fix(ssl): include ACME error message in operator-facing warnings#486
Open
mrrobot47 wants to merge 1 commit into
Problem

SSL issuance/renewal failures logged the real exception only via `EE::debug()` and showed operators a generic `EE::warning()`. Renewal runs unattended (cron) without `--debug`, so the actual ACME error (rate-limit reason, `badNonce`, `accountDoesNotExist`, a finalize/storage failure, etc.) — the single most useful diagnostic — was lost.

Separately, both `executeRenewal()` catch blocks emitted a hard-coded "Challenge Authorization failed. Check logs and check if your domain is pointed correctly to this server." These catches fire for any exception/throwable (finalize failure, cert-store write error, etc.), so that line frequently misdirected operators toward a DNS/challenge problem that wasn't the cause.

Fix

- Append `$e->getMessage()` to the operator-facing `EE::warning` in `check()` and both `executeRenewal()` catches (full detail still logged at `debug`).
- Drop the hard-coded "Challenge Authorization failed…" line from both `executeRenewal()` catches; the now-specific message and the existing "re-run ssl-verify" hint remain.

Notes

The exception text surfaces at warning level. ACME error strings contain no account-key material or JWS tokens (the ACME server never echoes those); the only incremental disclosure is absolute server paths on filesystem errors, acceptable for operator-run CLI tooling (the pre-existing `EE::debug(print_r($e))` already dumped far more).

Testing

Manual: trigger a renewal failure (unreachable domain / rate-limit) without `--debug` and confirm the warning now carries the ACME reason.
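The before/after catch-block pattern described in the Fix section, as an added stand-alone illustration that is not EasyEngine's code and not part of this PR. `EE::debug()` and `EE::warning()` are replaced by hypothetical closures that collect messages, the exception classes and error strings are constructed, and the "re-run ssl-verify" hint wording is assumed; the point is that a cert-store write error reaches the operator with its real reason instead of the generic DNS/challenge text.

```php
<?php
// Added illustration of the logging pattern in the PR description (not project code).
declare(strict_types=1);

// Constructed exception types for three distinct renewal stages. Real ACME clients
// throw their own classes; these names and messages are assumptions.
class AcmeChallengeException extends RuntimeException {}
class AcmeFinalizeException  extends RuntimeException {}
class CertStoreException     extends RuntimeException {}

// Stub for the renewal work: throws whichever failure the caller selects.
function runRenewal(string $failure): void
{
    switch ($failure) {
        case 'challenge':
            throw new AcmeChallengeException('authorization for example.com is invalid (constructed)');
        case 'finalize':
            throw new AcmeFinalizeException('finalize rejected: rateLimited (constructed)');
        case 'store':
            throw new CertStoreException('cannot write /var/lib/example/certs/example.com.crt (constructed)');
        default:
            return; // success: nothing to report
    }
}

// Hypothetical stand-ins for EE::debug()/EE::warning(). $debugLog is only visible
// with --debug; $warningLog is what an unattended cron run shows the operator.
$debugLog   = [];
$warningLog = [];
$debug   = function (string $msg) use (&$debugLog): void { $debugLog[] = $msg; };
$warning = function (string $msg) use (&$warningLog): void { $warningLog[] = $msg; };
$hint    = 'Re-run ssl-verify once the cause is fixed. (assumed hint wording)';

// BEFORE (behaviour the PR describes): the real reason goes to debug only, and the
// operator sees the same hard-coded challenge text whatever actually failed.
function renewBefore(string $failure, callable $debug, callable $warning, string $hint): void
{
    try {
        runRenewal($failure);
    } catch (Throwable $e) {
        $debug(print_r($e, true));
        $warning('Challenge Authorization failed. Check logs and check if your domain is pointed correctly to this server.');
        $warning($hint);
    }
}

// AFTER: same debug detail, but the warning carries $e->getMessage() and the
// misleading hard-coded line is gone; the hint stays.
function renewAfter(string $failure, callable $debug, callable $warning, string $hint): void
{
    try {
        runRenewal($failure);
    } catch (Throwable $e) {
        $debug(print_r($e, true));
        $warning('SSL renewal failed: ' . $e->getMessage());
        $warning($hint);
    }
}

// Show what an operator without --debug would see for each failure stage.
foreach (['challenge', 'finalize', 'store'] as $failure) {
    foreach (['before' => 'renewBefore', 'after' => 'renewAfter'] as $label => $fn) {
        $warningLog = [];
        $fn($failure, $debug, $warning, $hint);
        echo str_pad("[$failure/$label]", 20) . $warningLog[0] . PHP_EOL;
    }
}
// Debug output is kept only to show it still exists; it is not printed here.
echo 'debug entries recorded: ' . count($debugLog) . PHP_EOL;
```

Running it under `php` prints the warning line for each stage twice, once per variant: the "before" line reads identically for all three failures, while the "after" line names the finalize rate-limit or the certificate path for the store error, which is the distinction the Notes section weighs against the path disclosure.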