Jacob Hoffman-Andrews

Results 449 comments of Jacob Hoffman-Andrews

We actually need to do a little more here. Right now we submit to five logs:

- Google Xenon, Google Argon
- Sectigo Mammoth, Cloudflare Nimbus, Let's Encrypt Oak

We...

When these happen across RPC boundaries, they get wrapped in a gRPC error message (with `code = `, `rpc = ` etc). So this may be mainly an issue with...

One specific heuristic we want: Only notify if account A issued for Z twice or more (since there are a handful of setups that throw away the account key after...

A couple of alternatives:

- The container ecosystem seems to prefer collecting logs on stdout/stderr. Maybe we should switch to that style of logs collection? Boulder is already happy to...

As part of this, let's add a Prometheus counter in ocsp-responder for the various cases that can result in NotFound:

- DB returns NoRows
- IsExpired
- OCSPLastUpdated is zero...

Also worth noting: In terms of translation into ACME, it probably makes sense for the authorizations to be for a different identifier type (e.g. `onion`) since it's not verified using...

I had thought the max-age = time until nextUpdate was [specified in RFC 5019, but nope](https://datatracker.ietf.org/doc/html/rfc5019#section-6.2):

> cache-control Contains a number of caching directives.
> * max-age= -where n is...

This is the main improvement I want to make, which I think should fix about 90% of these cases: https://github.com/letsencrypt/boulder/issues/4702 Secondarily, https://github.com/letsencrypt/boulder/issues/2475 and https://github.com/letsencrypt/boulder/issues/4695

> it compares byte-for-byte that the responses are the same.

To clarify, this actually does a comparison of the statuses - so the ocsp-responder won't serve a `good` response from...