jsha commented Jun 4, 2025

Fixes #486

This moves the GetCertificateBySerial call earlier, which means that call needs to succeed even for revoked certificates. So this also follows up on #252 by keeping revoked certs in the primary certificatesByID map (while still adding them to the revokedCertificatesByID map).
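
The storage change described above, sketched as an added example that is not Pebble's own code: `cert`, `store`, `newStore` and `Revoke` are hypothetical, and only the names `GetCertificateBySerial`, `certificatesByID` and `revokedCertificatesByID` come from the description, with assumed signatures. It shows that once revoked certificates stay in the primary map, a successful lookup by serial says nothing about revocation, so the status has to be checked explicitly.

```go
package main

import (
	"fmt"
	"math/big"
)

// cert and store are hypothetical stand-ins, not Pebble's own types.
type cert struct {
	ID     string
	Serial *big.Int
}

type store struct {
	certificatesByID        map[string]*cert // every issued cert, revoked or not
	revokedCertificatesByID map[string]*cert // revoked subset only
}

func newStore(certs ...*cert) *store {
	s := &store{map[string]*cert{}, map[string]*cert{}}
	for _, c := range certs {
		s.certificatesByID[c.ID] = c
	}
	return s
}

// Revoke marks the cert revoked but leaves it in the primary map.
func (s *store) Revoke(id string) {
	if c, ok := s.certificatesByID[id]; ok {
		s.revokedCertificatesByID[id] = c
	}
}

// GetCertificateBySerial also finds revoked certs and reports their status; nil means unknown serial.
func (s *store) GetCertificateBySerial(serial *big.Int) (*cert, bool) {
	for id, c := range s.certificatesByID {
		if c.Serial.Cmp(serial) == 0 {
			_, revoked := s.revokedCertificatesByID[id]
			return c, revoked
		}
	}
	return nil, false
}

func main() {
	s := newStore(&cert{ID: "a1", Serial: big.NewInt(4096)}) // constructed sample
	s.Revoke("a1")
	c, revoked := s.GetCertificateBySerial(big.NewInt(4096))
	fmt.Println(c != nil, revoked)
}
```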

jsha merged commit d52948c into main Jun 5, 2025
14 checks passed
jsha deleted the ari-override branch June 5, 2025 23:15
ohemorange pushed a commit to certbot/certbot that referenced this pull request Jun 6, 2025
This depends on a pending Pebble pull request and so will fail
integration tests until/unless that lands:
letsencrypt/pebble#501

However, I'd appreciate some eyes on this PR in this regard: is the
interface we're using in Pebble useful and appropriate? If not, we can
adjust the Pebble PR.

Inspired by the conversation on
#10307, but note that this just
tests the general case; it does not test the "default server differs
from lineage server" case yet; when I try adding that I get some bugs
that may reflect a problem in #10307 I need to fix (or may reflect that
I need to inhibit the `--server` flag rather than trying to override it
late in the command line).
jsha added a commit that referenced this pull request Jun 9, 2025
This worked previously but was broken in #501 by changing how the database
stores revoked certificates.
kwatson added a commit to kwatson/letsencrypt-pebble that referenced this pull request Jun 9, 2025
* 'main' of https://github.com/letsencrypt/pebble: (35 commits)
  add overriding of ARI response (letsencrypt#501)
  wfe: fix a race in `orderForDisplay` (letsencrypt#500)
  Bump golang.org/x/ dependencies (letsencrypt#499)
  correctly triggers BadSignatureAlgorithmProblem at JWS parse time (letsencrypt#492)
  use newer validation subdomain for dns-account-01 (fix CI eggsampler/acme error) (letsencrypt#498)
  Orders don't have a "deactivated" status. (letsencrypt#301)
  Update golangci-lint (letsencrypt#488)
  build(deps): bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 (letsencrypt#487)
  Truncate ARI timestamps to millisecond resolution (letsencrypt#485)
  return logical and compliant ARI windows for expiring certs (letsencrypt#484)
  Update dependencies (letsencrypt#481)
  docs: rm mention of subproblems being unimpl'd (letsencrypt#479)
  Fix(NOISSUE): Fix docker compose file example in README.md (letsencrypt#475)
  Add support for ACME Profiles (letsencrypt#473)
  Simplify KU, EKU, and SKID fields of issued certs (letsencrypt#472)
  Update golangci-lint to 1.60.2 (letsencrypt#474)
  Update /x/net for compatibility with go1.23 (letsencrypt#470)
  Reject extra command line args and fix README invocation (letsencrypt#467)
  Document exposing API and management ports when not using docker-compose.yaml (letsencrypt#465)
  Implement latest draft-ietf-acme-ari spec (letsencrypt#461)
  ...
jsha added a commit that referenced this pull request Jun 9, 2025
This worked previously but was broken in #501 by changing how the
database stores revoked certificates.

Fixes #504

Development

Successfully merging this pull request may close these issues.

Add API to adjust ARI window of certificates
