Turn CT failures into hard failures in RA. (#3496)
When we originally deployed the inline CT submission code, we wanted to be conservative in case it increased our issuance error rate. However, we've established that the success rate is quite good, so we'll remove some complexity and make things more realistic by removing the code that avoids returning errors when CT submission fails.
This commit is contained in:
Jacob Hoffman-Andrews
Roland Bracewell Shoemaker
parent
6b8b6a37c0
commit
3568ad29ea
21
ra/ra.go
21
ra/ra.go
|
|
@ -1089,27 +1089,8 @@ func (ra *RegistrationAuthorityImpl) issueCertificate(
|
||||||
}
|
}
|
||||||
|
|
||||||
func (ra *RegistrationAuthorityImpl) getSCTs(ctx context.Context, cert []byte) {
|
func (ra *RegistrationAuthorityImpl) getSCTs(ctx context.Context, cert []byte) {
|
||||||
var ctCtx context.Context
|
|
||||||
var cancel func()
|
|
||||||
currentDeadline, ok := ctx.Deadline()
|
|
||||||
if !ok {
|
|
||||||
// Current context doesn't have a deadline, this should
|
|
||||||
// never happen so it's a internal server error... but
|
|
||||||
// we already issued the cert so we can't fail out now.
|
|
||||||
// Just use a background context with a 30s timeout added.
|
|
||||||
ctCtx, cancel = context.WithTimeout(context.Background(), time.Second*30)
|
|
||||||
} else {
|
|
||||||
// NOTE: We want to check how putting the SCT submission/collection
|
|
||||||
// affects calls to IssueCertificate so we take the current context
|
|
||||||
// and allocate 80% of the remaining time to calling CTPolicy.GetSCTs.
|
|
||||||
// This way if we exceed the child context we won't time out the
|
|
||||||
// parent call and can still return the cert to the user.
|
|
||||||
until := time.Until(currentDeadline)
|
|
||||||
ctCtx, cancel = context.WithTimeout(ctx, time.Duration(float64(until)*0.8))
|
|
||||||
}
|
|
||||||
defer cancel()
|
|
||||||
started := ra.clk.Now()
|
started := ra.clk.Now()
|
||||||
_, err := ra.ctpolicy.GetSCTs(ctCtx, cert)
|
_, err := ra.ctpolicy.GetSCTs(ctx, cert)
|
||||||
took := ra.clk.Since(started)
|
took := ra.clk.Since(started)
|
||||||
// The final cert has already been issued so actually return it to the
|
// The final cert has already been issued so actually return it to the
|
||||||
// user even if this fails since we aren't actually doing anything with
|
// user even if this fails since we aren't actually doing anything with
|
||||||
|
|
|
||||||
|
|
@ -22,11 +22,11 @@
|
||||||
2,
|
2,
|
||||||
0.0,
|
0.0,
|
||||||
0.0,
|
0.0,
|
||||||
20,
|
2,
|
||||||
0.2,
|
0.2,
|
||||||
0.3,
|
0.3,
|
||||||
0.2,
|
0.2,
|
||||||
70,
|
5,
|
||||||
0.1
|
0.1
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
|
|
@ -39,11 +39,11 @@
|
||||||
2,
|
2,
|
||||||
0.0,
|
0.0,
|
||||||
0.0,
|
0.0,
|
||||||
20,
|
2,
|
||||||
0.2,
|
0.2,
|
||||||
0.3,
|
0.3,
|
||||||
0.2,
|
0.2,
|
||||||
70,
|
7,
|
||||||
0.1
|
0.1
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue