smallstep / cli

🧰 A zero trust swiss army knife for working with X509, OAuth, JWT, OATH OTP, etc.
https://smallstep.com/cli
Apache License 2.0

Unclear error when CA fingerprint does not match #841

Open tashian opened 1 year ago

tashian commented 1 year ago

When the CA URL is correct, and the fingerprint does not match, the output of step ca bootstrap is confusing:

$ step ca bootstrap --ca-url https://ca.example.com --fingerprint abc1230
The requested resource could not be found. Please see the certificate authority logs for more info.
Re-run with STEPDEBUG=1 for more info.

It would be nice here if the client could say that the cert fingerprint doesn't match.

marten-seemann commented 2 weeks ago

The cli issues an HTTP GET request to <ca-url>/root/<fingerprint>. Assuming that we manage to connect to the hostname and perform the GET request, the error we get when using an invalid fingerprint is a 404:

{"status":404,"message":"The requested resource could not be found. Please see the certificate authority logs for more info."}

I can see two ways to get a more meaningful error message here:

  1. Return a more meaningful 404 message from the CA.
  2. Special-case the 404 handling in the cli, and emit a more helpful error message.

(1) seems preferable to me, since there might be other consumers of the REST API. @tashian, wdyt?

hslatman commented 2 weeks ago

First option would be my choice too.

A combination of the two might also be possible, but I think then we would preferably have an application error code as a field in the response, which the CLI (and possibly other clients) can act on. That's what's done with the ACME API, and it would be nice if we implemented this on more endpoints. But just a clearer message will get the job done now.
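As an added example (not code from the smallstep/cli repository or from either commenter), here is how a bootstrap client could handle the exchange described in the two comments above: it issues the GET <ca-url>/root/<fingerprint> request, turns the 404 into a targeted "unknown fingerprint" error, prefers a machine-readable error code field when one is present, and verifies the SHA-256 fingerprint of the root it receives before trusting it. The `code` field, the success body shape (PEM root under a `"ca"` key), the error names and the in-process mock CA are assumptions made for illustration, not step-ca's actual API.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// apiError mirrors the 404 body quoted in the issue. The "code" field is hypothetical:
// it models the application error code proposed in the thread, not a real step-ca field.
type apiError struct {
	Status  int    `json:"status"`
	Message string `json:"message"`
	Code    string `json:"code,omitempty"`
}

var ErrUnknownFingerprint = errors.New("the CA has no root with this fingerprint; check the --fingerprint value")
var ErrFingerprintMismatch = errors.New("the CA returned a root whose fingerprint differs from the one requested")

// fingerprint is the lowercase hex SHA-256 of a DER-encoded certificate.
func fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// fetchRoot performs GET <caURL>/root/<fp>, maps a 404 onto a targeted error, and
// verifies that the certificate it receives really has fingerprint fp.
func fetchRoot(client *http.Client, caURL, fp string) (*x509.Certificate, error) {
	resp, err := client.Get(strings.TrimRight(caURL, "/") + "/root/" + fp)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		var apiErr apiError
		_ = json.NewDecoder(resp.Body).Decode(&apiErr) // best effort: the body may not be JSON at all
		// Prefer the machine-readable code; otherwise special-case the 404 status.
		if apiErr.Code == "rootNotFound" || resp.StatusCode == http.StatusNotFound {
			return nil, fmt.Errorf("%w (CA said: %s)", ErrUnknownFingerprint, apiErr.Message)
		}
		return nil, fmt.Errorf("CA returned HTTP %d: %s", resp.StatusCode, apiErr.Message)
	}
	var rr struct{ CA string `json:"ca"` }   // assumed success body: PEM root under "ca"
	_ = json.NewDecoder(resp.Body).Decode(&rr) // a non-JSON body leaves CA empty, caught below
	block, _ := pem.Decode([]byte(rr.CA))
	if block == nil {
		return nil, errors.New("root response did not contain a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	// The fingerprint is the bootstrap's trust anchor: never accept a root the server merely claims matches.
	if !strings.EqualFold(fingerprint(cert.Raw), fp) {
		return nil, ErrFingerprintMismatch
	}
	return cert, nil
}

// newMockCA is a constructed stand-in for the CA's /root endpoint serving one
// self-signed root; it returns the server and that root's fingerprint.
func newMockCA() (*httptest.Server, string) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	fp := fingerprint(der)
	pemText := string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.TrimPrefix(r.URL.Path, "/root/") == fp {
			json.NewEncoder(w).Encode(map[string]string{"ca": pemText})
			return
		}
		w.WriteHeader(http.StatusNotFound)
		json.NewEncoder(w).Encode(apiError{Status: 404, Code: "rootNotFound", // code is hypothetical
			Message: "The requested resource could not be found. Please see the certificate authority logs for more info."})
	})), fp
}

func main() {
	srv, _ := newMockCA()
	defer srv.Close()
	_, err := fetchRoot(srv.Client(), srv.URL, "abc1230") // the bogus fingerprint from the issue
	fmt.Println("bootstrap failed:", err)
}
```

The two checks are deliberately separate: the 404 mapping only improves the message, while the final fingerprint comparison is what actually protects the bootstrap, since the supplied fingerprint is the only thing the client trusts before it has a root. A client that keys its behaviour on the `code` field, as the thread proposes, degrades gracefully against a CA that does not send it because it still falls back to the status code.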