Since we now sync caaChecks logs daily instead of continuously,
caa-log-checker can no longer assume that the validation logs it is
checking cover the exact same span of time as the issuance logs. This
commit adds -earliest and -latest parameters so that the script
that drives this tool can restrict verification to a timespan where we
know the data is valid.

Also adds a -debug flag to caa-log-checker to enable debug logs. At the
moment this makes the tool write to stderr how many issuance messages
were evaluated and how many were skipped due to -earliest and
-latest parameters.

Explicitly initializes the logger. Previously it ended up using the
auto-initialized logging config which logged everything to "test". Added two
flags stdout-level and syslog-level to control the logging filters in lieu of a
config file.

This flag adds a tolerance window after the issuance time, where CAA
checks will still be considered applicable, even though they appear to
have happened after issuance.
This happens usually when a CAA check happens during issuance (because no
cached one exists). There is no guarantee that logs from different hosts
will follow a strict causal ordering (due to clock desync or buffering in
the log system), and so sometimes the CAA check log line will have a
timestamp ordered after the issuance line.
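The two commit messages above describe three time-window rules: issuances outside the -earliest/-latest span are skipped (and counted under -debug), a CAA check must not be older than its validity period at issuance time, and a check logged shortly after issuance is still accepted within a tolerance window. The following Go program is an added illustration of those rules, not code from Boulder or the caa-log-checker tool; the types, field names, durations and the sample records are all constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

// Issuance is a constructed stand-in for one RA issuance log line.
type Issuance struct {
	Serial string
	Issued time.Time
	Names  []string
}

// CAACheck is a constructed stand-in for one VA caaChecks log line.
type CAACheck struct {
	Name    string
	Checked time.Time
}

// Checker holds the window parameters. Earliest/Latest correspond to the
// -earliest/-latest flags and Tolerance to the tolerance window described
// in the commit messages; Validity is an assumed CAA-check lifetime.
type Checker struct {
	Earliest  time.Time     // issuances before this are skipped
	Latest    time.Time     // issuances after this are skipped
	Validity  time.Duration // a check older than this at issuance is stale
	Tolerance time.Duration // checks logged this long after issuance still count
}

// Stats mirrors the -debug counters: evaluated vs skipped issuances, plus
// the names for which no applicable CAA check was found.
type Stats struct {
	Evaluated int
	Skipped   int
	Failures  []string
}

// inWindow reports whether an issuance falls inside [Earliest, Latest].
func (c Checker) inWindow(iss Issuance) bool {
	return !iss.Issued.Before(c.Earliest) && !iss.Issued.After(c.Latest)
}

// covered reports whether a check at 'checked' applies to an issuance at
// 'issued': not older than Validity before it, not later than Tolerance after it.
func (c Checker) covered(issued, checked time.Time) bool {
	return !checked.Before(issued.Add(-c.Validity)) &&
		!checked.After(issued.Add(c.Tolerance))
}

// Verify walks the issuances and confirms every name had an applicable check.
func (c Checker) Verify(issuances []Issuance, checks []CAACheck) Stats {
	byName := map[string][]time.Time{}
	for _, ch := range checks {
		byName[ch.Name] = append(byName[ch.Name], ch.Checked)
	}
	var st Stats
	for _, iss := range issuances {
		if !c.inWindow(iss) {
			st.Skipped++
			continue
		}
		st.Evaluated++
		for _, name := range iss.Names {
			ok := false
			for _, t := range byName[name] {
				if c.covered(iss.Issued, t) {
					ok = true
					break
				}
			}
			if !ok {
				st.Failures = append(st.Failures,
					fmt.Sprintf("%s: no applicable CAA check for %s", iss.Serial, name))
			}
		}
	}
	return st
}

// Demo runs the checker over constructed sample data and returns the stats.
func Demo() Stats {
	base := time.Date(2020, 1, 10, 12, 0, 0, 0, time.UTC)
	c := Checker{
		Earliest:  base.Add(-24 * time.Hour),
		Latest:    base.Add(24 * time.Hour),
		Validity:  8 * time.Hour,
		Tolerance: 5 * time.Second,
	}
	issuances := []Issuance{
		{Serial: "A", Issued: base, Names: []string{"a.example"}},
		{Serial: "B", Issued: base.Add(time.Hour), Names: []string{"b.example"}},
		{Serial: "C", Issued: base.Add(-48 * time.Hour), Names: []string{"c.example"}}, // outside window
	}
	checks := []CAACheck{
		{Name: "a.example", Checked: base.Add(2 * time.Second)},              // logged after issuance, within tolerance
		{Name: "b.example", Checked: base.Add(time.Hour + 30*time.Second)}, // too late: beyond tolerance
		{Name: "b.example", Checked: base.Add(-10 * time.Hour)},            // too old: beyond validity
	}
	return c.Verify(issuances, checks)
}

func main() {
	st := Demo()
	fmt.Printf("evaluated=%d skipped=%d\n", st.Evaluated, st.Skipped)
	for _, f := range st.Failures {
		fmt.Println("FAIL:", f)
	}
}
```

Running it evaluates two issuances, skips the one outside the window, and reports a single failure for serial B, whose only checks fall just outside the tolerance and just beyond the validity period.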

Adds a productionized version of our internal tooling to the tree. The
major differences are: it doesn't skip certs with only one name, it
doesn't read in all the va logs in parallel, it only supports reading
one ra log at a time, and it adds unit tests.
Probably it should include an integration test, but that requires
capturing logs on the docker container, which I don't think we currently
do? Probably would make for a good follow-up issue.
Fixes #4698.