[PR #2933] [MERGED] hscontrol: log acme/autocert errors #2942

Closed
opened 2025-12-29 04:19:45 +01:00 by adam · 0 comments

📋 Pull Request Information

Original PR: https://github.com/juanfont/headscale/pull/2933
Author: @dustymabe
Created: 12/4/2025
Status: Merged
Merged: 12/8/2025
Merged by: @kradalby

Base: main ← Head: dusty-log-acme-errors


📝 Commits (1)

  • 53b7cf5 hscontrol: log acme/autocert errors

📊 Changes

1 file changed (+31 additions, -0 deletions)


📝 hscontrol/app.go (+31 -0)

📄 Description

My ACME renewals weren't working at all and I had no idea why from looking at the logs of headscale today. This ListenAndServe() seems to not be outputting any logs from the go func().

If I added some debug logging via Environment=GODEBUG=http2debug=1 I could see more information:

```
2025/11/21 13:11:01 http2: Transport received DATA flags=END_STREAM stream=103 len=520 data="{\n  \"type\": \"urn:ietf:params:acme:error:rateLimited\",\n  \"detail\": \"Your account is temporarily prevented from requesting certificates for <redacted>.com and possibly others. Please visit: https://portal.letsencrypt.org/sfe/v1/unpause?jwt=123456789" (264 bytes omitted)
```

but as you can see (264 bytes omitted) from [1] made the message unactionable for me because it chopped off the unique ID I was supposed to use to unpause my ratelimiting.

Let's add some middleware via http.RoundTripper to get the appropriate log messages to help me understand what was going on. This is the resulting message I see:

```
2025-11-21T15:59:19-05:00 ERR ACME request returned error body="{\n  \"type\": \"urn:ietf:params:acme:error:rateLimited\",\n  \"detail\": \"Your account is temporarily prevented from requesting certificates for <redacted>.com and possibly others. Please visit: https://portal.letsencrypt.org/sfe/v1/unpause?jwt=0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012\",\n  \"status\": 429\n}" status_code=429 url=https://acme-v02.api.letsencrypt.org/acme/new-order
```

Assisted-By: <google/gemini-3-pro-preview>

Fixes: https://github.com/juanfont/headscale/issues/2911

[1] https://cs.opensource.google/go/go/+/master:src/net/http/h2_bundle.go;l=3274;drc=4b0e3cc1d63a00ee184ea1f6b17e79808e3d9fdc


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
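
An added example of the http.RoundTripper approach named in the description above; it is not the code merged in this PR. The names `errorLoggingTransport`, `logf` and `demo`, the 64 KiB cap and the local test server are assumptions for illustration. It logs the complete error body and re-attaches it so the ACME client can still parse the problem document.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// errorLoggingTransport (hypothetical name) logs the body of any response with
// status >= 400, then hands the same bytes back to the caller.
type errorLoggingTransport struct {
	base http.RoundTripper
	logf func(format string, args ...any)
}

func (t *errorLoggingTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	resp, err := t.base.RoundTrip(req)
	if err != nil || resp.StatusCode < http.StatusBadRequest {
		return resp, err
	}
	// Buffer at most 64 KiB (assumed cap); a failed read just logs a partial body.
	body, _ := io.ReadAll(io.LimitReader(resp.Body, 64<<10))
	resp.Body = struct{ io.Reader; io.Closer }{io.MultiReader(bytes.NewReader(body), resp.Body), resp.Body}
	t.logf("ACME request returned error status_code=%d url=%s body=%q", resp.StatusCode, req.URL, body)
	return resp, nil
}

// demo sends one request through the wrapper to a local server returning a
// constructed rateLimited document; it returns the log lines and the caller's body.
func demo() (logged []string, callerBody string, err error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusTooManyRequests)
		io.WriteString(w, `{"type":"urn:ietf:params:acme:error:rateLimited","status":429}`)
	}))
	defer srv.Close()
	logf := func(f string, a ...any) { logged = append(logged, fmt.Sprintf(f, a...)) }
	client := &http.Client{Transport: &errorLoggingTransport{http.DefaultTransport, logf}}
	resp, err := client.Get(srv.URL + "/acme/new-order")
	if err != nil {
		return nil, "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return logged, string(b), err
}

func main() { fmt.Println(demo()) }
```

Error bodies logged this way can carry account-specific values such as the unpause link in the message above, so the log destination needs access control to match.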

adam added the pull-request label 2025-12-29 04:19:45 +01:00
adam closed this issue 2025-12-29 04:19:45 +01:00

Reference: starred/headscale#2942