CA: Stop using OCSP status NotReady (#8394)

Stop setting "OcspNotReady: true" when asking the SA to store a linting
precertificate, and stop calling SetCertificateStatusReady after
precertificate issuance has succeeded. Because these two calls are
always made in sequence by the same CA instance, this change will not
leave any database entries permanently hanging in the "NotReady" state
(unless an error occurs between the two calls, as is the case today).

A follow-up change will remove the corresponding support on the SA side.

Part of #8343

Author: aarongable

ca/ca.go

@@ -82,8 +82,7 @@ type certProfileWithID struct {
 	profile *issuance.Profile
 }
 
-// caMetrics holds various metrics which are shared between caImpl, ocspImpl,
-// and crlImpl.
+// caMetrics holds various metrics which are shared between caImpl and crlImpl.
 type caMetrics struct {
 	signatureCount *prometheus.CounterVec
 	signErrorCount *prometheus.CounterVec
@@ -132,7 +131,6 @@ func (m *caMetrics) noteSignError(err error) {
 }
 
 // certificateAuthorityImpl represents a CA that signs certificates.
-// It can sign OCSP responses as well, but only via delegation to an ocspImpl.
 type certificateAuthorityImpl struct {
 	capb.UnsafeCertificateAuthorityServer
 	sa           sapb.StorageAuthorityCertificateClient
@@ -155,7 +153,7 @@ var _ capb.CertificateAuthorityServer = (*certificateAuthorityImpl)(nil)
 
 // makeIssuerMaps processes a list of issuers into a set of maps for easy
 // lookup either by key algorithm (useful for picking an issuer for a precert)
-// or by unique ID (useful for final certs, OCSP, and CRLs). If two issuers with
+// or by unique ID (useful for final certs and CRLs). If two issuers with
 // the same unique ID are encountered, an error is returned.
 func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) {
 	issuersByAlg := make(map[x509.PublicKeyAlgorithm][]*issuance.Issuer, 2)
@@ -203,8 +201,7 @@ func makeCertificateProfilesMap(profiles map[string]*issuance.ProfileConfig) (ma
 }
 
 // NewCertificateAuthorityImpl creates a CA instance that can sign certificates
-// from any number of issuance.Issuers according to their profiles, and can sign
-// OCSP (via delegation to an ocspImpl and its issuers).
+// from any number of issuance.Issuers and for any number of profiles.
 func NewCertificateAuthorityImpl(
 	sa sapb.StorageAuthorityCertificateClient,
 	sctService rapb.SCTProviderClient,
@@ -294,11 +291,6 @@ func (ca *certificateAuthorityImpl) issuePrecertificate(ctx context.Context, cer
 		return nil, err
 	}
 
-	_, err = ca.sa.SetCertificateStatusReady(ctx, &sapb.Serial{Serial: serialHex})
-	if err != nil {
-		return nil, err
-	}
-
 	return precertDER, nil
 }
 
@@ -572,7 +564,6 @@ func (ca *certificateAuthorityImpl) issuePrecertificateInner(ctx context.Context
 		RegID:        issueReq.RegistrationID,
 		Issued:       timestamppb.New(ca.clk.Now()),
 		IssuerNameID: int64(issuer.NameID()),
-		OcspNotReady: true,
 	})
 	if err != nil {
 		return nil, nil, err

test/integration/cert_storage_failed_test.go

@@ -60,9 +60,8 @@ func getPrecertByName(db *sql.DB, reversedName string) (*x509.Certificate, error
 
 // TestIssuanceCertStorageFailed tests what happens when a storage RPC fails
 // during issuance. Specifically, it tests that case where we successfully
-// prepared and stored a linting certificate plus metadata, but after
-// issuing the precertificate we failed to mark the certificate as "ready"
-// to serve an OCSP "good" response.
+// prepared and stored a linting certificate plus metadata, but failed to store
+// the corresponding final certificate after issuance completed.
 //
 // To do this, we need to mess with the database, because we want to cause
 // a failure in one specific query, without control ever returning to the
@@ -83,28 +82,26 @@ func TestIssuanceCertStorageFailed(t *testing.T) {
 	_, err = db.ExecContext(ctx, `DROP TRIGGER IF EXISTS fail_ready`)
 	test.AssertNotError(t, err, "failed to drop trigger")
 
-	// Make a specific update to certificateStatus fail, for this test but not others.
+	// Make a specific insert into certificates fail, for this test but not others.
 	// To limit the effect to this one test, we make the trigger aware of a specific
-	// hostname used in this test. Since the UPDATE to the certificateStatus table
+	// hostname used in this test. Since the INSERT to the certificates table
 	// doesn't include the hostname, we look it up in the issuedNames table, keyed
-	// off of the serial being updated.
-	// We limit this to UPDATEs that set the status to "good" because otherwise we
-	// would fail to revoke the certificate later.
+	// off of the serial.
 	// NOTE: CREATE and DROP TRIGGER do not work in prepared statements. Go's
 	// database/sql will automatically try to use a prepared statement if you pass
 	// any arguments to Exec besides the query itself, so don't do that.
 	_, err = db.ExecContext(ctx, `
 		CREATE TRIGGER fail_ready
-		BEFORE UPDATE ON certificateStatus
+		BEFORE INSERT ON certificates
 		FOR EACH ROW BEGIN
 		DECLARE reversedName1 VARCHAR(255);
 		SELECT reversedName
 		    INTO reversedName1
 			FROM issuedNames
 			WHERE serial = NEW.serial
 			    AND reversedName LIKE "com.wantserror.%";
-		IF NEW.status = "good" AND reversedName1 != "" THEN
-			SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'Pretend there was an error updating the certificateStatus';
+		IF reversedName1 != "" THEN
+			SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'Pretend there was an error inserting into certificates';
 		END IF;
 		END
 	`)
@@ -117,7 +114,7 @@ func TestIssuanceCertStorageFailed(t *testing.T) {
 
 	// ---- Test revocation by serial ----
 	revokeMeDomain := "revokeme.wantserror.com"
-	// This should fail because the trigger prevented setting the certificate status to "ready"
+	// This should fail because the trigger prevented storing the final certificate.
 	_, err = authAndIssue(nil, certKey, []acme.Identifier{{Type: "dns", Value: revokeMeDomain}}, true, "")
 	test.AssertError(t, err, "expected authAndIssue to fail")
 
@@ -140,7 +137,7 @@ func TestIssuanceCertStorageFailed(t *testing.T) {
 
 	// ---- Test revocation by key ----
 	blockMyKeyDomain := "blockmykey.wantserror.com"
-	// This should fail because the trigger prevented setting the certificate status to "ready"
+	// This should fail because the trigger prevented storing the final certificate.
 	_, err = authAndIssue(nil, certKey, []acme.Identifier{{Type: "dns", Value: blockMyKeyDomain}}, true, "")
 	test.AssertError(t, err, "expected authAndIssue to fail")