22
33[ ![ Build Status] ( https://github.com/letsencrypt/crl-monitor/actions/workflows/test.yml/badge.svg?branch=main )] ( https://github.com/letsencrypt/crl-monitor/actions/workflows/test.yml?query=branch%3Amain )
44
5- CRL-Monitor monitors CRLs
5+ CRL-Monitor monitors CRLs.
6+
7+ It issues certificates, revokes them, and then looks for them to appear in CRLs.
8+ Each component runs as an AWS Lambda.
9+
10+ The ` churner ` runs periodically. On each run it issues a certificate, fetches and lints
11+ the certificate's CRL URL, revokes the certificate, and stores its serial number and metadata
12+ for the ` checker ` to later verify that it shows up as revoked. It also checks previously
13+ seen serials. If they haven't shown up in a CRL after a reasonable amount of time, ` checker `
14+ produces an error.
15+
16+ The ` checker ` runs in response to the upload of each new CRL shard in S3. It diffs the newly
17+ uploaded CRL shard against its previous version and verifies:
18+
19+ - New CRL has a later date and higher CRL number than the previous version.
20+ - New CRL passes lints.
21+ - For any serials removed between the old shard and the new one:
22+ - The certificate is expired (based on fetching it by serial from Let's Encrypt).
23+ - For any serials added (if the certificate was issued by the churner):
24+ - The certificate's CRLDistributionPoint matches the CRL shard's IssuingDistributionPoint.
25+
26+ The ` checker ` also removes from database any certificates it sees, to indicate that their
27+ revocation has been published, so the ` churner ` won't alert about them
28+ It then marks as completed (deletes) any ` churner ` -issued certificates that show up on
29+ the new CRL.
30+
31+ ## Build and Deployment
32+
33+ This repository has two binaries named ` checker ` and two binaries named ` churner ` . The
34+ binaries under ` cmd ` are for local use and testing. The binaries under ` lambda ` are for
35+ deployment to AWS Lambda. The key difference is that the ` lambda/ ` binaries register a
36+ lambda handler ([ ` lambda.StartWithOptions() ` ] ), which AWS then calls. That
37+ [ handler can return errors] , and we have separate Cloudwatch monitoring that alerts when
38+ any errors are detected.
39+
40+ The lambda binaries are built by a release workflow on GitHub Actions triggered by uploading
41+ a release tag (starting with ` v ` ). Those binaries are uploaded to S3 under a versioned path.
42+ They are then deployed to Lambda using Terraform (in another repository).
43+
44+ [ `lambda.StartWithOptions()` ] : https://pkg.go.dev/github.com/aws/aws-lambda-go/lambda#StartWithOptions
45+ [ handler can return errors ] : https://docs.aws.amazon.com/lambda/latest/dg/foundation-progmodel.html
46+
47+ ## Testing
48+
49+ Most of the tests are unittests and can be run with:
50+
51+ go test ./...
52+
53+ There is also an integration test for DynamoDB code. To run this, install Java and run:
54+
55+ ./db/run_integration_test.sh
656
757## Architecture Diagram
858
@@ -17,6 +67,7 @@ sequenceDiagram
1767 loop timer
1868 activate churn
1969 churn->>ca: Issue certificate
70+ churn->>ca: Fetch CRL
2071 churn->>ca: Revoke certificate
2172 churn->>ddb: Store certificate metadata
2273 ddb->>churn: Get previous revoked serials
0 commit comments