Clean up dangling OCSP configs (#8461)

Fixes #8345
Part of #8177

Author: jenhagg

ca/ca_test.go

@@ -134,21 +134,19 @@ func newCAArgs(t *testing.T) *caArgs {
 	test.AssertNotError(t, err, "Couldn't set identifier policy")
 
 	legacy, err := issuance.NewProfile(issuance.ProfileConfig{
-		IncludeCRLDistributionPoints: true,
-		MaxValidityPeriod:            config.Duration{Duration: time.Hour * 24 * 90},
-		MaxValidityBackdate:          config.Duration{Duration: time.Hour},
-		IgnoredLints:                 []string{"w_subject_common_name_included"},
+		MaxValidityPeriod:   config.Duration{Duration: time.Hour * 24 * 90},
+		MaxValidityBackdate: config.Duration{Duration: time.Hour},
+		IgnoredLints:        []string{"w_subject_common_name_included"},
 	})
 	test.AssertNotError(t, err, "Loading test profile")
 	modern, err := issuance.NewProfile(issuance.ProfileConfig{
-		OmitCommonName:               true,
-		OmitKeyEncipherment:          true,
-		OmitClientAuth:               true,
-		OmitSKID:                     true,
-		IncludeCRLDistributionPoints: true,
-		MaxValidityPeriod:            config.Duration{Duration: time.Hour * 24 * 6},
-		MaxValidityBackdate:          config.Duration{Duration: time.Hour},
-		IgnoredLints:                 []string{"w_ext_subject_key_identifier_missing_sub_cert"},
+		OmitCommonName:      true,
+		OmitKeyEncipherment: true,
+		OmitClientAuth:      true,
+		OmitSKID:            true,
+		MaxValidityPeriod:   config.Duration{Duration: time.Hour * 24 * 6},
+		MaxValidityBackdate: config.Duration{Duration: time.Hour},
+		IgnoredLints:        []string{"w_ext_subject_key_identifier_missing_sub_cert"},
 	})
 	test.AssertNotError(t, err, "Loading test profile")
 	profiles := map[string]*issuance.Profile{
@@ -161,7 +159,6 @@ func newCAArgs(t *testing.T) *caArgs {
 		issuers[i], err = issuance.LoadIssuer(issuance.IssuerConfig{
 			Active:     true,
 			IssuerURL:  fmt.Sprintf("http://not-example.com/i/%s", name),
-			OCSPURL:    "http://not-example.com/o",
 			CRLURLBase: fmt.Sprintf("http://not-example.com/c/%s/", name),
 			CRLShards:  10,
 			Location: issuance.IssuerLoc{
@@ -886,7 +883,6 @@ func TestPickIssuer_Inactive(t *testing.T) {
 		issuer, err := issuance.LoadIssuer(issuance.IssuerConfig{
 			Active:     i%2 == 0,
 			IssuerURL:  fmt.Sprintf("http://not-example.com/i/%s", name),
-			OCSPURL:    "http://not-example.com/o",
 			CRLURLBase: fmt.Sprintf("http://not-example.com/c/%s/", name),
 			CRLShards:  10,
 			Location: issuance.IssuerLoc{

cmd/boulder-ca/main.go

@@ -12,7 +12,6 @@ import (
 	"github.com/letsencrypt/boulder/ca"
 	capb "github.com/letsencrypt/boulder/ca/proto"
 	"github.com/letsencrypt/boulder/cmd"
-	"github.com/letsencrypt/boulder/config"
 	"github.com/letsencrypt/boulder/ctpolicy/loglist"
 	"github.com/letsencrypt/boulder/features"
 	"github.com/letsencrypt/boulder/goodkey"
@@ -75,12 +74,6 @@ type Config struct {
 		// configurations.
 		MaxNames int `validate:"required,min=1,max=100"`
 
-		// LifespanOCSP is how long OCSP responses are valid for. Per the BRs,
-		// Section 4.9.10, it MUST NOT be more than 10 days. Default 96h.
-		//
-		// Deprecated: TODO(#8345): Remove this.
-		LifespanOCSP config.Duration
-
 		// GoodKey is an embedded config stanza for the goodkey library.
 		GoodKey goodkey.Config
 
@@ -89,17 +82,6 @@ type Config struct {
 		// OCSP and CRL audit log emission. Recommended to be around 4000.
 		OCSPLogMaxLength int
 
-		// Maximum period (in Go duration format) to wait to accumulate a max-length
-		// OCSP audit log line. We will emit a log line at least once per period,
-		// if there is anything to be logged. Keeping this low minimizes the risk
-		// of losing logs during a catastrophic failure. Making it too high
-		// means logging more often than necessary, which is inefficient in terms
-		// of bytes and log system resources.
-		// Recommended to be around 500ms.
-		//
-		// Deprecated: TODO(#8345): Remove this.
-		OCSPLogPeriod config.Duration
-
 		// CTLogListFile is the path to a JSON file on disk containing the set of
 		// all logs trusted by Chrome. The file must match the v3 log list schema:
 		// https://www.gstatic.com/ct/log_list/v3/log_list_schema.json
@@ -108,11 +90,7 @@ type Config struct {
 		// DisableCertService causes the CertificateAuthority gRPC service to not
 		// start, preventing any certificates or precertificates from being issued.
 		DisableCertService bool
-		// DisableOCSPService causes the OCSPGenerator gRPC service to not start,
-		// preventing any OCSP responses from being issued.
-		//
-		// Deprecated: TODO(#8345): Remove this.
-		DisableOCSPService bool
+
 		// DisableCRLService causes the CRLGenerator gRPC service to not start,
 		// preventing any CRLs from being issued.
 		DisableCRLService bool

cmd/boulder-ra/main.go

@@ -45,9 +45,6 @@ type Config struct {
 		CAService        *cmd.GRPCClientConfig
 		PublisherService *cmd.GRPCClientConfig
 
-		// Deprecated: TODO(#8345): Remove this.
-		AkamaiPurgerService *cmd.GRPCClientConfig
-
 		// Deprecated: TODO(#8349): Remove this when removing the corresponding
 		// service from the CA.
 		OCSPService *cmd.GRPCClientConfig
@@ -105,15 +102,6 @@ type Config struct {
 		// default.
 		DefaultProfileName string `validate:"required"`
 
-		// MustStapleAllowList specified the path to a YAML file containing a
-		// list of account IDs permitted to request certificates with the OCSP
-		// Must-Staple extension.
-		//
-		// Deprecated: This field no longer has any effect, all Must-Staple requests
-		// are rejected.
-		// TODO(#8345): Remove this field.
-		MustStapleAllowList string `validate:"omitempty"`
-
 		// GoodKey is an embedded config stanza for the goodkey library.
 		GoodKey goodkey.Config
 

cmd/crl-updater/main.go

@@ -72,21 +72,6 @@ type Config struct {
 		// of magnitude greater than our p99 update latency.
 		UpdateTimeout config.Duration `validate:"-"`
 
-		// TemporallyShardedSerialPrefixes is a list of prefixes that were used to
-		// issue certificates with no CRLDistributionPoints extension, and which are
-		// therefore temporally sharded. If it's non-empty, the CRL Updater will
-		// require matching serials when querying by temporal shard. When querying
-		// by explicit shard, any prefix is allowed.
-		//
-		// This should be set to the current set of serial prefixes in production.
-		// When deploying explicit sharding (i.e. the CRLDistributionPoints extension),
-		// the CAs should be configured with a new set of serial prefixes that haven't
-		// been used before.
-		//
-		// Deprecated: The updater no longer supports temporal sharding.
-		// TODO(#8345): Remove this.
-		TemporallyShardedSerialPrefixes []string
-
 		// MaxParallelism controls how many workers may be running in parallel.
 		// A higher value reduces the total time necessary to update all CRL shards
 		// that this updater is responsible for, but also increases the memory used

issuance/cert.go

@@ -31,13 +31,6 @@ import (
 
 // ProfileConfig describes the certificate issuance constraints for all issuers.
 type ProfileConfig struct {
-	// AllowMustStaple, when false, causes all IssuanceRequests which specify the
-	// OCSP Must Staple extension to be rejected.
-	//
-	// Deprecated: This has no effect, Must Staple is always omitted.
-	// TODO(#8177): Remove this.
-	AllowMustStaple bool
-
 	// OmitCommonName causes the CN field to be excluded from the resulting
 	// certificate, regardless of its inclusion in the IssuanceRequest.
 	OmitCommonName bool
@@ -49,20 +42,6 @@ type ProfileConfig struct {
 	OmitClientAuth bool
 	// OmitSKID causes the Subject Key Identifier extension to be omitted.
 	OmitSKID bool
-	// OmitOCSP causes the OCSP URI field to be omitted from the Authority
-	// Information Access extension. This cannot be true unless
-	// IncludeCRLDistributionPoints is also true, to ensure that every
-	// certificate has at least one revocation mechanism included.
-	//
-	// Deprecated: This has no effect; OCSP is always omitted.
-	// TODO(#8177): Remove this.
-	OmitOCSP bool
-	// IncludeCRLDistributionPoints causes the CRLDistributionPoints extension to
-	// be added to all certificates issued by this profile.
-	//
-	// Deprecated: This has no effect; CRLDP is always included.
-	// TODO(#8177): Remove this.
-	IncludeCRLDistributionPoints bool
 
 	MaxValidityPeriod   config.Duration
 	MaxValidityBackdate config.Duration

issuance/cert_test.go

@@ -920,9 +920,8 @@ func TestNewProfile(t *testing.T) {
 		{
 			name: "happy path",
 			config: ProfileConfig{
-				MaxValidityBackdate:          config.Duration{Duration: 1 * time.Hour},
-				MaxValidityPeriod:            config.Duration{Duration: 90 * 24 * time.Hour},
-				IncludeCRLDistributionPoints: true,
+				MaxValidityBackdate: config.Duration{Duration: 1 * time.Hour},
+				MaxValidityPeriod:   config.Duration{Duration: 90 * 24 * time.Hour},
 			},
 		},
 		{

issuance/issuer.go

@@ -158,9 +158,6 @@ type IssuerConfig struct {
 	IssuerURL  string `validate:"required,url"`
 	CRLURLBase string `validate:"required,url,startswith=http://,endswith=/"`
 
-	// TODO(#8177): Remove this.
-	OCSPURL string `validate:"omitempty,url"`
-
 	// Number of CRL shards. Must be positive, but can be 1 for no sharding.
 	CRLShards int `validate:"required,min=1"`
 

issuance/issuer_test.go

@@ -24,10 +24,8 @@ import (
 
 func defaultProfileConfig() ProfileConfig {
 	return ProfileConfig{
-		AllowMustStaple:              true,
-		IncludeCRLDistributionPoints: true,
-		MaxValidityPeriod:            config.Duration{Duration: time.Hour},
-		MaxValidityBackdate:          config.Duration{Duration: time.Hour},
+		MaxValidityPeriod:   config.Duration{Duration: time.Hour},
+		MaxValidityBackdate: config.Duration{Duration: time.Hour},
 		IgnoredLints: []string{
 			// Ignore the two SCT lints because these tests don't get SCTs.
 			"w_ct_sct_policy_count_unsatisfied",

ra/ra.go

@@ -104,9 +104,6 @@ type RegistrationAuthorityImpl struct {
 	inflightFinalizes       prometheus.Gauge
 	certCSRMismatch         prometheus.Counter
 	pauseCounter            *prometheus.CounterVec
-	// TODO(#8177): Remove once the rate of requests failing to finalize due to
-	// requesting Must-Staple has diminished.
-	mustStapleRequestsCounter *prometheus.CounterVec
 }
 
 var _ rapb.RegistrationAuthorityServer = (*RegistrationAuthorityImpl)(nil)
@@ -225,42 +222,35 @@ func NewRegistrationAuthorityImpl(
 	}, []string{"paused", "repaused", "grace"})
 	stats.MustRegister(pauseCounter)
 
-	mustStapleRequestsCounter := prometheus.NewCounterVec(prometheus.CounterOpts{
-		Name: "must_staple_requests",
-		Help: "Number of times a must-staple request is made, labeled by allowlist=[allowed|denied]",
-	}, []string{"allowlist"})
-	stats.MustRegister(mustStapleRequestsCounter)
-
 	issuersByNameID := make(map[issuance.NameID]*issuance.Certificate)
 	for _, issuer := range issuers {
 		issuersByNameID[issuer.NameID()] = issuer
 	}
 
 	ra := &RegistrationAuthorityImpl{
-		clk:                       clk,
-		log:                       logger,
-		profiles:                  profiles,
-		maxContactsPerReg:         maxContactsPerReg,
-		keyPolicy:                 keyPolicy,
-		limiter:                   limiter,
-		txnBuilder:                txnBuilder,
-		started:                   clk.Now(),
-		publisher:                 pubc,
-		finalizeTimeout:           finalizeTimeout,
-		ctpolicy:                  ctp,
-		ctpolicyResults:           ctpolicyResults,
-		issuersByNameID:           issuersByNameID,
-		namesPerCert:              namesPerCert,
-		newRegCounter:             newRegCounter,
-		recheckCAACounter:         recheckCAACounter,
-		newCertCounter:            newCertCounter,
-		revocationReasonCounter:   revocationReasonCounter,
-		authzAges:                 authzAges,
-		orderAges:                 orderAges,
-		inflightFinalizes:         inflightFinalizes,
-		certCSRMismatch:           certCSRMismatch,
-		pauseCounter:              pauseCounter,
-		mustStapleRequestsCounter: mustStapleRequestsCounter,
+		clk:                     clk,
+		log:                     logger,
+		profiles:                profiles,
+		maxContactsPerReg:       maxContactsPerReg,
+		keyPolicy:               keyPolicy,
+		limiter:                 limiter,
+		txnBuilder:              txnBuilder,
+		started:                 clk.Now(),
+		publisher:               pubc,
+		finalizeTimeout:         finalizeTimeout,
+		ctpolicy:                ctp,
+		ctpolicyResults:         ctpolicyResults,
+		issuersByNameID:         issuersByNameID,
+		namesPerCert:            namesPerCert,
+		newRegCounter:           newRegCounter,
+		recheckCAACounter:       recheckCAACounter,
+		newCertCounter:          newCertCounter,
+		revocationReasonCounter: revocationReasonCounter,
+		authzAges:               authzAges,
+		orderAges:               orderAges,
+		inflightFinalizes:       inflightFinalizes,
+		certCSRMismatch:         certCSRMismatch,
+		pauseCounter:            pauseCounter,
 	}
 	return ra
 }
@@ -1091,7 +1081,6 @@ func (ra *RegistrationAuthorityImpl) validateFinalizeRequest(
 	}
 
 	if containsMustStaple(csr.Extensions) {
-		ra.mustStapleRequestsCounter.WithLabelValues("denied").Inc()
 		return nil, berrors.UnauthorizedError(
 			"OCSP must-staple extension is no longer available: see https://letsencrypt.org/2024/12/05/ending-ocsp",
 		)
@@ -1504,7 +1493,6 @@ func (ra *RegistrationAuthorityImpl) checkDCVAndCAA(ctx context.Context, dcvReq
 func (ra *RegistrationAuthorityImpl) PerformValidation(
 	ctx context.Context,
 	req *rapb.PerformValidationRequest) (*corepb.Authorization, error) {
-
 	// Clock for start of PerformValidation.
 	vStart := ra.clk.Now()
 

ra/ra_test.go

@@ -2940,7 +2940,6 @@ func TestFinalizeWithMustStaple(t *testing.T) {
 	})
 	test.AssertError(t, err, "finalization should fail")
 	test.AssertContains(t, err.Error(), "no longer available")
-	test.AssertMetricWithLabelsEquals(t, ra.mustStapleRequestsCounter, prometheus.Labels{"allowlist": "denied"}, 1)
 }
 
 func TestIssueCertificateAuditLog(t *testing.T) {