if requesting a tls certificate through acme fails, put any validation error messages provided by the acme server in the error message
so users can understand what is going on. e.g. a CAA record that doesn't allow a CA to sign a certificate. previously, the error message would just be "no viable challenge type found", which doesn't help the user.
parent
14d09bb308
commit
7d28d80191
4 changed files with 19 additions and 4 deletions
2
go.mod
2
go.mod
|
@ -4,7 +4,7 @@ go 1.20
|
||||||
|
|
||||||
require (
|
require (
|
||||||
github.com/mjl-/adns v0.0.0-20231009145311-e3834995f16c
|
github.com/mjl-/adns v0.0.0-20231009145311-e3834995f16c
|
||||||
github.com/mjl-/autocert v0.0.0-20231009155929-d0d48f2f0290
|
github.com/mjl-/autocert v0.0.0-20231013072455-c361ae2e20a6
|
||||||
github.com/mjl-/bstore v0.0.2
|
github.com/mjl-/bstore v0.0.2
|
||||||
github.com/mjl-/sconf v0.0.5
|
github.com/mjl-/sconf v0.0.5
|
||||||
github.com/mjl-/sherpa v0.6.6
|
github.com/mjl-/sherpa v0.6.6
|
||||||
|
|
2
go.sum
2
go.sum
|
@ -149,6 +149,8 @@ github.com/mjl-/adns v0.0.0-20231009145311-e3834995f16c h1:ZOr9KnCxfAwJWSeZn8Qs6
|
||||||
github.com/mjl-/adns v0.0.0-20231009145311-e3834995f16c/go.mod h1:JWhGACVviyVUEra9Zv1M8JMkDVXArVt+AIXjTXtuwb4=
|
github.com/mjl-/adns v0.0.0-20231009145311-e3834995f16c/go.mod h1:JWhGACVviyVUEra9Zv1M8JMkDVXArVt+AIXjTXtuwb4=
|
||||||
github.com/mjl-/autocert v0.0.0-20231009155929-d0d48f2f0290 h1:0hCRSu8+XCZ2cSRW+ZtP/7L5wMYjOKFSQthoyj+4cN8=
|
github.com/mjl-/autocert v0.0.0-20231009155929-d0d48f2f0290 h1:0hCRSu8+XCZ2cSRW+ZtP/7L5wMYjOKFSQthoyj+4cN8=
|
||||||
github.com/mjl-/autocert v0.0.0-20231009155929-d0d48f2f0290/go.mod h1:taMFU86abMxKLPV4Bynhv8enbYmS67b8LG80qZv2Qus=
|
github.com/mjl-/autocert v0.0.0-20231009155929-d0d48f2f0290/go.mod h1:taMFU86abMxKLPV4Bynhv8enbYmS67b8LG80qZv2Qus=
|
||||||
|
github.com/mjl-/autocert v0.0.0-20231013072455-c361ae2e20a6 h1:TEXyTghAN9pmV2ffzdnhmzkML08e1Z/oGywJ9eunbRI=
|
||||||
|
github.com/mjl-/autocert v0.0.0-20231013072455-c361ae2e20a6/go.mod h1:taMFU86abMxKLPV4Bynhv8enbYmS67b8LG80qZv2Qus=
|
||||||
github.com/mjl-/bstore v0.0.2 h1:4fdpIOY/+Dv1dBHyzdqa4PD90p8Mz86FeyRpI4qcehw=
|
github.com/mjl-/bstore v0.0.2 h1:4fdpIOY/+Dv1dBHyzdqa4PD90p8Mz86FeyRpI4qcehw=
|
||||||
github.com/mjl-/bstore v0.0.2/go.mod h1:/cD25FNBaDfvL/plFRxI3Ba3E+wcB0XVOS8nJDqndg0=
|
github.com/mjl-/bstore v0.0.2/go.mod h1:/cD25FNBaDfvL/plFRxI3Ba3E+wcB0XVOS8nJDqndg0=
|
||||||
github.com/mjl-/sconf v0.0.5 h1:4CMUTENpSnaeP2g6RKtrs8udTxnJgjX2MCCovxGId6s=
|
github.com/mjl-/sconf v0.0.5 h1:4CMUTENpSnaeP2g6RKtrs8udTxnJgjX2MCCovxGId6s=
|
||||||
|
|
17
vendor/github.com/mjl-/autocert/autocert.go
generated
vendored
17
vendor/github.com/mjl-/autocert/autocert.go
generated
vendored
|
@ -724,7 +724,8 @@ func (m *Manager) verifyRFC(ctx context.Context, client *acme.Client, domain str
|
||||||
// all order authorizations: if we've tried a challenge type once and it didn't work,
|
// all order authorizations: if we've tried a challenge type once and it didn't work,
|
||||||
// it will most likely not work on another order's authorization either.
|
// it will most likely not work on another order's authorization either.
|
||||||
challengeTypes := m.supportedChallengeTypes()
|
challengeTypes := m.supportedChallengeTypes()
|
||||||
nextTyp := 0 // challengeTypes index
|
nextTyp := 0 // challengeTypes index
|
||||||
|
var authErrs []error // Validation errors, possibly hinting at a solution.
|
||||||
AuthorizeOrderLoop:
|
AuthorizeOrderLoop:
|
||||||
for {
|
for {
|
||||||
o, err := client.AuthorizeOrder(ctx, acme.DomainIDs(domain))
|
o, err := client.AuthorizeOrder(ctx, acme.DomainIDs(domain))
|
||||||
|
@ -765,18 +766,29 @@ AuthorizeOrderLoop:
|
||||||
nextTyp++
|
nextTyp++
|
||||||
}
|
}
|
||||||
if chal == nil {
|
if chal == nil {
|
||||||
return nil, fmt.Errorf("acme/autocert: unable to satisfy %q for domain %q: no viable challenge type found", z.URI, domain)
|
details := ""
|
||||||
|
if len(authErrs) > 0 {
|
||||||
|
details = " (failures: " + authErrs[0].Error()
|
||||||
|
for _, err := range authErrs[1:] {
|
||||||
|
details += "; " + err.Error()
|
||||||
|
}
|
||||||
|
details += ")"
|
||||||
|
}
|
||||||
|
return nil, fmt.Errorf("acme/autocert: unable to satisfy %q for domain %q: no viable challenge type found%s", z.URI, domain, details)
|
||||||
}
|
}
|
||||||
// Respond to the challenge and wait for validation result.
|
// Respond to the challenge and wait for validation result.
|
||||||
cleanup, err := m.fulfill(ctx, client, chal, domain)
|
cleanup, err := m.fulfill(ctx, client, chal, domain)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
authErrs = append(authErrs, fmt.Errorf("challenge %s: preparing response for validation: %v", chal.Type, err))
|
||||||
continue AuthorizeOrderLoop
|
continue AuthorizeOrderLoop
|
||||||
}
|
}
|
||||||
defer cleanup()
|
defer cleanup()
|
||||||
if _, err := client.Accept(ctx, chal); err != nil {
|
if _, err := client.Accept(ctx, chal); err != nil {
|
||||||
|
authErrs = append(authErrs, fmt.Errorf("challenge %s: requesting validation: %v", chal.Type, err))
|
||||||
continue AuthorizeOrderLoop
|
continue AuthorizeOrderLoop
|
||||||
}
|
}
|
||||||
if _, err := client.WaitAuthorization(ctx, z.URI); err != nil {
|
if _, err := client.WaitAuthorization(ctx, z.URI); err != nil {
|
||||||
|
authErrs = append(authErrs, fmt.Errorf("challenge %s: %v", chal.Type, err))
|
||||||
continue AuthorizeOrderLoop
|
continue AuthorizeOrderLoop
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -785,6 +797,7 @@ AuthorizeOrderLoop:
|
||||||
// Wait for the CA to update the order status.
|
// Wait for the CA to update the order status.
|
||||||
o, err = client.WaitOrder(ctx, o.URI)
|
o, err = client.WaitOrder(ctx, o.URI)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
authErrs = append(authErrs, fmt.Errorf("waiting for order: %v", err))
|
||||||
continue AuthorizeOrderLoop
|
continue AuthorizeOrderLoop
|
||||||
}
|
}
|
||||||
return o, nil
|
return o, nil
|
||||||
|
|
2
vendor/modules.txt
vendored
2
vendor/modules.txt
vendored
|
@ -17,7 +17,7 @@ github.com/mjl-/adns
|
||||||
github.com/mjl-/adns/internal/bytealg
|
github.com/mjl-/adns/internal/bytealg
|
||||||
github.com/mjl-/adns/internal/itoa
|
github.com/mjl-/adns/internal/itoa
|
||||||
github.com/mjl-/adns/internal/singleflight
|
github.com/mjl-/adns/internal/singleflight
|
||||||
# github.com/mjl-/autocert v0.0.0-20231009155929-d0d48f2f0290
|
# github.com/mjl-/autocert v0.0.0-20231013072455-c361ae2e20a6
|
||||||
## explicit; go 1.20
|
## explicit; go 1.20
|
||||||
github.com/mjl-/autocert
|
github.com/mjl-/autocert
|
||||||
# github.com/mjl-/bstore v0.0.2
|
# github.com/mjl-/bstore v0.0.2
|
||||||
|
|