// Config is the top-level configuration for the RA. The RA stanza is specific
// to this binary; PA, Syslog and OpenTelemetry reuse the shared stanza types
// from the cmd package.
type Config struct {
	RA struct {
		cmd.ServiceConfig
		cmd.HostnamePolicyConfig

		// RateLimitPoliciesFilename is deprecated.
		RateLimitPoliciesFilename string

		// MaxContactsPerRegistration bounds the number of contacts accepted on
		// a single registration. NOTE(review): the enforcement point is not in
		// this file; confirm the exact semantics (e.g. whether 0 means
		// unlimited) against the RA before relying on them.
		MaxContactsPerRegistration int

		// SAService, VAService, CAService and PublisherService are the gRPC
		// client configurations for the SA, VA, CA and Publisher backends the
		// RA talks to.
		SAService        *cmd.GRPCClientConfig
		VAService        *cmd.GRPCClientConfig
		CAService        *cmd.GRPCClientConfig
		PublisherService *cmd.GRPCClientConfig

		// Deprecated: TODO(#8345): Remove this.
		AkamaiPurgerService *cmd.GRPCClientConfig

		// Deprecated: TODO(#8349): Remove this when removing the corresponding
		// service from the CA.
		OCSPService *cmd.GRPCClientConfig

		// Limiter configures rate limiting. Redis and Defaults are required
		// together (each carries a required_with tag naming the other); when
		// neither is set, rate limiting is not enabled. Overrides is optional.
		Limiter struct {
			// Redis contains the configuration necessary to connect to Redis
			// for rate limiting. This field is required to enable rate
			// limiting.
			Redis *bredis.Config `validate:"required_with=Defaults"`

			// Defaults is a path to a YAML file containing default rate limits.
			// See: ratelimits/README.md for details. This field is required to
			// enable rate limiting. If any individual rate limit is not set,
			// that limit will be disabled. Limits passed in this file must be
			// identical to those in the WFE.
			//
			// Note: At this time, only the Failed Authorizations rate limit is
			// necessary in the RA.
			Defaults string `validate:"required_with=Redis"`

			// Overrides is a path to a YAML file containing overrides for the
			// default rate limits. See: ratelimits/README.md for details. If
			// this field is not set, all requesters will be subject to the
			// default rate limits. Overrides passed in this file must be
			// identical to those in the WFE.
			//
			// Note: At this time, only the Failed Authorizations overrides are
			// necessary in the RA.
			Overrides string
		}

		// MaxNames is the maximum number of subjectAltNames in a single cert.
		// The value supplied MUST be greater than 0 and no more than 100. These
		// limits are per section 7.1 of our combined CP/CPS, under "DV-SSL
		// Subscriber Certificate". The value must match the CA and WFE
		// configurations. The validate tag enforces the 1..100 range only when
		// the field is set (omitempty).
		//
		// Deprecated: Set ValidationProfiles[*].MaxNames instead.
		MaxNames int `validate:"omitempty,min=1,max=100"`

		// ValidationProfiles is a map of validation profiles to their
		// respective issuance allow lists. If a profile is not included in this
		// mapping, it cannot be used by any account. If this field is left
		// empty, all profiles are open to all accounts.
		//
		// NOTE(review): the field carries `validate:"required"`, which appears
		// to reject an unset map; confirm whether the "left empty" case above
		// is still reachable, and if not, drop that sentence.
		ValidationProfiles map[string]*ra.ValidationProfileConfig `validate:"required"`

		// DefaultProfileName sets the profile to use if one wasn't provided by the
		// client in the new-order request. Must match a configured validation
		// profile or the RA will fail to start. Must match a certificate profile
		// configured in the CA or finalization will fail for orders using this
		// default.
		DefaultProfileName string `validate:"required"`

		// MustStapleAllowList specifies the path to a YAML file containing a
		// list of account IDs permitted to request certificates with the OCSP
		// Must-Staple extension.
		//
		// Deprecated: This field no longer has any effect, all Must-Staple requests
		// are rejected.
		// TODO(#8345): Remove this field.
		MustStapleAllowList string `validate:"omitempty"`

		// GoodKey is an embedded config stanza for the goodkey library.
		GoodKey goodkey.Config

		// FinalizeTimeout is how long the RA is willing to wait for the Order
		// finalization process to take. This config parameter only has an effect
		// if the AsyncFinalization feature flag is enabled. Any systems which
		// manage the shutdown of an RA must be willing to wait at least this long
		// after sending the shutdown signal, to allow background goroutines to
		// complete. The `validate:"-"` tag excludes this field from config
		// validation, so no bound on the duration is enforced here.
		FinalizeTimeout config.Duration `validate:"-"`

		// CTLogs contains groupings of CT logs organized by what organization
		// operates them. When we submit precerts to logs in order to get SCTs, we
		// will submit the cert to one randomly-chosen log from each group, and use
		// the SCTs from the first two groups which reply. This allows us to comply
		// with various CT policies that require (for certs with short lifetimes
		// like ours) two SCTs from logs run by different operators. It also holds
		// a `Stagger` value controlling how long we wait for one operator group
		// to respond before trying a different one.
		CTLogs ctconfig.CTConfig

		// IssuerCerts are paths to all intermediate certificates which may have
		// been used to issue certificates in the last 90 days. These are used to
		// generate OCSP URLs to purge during revocation. The validate tag
		// requires at least one path (min=1) and that every entry is non-empty
		// (dive,required).
		IssuerCerts []string `validate:"min=1,dive,required"`

		// Features holds the feature-flag configuration (see the features
		// package); flags such as AsyncFinalization referenced above are read
		// from here.
		Features features.Config
	}

	// PA is the shared policy-authority configuration stanza.
	PA cmd.PAConfig

	// Syslog is the shared syslog configuration stanza.
	Syslog cmd.SyslogConfig

	// OpenTelemetry is the shared OpenTelemetry tracing configuration stanza.
	OpenTelemetry cmd.OpenTelemetryConfig
}