I forgot: if Pebble doesn't know the certificate, or can't parse the serial as hex, it will return a 404 with no content.

Looks promising!

One interesting thing to get also (to build a complete OCSP responder for instance) would be the date since when the certificate has been revoked on Pebble side. It could be retrieved as a fourth parameter in the JSON response, if the status is Revoked.

I think it is doable to store this date in the revokedCertificatesById map from ca.db.

What do you think of that @felixfontein?

Yes, that should be doable. I would include a full timestamp and not just a date, though. And also the revocation code used. I'm trying it now...

Now revocation timestamp and reason are stored with the revoked certificate, and returned by the endpoint (the reason only when available):

$ curl -ki https://127.0.0.1:15000/cert-status-by-serial/7811e0b42b98cc1c
HTTP/2 200 
cache-control: public, max-age=0, no-cache
content-type: application/json; charset=utf-8
link: <https://127.0.0.1:15000/dir>;rel="index"
content-length: 1728
date: Fri, 12 Jul 2019 22:14:17 GMT

{
   "Certificate": "-----BEGIN CERTIFICATE-----\nMIIEVz...tcw=\n-----END CERTIFICATE-----\n",
   "RevokedAt": "2019-07-13T00:14:13.719654003+02:00",
   "Serial": "7811e0b42b98cc1c",
   "Status": "Revoked"
}

$ curl -ki https://127.0.0.1:15000/cert-status-by-serial/66317d2e02f5d3d6
HTTP/2 200 
cache-control: public, max-age=0, no-cache
content-type: application/json; charset=utf-8
link: <https://127.0.0.1:15000/dir>;rel="index"
content-length: 1740
date: Fri, 12 Jul 2019 22:14:21 GMT

{
   "Certificate": "-----BEGIN CERTIFICATE-----\nMIIEVz...tcw=\n-----END CERTIFICATE-----\n",
   "Reason": 4,
   "RevokedAt": "2019-07-13T00:13:20.418489956+02:00",
   "Serial": "66317d2e02f5d3d6",
   "Status": "Revoked"
}

I changed it a little so that the timestamp is returned in UTC:

    "RevokedAt": "2019-07-12T22:21:05.392675552Z",

BTW (and unrelated): all requests to the management interface have a Link header for the directory included, but with the wrong port (that of the management interface).

BTW (and unrelated): all requests to the management interface have a Link header for the directory

@felixfontein Good catch! #253

I'll try to review this PR in the next couple of days.

Rebased to remove conflicts with #254.

@cpu thanks for your feedback! I hope I've adjusted everything correctly. At least it still works in my tests :)

Thanks again @felixfontein. My goal is to cut a new Pebble release that will have this commit and some of the other new work next week (hopefully Monday).

@cpu thanks again for reviewing and merging! :)

My goal is to cut a new Pebble release that will have this commit and some of the other new work next week (hopefully Monday).

https://github.com/letsencrypt/pebble/releases/tag/v2.2.1 🎉