boulder/test/ocsp
Jacob Hoffman-Andrews 97828d82db
ca: Create "OmitOCSP" profile config option (#8103)

Add a new config field for profiles which causes the profile to omit the
AIA OCSP URI. It can only be omitted if the CRLDP extension is
configured to be included instead. Enable this flag in config-next.

When a certificate is revoked, if it does not have an AIA OCSP URI,
don't bother with an Akamai OCSP purge.

Builds on #8089

Most of the changes in this PR relate to tests. Different from #8089, I
chose to keep testing of OCSP in the config-next world. This is because
we intend to keep operating OCSP even after we have stopped including it
in new certificates. So we should test it in as many environments as
possible.

Adds a WithURLFallback option to ocsp_helper. When
`ocsp_helper.ReqDer()` is called for a certificate with no OCSP URI, it
will query the fallback URL instead. As before, if the certificate has
an OCSP URI ocsp_helper will use that. Use that for all places in the
integration tests that call ocsp_helper.
2025-04-09 11:46:58 -07:00
checkari Update path to ARI endpoint (#6859) 2023-05-03 15:20:51 -07:00
checkocsp checkocsp: allow fetching by serial number (#6413) 2022-11-15 15:52:59 -08:00
helper ca: Create "OmitOCSP" profile config option (#8103) 2025-04-09 11:46:58 -07:00
ocsp_forever Update go versions in CI and release (#7971) 2025-02-19 14:37:01 -08:00
README.md Add checkocsp and ocsp_forever. (#2632) 2017-04-05 12:05:06 -07:00

README.md

This directory contains two utilities for checking OCSP.

"checkocsp" is a command-line tool to check the OCSP response for a certificate or a list of certificates.

"ocsp_forever" is a similar tool that runs as a daemon and continually checks OCSP for a list of certificates, and exports Prometheus stats.

Both of these are useful for monitoring a Boulder instance. "checkocsp" is also useful for debugging.