RA: Audit log and track cert profile names and hashes #7433

Merged
merged 5 commits into from
Apr 23, 2024

Member

@pgporada pgporada commented Apr 16, 2024

  • Adds `CertProfileName` to the CA's `capb.IssuePrecertificateResponse` so the RA can receive the CA's configured default profile name for audit logging/metrics. This is useful for when the RA sends an empty string as the profile name to the CA, but we want to know exactly what the profile name chosen by the CA was, rather than just relying on comparing hashes between CA and RA audit logs.
  • Adds the profile name and hash to RA audit logs emitted after a successful issuance.
  • Adds new labels to the existing `new_certificates` metric exported by the RA.

```
# HELP new_certificates A counter of new certificates including the certificate profile name and hexadecimal certificate profile hash
# TYPE new_certificates counter
new_certificates{profileHash="de4c8c8866ed46b1d4af0d79e6b7ecf2d1ea625e26adcbbd3979ececd8fbd05a",profileName="defaultBoulderCertificateProfile"} 2
```

Fixes #7421

@pgporada pgporada requested a review from a team as a code owner April 16, 2024 19:33
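
As an added example (not code from Boulder or from this PR), the Go program below reads `new_certificates` series in the text format shown in the description and reports any `profileName` that appears with more than one `profileHash`, the name-to-hash correlation the new labels make possible. The helper name `DriftedProfiles`, the second and third sample series, and their hash values are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// sampleScrape is constructed: series 1 is from the PR description, the rest are made up.
const sampleScrape = `# TYPE new_certificates counter
new_certificates{profileHash="de4c8c8866ed46b1d4af0d79e6b7ecf2d1ea625e26adcbbd3979ececd8fbd05a",profileName="defaultBoulderCertificateProfile"} 2
new_certificates{profileHash="00000000000000000000000000000000000000000000000000000000000000aa",profileName="defaultBoulderCertificateProfile"} 5
new_certificates{profileHash="00000000000000000000000000000000000000000000000000000000000000bb",profileName="exampleOtherProfile"} 1
`

var (
	nameRE = regexp.MustCompile(`profileName="([^"]*)"`)
	hashRE = regexp.MustCompile(`profileHash="([^"]*)"`)
)

// DriftedProfiles (hypothetical helper) returns every profileName seen with
// more than one profileHash in a text-format scrape, mapped to its sorted hashes.
func DriftedProfiles(scrape string) map[string][]string {
	seen := map[string]map[string]bool{}
	for _, line := range strings.Split(scrape, "\n") {
		n, h := nameRE.FindStringSubmatch(line), hashRE.FindStringSubmatch(line)
		if !strings.HasPrefix(line, "new_certificates{") || n == nil || h == nil {
			continue // comment line, another metric, or a series missing a label
		}
		if seen[n[1]] == nil {
			seen[n[1]] = map[string]bool{}
		}
		seen[n[1]][h[1]] = true
	}
	drifted := map[string][]string{}
	for name, hashes := range seen {
		if len(hashes) < 2 {
			continue // one hash per name: the profile definition was stable
		}
		for h := range hashes {
			drifted[name] = append(drifted[name], h)
		}
		sort.Strings(drifted[name])
	}
	return drifted
}

func main() { fmt.Println(DriftedProfiles(sampleScrape)) }
```

A name reported here means certificates were issued under two different definitions of the same named profile during the scrape window, which is worth reconciling against the CA and RA audit logs.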
aarongable previously approved these changes Apr 17, 2024
Contributor

@aarongable aarongable left a comment

LGTM with some optional nits

aarongable previously approved these changes Apr 19, 2024
jsha previously requested changes Apr 19, 2024
Contributor

@jsha jsha left a comment

Looks good!

@pgporada pgporada dismissed jsha’s stale review April 22, 2024 18:41

Comments have been addressed.

@pgporada pgporada merged commit fc7c522 into main Apr 23, 2024
12 checks passed
@pgporada pgporada deleted the 7421-ra-certprofile-metric-and-audit-logging branch April 23, 2024 16:05
vbaranovskiy-plesk pushed a commit to plesk/boulder that referenced this pull request May 30, 2024
* Adds `CertProfileName` to the CA's `capb.IssuePrecertificateResponse`
so the RA can receive the CA's configured default profile name for audit
logging/metrics. This is useful for when the RA sends an empty string as
the profile name to the CA, but we want to know exactly what the profile
name chosen by the CA was, rather than just relying on comparing hashes
between CA and RA audit logs.
* Adds the profile name and hash to RA audit logs emitted after a
successful issuance.
* Adds new labels to the existing `new_certificates` metric exported by
the RA.
```
# HELP new_certificates A counter of new certificates including the certificate profile name and hexadecimal certificate profile hash
# TYPE new_certificates counter
new_certificates{profileHash="de4c8c8866ed46b1d4af0d79e6b7ecf2d1ea625e26adcbbd3979ececd8fbd05a",profileName="defaultBoulderCertificateProfile"} 2
```

Fixes letsencrypt#7421
AlinaADmi pushed a commit to plesk/boulder that referenced this pull request Jul 29, 2024
Successfully merging this pull request may close these issues.

Track chosen certificate profile in RA audit log and metric