From 0a3efd1641f07ceaa2035cedec1ba43448b2d520 Mon Sep 17 00:00:00 2001
From: Matthew Holt
Date: Mon, 30 Jan 2023 09:30:53 -0700
Subject: [PATCH] caddytls: Debug log for ask endpoint

---
 modules/caddytls/acmeissuer.go | 10 ++++++++--
 modules/caddytls/automation.go | 3 +--
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/modules/caddytls/acmeissuer.go b/modules/caddytls/acmeissuer.go
index 12e300ed..ca799817 100644
--- a/modules/caddytls/acmeissuer.go
+++ b/modules/caddytls/acmeissuer.go
@@ -495,7 +495,7 @@ func (iss *ACMEIssuer) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
 // to see if a certificate can be obtained for name.
 // The certificate request should be denied if this
 // returns an error.
-func onDemandAskRequest(ask string, name string) error {
+func onDemandAskRequest(logger *zap.Logger, ask string, name string) error {
 askURL, err := url.Parse(ask)
 if err != nil {
 return fmt.Errorf("parsing ask URL: %v", err)
@@ -504,13 +504,19 @@ func onDemandAskRequest(ask string, name string) error {
 qs.Set("domain", name)
 askURL.RawQuery = qs.Encode()
 
- resp, err := onDemandAskClient.Get(askURL.String())
+ askURLString := askURL.String()
+ resp, err := onDemandAskClient.Get(askURLString)
 if err != nil {
 return fmt.Errorf("error checking %v to determine if certificate for hostname '%s' should be allowed: %v", ask, name, err)
 }
 resp.Body.Close()
 
+ logger.Debug("response from ask endpoint",
+ zap.String("domain", name),
+ zap.String("url", askURLString),
+ zap.Int("status", resp.StatusCode))
+
 if resp.StatusCode < 200 || resp.StatusCode > 299 {
 return fmt.Errorf("%s: %w %s - non-2xx status code %d", name, errAskDenied, ask, resp.StatusCode)
 }
 
diff --git a/modules/caddytls/automation.go b/modules/caddytls/automation.go
index e80d3558..7f216d5e 100644
--- a/modules/caddytls/automation.go
+++ b/modules/caddytls/automation.go
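Review bot: The new `logger *zap.Logger` parameter on `onDemandAskRequest` is not covered by the doc comment directly above the signature, which still only describes `ask` and `name`. The body (second hunk of this file) calls `logger.Debug` unconditionally, so the comment should state the expectation, e.g. `// logger receives one debug entry per response from the ask endpoint and must not be nil.` I have not verified whether zap tolerates a nil receiver here, so if it does the "must not be nil" clause can be dropped; the only caller visible on this page passes `tlsApp.logger`. The rest of the function body lies outside the hunk.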
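Review bot: The new debug entry logs `askURLString`, which is `askURL.String()`, and `url.URL.String()` renders any userinfo in the configured ask URL verbatim, password included; `(*url.URL).Redacted()` masks the password and is the safer value for a log field. The ask endpoint is operator-configured and may well carry basic-auth credentials, so the logged field should be `zap.String("url", askURL.Redacted()),` while `askURLString` stays as the argument to `onDemandAskClient.Get`. The existing error messages in this hunk already embed the raw `ask` string on failure paths; that predates this commit but is worth revisiting for the same reason.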
@@ -174,8 +174,7 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error {
 if tlsApp.Automation != nil && tlsApp.Automation.OnDemand != nil && tlsApp.Automation.OnDemand.Ask != "" {
- err := onDemandAskRequest(tlsApp.Automation.OnDemand.Ask, name)
- if err != nil {
+ if err := onDemandAskRequest(tlsApp.logger, tlsApp.Automation.OnDemand.Ask, name); err != nil {
 // distinguish true errors from denials, because it's important to log actual errors
 if !errors.Is(err, errAskDenied) {
 tlsApp.logger.Error("request to 'ask' endpoint failed",