ratelimits: Exempt renewals from NewOrdersPerAccount and CertificatesPerDomain

[beautifulentropy]

• Rename NewOrderRequest field LimitsExempt to IsARIRenewal
• Introduce a new NewOrderRequest field, IsRenewal
• Introduce a new (temporary) feature flag, CheckRenewalExemptionAtWFE

WFE:

• Perform renewal detection in the WFE when CheckRenewalExemptionAtWFE is set
• Skip (key-value) NewOrdersPerAccount and CertificatesPerDomain limit checks when renewal detection indicates the the order is a renewal.

RA:

• Leave renewal detection in the RA intact
• Skip renewal detection and (legacy) NewOrdersPerAccount and CertificatesPerDomain limit checks when CheckRenewalExemptionAtWFE is set and the NewOrderRequest indicates that the order is a renewal.

Fixes #7508
Part of #5545

[github-actions]

@beautifulentropy, this PR appears to contain configuration and/or SQL schema changes. Please ensure that a corresponding deployment ticket has been filed with the new values.

[github-actions]

@beautifulentropy, this PR adds one or more new feature flags: CheckRenewalExemptionAtWFE. As such, this PR must be accompanied by a review of the Let's Encrypt CP/CPS to ensure that our behavior both before and after this flag is flipped is compliant with that document.

Please conduct such a review, then add your findings to the PR description in a paragraph beginning with "CPS Compliance Review:".

[aarongable]

I must be missing something, because I don't understand why this requires a new isRenewal boolean instead of re-using the limitsExempt boolean.

[beautifulentropy]

I must be missing something, because I don't understand why this requires a new isRenewal boolean instead of re-using the limitsExempt boolean.

limitsExempt is used for ARI renewals, which are exempt from all rate limits:

boulder/ra/ra.go

Lines 2526 to 2535 in 7a6632d

	// Renewal orders, indicated by ARI, are exempt from NewOrder rate limits.
	if !req.LimitsExempt {
	// Check if there is rate limit space for issuing a certificate.
	err = ra.checkNewOrderLimits(ctx, newOrder.Names, newOrder.RegistrationID, req.IsRenewal)
	if err != nil {
	return nil, err
	}
	}

isRenewal is used for detected renewals, which are exempt from just two rate limits:

boulder/ra/ra.go

Lines 1589 to 1618 in 7a6632d

	func (ra *RegistrationAuthorityImpl) checkNewOrderLimits(ctx context.Context, names []string, regID int64, isRenewal bool) error {
	newOrdersPerAccountLimits := ra.rlPolicies.NewOrdersPerAccount()
	// TODO(#7511): Remove the feature flag check.
	skipCheck := features.Get().CheckRenewalExemptionAtWFE && isRenewal
	if newOrdersPerAccountLimits.Enabled() && !skipCheck {
	started := ra.clk.Now()
	err := ra.checkNewOrdersPerAccountLimit(ctx, regID, names, newOrdersPerAccountLimits)
	elapsed := ra.clk.Since(started)
	if err != nil {
	if errors.Is(err, berrors.RateLimit) {
	ra.rlCheckLatency.WithLabelValues(ratelimit.NewOrdersPerAccount, ratelimits.Denied).Observe(elapsed.Seconds())
	}
	return err
	}
	ra.rlCheckLatency.WithLabelValues(ratelimit.NewOrdersPerAccount, ratelimits.Allowed).Observe(elapsed.Seconds())
	}
	certNameLimits := ra.rlPolicies.CertificatesPerName()
	if certNameLimits.Enabled() && !skipCheck {
	started := ra.clk.Now()
	err := ra.checkCertificatesPerNameLimit(ctx, names, certNameLimits, regID)
	elapsed := ra.clk.Since(started)
	if err != nil {
	if errors.Is(err, berrors.RateLimit) {
	ra.rlCheckLatency.WithLabelValues(ratelimit.CertificatesPerName, ratelimits.Denied).Observe(elapsed.Seconds())
	}
	return err
	}
	ra.rlCheckLatency.WithLabelValues(ratelimit.CertificatesPerName, ratelimits.Allowed).Observe(elapsed.Seconds())
	}

[aarongable]

Thanks, this makes a lot more sense to my head with the updated field names. LGTM.

[pgporada]

Suggested change

	"limitsExempt": fmt.Sprintf("%t", isARIRenewal),
	"isARIRenewal": fmt.Sprintf("%t", isARIRenewal),