Jacob Hoffman-Andrews
Right now checked_redis_source uses sa.SelectCertificateStatus to get a status to check against. However, it only needs a few fields: status, revokedReason, and revokedAt. We can make our query only touch...
We have OCSP implemented. According to our CPS we don't need to sign CRLs for leaf certificates, only for our intermediate. However, Firefox and Chrome each have a non-OCSP mechanism...
On Feb 17, we observed two VA instances killed by the OOM killer. Stats show that memory usage grew rapidly before the OOM kill, but goroutine count did not. Circumstantially,...
SMTP mail submission is somewhat annoying to scale because it is inherently connection oriented and offers a limited palette of error codes. Also we suspect most providers have a more...
Right now, the `wastedassign` lint in golangci-lint gives this error:
```
WARN [linters context] wastedassign is disabled because of go1.18. You can track the evolution of the go1.18 support by...
```
This will make it easier to add and remove backends, and will also allow gRPC backends on varying ports.
In findUnrevoked, we should use rows.Scan to stream rows rather than reading them all in one go. We should also remove the ORDER BY and LIMIT. Instead of those, we...
We often have very short-lived load spikes at 00:00 UTC. When these happen, performance degrades. One of the bottlenecks is database capacity. During a spike, we often spin up a...
Right now, the expiration-mailer's loop is like this:
- Query certificateStatus for all certificates expiring in a given time range where lastNagSent is sufficiently in the past.
- For each...