-rw-r--r-- | modules/caddytls/acmeissuer.go | 10 | ||||
-rw-r--r-- | modules/caddytls/automation.go | 3 |
2 files changed, 9 insertions, 4 deletions
diff --git a/modules/caddytls/acmeissuer.go b/modules/caddytls/acmeissuer.go
index 12e300e..ca79981 100644
--- a/modules/caddytls/acmeissuer.go
+++ b/modules/caddytls/acmeissuer.go
@@ -495,7 +495,7 @@ func (iss *ACMEIssuer) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
 // to see if a certificate can be obtained for name.
 // The certificate request should be denied if this
 // returns an error.
-func onDemandAskRequest(ask string, name string) error {
+func onDemandAskRequest(logger *zap.Logger, ask string, name string) error {
 askURL, err := url.Parse(ask)
 if err != nil {
 return fmt.Errorf("parsing ask URL: %v", err)
@@ -504,13 +504,19 @@ func onDemandAskRequest(ask string, name string) error {
 qs.Set("domain", name)
 askURL.RawQuery = qs.Encode()
- resp, err := onDemandAskClient.Get(askURL.String())
+ askURLString := askURL.String()
+ resp, err := onDemandAskClient.Get(askURLString)
 if err != nil {
 return fmt.Errorf("error checking %v to determine if certificate for hostname '%s' should be allowed: %v", ask, name, err)
 }
 resp.Body.Close()
+ logger.Debug("response from ask endpoint",
+ zap.String("domain", name),
+ zap.String("url", askURLString),
+ zap.Int("status", resp.StatusCode))
+
 if resp.StatusCode < 200 || resp.StatusCode > 299 {
 return fmt.Errorf("%s: %w %s - non-2xx status code %d", name, errAskDenied, ask, resp.StatusCode)
 }
diff --git a/modules/caddytls/automation.go b/modules/caddytls/automation.go
index e80d355..7f216d5 100644
--- a/modules/caddytls/automation.go
+++ b/modules/caddytls/automation.go 
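Review bot: The new `logger.Debug` call in the second hunk logs `askURLString`, which is the full ask URL after `askURL.RawQuery = qs.Encode()` — scheme, host, path, any userinfo, and the complete query string (presumably including whatever parameters the configured `ask` URL already carried, since `qs` looks to be built from `askURL.Query()` above the hunk). On-demand `ask` endpoints are commonly protected by a secret token embedded in the URL, so enabling debug logging would write that secret to the log on every successful check; the domain is already its own field, so the URL field adds little. I would change it to `zap.String("url", askURL.Redacted()),` to mask a userinfo password, and since `Redacted()` does not touch the query, prefer logging only `askURL.Host` and `askURL.Path` if query-string tokens are a realistic configuration. The pre-existing error paths already interpolate `ask` verbatim, so this is not a new class of exposure, but the debug line makes it routine rather than error-only. `onDemandAskRequest` continues past the end of this hunk.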
@@ -174,8 +174,7 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error {
 if tlsApp.Automation != nil && tlsApp.Automation.OnDemand != nil && tlsApp.Automation.OnDemand.Ask != "" {
- err := onDemandAskRequest(tlsApp.Automation.OnDemand.Ask, name)
- if err != nil {
+ if err := onDemandAskRequest(tlsApp.logger, tlsApp.Automation.OnDemand.Ask, name); err != nil {
 // distinguish true errors from denials, because it's important to log actual errors
 if !errors.Is(err, errAskDenied) {
 tlsApp.logger.Error("request to 'ask' endpoint failed", |