Add AIA certificate prober to boulder-observer#8594
Conversation
|
@copilot test failure " main_test.go:68: Failed to validate config file "observer.yml": Key: 'ObsConf.MonConfs[11].Kind' Error:Field validation for 'Kind' failed on the 'oneof' tag" |
Fixed in e9291c5. Added "AIA" to the Kind validation tag in |
|
@copilot Add a config field, ExpectCommonName, which the prober checks if the received certificate matches, to ensure the correct certificate was served. Check the recieved certificate is also a CA Cert |
Implemented in 1cad83f. Added:
|
|
@copilot Don't make ExpectCommonName optional. It must be provided and checked. Add log messages to the different failure cases in probing for debugging why something is gone wrong |
Implemented in 7202d58:
|
aarongable
left a comment
aarongable
left a comment
There was a problem hiding this comment.
Also please update the PR description to be something a human would like to read in the git log.
Co-authored-by: mcpherrinm <47425+mcpherrinm@users.noreply.github.com>
Co-authored-by: mcpherrinm <47425+mcpherrinm@users.noreply.github.com>
Co-authored-by: mcpherrinm <47425+mcpherrinm@users.noreply.github.com>
Co-authored-by: mcpherrinm <47425+mcpherrinm@users.noreply.github.com>
Fixes test failure where AIA kind was not recognized in the oneof validation tag. Co-authored-by: mcpherrinm <47425+mcpherrinm@users.noreply.github.com>
- Add optional ExpectCommonName config field to verify certificate CN - Validate that received certificate is a CA certificate (IsCA=true) - Update tests to use CA certificates and test new validations - Update documentation with new config field and examples Co-authored-by: mcpherrinm <47425+mcpherrinm@users.noreply.github.com>
- Make ExpectCommonName a required field with validation - Add log messages for all failure cases in probe: - HTTP request creation failure - Certificate fetch failure - Incorrect Content-Type - Response body read failure - Certificate parsing failure - Non-CA certificate - CommonName mismatch - Update tests to always include ExpectCommonName - Update documentation to reflect ExpectCommonName is required Co-authored-by: mcpherrinm <47425+mcpherrinm@users.noreply.github.com>
Use AssertMetricWithLabelEquals instead of a test registry
aarongable
force-pushed
the
copilot/add-aia-certificate-prober
branch
from
9251c86 to
b069f1c
Compare
|
Apologies for the force-push, I've updated this PR to be based on top of #8619 to take advantage of the simpler Prober interface and to allow the tests to assert that the correct errors are being returned. |
|
nice! new prober interface looks great :) |
Add an AIA certificate prober to Boulder-observer, so we can verify the served certificates have the right Common Name (preventing mixups), content type and encoding. We export the certificate notBefore and notAfter for expiry monitoring purposes. This PR was largely written by Copilot under Matthew's supervision, and is modelled after the CRL Prober. Re-land of #8594, which was accidentally merged to a feature branch (due to branch stacking). Fixes #8593 --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: Matthew McPherrin <git@mcpherrin.ca> Co-authored-by: Aaron Gable <aaron@letsencrypt.org>
Add an AIA certificate prober to Boulder-observer, so we can verify the served certificates have the right Common Name (preventing mixups), content type and encoding. We export the certificate notBefore and notAfter for expiry monitoring purposes.
This PR was largely written by Copilot under my supervision, and is modelled after the CRL Prober.
Fixes #8593