Add feature flag

jsha · jsha · commit b2eba4ca365c · 2026-01-28T16:51:41.000-08:00
diff --git a/features/features.go b/features/features.go
@@ -51,6 +51,10 @@ type Config struct {
 	// for the cert URL to appear.
 	AsyncFinalize bool
 
+	// CAARechecksFailOrder causes the RA to set an order to "invalid" if its CAA
+	// rechecks fail.
+	CAARechecksFailOrder bool
+
 	// CheckIdentifiersPaused checks if any of the identifiers in the order are
 	// currently paused at NewOrder time. If any are paused, an error is
 	// returned to the Subscriber indicating that the order cannot be processed
diff --git a/ra/ra.go b/ra/ra.go
@@ -714,6 +714,15 @@ func (ra *RegistrationAuthorityImpl) checkOrderAuthorizations(
 		return nil, berrors.UnauthorizedError("incorrect number of identifiers requested for finalization")
 	}
 
+	if !features.Get().CAARechecksFailOrder {
+		// Check that the authzs either don't need CAA rechecking, or do the
+		// necessary CAA rechecks right now.
+		err = ra.checkAuthorizationsCAA(ctx, int64(acctID), authzs, now)
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	return authzs, nil
 }
 
@@ -932,11 +941,10 @@ func (ra *RegistrationAuthorityImpl) FinalizeOrder(ctx context.Context, req *rap
 		return nil, errIncompleteGRPCRequest
 	}
 
-	requester := req.Order.RegistrationID
 	logEvent := certificateRequestEvent{
 		ID:          core.NewToken(),
 		OrderID:     req.Order.Id,
-		Requester:   requester,
+		Requester:   req.Order.RegistrationID,
 		RequestTime: ra.clk.Now(),
 		UserAgent:   web.UserAgent(ctx),
 	}
@@ -1292,11 +1300,13 @@ func (ra *RegistrationAuthorityImpl) issueCertificateInner(
 		return fmt.Errorf("%s: %s", prefix, e)
 	}
 
-	// Check that the authzs either don't need CAA rechecking, or do the
-	// necessary CAA rechecks right now.
-	err := ra.checkAuthorizationsCAA(ctx, int64(acctID), authzs, ra.clk.Now())
-	if err != nil {
-		return nil, err
+	if features.Get().CAARechecksFailOrder {
+		// Check that the authzs either don't need CAA rechecking, or do the
+		// necessary CAA rechecks right now.
+		err := ra.checkAuthorizationsCAA(ctx, int64(acctID), authzs, ra.clk.Now())
+		if err != nil {
+			return nil, err
+		}
 	}
 
 	issueReq := &capb.IssueCertificateRequest{
diff --git a/test/config-next/ra.json b/test/config-next/ra.json
@@ -160,7 +160,7 @@
 			]
 		},
 		"features": {
-			"AsyncFinalize": true,
+			"CAARechecksFailOrder": true,
 			"AutomaticallyPauseZombieClients": true,
 			"DNSAccount01Enabled": true,
 			"NoPendingAuthzReuse": true

Original file line number	Diff line number	Diff line change
`@@ -160,7 +160,7 @@`
`160`	`160`	`]`
`161`	`161`	`},`
`162`	`162`	`"features": {`
`163`		`- "AsyncFinalize": true,`
	`163`	`+ "CAARechecksFailOrder": true,`
`164`	`164`	`"AutomaticallyPauseZombieClients": true,`
`165`	`165`	`"DNSAccount01Enabled": true,`
`166`	`166`	`"NoPendingAuthzReuse": true`