Set TLS Handshake logs to debug

certs/certs.go

@@ -88,37 +88,51 @@ func isACME(info *tls.ClientHelloInfo) bool {
 
 // GetCertificate implements the interface required by tls.Config
 func (c *CertManager) GetCertificate(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
+	cert, err := c.get(info)
+	if err != nil {
+		slog.Warn("getting certificate", slog.String("error", err.Error()), slog.String("sni", info.ServerName))
+	}
+
+	return cert, err
+}
+
+// get is the core of GetCertificate, which wraps this for observability
+func (c *CertManager) get(info *tls.ClientHelloInfo) (*tls.Certificate, error) { //nolint:funcorder
 	sni := info.ServerName
 
+	if sni == "" {
+		return nil, fmt.Errorf("no SNI provided")
+	}
+
 	c.mu.Lock()
 	defer c.mu.Unlock()
 
 	if isACME(info) {
 		challengeCert, ok := c.challengeCerts[sni]
 		if !ok {
-			return nil, fmt.Errorf("no challenge certificate found for %q", sni)
+			return nil, fmt.Errorf("no challenge certificate found")
 		}
 
 		return challengeCert, nil
 	}
 
 	cert, ok := c.certs[info.ServerName]
 	if !ok {
-		return nil, fmt.Errorf("no certificate for %s", sni)
+		return nil, fmt.Errorf("no certificate")
 	}
 
 	expired := time.Now().After(cert.Leaf.NotAfter)
 	shouldBeExpired, ok := c.expired[info.ServerName]
 	if !ok {
-		return nil, fmt.Errorf("cert for %s not in c.expired", sni)
+		return nil, fmt.Errorf("cert not in c.expired")
 	}
 
 	if expired && !shouldBeExpired {
-		return nil, fmt.Errorf("certificate for %s is expired", sni)
+		return nil, fmt.Errorf("certificate is expired")
 	}
 
 	if !expired && shouldBeExpired {
-		return nil, fmt.Errorf("certificate for %s is not expired, but should be", sni)
+		return nil, fmt.Errorf("certificate is not expired, but should be")
 	}
 
 	return cert, nil

config/config.go

@@ -96,6 +96,9 @@ type Config struct {
 
 	// TextTemplate overrides the default plain text webpage
 	TextTemplate string
+
+	// LogDebug enables debug level logs when set to true
+	LogDebug bool
 }
 
 // Site configures a particular site.

integration/test-certs-site-config.json

@@ -15,5 +15,6 @@
     "directory": "https://pebble:14000/dir",
     "termsOfServiceAgreed": true
   },
-  "dataDir": "/data"
+  "dataDir": "/data",
+  "logDebug": true
 }

main.go

@@ -21,7 +21,9 @@ import (
 )
 
 func run(args []string) error {
-	slog.SetDefault(slog.New(slog.NewJSONHandler(os.Stdout, nil)))
+	logLevel := &slog.LevelVar{}
+	logLevel.Set(slog.LevelInfo)
+	slog.SetDefault(slog.New(slog.NewJSONHandler(os.Stdout, &slog.HandlerOptions{Level: logLevel})))
 
 	fs := flag.NewFlagSet(args[0], flag.ExitOnError)
 	cfgPath := fs.String("config", "config.json", "path to json config file")
@@ -40,6 +42,10 @@ func run(args []string) error {
 		return fmt.Errorf("loading config: %w", err)
 	}
 
+	if cfg.LogDebug {
+		logLevel.Set(slog.LevelDebug)
+	}
+
 	store, err := storage.New(cfg.DataDir)
 	if err != nil {
 		return fmt.Errorf("creating storage: %w", err)

server/server.go

@@ -26,9 +26,12 @@ func Run(ctx context.Context, cfg *config.Config, getCert GetCertificateFunc) er
 		return err
 	}
 
+	logger := slog.NewLogLogger(slog.Default().Handler(), slog.LevelDebug)
+
 	srv := http.Server{
-		Addr:    cfg.ListenAddr,
-		Handler: handler,
+		Addr:     cfg.ListenAddr,
+		Handler:  handler,
+		ErrorLog: logger,
 
 		IdleTimeout:       timeout,
 		ReadHeaderTimeout: timeout,