There are various technical requirements on the maximum age of an OCSP response. Although ocsp-updater has mechanisms to ensure that all certificates have responses which are sufficiently recent, there is the possibility of a bug which results in some OCSP responses escaping its notice. This change adds a histogram metric to ocsp-responder which collects the ages (i.e. now minus the `thisUpdate` timestamp) of the OCSP responses which it serves. The histogram has equal buckets in 12-hour increments. During normal operation, the first 7 such buckets (representing ages 0 to 3.5 days) should have roughly equal counts, while the latter 7 buckets (3.5 to 7 days) should be empty.

Fixes #5080

| Name |
|---|
| .. |
| testdata |
| responder.go |
| responder_test.go |