wfe/sa/features: Deprecate TrackReplacementCertificatesARI (#7766)

features/features.go

@@ -29,6 +29,7 @@ type Config struct {
 	CertCheckerRequiresCorrespondence bool
 	ECDSAForAll                       bool
 	CheckRenewalExemptionAtWFE        bool
+	TrackReplacementCertificatesARI   bool
 	UseKvLimitsForNewAccount          bool
 
 	// ServeRenewalInfo exposes the renewalInfo endpoint in the directory and for
@@ -73,16 +74,6 @@ type Config struct {
 	// maxRemoteValidationFailures. Only used when EnforceMultiCAA is true.
 	MultiCAAFullResults bool
 
-	// TrackReplacementCertificatesARI, when enabled, triggers the following
-	// behavior:
-	//   - SA.NewOrderAndAuthzs: upon receiving a NewOrderRequest with a
-	//     'replacesSerial' value, will create a new entry in the 'replacement
-	//     Orders' table. This will occur inside of the new order transaction.
-	//   - SA.FinalizeOrder will update the 'replaced' column of any row with
-	//     a 'orderID' matching the finalized order to true. This will occur
-	//     inside of the finalize (order) transaction.
-	TrackReplacementCertificatesARI bool
-
 	// MultipleCertificateProfiles, when enabled, triggers the following
 	// behavior:
 	//   - SA.NewOrderAndAuthzs: upon receiving a NewOrderRequest with a

sa/model_test.go

@@ -19,7 +19,6 @@ import (
 	"google.golang.org/protobuf/types/known/timestamppb"
 
 	"github.com/letsencrypt/boulder/db"
-	"github.com/letsencrypt/boulder/features"
 	"github.com/letsencrypt/boulder/grpc"
 	"github.com/letsencrypt/boulder/probs"
 	"github.com/letsencrypt/boulder/test/vars"
@@ -461,9 +460,6 @@ func TestAddReplacementOrder(t *testing.T) {
 	sa, _, cleanUp := initSA(t)
 	defer cleanUp()
 
-	features.Set(features.Config{TrackReplacementCertificatesARI: true})
-	defer features.Reset()
-
 	oldCertSerial := "1234567890"
 	orderId := int64(1337)
 	orderExpires := time.Now().Add(24 * time.Hour).UTC().Truncate(time.Second)
@@ -513,9 +509,6 @@ func TestSetReplacementOrderFinalized(t *testing.T) {
 	sa, _, cleanUp := initSA(t)
 	defer cleanUp()
 
-	features.Set(features.Config{TrackReplacementCertificatesARI: true})
-	defer features.Reset()
-
 	oldCertSerial := "1234567890"
 	orderId := int64(1337)
 	orderExpires := time.Now().Add(24 * time.Hour).UTC().Truncate(time.Second)

sa/sa.go

@@ -739,11 +739,9 @@ func (ssa *SQLStorageAuthority) FinalizeOrder(ctx context.Context, req *sapb.Fin
 			return nil, err
 		}
 
-		if features.Get().TrackReplacementCertificatesARI {
-			err = setReplacementOrderFinalized(ctx, tx, req.Id)
-			if err != nil {
-				return nil, err
-			}
+		err = setReplacementOrderFinalized(ctx, tx, req.Id)
+		if err != nil {
+			return nil, err
 		}
 
 		return nil, nil

sa/sa_test.go

@@ -4059,9 +4059,6 @@ func TestReplacementOrderExists(t *testing.T) {
 	sa, fc, cleanUp := initSA(t)
 	defer cleanUp()
 
-	features.Set(features.Config{TrackReplacementCertificatesARI: true})
-	defer features.Reset()
-
 	oldCertSerial := "1234567890"
 
 	// Check that a non-existent replacement order does not exist.

test/config-next/sa.json

@@ -50,7 +50,6 @@
 		"healthCheckInterval": "4s",
 		"features": {
 			"MultipleCertificateProfiles": true,
-			"TrackReplacementCertificatesARI": true,
 			"DisableLegacyLimitWrites": true,
 			"InsertAuthzsIndividually": true
 		}

test/config-next/wfe2.json

@@ -128,7 +128,6 @@
 		},
 		"features": {
 			"ServeRenewalInfo": true,
-			"TrackReplacementCertificatesARI": true,
 			"CheckIdentifiersPaused": true,
 			"UseKvLimitsForNewOrder": true
 		},

test/config/sa.json

@@ -47,7 +47,9 @@
 				}
 			}
 		},
-		"features": {}
+		"features": {
+			"TrackReplacementCertificatesARI": true
+		}
 	},
 	"syslog": {
 		"stdoutlevel": 6,

test/config/wfe2.json

@@ -106,6 +106,7 @@
 		"pendingAuthorizationLifetimeDays": 7,
 		"features": {
 			"ServeRenewalInfo": true,
+			"TrackReplacementCertificatesARI": true,
 			"CheckRenewalExemptionAtWFE": true,
 			"UseKvLimitsForNewAccount": true
 		}

test/integration/ari_test.go

@@ -8,7 +8,6 @@ import (
 	"crypto/rand"
 	"crypto/x509/pkix"
 	"math/big"
-	"os"
 	"testing"
 	"time"
 
@@ -50,27 +49,17 @@ func TestARI(t *testing.T) {
 	test.AssertEquals(t, ari.SuggestedWindow.End.Sub(time.Now()).Round(time.Hour), 1463*time.Hour)
 	test.AssertEquals(t, ari.RetryAfter.Sub(time.Now()).Round(time.Hour), 6*time.Hour)
 
-	// TODO(@pgporada): Clean this up when 'test/config/{sa,wfe2}.json' sets
-	// TrackReplacementCertificatesARI=true.
-	if os.Getenv("BOULDER_CONFIG_DIR") == "test/config-next" {
-		// Make a new order which indicates that it replaces the cert issued above.
-		_, order, err := makeClientAndOrder(client, key, []string{name}, true, cert)
-		test.AssertNotError(t, err, "failed to issue test cert")
-		replaceID, err := acme.GenerateARICertID(cert)
-		test.AssertNotError(t, err, "failed to generate ARI certID")
-		test.AssertEquals(t, order.Replaces, replaceID)
-		test.AssertNotEquals(t, order.Replaces, "")
-
-		// Try it again and verify it fails
-		_, order, err = makeClientAndOrder(client, key, []string{name}, true, cert)
-		test.AssertError(t, err, "subsequent ARI replacements for a replaced cert should fail, but didn't")
-	} else {
-		// ARI is disabled so we only use the client to POST the replacement
-		// order, but we never finalize it.
-		replacementOrder, err := client.ReplacementOrder(client.Account, cert, []acme.Identifier{{Type: "dns", Value: name}})
-		test.AssertNotError(t, err, "ARI replacement request should have succeeded")
-		test.AssertNotEquals(t, replacementOrder.Replaces, "")
-	}
+	// Make a new order which indicates that it replaces the cert issued above.
+	_, order, err := makeClientAndOrder(client, key, []string{name}, true, cert)
+	test.AssertNotError(t, err, "failed to issue test cert")
+	replaceID, err := acme.GenerateARICertID(cert)
+	test.AssertNotError(t, err, "failed to generate ARI certID")
+	test.AssertEquals(t, order.Replaces, replaceID)
+	test.AssertNotEquals(t, order.Replaces, "")
+
+	// Try it again and verify it fails
+	_, order, err = makeClientAndOrder(client, key, []string{name}, true, cert)
+	test.AssertError(t, err, "subsequent ARI replacements for a replaced cert should fail, but didn't")
 
 	// Revoke the cert and re-request ARI. The renewal window should now be in
 	// the past indicating to the client that a renewal should happen

wfe2/wfe.go

@@ -2348,12 +2348,10 @@ func (wfe *WebFrontEndImpl) NewOrder(
 
 	var replaces string
 	var isARIRenewal bool
-	if features.Get().TrackReplacementCertificatesARI {
-		replaces, isARIRenewal, err = wfe.validateReplacementOrder(ctx, acct, names, newOrderRequest.Replaces)
-		if err != nil {
-			wfe.sendError(response, logEvent, web.ProblemDetailsForError(err, "While validating order as a replacement an error occurred"), err)
-			return
-		}
+	replaces, isARIRenewal, err = wfe.validateReplacementOrder(ctx, acct, names, newOrderRequest.Replaces)
+	if err != nil {
+		wfe.sendError(response, logEvent, web.ProblemDetailsForError(err, "While validating order as a replacement an error occurred"), err)
+		return
 	}
 
 	var isRenewal bool
@@ -2391,12 +2389,10 @@ func (wfe *WebFrontEndImpl) NewOrder(
 	var newOrderSuccessful bool
 	var errIsRateLimit bool
 	defer func() {
-		if features.Get().TrackReplacementCertificatesARI {
-			wfe.stats.ariReplacementOrders.With(prometheus.Labels{
-				"isReplacement": fmt.Sprintf("%t", replaces != ""),
-				"limitsExempt":  fmt.Sprintf("%t", isARIRenewal),
-			}).Inc()
-		}
+		wfe.stats.ariReplacementOrders.With(prometheus.Labels{
+			"isReplacement": fmt.Sprintf("%t", replaces != ""),
+			"limitsExempt":  fmt.Sprintf("%t", isARIRenewal),
+		}).Inc()
 
 		if !newOrderSuccessful && !errIsRateLimit && refundLimits != nil {
 			go refundLimits()

wfe2/wfe_test.go

@@ -4007,7 +4007,6 @@ func makeARICertID(leaf *x509.Certificate) (string, error) {
 
 func TestCountNewOrderWithReplaces(t *testing.T) {
 	wfe, _, signer := setupWFE(t)
-	features.Set(features.Config{TrackReplacementCertificatesARI: true})
 
 	expectExpiry := time.Now().AddDate(0, 0, 1)
 	var expectAKID []byte