boulder
An ACME-based certificate authority, written in Go.
Today we're enforcing that these implementations satisfy the grpc.checker interface conventionally, which places the onus on the reviewer. It would be much easier to have the compiler check this at...
Within `sa.addRevokedCertificate`, detect if the insert failed due to a duplicate primary key, and return `berrors.AlreadyRevoked` in that case. This matches the behavior of `sa.RevokeCertificate` when an update to the...
This is a reland of https://github.com/letsencrypt/boulder/pull/8402. This is a revert of https://github.com/letsencrypt/boulder/pull/8426. In the SA, change the implementation of GetRevocationStatus to read from the revokedCertificates table instead of reading from...
When we look up TXT records for dns-01 and dns-account-01 validation, copy the Authenticated Data (AD) bit into the ValidationRecord that we log and store in the database. Similarly, when...
This table was primarily used for OCSP; our CRL systems instead use the revokedCertificates table. With OCSP shutting down, let's identify all other code which uses the certificateStatus table, and...
### Changes

**Build System**

- `tools/container-build.sh`: Removed forced amd64 cross-compilation on ARM hosts. Builds now run natively for host architecture (amd64 or arm64). Override with `DOCKER_DEFAULT_PLATFORM`.
- `tools/make-deb.sh`: Package architecture...
This is a cleanup / followup to https://github.com/letsencrypt/boulder/issues/7993. The max names per cert is now enforced at the per-profile level in the RA. The config change has been deployed (IN-11055)...
An intermediate ceremony config file currently starts like:

```yaml
ceremony-type: intermediate
pkcs11:
    module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
    pin: 1234
    signing-key-slot: 1307844626
    signing-key-label: Root YE
```

However, that module path differs on dev machines...
We have a bunch of scaffolding to support the transition from temporally-sharded to explicitly-sharded CRLs. That transition was done on March 12 2025, so the last temporally-sharded certificate expired in...
ARI is standardized as RFC 9773, and we have no intention of turning this feature off.