
Make -d flag available to scripts

Open davidc opened this issue 3 years ago • 2 comments

Is your feature request related to a problem? Please describe. Scripts (dns update and reload) running under getssl should be able to determine whether getssl is running in debug mode (-d) in order to produce more verbose output.

Describe the solution you'd like Export _USE_DEBUG (or a new variable without the underscore prefix such as GETSSL_DEBUG).

Describe alternatives you've considered It should not be necessary to amend getssl.cfg to add debug parameters to the scripts each time you want to run in debug mode.

Additional context I am happy to send a pull request if you let me know whether you would prefer to export _USE_DEBUG or a new variable GETSSL_DEBUG.

davidc avatar Jun 13 '21 09:06 davidc

Hi @davidc

Thanks for this suggestion, I'll have a look at some bash style guides and see whether exporting _USE_DEBUG or adding GETSSL_DEBUG is best practice

timkimber avatar Jul 01 '21 14:07 timkimber

I don't object to exporting GETSSL_DEBUG, but I have some reservations about how it would be used. getssl's -d is not very granular.

I found that when debugging the DNS scripts and my server reload actions, it was an advantage to have more granular controls.

For example, dns_godaddy (the action script under dns_add_godaddy and dns_del_godaddy) has its own options for general and protocol trace debugging, and also defaults to a GODADDY_DEBUG environment variable. Thus no edits are required to debug any repeatable simple issues, while a full protocol trace can be obtained if necessary. But debugging the DNS updates is orthogonal to debugging the getssl ACME logic. In fact, virtually all of the time, it's better to debug the DNS updates separately from getssl.

Keeping the debug level separate avoids the voluminous output from getssl relating to probing the environment and the ACME protocol message preparation/decoding/exchanges. This allowed me to focus on the intricacies of the GoDaddy updates - which generate plenty of output on their own. I found that when all debug output was enabled, it took a lot of time to sort out the lines that matter from thousands of lines of debug output.

In configurations where all of the domains don't use the same token delivery script, a global (all or nothing) debug switch would create even more output - most of which isn't relevant to debugging any one issue.

Rather than turn getssl -d into a global flag, I would prefer to see other update/reload scripts follow the GoDaddy model of separate debug levels controlled by their own options/envvars. (I'm biased - I wrote the GoDaddy support...which admittedly is quite complex.)

tlhackque avatar Aug 10 '21 19:08 tlhackque
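The pattern the thread converges on, a hook script with its own granular debug level that only falls back to the proposed GETSSL_DEBUG export, as an added example that is not getssl's or any of its DNS scripts' own code. MYHOOK_DEBUG, the numeric levels (0 quiet, 1 general, 2 protocol trace) and the sample values are assumptions.

```shell
#!/bin/sh
# Added example (not getssl code): a hook script resolves its own debug level.
# Precedence: MYHOOK_DEBUG (hypothetical, script-specific) > GETSSL_DEBUG (the
# export proposed in the issue) > 0. A global getssl -d therefore enables only
# general debug here; a protocol trace must be requested for this script alone.

hook_debug_level() {
    # $1: script-specific value, $2: GETSSL_DEBUG value (either may be empty).
    # Prints the effective level: 0 = quiet, 1 = general, 2 = protocol trace.
    level="${1:-${2:-0}}"
    case "$level" in
        [0-9])        echo "$level" ;;
        true|yes|on)  echo 1 ;;   # treat boolean-style values as general debug
        *)            echo 0 ;;   # anything unparseable stays quiet
    esac
}

hook_log() {
    # $1: level the message needs, $2: effective level, $3: message.
    # Writes to stderr so it never mixes with data returned to getssl;
    # returns 0 when the message was emitted, 1 when suppressed.
    [ "$2" -ge "$1" ] && { printf '%s\n' "$3" >&2; return 0; }
    return 1
}

# Example use at the top of a hook: constructed values stand in for the
# environment getssl would provide (the domain argument is hypothetical).
LEVEL=$(hook_debug_level "${MYHOOK_DEBUG:-}" "${GETSSL_DEBUG:-}")
hook_log 1 "$LEVEL" "dns update starting for ${1:-example.invalid}" || true
hook_log 2 "$LEVEL" "protocol trace would follow here" || true
```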