x/crypto/acme/autocert: reason acme challenge fails to complete is not logged #19800
Comments
|
/cc @x1ddos |
|
Well, we already have the Error type but it isn't used in that case. Instead, ErrAuthorizationFailed is returned. It makes sense in the context of the acme client, but yeah, autocert then throws that information away. I suppose we could enrich the error returned by GetCertificate but I'm a bit worried about this bit:
Not sure about logging. The autocert package has never logged, it doesn't even import log pkg. Other ideas? |
|
Maybe we could use something like expvar or a similar way to expose stats and errors of autocert. |
Ah I agree, I mentioned it because IMO, the best approach would be either returning the ACME error type, or annotating the sentinel error with fmt.Errorf. |
|
@bradfitz what do you think? |
|
@x1ddos, we make no API promises in this package, and I also don't think it would affect many people, so I think it's okay to delete |
|
CL https://golang.org/cl/40450 mentions this issue. |
This provides acme users with more insights into authorization failures. Updates golang/go#19800. Change-Id: I821298a6c8bd21fc517b2ab9128dd3d32be90249 Reviewed-on: https://go-review.googlesource.com/40450 Run-TryBot: Alex Vaghin <ddos@google.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
|
Can anyone advise when CL 40450 (mentioned above) will make it onto Alternatively, is there some way I can use an experimental version of the package in my project? |
|
Ignore me, I have been stupid and just realised that the repo is already up to date, and the error messages are still just not complete (don't include the full body if you dump the raw message). I will update this issue/create a new issue for this, and perhaps a CL too. |
|
@munnerz what kind of errors do you get? It's supposed to be in Error.Detail field, at least for a well-behaved ACME CA. Also, check Error.ProblemType of the same struct. It's good for programmatic decisions about errors. |
|
Change https://golang.org/cl/115938 mentions this issue: |
Fixes golang/go#19800 Change-Id: If915a70f4dee78e71dcfc487726cdf83d45b4d50 Reviewed-on: https://go-review.googlesource.com/115938 Reviewed-by: Alex Vaghin <ddos@google.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Fixes golang/go#19800 Change-Id: If915a70f4dee78e71dcfc487726cdf83d45b4d50 Reviewed-on: https://go-review.googlesource.com/115938 Reviewed-by: Alex Vaghin <ddos@google.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Fixes golang/go#19800 Change-Id: If915a70f4dee78e71dcfc487726cdf83d45b4d50 Reviewed-on: https://go-review.googlesource.com/115938 Reviewed-by: Alex Vaghin <ddos@google.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Fixes golang/go#19800 Change-Id: If915a70f4dee78e71dcfc487726cdf83d45b4d50 Reviewed-on: https://go-review.googlesource.com/115938 Reviewed-by: Alex Vaghin <ddos@google.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Fixes golang/go#19800 Change-Id: If915a70f4dee78e71dcfc487726cdf83d45b4d50 Reviewed-on: https://go-review.googlesource.com/115938 Reviewed-by: Alex Vaghin <ddos@google.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
If a Let's Encrypt challenge fails with autocert, it's very difficult to debug the actual reason the challenge was invalid.
Logs show that authorization failed, but not the reason. Additionally, due to #17740 unless the server is restarted, the
identifier authorization failedlog line only shows up once.A simple solution, if the authorization failed would be to log an additional line with the let's encrypt authorization URL here:
https://github.com/golang/crypto/blob/3cb07270c9455e8ad27956a70891c962d121a228/acme/autocert/autocert.go#L509
Another option would be to create and log a custom error type, like
RemoteErrorin xenolf/xegoChanging the error type would be a breaking change though.
The text was updated successfully, but these errors were encountered: