features: Deprecate CertCheckerRequiresCorrespondence (#7542)

Also, update the comment in features.go to clarify when features can be
removed.

cmd/cert-checker/main.go

@@ -452,19 +452,17 @@ func (c *certChecker) checkCert(ctx context.Context, cert core.Certificate, igno
 			problems = append(problems, fmt.Sprintf("Key Policy isn't willing to issue for public key: %s", err))
 		}
 
-		if features.Get().CertCheckerRequiresCorrespondence {
-			precertDER, err := c.getPrecert(ctx, cert.Serial)
+		precertDER, err := c.getPrecert(ctx, cert.Serial)
+		if err != nil {
+			// Log and continue, since we want the problems slice to only contains
+			// problems with the cert itself.
+			c.logger.Errf("fetching linting precertificate for %s: %s", cert.Serial, err)
+			atomic.AddInt64(&c.issuedReport.DbErrs, 1)
+		} else {
+			err = precert.Correspond(precertDER, cert.DER)
 			if err != nil {
-				// Log and continue, since we want the problems slice to only contains
-				// problems with the cert itself.
-				c.logger.Errf("fetching linting precertificate for %s: %s", cert.Serial, err)
-				atomic.AddInt64(&c.issuedReport.DbErrs, 1)
-			} else {
-				err = precert.Correspond(precertDER, cert.DER)
-				if err != nil {
-					problems = append(problems,
-						fmt.Sprintf("Certificate does not correspond to precert for %s: %s", cert.Serial, err))
-				}
+				problems = append(problems,
+					fmt.Sprintf("Certificate does not correspond to precert for %s: %s", cert.Serial, err))
 			}
 		}
 

cmd/cert-checker/main_test.go

@@ -29,7 +29,6 @@ import (
 
 	"github.com/letsencrypt/boulder/core"
 	"github.com/letsencrypt/boulder/ctpolicy/loglist"
-	"github.com/letsencrypt/boulder/features"
 	"github.com/letsencrypt/boulder/goodkey"
 	"github.com/letsencrypt/boulder/goodkey/sagoodkey"
 	blog "github.com/letsencrypt/boulder/log"
@@ -660,7 +659,6 @@ func TestIgnoredLint(t *testing.T) {
 }
 
 func TestPrecertCorrespond(t *testing.T) {
-	features.Set(features.Config{CertCheckerRequiresCorrespondence: true})
 	checker := newChecker(nil, clock.New(), pa, kp, time.Hour, testValidityDurations, blog.NewMock())
 	checker.getPrecert = func(_ context.Context, _ string) ([]byte, error) {
 		return []byte("hello"), nil

features/features.go

@@ -15,13 +15,18 @@ import (
 // then call features.Set(parsedConfig) to load the parsed struct into this
 // package's global Config.
 type Config struct {
-	// Deprecated features. Safe for removal once all references to them have
-	// been removed from deployed configuration.
-	CAAAfterValidation         bool
-	AllowNoCommonName          bool
-	SHA256SubjectKeyIdentifier bool
-	EnforceMultiVA             bool
-	MultiVAFullResults         bool
+	// Deprecated features. These features have no effect. Removing them from
+	// configuration is safe.
+	//
+	// Once all references to them have been removed from deployed configuration,
+	// they can be deleted from this struct, after which Boulder will fail to
+	// start if they are present in configuration.
+	CAAAfterValidation                bool
+	AllowNoCommonName                 bool
+	SHA256SubjectKeyIdentifier        bool
+	EnforceMultiVA                    bool
+	MultiVAFullResults                bool
+	CertCheckerRequiresCorrespondence bool
 
 	// ECDSAForAll enables all accounts, regardless of their presence in the CA's
 	// ecdsaAllowedAccounts config value, to get issuance from ECDSA issuers.
@@ -46,12 +51,6 @@ type Config struct {
 	// authorizations.
 	CertCheckerRequiresValidations bool
 
-	// CertCheckerRequiresCorrespondence enables an extra query for each certificate
-	// checked, to find the linting precertificate in the `precertificates` table.
-	// It then checks that the final certificate "corresponds" to the precertificate
-	// using `precert.Correspond`.
-	CertCheckerRequiresCorrespondence bool
-
 	// AsyncFinalize enables the RA to return approximately immediately from
 	// requests to finalize orders. This allows us to take longer getting SCTs,
 	// issuing certs, and updating the database; it indirectly reduces the number