wfe2: Enforce at least one issuer provided (#5364)

Check at construction time that at least one issuerCertificate and
at least one certificateChain have been provided. All of our configs
populate these fields, and not populating them just results in other
errors later on, so catch missing configuration early.

wfe2/wfe.go

@@ -145,6 +145,14 @@ func NewWebFrontEndImpl(
 	authorizationLifetime time.Duration,
 	pendingAuthorizationLifetime time.Duration,
 ) (WebFrontEndImpl, error) {
+	if issuerCertificates == nil || len(issuerCertificates) == 0 {
+		return WebFrontEndImpl{}, errors.New("must provide at least one issuer certificate")
+	}
+
+	if certificateChains == nil || len(certificateChains) == 0 {
+		return WebFrontEndImpl{}, errors.New("must provide at least one certificate chain")
+	}
+
 	wfe := WebFrontEndImpl{
 		log:                          logger,
 		clk:                          clk,
@@ -731,12 +739,6 @@ func (wfe *WebFrontEndImpl) processRevocation(
 	serial := core.SerialToString(providedCert.SerialNumber)
 	logEvent.Extra["ProvidedCertificateSerial"] = serial
 
-	// If no issuerCertificates are initialized, return a server internal error
-	// rather than fail open.
-	if len(wfe.issuerCertificates) == 0 {
-		return probs.ServerInternal(
-			"unable to verify provided certificate, empty issuerCertificates")
-	}
 	// Try to validate the signature on the provided cert using its corresponding
 	// issuer certificate.
 	issuerNameID := issuance.GetIssuerNameID(providedCert)
@@ -1579,11 +1581,6 @@ func (wfe *WebFrontEndImpl) Certificate(ctx context.Context, logEvent *web.Reque
 			Bytes: cert.DER,
 		})
 
-		// If we don't have any certificateChains configured, just return the cert.
-		if len(wfe.certificateChains) == 0 {
-			return leafPEM, nil
-		}
-
 		parsedCert, err := x509.ParseCertificate(cert.DER)
 		if err != nil {
 			// If we can't parse one of our own certs there's a serious problem