Commit Graph

4 Commits

Author SHA1 Message Date
Jacob Hoffman-Andrews b86113e208
rocsp: when Redis lookup fails, live sign (#6478)
Fixes #6455
2022-11-02 10:45:38 -07:00
Jacob Hoffman-Andrews 97daf9f94f
ocsp: fix handling of expired certificates (#6372)
In live.Source, translate berrors.NotFound (returned by RA when the
certificate is expired) into responder.NotFound (which causes an
Unauthorized response rather than a 5xx).

In the Redis source, remove the special case that will return a stale
response if live signing fails, and simply pass through the error from
the live source.

Before this fix, if we found a stale response in Redis, tried to get a
fresh response, and found that the certificate was expired, we would
have served the stale response rather than our usual 404 for expired
certificates. Since that messes with our metrics, we don't want to do
it.

Also, fix an incorrect use of `%w` in log.Warningf.
2022-09-12 11:32:40 -07:00
Jacob Hoffman-Andrews d988c39123
ocsp/responder/redis: serve stale responses if live signing fails (#6243)
2022-07-21 12:08:53 -07:00
Jacob Hoffman-Andrews 29724cb0b7
ocsp/responder: update Redis source to use live signing (#6207)
This enables ocsp-responder to talk to the RA and request freshly signed
OCSP responses.

ocsp/responder/redis_source is moved to ocsp/responder/redis/redis_source.go
and significantly modified. Instead of assuming a response is always available
in Redis, it wraps a live-signing source. When a response is not available,
it attempts a live signing.

If live signing succeeds, the Redis responder returns the result right away
and attempts to write a copy to Redis on a goroutine using a background
context.

To make things more efficient, I eliminate an unneeded ocsp.ParseResponse
from the storage path. And I factored out a FakeResponse helper to make
the unittests more manageable.

Commits should be reviewable one-by-one.

Fixes #6191
2022-07-18 10:47:14 -07:00
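The behaviour these four commit messages describe, as an added Go example that is not Boulder's own code: a cache-backed OCSP source wraps a live-signing source, serves fresh cache hits directly, live signs on a miss or a stale entry, writes the fresh copy back on a goroutine with a background context, treats a failed cache lookup as a miss rather than a 5xx (#6478), and passes a live-signing error straight through so an expired certificate yields NotFound instead of a stale copy (#6372). The `Source` interface, the `LiveSource`, `Cache` and `CachedSource` types, the `ErrNotFound` sentinel and all serial numbers are assumptions constructed for this example; `ErrNotFound` only plays the role the messages assign to `responder.NotFound`.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Response stands in for a signed OCSP response; only the fields the caching
// decision needs are modelled (constructed for this example).
type Response struct {
	Serial     string
	ThisUpdate time.Time
}

// ErrNotFound plays the role of responder.NotFound in the commit messages: the
// backend reports the certificate as unknown or expired, so the responder
// should answer "unauthorized" rather than a 5xx.
var ErrNotFound = errors.New("ocsp: certificate not found or expired")

// Source is the hypothetical lookup interface both layers implement.
type Source interface {
	Response(ctx context.Context, serial string) (*Response, error)
}

// LiveSource simulates the signing backend (the RA, in Boulder's terms).
type LiveSource struct {
	Expired map[string]bool // serials the backend reports as expired
	Fail    error           // injected backend error, if any
	Signed  int             // number of responses signed so far
}

func (l *LiveSource) Response(_ context.Context, serial string) (*Response, error) {
	if l.Fail != nil {
		return nil, l.Fail
	}
	if l.Expired[serial] {
		return nil, ErrNotFound // the backend's "not found" becomes the responder's NotFound
	}
	l.Signed++
	return &Response{Serial: serial, ThisUpdate: time.Now()}, nil
}

// Cache simulates the Redis store. A lookup error is distinct from a miss.
type Cache struct {
	mu        sync.Mutex
	entries   map[string]*Response
	LookupErr error // injected Redis failure, if any
}

func NewCache() *Cache { return &Cache{entries: map[string]*Response{}} }

func (c *Cache) Get(serial string) (*Response, error) {
	if c.LookupErr != nil {
		return nil, c.LookupErr
	}
	c.mu.Lock()
	defer c.mu.Unlock()
	return c.entries[serial], nil // nil, nil on a miss
}

func (c *Cache) Put(_ context.Context, r *Response) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.entries[r.Serial] = r
}

// CachedSource wraps a live-signing Source with a cache.
type CachedSource struct {
	Cache  *Cache
	Live   Source
	MaxAge time.Duration  // cached responses older than this are stale
	writes sync.WaitGroup // lets callers wait for background writes
}

func (s *CachedSource) Response(ctx context.Context, serial string) (*Response, error) {
	cached, err := s.Cache.Get(serial)
	if err != nil {
		// A failed cache lookup is not fatal: fall through to live signing.
		fmt.Printf("cache lookup for %s failed: %v; live signing\n", serial, err)
	} else if cached != nil && time.Since(cached.ThisUpdate) < s.MaxAge {
		return cached, nil // fresh hit
	}
	fresh, err := s.Live.Response(ctx, serial)
	if err != nil {
		// Pass the live error through: an expired certificate must yield
		// NotFound, never a stale copy from the cache.
		return nil, err
	}
	// Return immediately; store the copy on a goroutine with a background
	// context so a cancelled request cannot abort the write.
	s.writes.Add(1)
	go func() {
		defer s.writes.Done()
		s.Cache.Put(context.Background(), fresh)
	}()
	return fresh, nil
}

// WaitForWrites blocks until pending background cache writes have finished.
func (s *CachedSource) WaitForWrites() { s.writes.Wait() }

func main() {
	live := &LiveSource{Expired: map[string]bool{"expired-serial": true}}
	src := &CachedSource{Cache: NewCache(), Live: live, MaxAge: time.Hour}
	r, err := src.Response(context.Background(), "serial-1") // miss -> live sign
	fmt.Println(r != nil, err, live.Signed)
	src.WaitForWrites()
	src.Cache.Put(context.Background(), &Response{Serial: "expired-serial", ThisUpdate: time.Now().Add(-2 * time.Hour)})
	_, err = src.Response(context.Background(), "expired-serial") // stale + expired -> NotFound
	fmt.Println(errors.Is(err, ErrNotFound))
}
```

The one design point worth noting is the ordering in `CachedSource.Response`: the cache result is only trusted when the lookup succeeded and the entry is within `MaxAge`; every other path ends in the live source, and whatever the live source returns (a response or an error) is what the caller sees, which keeps the expired-certificate metrics honest.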