boulder issues

ocsp-responder: optional emit stream of not-found responses

We should have a way to absorb the list of items we should have responses for, but don't.

ocsp-updater: find work by scanning the ROCSP keyspace

This should be in addition to the approach where we find work by scanning the DB. The goal should be that we find most of our work by scanning ROCSP,...

jsha

Improve ocsp-responder caching logic

2

Currently, ocsp-responder has two pieces of code related to setting the cache properties of ocsp responses it serves: https://github.com/letsencrypt/boulder/blob/52c865f621236d9770445fd6a2ab5bbef7a7e53f/cmd/ocsp-responder/main.go#L224-L226 https://github.com/letsencrypt/boulder/blob/52c865f621236d9770445fd6a2ab5bbef7a7e53f/ocsp/responder.go#L388-L403 * The second code snippet should actually use the config...

aarongable

Add gauge metric for CA's orphaned certificates queue

We should monitor the current length of the queue in addition to the entry/exit rate.

jsha

Add lints and metrics to show that linting works

1

We can add a custom lint which, for example, rejects all certs for "lintreject.radianttest.org". Then we can have our automated issuance testing try to issue for that name, and confirm...

aarongable

Improve retrieval efficiency for pending and valid authzs

1

When you create a new order, Boulder first checks the authz2 table to see if there are any pending or valid authzs for the names you asked for, so it...

jsha

Improve database efficiency of cert-checker

1

Right now cert-checker uses this query to find work: ``` "WHERE id > :id AND issued >= :issued AND expires >= :now ORDER BY id LIMIT :limit" ``` We know...

jsha

Review ceremony tool's validation with reference to Bugzilla ticket

DigiCert listed a set of checks their ceremony tool performs: https://bugzilla.mozilla.org/show_bug.cgi?id=1654967#c1. We should review our own ceremony tool and ensure it performs similar checks, where appropriate.

jsha

Creating an "overarching" configurable ceremony type

4

Captured from a conversation that @aarongable and I had: Create a new ceremony config which acts as a meta-config, saying "process these config files in this order, sending the outputs...

beautifulentropy

Better Expiry Email System

7

In the community there has been relatively steady demand for a better expiry email system. Here are two of the latest instances of confusion caused by the current system: https://community.letsencrypt.org/t/unable-to-unsubscribe-from-email/148547...

GriffinSoftware

boulder
boulder copied to clipboard

Metadata

ocsp-responder: optional emit stream of not-found responses

ocsp-updater: find work by scanning the ROCSP keyspace

Improve ocsp-responder caching logic

Add gauge metric for CA's orphaned certificates queue

Add lints and metrics to show that linting works

Improve retrieval efficiency for pending and valid authzs

Improve database efficiency of cert-checker

Review ceremony tool's validation with reference to Bugzilla ticket

Creating an "overarching" configurable ceremony type

Better Expiry Email System

← Metadata

Owner

Metadata

boulder boulder copied to clipboard

Metadata

← Metadata

Owner

Metadata

boulder
boulder copied to clipboard