Add AIA certificate prober to boulder-observer

[Copilot]

Summary

All implementation tasks have been completed successfully. The AIA certificate prober:

• Makes HTTP requests with proper timeout handling
• Validates DER-formatted certificates
• Checks Content-Type headers (application/pkix-cert)
• Verifies certificates are CA certificates (IsCA=true)
• Validates certificate CommonName matches expected value via required ExpectCommonName config field
• Logs detailed error messages for all failure cases to aid debugging
• Exports Prometheus metrics for certificate validity periods (notBefore/notAfter)
• Includes comprehensive tests covering all validation scenarios
• Follows existing prober patterns (similar to CRL prober)
• Passes all tests and security checks
• Properly registered in Kind validation tag

Configuration

The AIA prober requires the following configuration options:

• url (required): URL to fetch the AIA certificate from
• expectCommonName (required): Expected CommonName (CN) of the certificate for validation

Example:

monitors:
  - 
    period: 1h
    kind: AIA
    settings:
      url: http://r3.i.lencr.org/
      expectCommonName: "R3"

Debug Logging

The prober includes detailed log messages for all failure scenarios:

• HTTP request creation failure
• Certificate fetch failure
• Incorrect Content-Type header
• Response body read failure
• Certificate parsing failure
• Non-CA certificate detection
• CommonName mismatch

These log messages help with debugging and include the URL and relevant details for each failure case.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>boulder-observer: Add a check for AIA certs</issue_title>
<issue_description>Boulder-observer contains several domain-specific probers, like CRLs. We should add a new prober for AIA certificates. This will make a plaintext http connect to a configured URL, like the CRL one does.

We should also support checking AIA certificates, check that they're properly formatted DER certificates, and are served with the right content-type. They should export at least a metric with the observed certificate's notbefore and notafter times, in keeping with other probers.</issue_description>

<agent_instructions>Focus on high-quality code that fits with the rest of the codebase. Do not be overly verbose.</agent_instructions>

Comments on the Issue (you are @copilot in this section)

• Fixes boulder-observer: Add a check for AIA certs #8593

[mcpherrinm]

@copilot test failure " main_test.go:68: Failed to validate config file "observer.yml": Key: 'ObsConf.MonConfs[11].Kind' Error:Field validation for 'Kind' failed on the 'oneof' tag"

[Copilot]

@copilot test failure " main_test.go:68: Failed to validate config file "observer.yml": Key: 'ObsConf.MonConfs[11].Kind' Error:Field validation for 'Kind' failed on the 'oneof' tag"

Fixed in e9291c5. Added "AIA" to the Kind validation tag in observer/mon_conf.go so it's now recognized as a valid prober kind.

[mcpherrinm]

@copilot Add a config field, ExpectCommonName, which the prober checks if the received certificate matches, to ensure the correct certificate was served. Check the recieved certificate is also a CA Cert

[Copilot]

@copilot Add a config field, ExpectCommonName, which the prober checks if the received certificate matches, to ensure the correct certificate was served. Check the recieved certificate is also a CA Ce...

Implemented in 1cad83f. Added:

• ExpectCommonName config field (optional) to verify the certificate's CN matches the expected value
• CA certificate validation - the prober now checks that cert.IsCA is true
• Tests for both new validations including matching/non-matching CN and non-CA certificates

[mcpherrinm]

@copilot Don't make ExpectCommonName optional. It must be provided and checked.

Add log messages to the different failure cases in probing for debugging why something is gone wrong

[Copilot]

@copilot Don't make ExpectCommonName optional. It must be provided and checked.

Add log messages to the different failure cases in probing for debugging why something is gone wrong

Implemented in 7202d58:

• ExpectCommonName is now required - validation fails if not provided
• Added debug log messages for all failure cases:
  • HTTP request creation failure
  • Certificate fetch failure
  • Incorrect Content-Type header
  • Response body read failure
  • Certificate parsing failure
  • Non-CA certificate detection
  • CommonName mismatch

[aarongable]

None of the other individual probers have log lines like this (though the higher-level obvserver and monitor do). A line printed through the stdlib log package won't respect our configured log level or log formatting.

[aarongable]

Noticed that we're not actually using the timeout in all our other probers. Filed a bug for that: #8598

[aarongable]

Here and same below:

Suggested change

	colls := conf.Instrument()
	prober, err := conf.MakeProber(colls)
	prober, err := conf.MakeProber(conf.Instrument())

[aarongable]

This checks that we have metrics, but doesn't check that they have sensical values. We have test.AssertMetricWithLabelEquals as a helper for this, if you want to use that.

[aarongable]

Also please update the PR description to be something a human would like to read in the git log.