caddytls: Debug log for ask endpoint

This commit is contained in:
Matthew Holt 2023-01-30 09:30:53 -07:00
parent d73660f7c3
commit 0a3efd1641
No known key found for this signature in database
GPG Key ID: 2A349DD577D586A5
2 changed files with 9 additions and 4 deletions

View File

@ -495,7 +495,7 @@ func (iss *ACMEIssuer) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
// to see if a certificate can be obtained for name. // to see if a certificate can be obtained for name.
// The certificate request should be denied if this // The certificate request should be denied if this
// returns an error. // returns an error.
func onDemandAskRequest(ask string, name string) error { func onDemandAskRequest(logger *zap.Logger, ask string, name string) error {
askURL, err := url.Parse(ask) askURL, err := url.Parse(ask)
if err != nil { if err != nil {
return fmt.Errorf("parsing ask URL: %v", err) return fmt.Errorf("parsing ask URL: %v", err)
@ -504,13 +504,19 @@ func onDemandAskRequest(ask string, name string) error {
qs.Set("domain", name) qs.Set("domain", name)
askURL.RawQuery = qs.Encode() askURL.RawQuery = qs.Encode()
resp, err := onDemandAskClient.Get(askURL.String()) askURLString := askURL.String()
resp, err := onDemandAskClient.Get(askURLString)
if err != nil { if err != nil {
return fmt.Errorf("error checking %v to determine if certificate for hostname '%s' should be allowed: %v", return fmt.Errorf("error checking %v to determine if certificate for hostname '%s' should be allowed: %v",
ask, name, err) ask, name, err)
} }
resp.Body.Close() resp.Body.Close()
logger.Debug("response from ask endpoint",
zap.String("domain", name),
zap.String("url", askURLString),
zap.Int("status", resp.StatusCode))
if resp.StatusCode < 200 || resp.StatusCode > 299 { if resp.StatusCode < 200 || resp.StatusCode > 299 {
return fmt.Errorf("%s: %w %s - non-2xx status code %d", name, errAskDenied, ask, resp.StatusCode) return fmt.Errorf("%s: %w %s - non-2xx status code %d", name, errAskDenied, ask, resp.StatusCode)
} }

View File

@ -174,8 +174,7 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error {
if tlsApp.Automation != nil && if tlsApp.Automation != nil &&
tlsApp.Automation.OnDemand != nil && tlsApp.Automation.OnDemand != nil &&
tlsApp.Automation.OnDemand.Ask != "" { tlsApp.Automation.OnDemand.Ask != "" {
err := onDemandAskRequest(tlsApp.Automation.OnDemand.Ask, name) if err := onDemandAskRequest(tlsApp.logger, tlsApp.Automation.OnDemand.Ask, name); err != nil {
if err != nil {
// distinguish true errors from denials, because it's important to log actual errors // distinguish true errors from denials, because it's important to log actual errors
if !errors.Is(err, errAskDenied) { if !errors.Is(err, errAskDenied) {
tlsApp.logger.Error("request to 'ask' endpoint failed", tlsApp.logger.Error("request to 'ask' endpoint failed",