Commit Graph

12 Commits

Author SHA1 Message Date
Jacob Hoffman-Andrews c9e9918b80
ocsp-responder(redis): sample logs at configured rate (#7102)
In #6478, we stopped passing through Redis errors to the top-level
Responder object, preferring instead to live-sign. As part of that
change, we logged the Redis errors so they wouldn't disappear. However,
the sample rate for those errors was hard coded to 1-in-1000, instead of
following the LogSampleRate configured in the JSON.

This adds a field to redisSource for logSampleRate, and passes it
through from the JSON config in ocsp-responder/main.go.

Part of #7091
2023-10-02 17:02:24 -07:00
Aaron Gable 98fa0f07b4
Re-enable errcheck linter (#6819)
Enable the errcheck linter. Update the way we express exclusions to use
the new, non-deprecated, non-regex-based format. Fix all places where we
began accidentally violating errcheck while it was disabled.
2023-04-14 15:41:12 -04:00
Samantha 5c49231ea6
ROCSP: Remove support for Redis Cluster (#6645)
Fixes #6517
2023-02-09 17:14:37 -05:00
Samantha 6c6da76400
ROCSP: Replace Redis Cluster with a consistently sharded all-primary nodes (#6516) 2022-12-19 15:06:47 -05:00
Jacob Hoffman-Andrews b86113e208
rocsp: when Redis lookup fails, live sign (#6478)
Fixes #6455
2022-11-02 10:45:38 -07:00
Aaron Gable f246ca10ba
ROCSP: Catch correct live-signing NotFound error (#6467)
Previously, the live-signing routine was lookking for
`rocsp.ErrRedisNotFound` errors in order to increment the
`certificate_not_found` metrics. But this was a bug, copy-pasted from
code higher in the file that does a similar check. The live-signing code
actually returns `responder.ErrNotFound`. Check for that error instead,
to properly increment our metrics.
2022-10-27 16:38:20 -07:00
Jacob Hoffman-Andrews 97daf9f94f
ocsp: fix handling of expired certificates (#6372)
In live.Source, translate berrors.NotFound (returned by RA when the
certificate is expired) into responder.NotFound (which causes an
Unauthorized response rather than a 5xx).

In the Redis source, remove the special case that will return a stale
response if live signing fails, and simply pass through the error from
the live source.

Before this fix, if we found a stale response in Redis, tried to get a
fresh response, and found that the certificate was expired, we would
have served the stale response rather than our usual 404 for expired
certificates. Since that messes with our metrics, we don't want to do
it.

Also, fix an incorrect use of `%w` in log.Warningf.
2022-09-12 11:32:40 -07:00
Jacob Hoffman-Andrews 89cd4efb5a
redis_source: improve metrics (#6348)
Give less confusing names to the metrics in checked_redis_source, e.g.
"revocation_re_sign_success" instead of "sign_and_save_success".

Also use a new enum type as the `cause` parameter to signAndSave, to
make it clear what should be passed.

Finally, in redis_source, split `counter` into two separate Prometheus
counters: one for requests in general, and a separate one for
signAndSave. The counter for signAndSave has two labels: cause and
result.

Fixes #6339
2022-09-02 17:15:59 -07:00
Jacob Hoffman-Andrews e7bf6383d8
rocsp: improve stats (#6257)
For multiSource, split out checkSecondary's metrics into their own
counter. Treat NotFound as a separate error type (so we can more
clearly distinguish the half-hourly pattern of fetches for expired
certificates).

In redisSource, add a histogram for the ages of responses fetched from
cache (regardless of whether they are served or not). This parallels
ocsp_respond_ages in ocsp/responder.go, but may show ages beyond the
compliance limit, even under normal operations, because it is checked
before signAndServe is called.
2022-07-28 21:49:38 -07:00
Jacob Hoffman-Andrews d988c39123
ocsp/responder/redis: serve stale responses if live signing fails (#6243) 2022-07-21 12:08:53 -07:00
Jacob Hoffman-Andrews 3b09571e70
ocsp-responder: add LiveSigningPeriod (#6237)
Previously we used "ExpectedFreshness" to control how frequently the
Redis source would request re-signing of stale entries. But that field
also controls whether multi_source is willing to serve a MariaDB
response. It's better to split these into two values.
2022-07-20 15:36:38 -07:00
Jacob Hoffman-Andrews 29724cb0b7
ocsp/responder: update Redis source to use live signing (#6207)
This enables ocsp-responder to talk to the RA and request freshly signed
OCSP responses.

ocsp/responder/redis_source is moved to ocsp/responder/redis/redis_source.go
and significantly modified. Instead of assuming a response is always available
in Redis, it wraps a live-signing source. When a response is not available,
it attempts a live signing.

If live signing succeeds, the Redis responder returns the result right away
and attempts to write a copy to Redis on a goroutine using a background
context.

To make things more efficient, I eliminate an unneeded ocsp.ParseResponse
from the storage path. And I factored out a FakeResponse helper to make
the unittests more manageable.

Commits should be reviewable one-by-one.

Fixes #6191
2022-07-18 10:47:14 -07:00