Copilot AI commented Jan 23, 2026

Implementation Plan for AIA Certificate Prober

  • Create AIA prober structure and implementation (observer/probers/aia/aia.go)
    • Implement AIAProbe struct with URL and prometheus metrics
    • Implement Name() and Kind() methods
    • Implement Probe() method to fetch certificate via HTTP
    • Validate DER format using x509.ParseCertificate
    • Check Content-Type header (application/pkix-cert)
    • Export notBefore and notAfter metrics
    • Fix timeout handling using context.WithTimeout
    • Fix nil pointer check for response body
    • Fix formatting issues
  • Create AIA prober configuration (observer/probers/aia/aia_conf.go)
    • Implement AIAConf struct with URL field
    • Implement Kind(), UnmarshalSettings() methods
    • Implement MakeProber() to construct AIAProbe
    • Implement Instrument() to create prometheus collectors
    • Add init() to register prober with probers.Register()
  • Create tests for AIA prober
    • Test AIAConf.MakeProber() validation (observer/probers/aia/aia_conf_test.go)
    • Test AIAConf.UnmarshalSettings() parsing (observer/probers/aia/aia_conf_test.go)
    • Test AIAProbe.Probe() with valid certificate (observer/probers/aia/aia_test.go)
    • Test AIAProbe.Probe() with wrong content-type (observer/probers/aia/aia_test.go)
    • Test AIAProbe.Probe() with invalid certificate (observer/probers/aia/aia_test.go)
    • Test AIAProbe.Probe() with unreachable server (observer/probers/aia/aia_test.go)
    • Test metrics collection (observer/probers/aia/aia_test.go)
  • Register AIA prober in observer.go
  • Update observer configuration example
    • Add AIA monitor to test configuration
    • Add AIA prober documentation to README
    • Add AIA metrics documentation
    • Update table of contents
  • Address code review feedback
  • Run security checks
  • Fix validation tag to include AIA in allowed kinds

Summary

All implementation tasks have been completed successfully. The AIA certificate prober:

  • Makes HTTP requests with proper timeout handling
  • Validates DER-formatted certificates
  • Checks Content-Type headers
  • Exports Prometheus metrics for certificate validity periods
  • Includes comprehensive tests
  • Follows existing prober patterns
  • Passes all tests and security checks
  • Now properly registered in Kind validation tag

Original prompt

This section details on the original issue you should resolve

<issue_title>boulder-observer: Add a check for AIA certs</issue_title>
<issue_description>Boulder-observer contains several domain-specific probers, like CRLs. We should add a new prober for AIA certificates. This will make a plaintext http connect to a configured URL, like the CRL one does.

We should also support checking AIA certificates, check that they're properly formatted DER certificates, and are served with the right content-type. They should export at least a metric with the observed certificate's notbefore and notafter times, in keeping with other probers.</issue_description>

<agent_instructions>Focus on high-quality code that fits with the rest of the codebase. Do not be overly verbose.</agent_instructions>

Comments on the Issue (you are @copilot in this section)



Copilot AI and others added 5 commits January 23, 2026 23:06
Co-authored-by: mcpherrinm <47425+mcpherrinm@users.noreply.github.com>
Copilot AI changed the title [WIP] Add check for AIA certificates in boulder-observer Add AIA certificate prober to boulder-observer Jan 23, 2026
Copilot AI requested a review from mcpherrinm January 23, 2026 23:13
@mcpherrinm
Contributor

@copilot test failure " main_test.go:68: Failed to validate config file "observer.yml": Key: 'ObsConf.MonConfs[11].Kind' Error:Field validation for 'Kind' failed on the 'oneof' tag"

Fixes test failure where AIA kind was not recognized in the oneof validation tag.

Co-authored-by: mcpherrinm <47425+mcpherrinm@users.noreply.github.com>
Author

Copilot AI commented Jan 23, 2026

@copilot test failure " main_test.go:68: Failed to validate config file "observer.yml": Key: 'ObsConf.MonConfs[11].Kind' Error:Field validation for 'Kind' failed on the 'oneof' tag"

Fixed in e9291c5. Added "AIA" to the Kind validation tag in observer/mon_conf.go so it's now recognized as a valid prober kind.
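
The checks listed in the implementation plan above (bounded-time fetch, Content-Type of application/pkix-cert, strict DER parse, notBefore/notAfter taken from the parsed certificate), as an added Go example that is not the code from this pull request. The names `checkAIA` and `serve`, the 5-second timeout, the 1 MiB read cap, the exact-match Content-Type comparison and the constructed self-signed Ed25519 sample certificate are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// checkAIA (hypothetical name) fetches url and applies the plan's checks.
func checkAIA(url string) (*x509.Certificate, error) {
	resp, err := (&http.Client{Timeout: 5 * time.Second}).Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if ct := resp.Header.Get("Content-Type"); ct != "application/pkix-cert" {
		return nil, fmt.Errorf("unexpected Content-Type %q", ct)
	}
	der, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // bounded read
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // DER only: PEM or truncated input fails
}

// serve starts a local server for a constructed sample cert (fixture errors ignored).
func serve(ct string, truncate bool) *httptest.Server {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Unix(1700000000, 0), NotAfter: time.Unix(1800000000, 0)}
	body, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if truncate {
		body = body[:len(body)/2] // simulate a malformed response body
	}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("Content-Type", ct)
		w.Write(body)
	}))
}

func main() {
	fmt.Println(checkAIA(serve("text/plain", false).URL)) // wrong type: rejected
}
```

A prober built this way would feed `cert.NotBefore.Unix()` and `cert.NotAfter.Unix()` into its gauges on success and count any returned error as a failed probe.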
