certmagic

DefaultCertificateSelector should log a debug message if no matching certificates are found.

Open ryancdotorg opened this issue 1 year ago • 3 comments

What would you like to have changed?

DefaultCertificateSelector in handshake.go should log a debug message if no matching certificates are found.

There is currently just a comment for that case, reading:

// all matching certs are expired or incompatible, oh well

Why is this feature a useful, necessary, and/or important addition to this project?

It's

  1. Trivial to add.
  2. Having it would ease debugging - I spent two hours wondering why things weren't working because I didn't bother adding SANs to my test certificates, and a debug message would have helped me find the problem sooner.

What alternatives are there, or what are you doing in the meantime to work around the lack of this feature?

I don't think there are any meaningful alternatives or workarounds.

Please link to any relevant issues, pull requests, or other discussions.

I have documented my mistakes so that others needn't repeat them. https://github.com/caddyserver/caddy/issues/5450

ryancdotorg avatar Mar 21 '23 18:03 ryancdotorg

That would get logged on every TLS request to an unknown domain, so it might be pretty noisy. There's already a TLS handshake error at debug level, adding another there would mean two logs for every bad request (including from bots).

I think there's probably a better place to put it. We should probably more loudly write an error log on startup when a cert with no SAN is provided.

francislavoie avatar Mar 21 '23 18:03 francislavoie

> logged on every TLS request to an unknown domain

I was suggesting a message be logged at debug level only, which already has multiple messages for every TLS connection, so I don't think this would be an issue.

> We should probably more loudly write an error log on startup when a cert with no SAN is provided.

That would be helpful - if someone is trying to generate a self-signed certificate for testing, they'll likely find instructions for doing so with OpenSSL - without SANs.

ryancdotorg avatar Mar 21 '23 20:03 ryancdotorg

@ryancdotorg Sorry for the late reply, but I am looking into this. I think we're already logging when the cert has no subjects. When you load your SAN-less certificate, there should be a debug log emitted with message "added certificate to cache" -- and it should list the subjects next to it on the same line. On a relevant certificate, what does that log line say?

mholt avatar May 06 '23 02:05 mholt