Skip to content

Add AlreadyRevoked handling to revokedCertificates table inserts #8408

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wants to merge 6 commits into
base: main
Choose a base branch
from
Draft

Add AlreadyRevoked handling to revokedCertificates table inserts #8408

Changes from 1 commit
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
11a6549
Add AlreadyRevoked handling to revokedCertificates table inserts
aarongable Sep 24, 2025
61f1b5c
Merge branch main into already-revoked
aarongable Oct 2, 2025
b0a65bd
Replace IsDuplicate with an explicit SELECT-then-INSERT
aarongable Oct 3, 2025
880055e
FOR UPDATE
aarongable Oct 20, 2025
d444864
Use a unique index and duplicate detection
aarongable Oct 22, 2025
cdc7630
Simplify error message
aarongable Oct 28, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions sa/sa.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -835,6 +835,12 @@ func addRevokedCertificate(ctx context.Context, tx db.Executor, req *sapb.Revoke
NotAfterHour: serial.Expires.Add(time.Hour).Truncate(time.Hour),
})
if err != nil {
if db.IsDuplicate(err) {
// An attempted duplicate insert means that this certificate was already
// revoked. The RA has special logic for that case, so use the specific
// error for it.
return berrors.AlreadyRevokedError("certificate with serial %s already in revokedCertificates table", req.Serial)
}
return fmt.Errorf("inserting revoked certificate row: %w", err)
}

Expand Down