caddyserver / certmagic

Automatic HTTPS for any Go program: fully-managed TLS certificate issuance and renewal
https://pkg.go.dev/github.com/caddyserver/certmagic?tab=doc
Apache License 2.0
4.89k stars 278 forks

Ability to disable logs with `no information found to solve challenge for identifier` #268

Closed mbardelmeijer closed 4 months ago

mbardelmeijer commented 4 months ago

What would you like to have changed?

We use certmagic's OnDemand method to allow and disallow specific domains. If a domain is disallowed, we sometimes still see logs about this domain like:

```json
{"level":"error","ts":1707408179.1513515,"caller":"certmagic@v0.20.0/httphandler.go:76","msg":"looking up info for HTTP challenge","component":"acme_issuer","host":"XXXXXX","remote_addr":"XXXXXX","user_agent":"cert-manager/v1.5.3 (clean)","error":"no information found to solve challenge for identifier: XXXXXX","stacktrace":"github.com/caddyserver/certmagic.(*ACMEIssuer).distributedHTTPChallengeSolver\n\t/go/pkg/mod/github.com/caddyserver/certmagic@v0.20.0/httphandler.go:76\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).HandleHTTPChallenge\n\t/go/pkg/mod/github.com/caddyserver/certmagic@v0.20.0/httphandler.go:62\nmain.(*httpServer).serveRequest\n\t/github/workspace/http.go:226\nmain.newHttpServerRateLimiter.func1.1\n\t/github/workspace/http.go:157\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\nnet/http.(*ServeMux).ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2514\ngithub.com/bugsnag/bugsnag-go/v2.Handler.func1\n\t/go/pkg/mod/github.com/bugsnag/bugsnag-go/v2@v2.2.0/bugsnag.go:182\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\nnet/http.serverHandler.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2938\nnet/http.(*conn).serve\n\t/usr/local/go/src/net/http/server.go:2009"}
```

Why is this feature a useful, necessary, and/or important addition to this project?

This allows us to better filter out these error messages and keep our general logs clean.

What alternatives are there, or what are you doing in the meantime to work around the lack of this feature?

We can look into adding a filter on the Logger instance provided to the ACMEIssuer, but we are looking for information on whether there might be a better option.

mholt commented 4 months ago

It looks like cert-manager is trying to validate challenges. Perhaps from a previous time the certificate was allowed? In any case, it's specifically sending challenge connections.

Why not just ignore those logs? (And maybe configure cert-manager to stop as well)

mbardelmeijer commented 4 months ago

I would also expect that, although the logs are for domains that have been disallowed for quite some time. I'm just now seeing the cert-manager user agent; I think it might be domains that still have cert-manager configured from the client's end while pointing to our infrastructure. We'll implement a logger filter rule from our end 👍

Thanks for your continued work on certmagic!
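The "logger filter rule" the reporter settles on can be implemented without touching CertMagic at all, by filtering at the log sink. The following is an added example written for this page; it is not code from the issue or from the CertMagic project. It assumes the JSON entry shape shown in the issue (a `component` field of `acme_issuer` and an `error` field beginning with the quoted message), wraps the real output writer in a filter, and keeps a count of what was suppressed so a sudden flood of challenge requests for disallowed names (for instance a stale cert-manager still pointing at your infrastructure) is still visible as a number even though the individual lines are gone. The sample log lines are constructed for the demo.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"os"
	"strings"
)

// challengeInfoPrefix is the error text CertMagic's ACME issuer logs when an
// HTTP-01 challenge request arrives for a name it holds no pending challenge for.
const challengeInfoPrefix = "no information found to solve challenge for identifier"

// FilterWriter sits between the JSON log encoder and the real sink. Each line
// is decoded just enough to inspect two fields; lines that match the
// suppression rule are dropped, everything else passes through byte-for-byte.
type FilterWriter struct {
	dst     io.Writer
	Dropped int // number of suppressed entries; worth exporting as a metric
}

// NewFilterWriter wraps dst (e.g. os.Stdout) with the acme_issuer filter.
func NewFilterWriter(dst io.Writer) *FilterWriter { return &FilterWriter{dst: dst} }

// ShouldDrop reports whether one JSON log line is the noisy acme_issuer entry
// from the issue. The rule is deliberately narrow: the same error text coming
// from any other component is kept.
func ShouldDrop(line []byte) bool {
	var entry struct {
		Component string `json:"component"`
		Error     string `json:"error"`
	}
	if err := json.Unmarshal(line, &entry); err != nil {
		return false // not JSON or malformed: never silently lose it
	}
	return entry.Component == "acme_issuer" &&
		strings.HasPrefix(entry.Error, challengeInfoPrefix)
}

// Write handles one or more newline-terminated entries per call and always
// reports p as fully consumed so the logger does not retry dropped entries.
func (f *FilterWriter) Write(p []byte) (int, error) {
	for _, line := range bytes.SplitAfter(p, []byte("\n")) {
		if len(bytes.TrimSpace(line)) == 0 {
			continue
		}
		if ShouldDrop(line) {
			f.Dropped++
			continue
		}
		if _, err := f.dst.Write(line); err != nil {
			return 0, err
		}
	}
	return len(p), nil
}

// FilterLines runs the filter over a batch of lines and returns the survivors
// and the number dropped (used by the demo below and by tests).
func FilterLines(lines []string) ([]string, int) {
	var out bytes.Buffer
	fw := NewFilterWriter(&out)
	for _, l := range lines {
		fw.Write([]byte(l + "\n"))
	}
	if out.Len() == 0 {
		return nil, fw.Dropped
	}
	return strings.Split(strings.TrimSpace(out.String()), "\n"), fw.Dropped
}

// sampleLog is constructed for this example; hostnames are placeholders.
var sampleLog = []string{
	`{"level":"error","caller":"certmagic@v0.20.0/httphandler.go:76","msg":"looking up info for HTTP challenge","component":"acme_issuer","host":"disallowed.example","error":"no information found to solve challenge for identifier: disallowed.example"}`,
	`{"level":"info","msg":"certificate obtained successfully","component":"acme_issuer","identifier":"allowed.example"}`,
	`{"level":"error","component":"http","msg":"request failed","error":"no information found to solve challenge for identifier: other.example"}`,
}

func main() {
	fw := NewFilterWriter(os.Stdout)
	for _, l := range sampleLog {
		fw.Write([]byte(l + "\n"))
	}
	fmt.Fprintf(os.Stderr, "suppressed %d acme_issuer challenge-lookup entries\n", fw.Dropped)
}
```

To use it with the zap logger CertMagic takes, build the core with `zapcore.NewCore(zapcore.NewJSONEncoder(cfg), zapcore.AddSync(NewFilterWriter(os.Stdout)), level)` and hand the resulting `*zap.Logger` to the `ACMEIssuer`. Filtering at the sink rather than in the application means the issuer's own behaviour is unchanged, and the `Dropped` counter still lets you notice when a disallowed name keeps receiving challenge traffic.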

mholt commented 4 months ago

Of course - thanks for using CertMagic!