letsencrypt
SFE: Implement self-service frontend for account pausing/unpausing
Adds a new boulder component named sfe aka the Self-service FrontEnd which is dedicated to non-ACME related Subscriber functions. This change implements one such function which is a web interface and handlers for account unpausing.
When paused, an ACME client receives a log line URL with a JWT parameter from the WFE. For the observant Subscriber, manually clicking the link opens their web browser and displays a page with a pre-filled HTML form. Upon clicking the form button, the SFE sends an HTTP POST back to itself and either validates the JWT and issues an RA gRPC request to unpause the account, or returns an HTML error page.
The SFE and WFE should share a 32 byte seed value e.g. the output of openssl rand -hex 16 which will be used to derive an Ed25519 keypair. The WFE will use the private key to generate the JWT while the SFE uses the public key to validate it. The SFE will check various RFC 7519 claims on the JWT such as the iss, aud, nbf, exp, iat, and a custom apiVersion claim.
The SFE should not yet be relied upon or deployed to staging/production environments. It is very much a work in progress, but this change is big enough as-is.
Related to https://github.com/letsencrypt/boulder/issues/7406 Part of https://github.com/letsencrypt/boulder/issues/7499
@pgporada, this PR appears to contain configuration and/or SQL schema changes. Please ensure that a corresponding deployment ticket has been filed with the new values.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
The sfe and as a result the config changes are not yet ready to be deployed so I will not be filing that ticket.