Remove ocsp-updater from Boulder (#6769)

Delete the ocsp-updater service, and the //ocsp/updater library that
supports it. Remove test configs for the service, and remove references
to the service from other test files.

This service has been fully shut down for an extended period now, and is
safe to remove.

Fixes #6499

README.md

@@ -30,8 +30,8 @@ Boulder is divided into the following main components:
 4. Certificate Authority
 5. Storage Authority
 6. Publisher
-7. OCSP Updater
-8. OCSP Responder
+7. OCSP Responder
+8. CRL Updater
 
 This component model lets us separate the function of the CA by security
 context. The Web Front End, Validation Authority, OCSP Responder and
@@ -43,18 +43,14 @@ Registration Authority. All components talk to the SA for storage, so most
 lines indicating SA RPCs are not shown here.
 
 ```text
-                             +--------- OCSP Updater
-                             |               |
-                             v               |
-                            CA -> Publisher  |
-                             ^               |
-                             |               v
+                            CA ---------> Publisher
+                             ^
+                             |
        Subscriber -> WFE --> RA --> SA --> MariaDB
                              |               ^
 Subscriber server <- VA <----+               |
                                              |
-          Browser ------------------>  OCSP Responder
-
+          Browser -------------------> OCSP Responder
 ```
 
 Internally, the logic of the system is based around five types of objects:

cmd/boulder-ca/main.go

@@ -54,8 +54,7 @@ type Config struct {
 		// The maximum number of subjectAltNames in a single certificate
 		MaxNames int `validate:"required,min=1,max=100"`
 
-		// LifespanOCSP is how long OCSP responses are valid for. It should be
-		// longer than the minTimeToExpiry field for the OCSP Updater. Per the BRs,
+		// LifespanOCSP is how long OCSP responses are valid for. Per the BRs,
 		// Section 4.9.10, it MUST NOT be more than 10 days.
 		LifespanOCSP config.Duration
 

cmd/boulder/main.go

@@ -29,7 +29,6 @@ import (
 	_ "github.com/letsencrypt/boulder/cmd/nonce-service"
 	_ "github.com/letsencrypt/boulder/cmd/notify-mailer"
 	_ "github.com/letsencrypt/boulder/cmd/ocsp-responder"
-	_ "github.com/letsencrypt/boulder/cmd/ocsp-updater"
 	_ "github.com/letsencrypt/boulder/cmd/orphan-finder"
 	_ "github.com/letsencrypt/boulder/cmd/reversed-hostname-checker"
 	_ "github.com/letsencrypt/boulder/cmd/rocsp-tool"

cmd/ocsp-responder/main.go

@@ -54,25 +54,6 @@ type Config struct {
 		// upstream's timeout when making request to ocsp-responder.
 		Timeout config.Duration `validate:"-"`
 
-		// The worst-case freshness of a response during normal operations.
-		//
-		// This controls behavior when both Redis and MariaDB backends are
-		// configured. If a MariaDB response is older than this, ocsp-responder
-		// will try to serve a fresher response from Redis, waiting for a Redis
-		// response if necessary.
-		//
-		// This is related to OCSPMinTimeToExpiry in ocsp-updater's config,
-		// and both are related to the mandated refresh times in the BRs and
-		// root programs (minus a safety margin).
-		//
-		// This should be configured slightly higher than ocsp-updater's
-		// OCSPMinTimeToExpiry, to account for the time taken to sign
-		// responses once they pass that threshold. For instance, a good value
-		// would be: OCSPMinTimeToExpiry + OldOCSPWindow.
-		//
-		// This has a default value of 61h.
-		ExpectedFreshness config.Duration `validate:"-"`
-
 		// How often a response should be signed when using Redis/live-signing
 		// path. This has a default value of 60h.
 		LiveSigningPeriod config.Duration `validate:"-"`
@@ -123,6 +104,11 @@ type Config struct {
 		// LogSampleRate sets how frequently error logs should be emitted. This
 		// avoids flooding the logs during outages. 1 out of N log lines will be emitted.
 		LogSampleRate int `validate:"min=0"`
+
+		// Deprecated: ExpectedFreshness is no longer used now that we do not read
+		// OCSP Response bytes from the database.
+		// TODO(#6775): Remove this.
+		ExpectedFreshness config.Duration `validate:"-"`
 	}
 
 	Syslog cmd.SyslogConfig

core/objects.go

@@ -406,47 +406,44 @@ type Certificate struct {
 }
 
 // CertificateStatus structs are internal to the server. They represent the
-// latest data about the status of the certificate, required for OCSP updating
-// and for validating that the subscriber has accepted the certificate.
+// latest data about the status of the certificate, required for generating new
+// OCSP responses and determining if a certificate has been revoked.
 type CertificateStatus struct {
 	ID int64 `db:"id"`
 
 	Serial string `db:"serial"`
 
 	// status: 'good' or 'revoked'. Note that good, expired certificates remain
-	//   with status 'good' but don't necessarily get fresh OCSP responses.
+	// with status 'good' but don't necessarily get fresh OCSP responses.
 	Status OCSPStatus `db:"status"`
 
 	// ocspLastUpdated: The date and time of the last time we generated an OCSP
-	//   response. If we have never generated one, this has the zero value of
-	//   time.Time, i.e. Jan 1 1970.
+	// response. If we have never generated one, this has the zero value of
+	// time.Time, i.e. Jan 1 1970.
 	OCSPLastUpdated time.Time `db:"ocspLastUpdated"`
 
 	// revokedDate: If status is 'revoked', this is the date and time it was
-	//   revoked. Otherwise it has the zero value of time.Time, i.e. Jan 1 1970.
+	// revoked. Otherwise it has the zero value of time.Time, i.e. Jan 1 1970.
 	RevokedDate time.Time `db:"revokedDate"`
 
 	// revokedReason: If status is 'revoked', this is the reason code for the
-	//   revocation. Otherwise it is zero (which happens to be the reason
-	//   code for 'unspecified').
+	// revocation. Otherwise it is zero (which happens to be the reason
+	// code for 'unspecified').
 	RevokedReason revocation.Reason `db:"revokedReason"`
 
 	LastExpirationNagSent time.Time `db:"lastExpirationNagSent"`
 
 	// The encoded and signed OCSP response.
+	//
+	// Deprecated: We are phasing out storing OCSP Response bytes in the database,
+	// so CertificateStatus objects should not be expected to have a populated
+	// OCSPResponse field anymore.
 	OCSPResponse []byte `db:"ocspResponse"`
 
-	// For performance reasons[0] we duplicate the `Expires` field of the
-	// `Certificates` object/table in `CertificateStatus` to avoid a costly `JOIN`
-	// later on just to retrieve this `Time` value. This helps both the OCSP
-	// updater and the expiration-mailer stay performant.
-	//
-	// Similarly, we add an explicit `IsExpired` boolean to `CertificateStatus`
-	// table that the OCSP updater so that the database can create a meaningful
-	// index on `(isExpired, ocspLastUpdated)` without a `JOIN` on `certificates`.
-	// For more detail see Boulder #1864[0].
-	//
-	// [0]: https://github.com/letsencrypt/boulder/issues/1864
+	// NotAfter and IsExpired are convenience columns which allow expensive
+	// queries to quickly filter out certificates that we don't need to care about
+	// anymore. These are particularly useful for the expiration mailer and CRL
+	// updater. See https://github.com/letsencrypt/boulder/issues/1864.
 	NotAfter  time.Time `db:"notAfter"`
 	IsExpired bool      `db:"isExpired"`