From 373d08bb80ccef46ad5d85ae34b721c1390be14c Mon Sep 17 00:00:00 2001
From: Aaron Gable
Date: Thu, 30 Mar 2023 13:28:10 -0700
Subject: [PATCH] CertsPerName limit: only check renewal exemption once (#6784)

We used to check the CertificatesPerName "renewal exemption" after checking to see if the rate limit was going to kick in at all. But checking the rate limit is rather expensive, so #4174 introduced a feature flag and a new block of code so that we'd check the renewal exemption first, and short-circuit out of the whole function if it was met. But when #4771 deprecated the feature flag, it left both blocks of code in, instead of deleting the old location. Remove the redundant exemption check.
---
 ra/ra.go | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/ra/ra.go b/ra/ra.go
index cc082bc48..c1e2b163b 100644
--- a/ra/ra.go
+++ b/ra/ra.go
@@ -1420,18 +1420,6 @@ func (ra *RegistrationAuthorityImpl) checkCertificatesPerNameLimit(ctx context.C
 }
 
 if len(namesOutOfLimit) > 0 {
- // check if there is already an existing certificate for
- // the exact name set we are issuing for. If so bypass the
- // the certificatesPerName limit.
- exists, err := ra.SA.FQDNSetExists(ctx, &sapb.FQDNSetExistsRequest{Domains: names})
- if err != nil {
- return fmt.Errorf("checking renewal exemption for %q: %s", names, err)
- }
- if exists.Exists {
- ra.rateLimitCounter.WithLabelValues("certificates_for_domain", "FQDN set bypass").Inc()
- return nil
- }
-
 // Determine the amount of time until the earliest event would fall out
 // of the window.
 retryAfter := earliest.Add(limit.Window.Duration).Sub(ra.clk.Now())