Conversation

hslatman
Member

@hslatman hslatman commented Mar 27, 2025

This PR adds the internal error message to the ACME response log. This provides more information in the event of an ACME challenge failing to be completed, such as network connectivity issues.

Technically this isn't the correct thing to do, as the internal error message isn't part of the response that's sent to the ACME client by the CA. Furthermore, the error message will be logged on INFO level, whereas it might be more fitting to log it on ERROR. Despite that, doing it like this keeps the internal error close to the corresponding ACME request, so it seemed like a pragmatic solution to me.

The logging logic has only been changed for the Challenge type, but can be easily extended to other ACME types if this approach makes sense.

A log line will now look something like this (note the response object):

INFO[0039] duration=30.003247083s duration-ns=30003247083 fields.time="2025-03-27T11:05:44+01:00" 
method=POST name=ca nonce=UW80Q2hWRDJTdkZOa0dLU3BzYVlIUkFtQ1R2QnZqWlM path=/acme/acme/challenge/cdz67FVppDAFoLEQihPhQGwhlIeQ6obU/iTlKgajNu9ObGHHEHZ0bujAKlgYUcOG7 
protocol=HTTP/2.0 referer= remote-address=127.0.0.1 request-id=7a227ad4-1495-45c3-af73-f80c7deb75db 
response="{\"type\":\"http-01\",\"status\":\"pending\",\"token\":\"XQgTblLaYhkNZjMSltYUx35co0eAsFFI\",\"url\":\"https://127.0.0.1:8443/acme/acme/challenge/cdz67FVppDAFoLEQihPhQGwhlIeQ6obU/iTlKgajNu9ObGHHEHZ0bujAKlgYUcOG7\",\"error\":{\"detail\":\"The server could not connect to validation target\",\"internal\":\"error doing http GET for url http://10.0.0.1/.well-known/acme-challenge/XQgTblLaYhkNZjMSltYUx35co0eAsFFI: Get \\\"http://10.0.0.1/.well-known/acme-challenge/XQgTblLaYhkNZjMSltYUx35co0eAsFFI\\\": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\",\"type\":\"urn:ietf:params:acme:error:connection\"}}" 
size=316 status=200 user-agent="Smallstep CLI/0000000-dev (darwin/arm64)" user-id=

A slightly different solution could be to handle the internal error message separately from the response near https://github.com/smallstep/certificates/blob/master/api/log/log.go#L51-L99.
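
One way to render the same challenge object twice, once for the wire and once for the CA's request log, so that the wrapped Go error appears under "internal" only in the log. This is an added example, not smallstep's own code: the `ChallengeError`, `Challenge`, `ClientJSON`, `LogJSON` and `LeaksInternal` names, the struct shapes and the sample challenge are all assumptions loosely modelled on the log line quoted above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// ChallengeError is a simplified ACME problem document (assumed shape, not the
// project's). Internal holds the wrapped Go error; the json:"-" tag keeps it out
// of anything marshalled for the ACME client.
type ChallengeError struct {
	Type     string `json:"type"`
	Detail   string `json:"detail"`
	Internal error  `json:"-"`
}

// Challenge is the part of the ACME challenge object visible in the PR's log line.
type Challenge struct {
	Type   string          `json:"type"`
	Status string          `json:"status"`
	Token  string          `json:"token"`
	URL    string          `json:"url"`
	Error  *ChallengeError `json:"error,omitempty"`
}

// ClientJSON is the response body the CA sends back to the ACME client.
func ClientJSON(ch *Challenge) (string, error) {
	b, err := json.Marshal(ch)
	return string(b), err
}

// loggedError is the log-only view of the error: the wire fields plus "internal".
type loggedError struct {
	Type     string `json:"type"`
	Detail   string `json:"detail"`
	Internal string `json:"internal,omitempty"`
}

// loggedChallenge embeds Challenge and redeclares Error at depth 0, so
// encoding/json uses this Error (not the embedded one) for the "error" key.
type loggedChallenge struct {
	Challenge
	Error *loggedError `json:"error,omitempty"`
}

// LogJSON renders the same challenge for the CA's own request log, adding the
// wrapped error text as "internal" so an operator can see why validation failed.
func LogJSON(ch *Challenge) (string, error) {
	lc := loggedChallenge{Challenge: *ch}
	if ch.Error != nil {
		lc.Error = &loggedError{Type: ch.Error.Type, Detail: ch.Error.Detail}
		if ch.Error.Internal != nil {
			lc.Error.Internal = ch.Error.Internal.Error()
		}
	}
	b, err := json.Marshal(lc)
	return string(b), err
}

// LeaksInternal is the check worth keeping in a unit test: the body sent to the
// client must never contain the internal error text. The comparison uses the
// JSON-escaped form so quotes inside the error message still match.
func LeaksInternal(body string, ch *Challenge) bool {
	if ch.Error == nil || ch.Error.Internal == nil {
		return false
	}
	esc, err := json.Marshal(ch.Error.Internal.Error())
	if err != nil || len(esc) < 2 {
		return false
	}
	return strings.Contains(body, string(esc[1:len(esc)-1]))
}

// SampleChallenge is constructed to resemble the log line in the PR description.
func SampleChallenge() *Challenge {
	target := "http://10.0.0.1/.well-known/acme-challenge/XQgTblLaYhkNZjMSltYUx35co0eAsFFI"
	return &Challenge{
		Type:   "http-01",
		Status: "pending",
		Token:  "XQgTblLaYhkNZjMSltYUx35co0eAsFFI",
		URL:    "https://127.0.0.1:8443/acme/acme/challenge/cdz67FVppDAFoLEQihPhQGwhlIeQ6obU/iTlKgajNu9ObGHHEHZ0bujAKlgYUcOG7",
		Error: &ChallengeError{
			Type:     "urn:ietf:params:acme:error:connection",
			Detail:   "The server could not connect to validation target",
			Internal: fmt.Errorf("error doing http GET for url %s: Get %q: context deadline exceeded (Client.Timeout exceeded while awaiting headers)", target, target),
		},
	}
}

func main() {
	ch := SampleChallenge()
	wire, _ := ClientJSON(ch)
	logged, _ := LogJSON(ch)
	fmt.Println("response to client:", wire)
	fmt.Println("response in log:   ", logged)
	fmt.Println("client body leaks internal error:", LeaksInternal(wire, ch))
}
```

The `json:"-"` tag on `Internal` is what keeps the wrapped error off the wire; the log view has to rebuild the error object explicitly to get it back. Keeping the two renderings as separate functions makes the property easy to assert in a test, which matters because the internal message can carry details (timeouts, resolver errors, proxy or target addresses) that belong in the CA's log and not in the problem document returned to the client.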

@hslatman hslatman changed the title Add internal property to ACME error response logs Add internal property to ACME challenge error response logs Mar 27, 2025
@github-actions github-actions bot added the needs triage Waiting for discussion / prioritization by team label Mar 27, 2025