In order to move multi perspective validation forward we need to support policy in Boulder configuration that can relax multi-va requirements temporarily. A similar mechanism was used in support of the gradual deprecation of the TLS-SNI-01 challenge type and with the introduction of CAA enforcement and has shown to be a helpful tool to have available when introducing changes that are expected to break sites.

When the VA "multiVAPolicyFile" is specified it is assumed to be a YAML file containing two lists:

1. disabledNames - a list of domain names that are exempt from multi VA enforcement.
2. disabledAccounts - a list of account IDs that are exempt from multi VA enforcement.

When a hostname or account ID is added to the policy we'll begin communication with the related ACME account contact to establish that this is a temporary measure and the root problem will need to be addressed before an eventual cut-off date.

Resolves https://github.com/letsencrypt/boulder/issues/4455

| File |
|---|
| rate-limits.go |
| rate-limits_test.go |