diff options
| -rw-r--r-- | modules/caddytls/acmeissuer.go | 52 | ||||
| -rw-r--r-- | modules/caddytls/automation.go | 9 | 
2 files changed, 37 insertions, 24 deletions
| diff --git a/modules/caddytls/acmeissuer.go b/modules/caddytls/acmeissuer.go index 9552d6f..2fe4004 100644 --- a/modules/caddytls/acmeissuer.go +++ b/modules/caddytls/acmeissuer.go @@ -17,6 +17,7 @@ package caddytls  import (  	"context"  	"crypto/x509" +	"errors"  	"fmt"  	"net/url"  	"os" @@ -250,28 +251,27 @@ func (iss *ACMEIssuer) GetACMEIssuer() *ACMEIssuer { return iss }  // UnmarshalCaddyfile deserializes Caddyfile tokens into iss.  // -//     ... acme [<directory_url>] { -//         dir <directory_url> -//         test_dir <test_directory_url> -//         email <email> -//         timeout <duration> -//         disable_http_challenge -//         disable_tlsalpn_challenge -//         alt_http_port    <port> -//         alt_tlsalpn_port <port> -//         eab <key_id> <mac_key> -//         trusted_roots <pem_files...> -//         dns <provider_name> [<options>] -//         propagation_delay <duration> -//         propagation_timeout <duration> -//         resolvers <dns_servers...> -//         dns_challenge_override_domain <domain> -//         preferred_chains [smallest] { -//             root_common_name <common_names...> -//             any_common_name  <common_names...> -//         } -//     } -// +//	... acme [<directory_url>] { +//	    dir <directory_url> +//	    test_dir <test_directory_url> +//	    email <email> +//	    timeout <duration> +//	    disable_http_challenge +//	    disable_tlsalpn_challenge +//	    alt_http_port    <port> +//	    alt_tlsalpn_port <port> +//	    eab <key_id> <mac_key> +//	    trusted_roots <pem_files...> +//	    dns <provider_name> [<options>] +//	    propagation_delay <duration> +//	    propagation_timeout <duration> +//	    resolvers <dns_servers...> +//	    dns_challenge_override_domain <domain> +//	    preferred_chains [smallest] { +//	        root_common_name <common_names...> +//	        any_common_name  <common_names...> +//	    } +//	}  func (iss *ACMEIssuer) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {  	for d.Next() {  		if d.NextArg() { @@ -494,8 +494,7 @@ func onDemandAskRequest(ask string, name string) error {  	resp.Body.Close()  	if resp.StatusCode < 200 || resp.StatusCode > 299 { -		return fmt.Errorf("certificate for hostname '%s' not allowed; non-2xx status code %d returned from %v", -			name, resp.StatusCode, ask) +		return fmt.Errorf("%s: %w %s - non-2xx status code %d", name, errAskDenied, ask, resp.StatusCode)  	}  	return nil @@ -568,6 +567,11 @@ type ChainPreference struct {  	AnyCommonName []string `json:"any_common_name,omitempty"`  } +// errAskDenied is an error that should be wrapped or returned when the +// configured "ask" endpoint does not allow a certificate to be issued, +// to distinguish that from other errors such as connection failure. +var errAskDenied = errors.New("certificate not allowed by ask endpoint") +  // Interface guards  var (  	_ certmagic.PreChecker  = (*ACMEIssuer)(nil) diff --git a/modules/caddytls/automation.go b/modules/caddytls/automation.go index ee168b4..0a732b8 100644 --- a/modules/caddytls/automation.go +++ b/modules/caddytls/automation.go @@ -16,6 +16,7 @@ package caddytls  import (  	"encoding/json" +	"errors"  	"fmt"  	"net/http"  	"time" @@ -23,6 +24,7 @@ import (  	"github.com/caddyserver/caddy/v2"  	"github.com/caddyserver/certmagic"  	"github.com/mholt/acmez" +	"go.uber.org/zap"  )  // AutomationConfig governs the automated management of TLS certificates. @@ -174,6 +176,13 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error {  					tlsApp.Automation.OnDemand.Ask != "" {  					err := onDemandAskRequest(tlsApp.Automation.OnDemand.Ask, name)  					if err != nil { +						// distinguish true errors from denials, because it's important to log actual errors +						if !errors.Is(err, errAskDenied) { +							tlsApp.logger.Error("request to 'ask' endpoint failed", +								zap.Error(err), +								zap.String("endpoint", tlsApp.Automation.OnDemand.Ask), +								zap.String("domain", name)) +						}  						return err  					}  				} | 
