Committer:GitHub

sa: Support IP identifiers in CountInvalidAuthorizations2 (#8098) Remove the deprecated `DnsName` field from the `CountInvalidAuthorizationsRequest` struct. All users of this struct use `Identifier` instead. Part of #7311

Commit:1e00ee5
Author:James Renken
Committer:GitHub

ra: Remove DnsNames from NewOrderRequest (#8100) Remove the deprecated `DnsNames` field from the `NewOrderRequest` struct. All users of this struct use `Identifier` instead. Part of #7311

Commit:767abc7
Author:James Renken
Committer:GitHub

core: Remove DnsName from Authorization (#8097) Remove the deprecated `DnsName` field from the core `Authorization` struct. All users of this struct use `Identifier` instead. This unblocks future changes that will require `Authorization` users to handle different identifier types. Part of #7311

Commit:76de5bf
Author:Jacob Hoffman-Andrews
Committer:GitHub

ca: unexport IssuePrecertificate and IssueCertificateForPrecertificate (#8092) These methods are still preserved as-is for now, and still take proto messages as arguments. But they are not exported as RPCs. Refactoring the arguments will be a followup PR. Part of #8039

Commit:3f879ed
Author:James Renken
Committer:GitHub

Add Identifiers to Authorization & Order structs (#7961) Add `identifier` fields, which will soon replace the `dnsName` fields, to: - `corepb.Authorization` - `corepb.Order` - `rapb.NewOrderRequest` - `sapb.CountFQDNSetsRequest` - `sapb.CountInvalidAuthorizationsRequest` - `sapb.FQDNSetExistsRequest` - `sapb.GetAuthorizationsRequest` - `sapb.GetOrderForNamesRequest` - `sapb.GetValidAuthorizationsRequest` - `sapb.NewOrderRequest` Populate these `identifier` fields in every function that creates instances of these structs. Use these `identifier` fields instead of `dnsName` fields (at least preferentially) in every function that uses these structs. When crossing component boundaries, don't assume they'll be present, for deployability's sake. Deployability note: Mismatched `cert-checker` and `sa` versions will be incompatible because of a type change in the arguments to `sa.SelectAuthzsMatchingIssuance`. Part of #7311

Commit:ebf232c
Author:Aaron Gable
Committer:GitHub

Return updated account object on DeactivateRegistration path (#8060) Update the SA to re-query the database for the updated account after deactivating it, and return this to the RA. Update the RA to pass this value through to the WFE. Update the WFE to return this value, rather than locally modifying the pre-deactivation account object, if it gets one (for deployability). Also remove the RA's requirement that the request object specify its current status so that the request can be trimmed down to just an ID. This proto change is backwards-compatible because the new DeactivateRegistrationRequest's registrationID field has the same type (int64) and field number (1) as corepb.Registration's id field. Part of https://github.com/letsencrypt/boulder/issues/5554

Commit:428fcb3
Author:Samantha Frank
Committer:GitHub

ARI: Store and reflect optional "replaces" value for Orders (#8056) - Plumb the "replaces" value from the WFE through to the SA via the RA - Store validated "replaces" value for new orders in the orders table - Reflect the stored "replaces" value to subscribers in the order object - Reorder CertificateProfileName before Replaces/ReplacesSerial in RA and SA protos for consistency Fixes #8034

Commit:3e6a8e2
Author:James Renken
Committer:GitHub

va: Support IP address identifiers (#8020) Add an `identifier` field to the `va.PerformValidationRequest` proto, which will soon replace its `dnsName` field. Accept and prefer the `identifier` field in every VA function that uses this struct. Don't (yet) assume it will be present. Throughout the VA, accept and handle the IP address identifier type. Handling is similar to DNS names, except that `getAddrs` is not called, and consider that: - IPs are represented in a different field in the `x509.Certificate` struct. - IPs must be presented as reverse DNS (`.arpa`) names in SNI for [TLS-ALPN-01 challenge requests](https://datatracker.ietf.org/doc/html/rfc8738#name-tls-with-application-layer-). - IPv6 addresses are enclosed in square brackets when composing or parsing URLs. For HTTP-01 challenges, accept redirects to bare IP addresses, which were previously rejected. Fixes #2706 Part of #7311

Commit:6b85b34
Author:Samantha Frank
Committer:GitHub

email/exporter: Add email.Exporter gRPC service (#8017) Initial implementation of the email.Exporter gRPC service to be used by the new cmd/email-exporter. Part of #7966

Commit:e6c812a
Author:Samantha Frank
Committer:GitHub

va/ra: Deprecate EnforceMultiCAA and EnforceMPIC (#8025) Replace DCV and CAA checks (PerformValidation and IsCAAValid) in va/va.go and va/caa.go with their MPIC compliant counterparts (DoDCV and DoCAA) in va/vampic.go. Deprecate EnforceMultiCAA and EnforceMPIC and default code paths as though they are both true. Require that RIR and Perspective be set for primary and remote VAs. Fixes #7965 Fixes #7819

Commit:692bd53
Author:Jacob Hoffman-Andrews
Committer:GitHub

ca: unsplit issuance flow (#8014) Add a new RPC to the CA: `IssueCertificate` covers issuance of both the precertificate and the final certificate. In between, it calls out to the RA's new method `GetSCTs`. The RA calls the new `CA.IssueCertificate` if the `UnsplitIssuance` feature flag is true. The RA had a metric that counted certificates by profile name and hash. Since the RA doesn't receive a profile hash in the new flow, simply record the total number of issuances. Fixes https://github.com/letsencrypt/boulder/issues/7983

Commit:badc330
Author:Samantha
Committer:Samantha

Prospect(s) -> Contact(s)

Commit:30c983b
Author:Samantha

Merge remote-tracking branch 'origin/main' into add-email-exporter