[Feature] log errors from acme/autocert renewals #1161

Closed
opened 2025-12-29 02:28:37 +01:00 by adam · 6 comments
Owner

Originally created by @dustymabe on GitHub (Nov 21, 2025).

Use case

Users can observe errors from ACME certificate renewal requests in the logs of the headscale server.

Description

My ACME renewals weren't working at all and I had no idea why from looking at the logs of headscale today. This ListenAndServe() seems to not be outputting any logs from the `go func()`.

If I added some debug logging via `Environment=GODEBUG=http2debug=1` I could see more information:

```
2025/11/21 13:11:01 http2: Transport received DATA flags=END_STREAM stream=103 len=520 data="{\n  \"type\": \"urn:ietf:params:acme:error:rateLimited\",\n  \"detail\": \"Your account is temporarily prevented from requesting certificates for <redacted>.com and possibly others. Please visit: https://portal.letsencrypt.org/sfe/v1/unpause?jwt=123456789" (264 bytes omitted)
```

but as you can see, the `(264 bytes omitted)` from [1] made the message unactionable for me because it chopped off the unique ID I was supposed to use to unpause my rate limiting.

[1] https://cs.opensource.google/go/go/+/master:src/net/http/h2_bundle.go;l=3274;drc=4b0e3cc1d63a00ee184ea1f6b17e79808e3d9fdc

Contribution

  • [ ] I can write the design doc for this feature
  • [x] I can contribute this feature

How can it be implemented?

No response

adam added the enhancement label 2025-12-29 02:28:37 +01:00
adam closed this issue 2025-12-29 02:28:37 +01:00

@dustymabe commented on GitHub (Nov 21, 2025):

I created a [patch](https://github.com/dustymabe/headscale/commit/704aacf3946c45493509e26d8948c24de6b518a3) for this and it works. I did use google/gemini to help me get familiar with the code base and understand where to hook in for the logging.

If the maintainers agree this is a worthy feature then I can open a PR.


@dustymabe commented on GitHub (Nov 21, 2025):

> I can write the design doc for this feature

I'm not sure this feature really needs a design doc. WDYT?


@dustymabe commented on GitHub (Dec 1, 2025):

@kradalby @nblock - if you could consider this and let me know what you think. If it seems reasonable I'd like to open a PR while it's fresh in my memory.


@kradalby commented on GitHub (Dec 1, 2025):

Sorry, I've been swamped. Since the logger only hooks into the HTTP client for the cert logic, I don't see any problem with this.

Two things to make sure of would be that we don't leak any sort of secrets/private keys and that it respects the trace/debug logging system we already use.

Otherwise a PR is good.
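As an added illustration of the hook the issue describes and of the two requirements above (no leaked key material, and logging that goes through the caller's debug logger), here is a wrapping `http.RoundTripper` that surfaces ACME problem documents untruncated. This is example code, not the patch or headscale's own code; it assumes it is wired in as the `Transport` of the `http.Client` set on `acme.Client.HTTPClient`, which `autocert.Manager.Client` uses, and the `logf` callback is a hypothetical stand-in for the project's debug-level logger.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// describeACMEError renders an RFC 8555 problem document as one untruncated log
// line; ok is false for non-error statuses and for bodies that are not ACME problems.
func describeACMEError(status int, body []byte) (msg string, ok bool) {
	const prefix = "urn:ietf:params:acme:error:"
	var p struct{ Type, Detail string } // json matches "type"/"detail" case-insensitively
	if status < 400 || json.Unmarshal(body, &p) != nil || !strings.HasPrefix(p.Type, prefix) {
		return "", false
	}
	return fmt.Sprintf("%s (HTTP %d): %s", strings.TrimPrefix(p.Type, prefix), status, p.Detail), true
}

// loggingTransport wraps the RoundTripper of the http.Client given to autocert via acme.Client.HTTPClient.
// It logs URL, status and problem document only, never request bodies (signed JWS) or headers.
type loggingTransport struct {
	next http.RoundTripper
	logf func(format string, args ...any) // hypothetical: the caller's debug-level logger
}

func (t *loggingTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	resp, err := t.next.RoundTrip(req)
	if err != nil {
		t.logf("acme: %s %s: %v", req.Method, req.URL.Redacted(), err)
		return nil, err
	}
	if resp.StatusCode < 400 {
		return resp, nil // success paths stay silent
	}
	body, readErr := io.ReadAll(io.LimitReader(resp.Body, 64<<10))
	resp.Body.Close()
	if readErr != nil {
		return nil, readErr
	}
	resp.Body = io.NopCloser(bytes.NewReader(body)) // hand the body back to autocert untouched
	if msg, ok := describeACMEError(resp.StatusCode, body); ok {
		t.logf("acme: %s %s: %s", req.Method, req.URL.Redacted(), msg)
	}
	return resp, nil
}
```

Because the wrapper re-buffers the body and returns the response unchanged, autocert's own error handling still sees exactly what the server sent.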


@dustymabe commented on GitHub (Dec 3, 2025):

> Sorry, I've been swamped. Since the logger only hooks into the HTTP client for the cert logic, I don't see any problem with this.

No worries! Thank you for replying.

> Two things to make sure of would be that we don't leak any sort of secrets/private keys and that it respects the trace/debug logging system we already use.

I didn't see any secrets when I was doing this but I'll try to confirm.

> Otherwise a PR is good.

Thanks. I'll open a PR for it hopefully before Saturday.


@dustymabe commented on GitHub (Dec 4, 2025):

opened https://github.com/juanfont/headscale/pull/2933


Reference: starred/headscale#1161