cli
cli copied to clipboard
temporalio
[Feature Request] Show actual error message when mTLS certs are missing
Is your feature request related to a problem? Please describe.
Right now, if mTLS certs (--tls-cert-path and --tls-cert-path) are left out by mistake, the cli returns an empty error.
➜ workflow reset --address='<namespace>.tmprl.cloud:7233' --namespace='<namespace>' --workflow-id "fbfcc301-e801-48c0-8bba-4d8b4afcfe7d" --reason test --event-id 3 --run-id "ac56c805-87fa-486d-af43-eb9fb54518a6"
Error: reset failed:
('export TEMPORAL_CLI_SHOW_STACKS=1' to see stack traces)
Describe the solution you'd like
It would be more helpful if it tells you want went wrong, e.g. server requires mTLS so please provide --tls-cert-path and --tls-cert-path.
Additional context
Similar issue was previously reported in tctl in https://github.com/temporalio/tctl/issues/228 and https://github.com/temporalio/tctl/issues/353. At least one Temporal customer has submitted a support ticket with this issue.
On the CLI rewrite branch the connection failure is logged, but not returned as the output. We need to decide if logging in the CLI is appropriate
time=2024-03-02T15:37:55.037 level=ERROR msg="failed reaching server: last connection error: connection error: desc = \"error reading server preface: read tcp 192.168.0.20:56053->54.191.166.44:7233: read: connection reset by peer\""
Exit code: 1
TLS doesn't always provide details on why handshake failed. We delegate to the Go TLS library, and are subject to its error messages. We may be able to guess that TLS expectation exists but not was provided by checking error message though and hint the user.
To be clear my question was not with what is logged, but the fact that we log at all and if we want that in a CLI
I think we do want to log connection failure (which is the output, it just happens to be in log format and on stderr, so it can be seen regardless of stdout output format). Whether we want to more clearly clarify that it is due to TLS failure may be worth confirming though.