
Improve how we disable challenge types

Open aarongable opened this issue 1 year ago • 0 comments

When creating an authorization, populate it with all challenges appropriate for that challenge type, regardless of whether those challenge types are currently "enabled" in the config. This ensures that authorizations created during an incident for which we temporarily disabled a single challenge type can still be validated via that challenge type after the incident is over.

Also, when finalizing an order, check that the challenge type used to validate each authorization is not currently disabled. This ensures that, if we temporarily disable a single challenge due to an incident, we don't issue any more certificates using authorizations which were fulfilled using that disabled challenge.

Note that standard rolling deployment of this change is not safe if any challenges are disabled at the same time, due to the possibility of an updated RA not filtering a challenge when writing it to the database, and then a non-updated RA not filtering it when reading from the database. But if all challenges are enabled then this change is safe for normal deploy.

Fixes https://github.com/letsencrypt/boulder/issues/5913

DO NOT MERGE until https://github.com/letsencrypt/boulder/pull/7659 has been deployed

aarongable Aug 23 '24 22:08
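
The two rules described above, modelled in Go as an added example that is not Boulder's code: an authorization stores every appropriate challenge type regardless of the enabled set, and finalization rejects authorizations fulfilled via a type that is disabled at that moment. `Authz`, `Policy`, `NewAuthz`, `Validate`, `CheckFinalize` and `ErrDisabled` are hypothetical names, and refusing validation while a type is disabled is an assumption.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical types for illustration; these are not Boulder's own.
type Authz struct {
	Offered     map[string]bool // challenge types stored at creation
	ValidatedBy string          // type that fulfilled the authz; "" while pending
}

type Policy map[string]bool // challenge type -> currently enabled
var ErrDisabled = errors.New("challenge type currently disabled")

// NewAuthz takes no Policy: an authz created mid-incident keeps the disabled type.
func NewAuthz(appropriate ...string) *Authz {
	a := &Authz{Offered: map[string]bool{}}
	for _, c := range appropriate {
		a.Offered[c] = true
	}
	return a
}

// Validate is assumed to refuse a challenge type while it is disabled.
func (p Policy) Validate(a *Authz, chall string) error {
	if !a.Offered[chall] {
		return errors.New("challenge type not offered on this authz")
	}
	if !p[chall] {
		return ErrDisabled
	}
	a.ValidatedBy = chall
	return nil
}

// CheckFinalize rejects pending authzs ("" is never enabled) and authzs
// fulfilled via a challenge type that is disabled at finalization time.
func (p Policy) CheckFinalize(authzs ...*Authz) error {
	for i, a := range authzs {
		if !p[a.ValidatedBy] {
			return fmt.Errorf("authz %d (via %q) not usable: %w", i, a.ValidatedBy, ErrDisabled)
		}
	}
	return nil
}

func main() {
	fmt.Println(Policy{"http-01": true}.CheckFinalize(NewAuthz("http-01"))) // pending authz is rejected
}
```

Because `CheckFinalize` reads the policy at call time, re-enabling a challenge type makes earlier authorizations usable again without rewriting stored data.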