Make authz reuse expiry cutoff proportional to authz lifetime (#8000)

Continue to use a 24-hour cutoff for authzs with "long" lifetimes, so
that our behavior is unchanged for authzs created with no profile
specified. Use a 1-hour cutoff for authzs with "short" (less than
24-hour) lifetimes, so that we can reuse authzs created with modern
profiles. Use linear interpolation between those values.

Fixes https://github.com/letsencrypt/boulder/issues/7994
Aaron Gable 2025-02-11 08:41:21 -08:00 committed by GitHub
parent 64f4aabbf3
commit 0efb2a026d
1 changed files with 9 additions and 3 deletions


@ -2366,9 +2366,15 @@ func (ra *RegistrationAuthorityImpl) NewOrder(ctx context.Context, req *rapb.New
// `sa.GetAuthorizations` returned an authorization that was very close to
// expiry. The resulting pending order that references it would itself end up
// expiring very soon.
// To prevent this we only return authorizations that are at least 1 day away
// from expiring.
authzExpiryCutoff := ra.clk.Now().AddDate(0, 0, 1)
// What is considered "very soon" scales with the associated order's lifetime,
// up to a point.
minTimeToExpiry := profile.orderLifetime / 8
if minTimeToExpiry < time.Hour {
minTimeToExpiry = time.Hour
} else if minTimeToExpiry > 24*time.Hour {
minTimeToExpiry = 24 * time.Hour
}
authzExpiryCutoff := ra.clk.Now().Add(minTimeToExpiry)
var existingAuthz *sapb.Authorizations
if features.Get().NoPendingAuthzReuse {
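Review bot: The description says the cutoff stays at 24 hours for authzs created without a profile, but the new `minTimeToExpiry := profile.orderLifetime / 8` only reaches the 24-hour cap when orderLifetime is at least 192 hours (8 days); if the default order lifetime is shorter than that (a 7-day lifetime, for example, gives 21 hours), the removed `AddDate(0, 0, 1)` behavior is silently changed rather than preserved. Either pick the divisor or cap so the default lifetime lands on 24 hours, or state in the description that the default cutoff shrinks. The divisor is also a bare magic number; a named constant such as `const authzReuseExpiryFraction = 8 // cutoff is 1/8 of the order lifetime, clamped to [1h, 24h]` with the existing "very soon" comment moved onto it would document the policy where it is set. Note too that the commit title speaks of authz lifetime while the code scales by order lifetime; if those can differ per profile, the code comment is the accurate one and the title is not. NewOrder continues outside the hunk.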