From 0a3efd1641f07ceaa2035cedec1ba43448b2d520 Mon Sep 17 00:00:00 2001
From: Matthew Holt <mholt@users.noreply.github.com>
Date: Mon, 30 Jan 2023 09:30:53 -0700
Subject: caddytls: Debug log for ask endpoint

---
 modules/caddytls/acmeissuer.go | 10 ++++++++--
 modules/caddytls/automation.go |  3 +--
 2 files changed, 9 insertions(+), 4 deletions(-)

(limited to 'modules/caddytls')

diff --git a/modules/caddytls/acmeissuer.go b/modules/caddytls/acmeissuer.go
index 12e300e..ca79981 100644
--- a/modules/caddytls/acmeissuer.go
+++ b/modules/caddytls/acmeissuer.go
@@ -495,7 +495,7 @@ func (iss *ACMEIssuer) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
 // to see if a certificate can be obtained for name.
 // The certificate request should be denied if this
 // returns an error.
-func onDemandAskRequest(ask string, name string) error {
+func onDemandAskRequest(logger *zap.Logger, ask string, name string) error {
 	askURL, err := url.Parse(ask)
 	if err != nil {
 		return fmt.Errorf("parsing ask URL: %v", err)
@@ -504,13 +504,19 @@ func onDemandAskRequest(ask string, name string) error {
 	qs.Set("domain", name)
 	askURL.RawQuery = qs.Encode()
 
-	resp, err := onDemandAskClient.Get(askURL.String())
+	askURLString := askURL.String()
+	resp, err := onDemandAskClient.Get(askURLString)
 	if err != nil {
 		return fmt.Errorf("error checking %v to determine if certificate for hostname '%s' should be allowed: %v",
 			ask, name, err)
 	}
 	resp.Body.Close()
 
+	logger.Debug("response from ask endpoint",
+		zap.String("domain", name),
+		zap.String("url", askURLString),
+		zap.Int("status", resp.StatusCode))
+
 	if resp.StatusCode < 200 || resp.StatusCode > 299 {
 		return fmt.Errorf("%s: %w %s - non-2xx status code %d", name, errAskDenied, ask, resp.StatusCode)
 	}
diff --git a/modules/caddytls/automation.go b/modules/caddytls/automation.go
index e80d355..7f216d5 100644
--- a/modules/caddytls/automation.go
+++ b/modules/caddytls/automation.go
@@ -174,8 +174,7 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error {
 				if tlsApp.Automation != nil &&
 					tlsApp.Automation.OnDemand != nil &&
 					tlsApp.Automation.OnDemand.Ask != "" {
-					err := onDemandAskRequest(tlsApp.Automation.OnDemand.Ask, name)
-					if err != nil {
+					if err := onDemandAskRequest(tlsApp.logger, tlsApp.Automation.OnDemand.Ask, name); err != nil {
 						// distinguish true errors from denials, because it's important to log actual errors
 						if !errors.Is(err, errAskDenied) {
 							tlsApp.logger.Error("request to 'ask' endpoint failed",
-- 
cgit v1.2.3