Boulder-Observer: Add CRL, OCSP, and Certificate probers

Open jcjones opened this issue 2 years ago • 2 comments

To replace some additional existing infrastructure with Boulder Observer, we'd want to add three more things to probe:

  1. The validity and remaining lifetime of the CRL at a given URL
  2. The remaining lifetime of the certificate presented at a given URL
  3. The revocation status of the certificate presented at a given URL

For specific results, we would probably want to write Prometheus alerts to ensure that the lifetime of expired-isrgrootx1.l.o was negative, and that the OCSP for revoked-isrgrootx2.l.o was revoked, and of course the more normal cases.

----(tracking added by @beautifulentropy)----

  • [x] TLS validity (https://github.com/letsencrypt/boulder/pull/7120)
  • [x] CRL validity (https://github.com/letsencrypt/boulder/pull/6349)
  • [ ] Certificate Revocation Status

jcjones, Feb 02 '22 22:02
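A sketch of the first check in the list above (CRL validity and remaining lifetime), using only Go's standard `crypto/x509`. This is an added example, not part of the issue and not Boulder's own prober code; `constructedCRL` and `probeCRL` are hypothetical names, and the CA and CRL are constructed in memory so the example runs offline. The remaining lifetime is returned as a signed duration, so an expired CRL yields a negative value.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// constructedCRL builds a throwaway CA and a CRL signed by it (constructed sample data).
func constructedCRL(this, next time.Time) ([]byte, *x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed CA"},
		NotBefore: this, NotAfter: next, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCRLSign}
	caDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	crl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: this, NextUpdate: next}
	der, err := x509.CreateRevocationList(rand.Reader, crl, ca, priv)
	return der, ca, err
}

// probeCRL checks that der parses as a CRL signed by issuer and returns the time left until NextUpdate.
func probeCRL(der []byte, issuer *x509.Certificate, now time.Time) (time.Duration, error) {
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return 0, fmt.Errorf("parsing CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return 0, fmt.Errorf("CRL not signed by expected issuer: %w", err)
	}
	return crl.NextUpdate.Sub(now), nil // negative once the CRL has expired
}

func main() {
	der, ca, _ := constructedCRL(time.Now().Add(-time.Hour), time.Now().Add(6*time.Hour))
	fmt.Println(probeCRL(der, ca, time.Now()))
}
```
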

What's the priority on replacing that other infrastructure? We'd love to do this but aren't sure where it falls in our priority stack atm.

aarongable, Feb 16 '22 18:02