letsencrypt
/
boulder
mirror of https://github.com/letsencrypt/boulder.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

crl-updater: UpdatePeriod safety check (#8131) 

The current requirement is that CRLs must be published within 24 hours
after revoking a certificate.

Fixes #8110
This commit is contained in:
Jacob Hoffman-Andrews 2025-04-21 13:54:14 -07:00 committed by GitHub
parent 967d722cf4
commit c95ab5c75f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 5 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
cmd/crl-updater/main.go
View File

@ -57,10 +57,9 @@ type Config struct {
LookbackPeriod config.Duration `validate:"-"`
// UpdatePeriod controls how frequently the crl-updater runs and publishes
// new versions of every CRL shard. The Baseline Requirements, Section 4.9.7
// state that this MUST NOT be more than 7 days. We believe that future
// updates may require that this not be more than 24 hours, and currently
// recommend an UpdatePeriod of 6 hours.
// new versions of every CRL shard. The Baseline Requirements, Section 4.9.7:
// "MUST update and publish a new CRL within twentyfour (24) hours after
// recording a Certificate as revoked."
UpdatePeriod config.Duration
// UpdateTimeout controls how long a single CRL shard is allowed to attempt

4
crl/updater/updater.go
View File

@ -80,8 +80,8 @@ func NewUpdater(
return nil, fmt.Errorf("must have positive number of shards, got: %d", numShards)
}
if updatePeriod >= 7*24*time.Hour {
return nil, fmt.Errorf("must update CRLs at least every 7 days, got: %s", updatePeriod)
if updatePeriod >= 24*time.Hour {
return nil, fmt.Errorf("must update CRLs at least every 24 hours, got: %s", updatePeriod)
}
if updateTimeout >= updatePeriod {