letsencrypt
/
boulder
mirror of https://github.com/letsencrypt/boulder.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
6,931 Commits 89 Branches 416 Tags 101 MiB
Commit Graph

8 Commits

Author SHA1 Message Date
James Renken f6c748c1c3
WFE/nonce: Remove deprecated NoncePrefixKey field (#7825) 
Remove the deprecated WFE & nonce config field `NoncePrefixKey`, which
has been replaced by `NonceHMACKey`.

<del>DO NOT MERGE until:</del>
- <del>#7793 (in `release-2024-11-18`) has been deployed, AND:</del>
- <del>`NoncePrefixKey` has been removed from all running configs.</del>

Fixes #7632
 2025-02-06 15:32:49 -08:00
James Renken 0a27cba9f4
WFE/nonce: Add NonceHMACKey field (#7793) 
Add a new WFE & nonce config field, `NonceHMACKey`, which uses the new
`cmd.HMACKeyConfig` type. Deprecate the `NoncePrefixKey` config field.

Generalize the error message when validating `HMACKeyConfig` in
`config`.

Remove the deprecated `UseDerivablePrefix` config field, which is no
longer used anywhere.

Part of #7632
 2024-11-13 10:31:28 -05:00
Aaron Gable 6ae6aa8e90
Dynamically generate grpc-creds at integration test startup (#7477) 
The summary here is:
- Move test/cert-ceremonies to test/certs
- Move .hierarchy (generated by the above) to test/certs/webpki
- Remove our mapping of .hierarchy to /hierarchy inside docker
- Move test/grpc-creds to test/certs/ipki
- Unify the generation of both test/certs/webpki and test/certs/ipki
into a single script at test/certs/generate.sh
- Make that script the entrypoint of a new docker compose service
- Have t.sh and tn.sh invoke that service to ensure keys and certs are
created before tests run

No production changes are necessary, the config changes here are just
for testing purposes.

Part of https://github.com/letsencrypt/boulder/issues/7476
 2024-05-15 11:31:23 -04:00
Jacob Hoffman-Andrews cd3bbf91ad
test: move SRV stanzas from config-next to config (#7243) 
Service discovery via SRV records is now deployed in prod.
 2024-01-10 10:31:23 -08:00
Samantha c453ca0571
grpc: Deprecate clientNames field (#6870) 
- SRE removed in IN-8755

Fixes #6698
 2023-05-08 14:49:27 -04:00
Matthew McPherrin 49851d7afd
Remove Beeline configuration (#6765) 
In a previous PR, #6733, this configuration was marked deprecated
pending removal.  Here is that removal.
 2023-03-23 16:58:36 -04:00
Matthew McPherrin 05c9106eba
lints: Consistently format JSON configuration files (#6755) 
- Consistently format existing test JSON config files
- Add a small Python script which loads and dumps JSON files
- Add CI JSON lint test to CI

---------

Co-authored-by: Aaron Gable <aaron@aarongable.com>
 2023-03-20 18:11:19 -04:00
Samantha d73125d8f6
WFE: Add custom balancer implementation which routes nonce redemption RPCs by prefix (#6618) 
Assign nonce prefixes for each nonce-service by taking the first eight
characters of the the base64url encoded HMAC-SHA256 hash of the RPC
listening address using a provided key. The provided key must be same
across all boulder-wfe and nonce-service instances.
- Add a custom `grpc-go` load balancer implementation (`nonce`) which
can route nonce redemption RPC messages by matching the prefix to the
derived prefix of the nonce-service instance which created it.
- Modify the RPC client constructor to allow the operator to override
the default load balancer implementation (`round_robin`).
- Modify the `srv` RPC resolver to accept a comma separated list of
targets to be resolved.
- Remove unused nonce-service `-prefix` flag.

Fixes #6404
 2023-02-03 17:52:18 -05:00