WFE: Gate ARI limit exemption and replacement tracking on a feature f…

…lag (#7383)

Gate checking of replacement orders and exemption for ARI replacements
on the `TrackReplacementCertificatesARI` feature flag.

sa/sa.go

@@ -567,7 +567,7 @@ func (ssa *SQLStorageAuthority) NewOrderAndAuthzs(ctx context.Context, req *sapb
 			BeganProcessing: false,
 		}
 
-		if features.Get().TrackReplacementCertificatesARI && req.NewOrder.ReplacesSerial != "" {
+		if req.NewOrder.ReplacesSerial != "" {
 			// Update the replacementOrders table to indicate that this order
 			// replaces the provided certificate serial.
 			err := addReplacementOrder(ctx, tx, req.NewOrder.ReplacesSerial, order.ID, order.Expires)

test/config-next/wfe2.json

@@ -127,7 +127,8 @@
 			"Overrides": "test/config-next/wfe2-ratelimit-overrides.yml"
 		},
 		"features": {
-			"ServeRenewalInfo": true
+			"ServeRenewalInfo": true,
+			"TrackReplacementCertificatesARI": true
 		}
 	},
 	"syslog": {

wfe2/wfe.go

@@ -2316,10 +2316,14 @@ func (wfe *WebFrontEndImpl) NewOrder(
 
 	logEvent.DNSNames = names
 
-	replaces, limitsExempt, err := wfe.validateReplacementOrder(ctx, acct, names, newOrderRequest.Replaces)
-	if err != nil {
-		wfe.sendError(response, logEvent, web.ProblemDetailsForError(err, "While validating order as a replacement an error occurred"), err)
-		return
+	var replaces string
+	var limitsExempt bool
+	if features.Get().TrackReplacementCertificatesARI {
+		replaces, limitsExempt, err = wfe.validateReplacementOrder(ctx, acct, names, newOrderRequest.Replaces)
+		if err != nil {
+			wfe.sendError(response, logEvent, web.ProblemDetailsForError(err, "While validating order as a replacement an error occurred"), err)
+			return
+		}
 	}
 
 	// TODO(#5545): Spending and Refunding can be async until these rate limits