Boulder-Observer: Add CRL, OCSP, and Certificate probers
To replace some additional existing infrastructure with Boulder Observer, we'd want to add three more things to probe:
- The validity and remaining lifetime of the CRL at a given URL
- The remaining lifetime of the certificate presented at a given URL
- The revocation status of the certificate presented at a given URL
For specific results, we would probably want to write Prometheus alerts to ensure that the lifetime of expired-isrgrootx1.l.o was negative, and that the OCSP for revoked-isrgrootx2.l.o was revoked, and of course the more normal cases.
----(tracking added by @beautifulentropy)----
- [x] TLS validity (https://github.com/letsencrypt/boulder/pull/7120)
- [x] CRL validity (https://github.com/letsencrypt/boulder/pull/6349)
- [ ] Certificate Revocation Status
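
The first two measurements requested above (signed CRL lifetime and certificate lifetime, including the negative value expected for an expired certificate), sketched in Go as an added example. This is not Boulder Observer's code: `certLifetime`, `crlLifetime`, `sampleCA` and `must` are hypothetical names, and the CA and CRL are constructed in memory so the block runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certLifetime is the time left before NotAfter; negative once the cert has expired.
func certLifetime(c *x509.Certificate, now time.Time) time.Duration { return c.NotAfter.Sub(now) }

// crlLifetime verifies a DER CRL against issuer and returns the time left before NextUpdate.
func crlLifetime(der []byte, issuer *x509.Certificate, now time.Time) (time.Duration, error) {
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return 0, fmt.Errorf("parse CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return 0, fmt.Errorf("verify CRL: %w", err)
	}
	return crl.NextUpdate.Sub(now), nil
}

// sampleCA returns constructed test data: a throwaway CA (fixed all-zero seed) and a CRL it signed.
func sampleCA(notAfter, nextUpdate time.Time) (*x509.Certificate, []byte) {
	key := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed CA"},
		NotBefore: notAfter.Add(-48 * time.Hour), NotAfter: notAfter, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, t, key.Public(), key))))
	crl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: nextUpdate.Add(-time.Hour), NextUpdate: nextUpdate}
	return ca, must(x509.CreateRevocationList(rand.Reader, crl, ca, key))
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func main() {
	ca, crl := sampleCA(time.Now().Add(-time.Hour), time.Now().Add(6*time.Hour))
	fmt.Println(certLifetime(ca, time.Now()))
	fmt.Println(crlLifetime(crl, ca, time.Now()))
}
```

Returning the signed duration rather than a boolean lets an alert assert that a deliberately expired endpoint stays negative while production endpoints stay above a threshold.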
What's the priority on replacing that other infrastructure? We'd love to do this but aren't sure where it falls in our priority stack atm.