[TLS] issue trace if unable to check/refresh cert

gstrauss · gstrauss · commit 069971fb2131 · 2025-03-26T00:28:05.000-04:00
when configured to check/refresh certificates
  server.feature-flags += ("ssl.refresh-certs" =&gt; "enable")
diff --git a/src/mod_gnutls.c b/src/mod_gnutls.c
@@ -3361,6 +3361,18 @@ mod_gnutls_refresh_plugin_ssl_ctx (plugin_ssl_ctx * const s)
 }
 
 
+__attribute_cold__
+static int
+mod_gnutls_refresh_plugin_cert_fail (server * const srv, plugin_cert * const pc)
+{
+    log_perror(srv->errh, __FILE__, __LINE__,
+               "GnuTLS: unable to check/refresh cert key; "
+               "continuing to use already-loaded %s",
+               pc->ssl_privkey->ptr);
+    return 0;
+}
+
+
 static int
 mod_gnutls_refresh_plugin_cert (server * const srv, plugin_cert * const pc)
 {
@@ -3388,15 +3400,17 @@ mod_gnutls_refresh_plugin_cert (server * const srv, plugin_cert * const pc)
      * update privkey last, after pem file (and OCSP stapling file) */
     struct stat st;
     if (0 != stat(pc->ssl_privkey->ptr, &st))
-        return 0; /* ignore if stat() error; keep using existing crt/pk */
+        return mod_gnutls_refresh_plugin_cert_fail(srv, pc);
+        /* ignore if stat() error; keep using existing crt/pk */
     if (TIME64_CAST(st.st_mtime) <= pc->pkey_ts)
         return 0; /* mtime match; no change */
 
     plugin_cert *npc =
       network_gnutls_load_pemfile(srv, pc->ssl_pemfile, pc->ssl_privkey,
                                   pc->ssl_stapling_file);
     if (NULL == npc)
-        return 0; /* ignore if crt/pk error; keep using existing crt/pk */
+        return mod_gnutls_refresh_plugin_cert_fail(srv, pc);
+        /* ignore if crt/pk error; keep using existing crt/pk */
 
     /*(future: if threaded, only one thread should update pcs)*/
 
diff --git a/src/mod_mbedtls.c b/src/mod_mbedtls.c
@@ -2985,6 +2985,18 @@ mod_mbedtls_refresh_plugin_ssl_ctx (server * const srv, plugin_ssl_ctx * const s
 }
 
 
+__attribute_cold__
+static int
+mod_mbedtls_refresh_plugin_cert_fail (server * const srv, plugin_cert * const pc)
+{
+    log_perror(srv->errh, __FILE__, __LINE__,
+               "MTLS: unable to check/refresh cert key; "
+               "continuing to use already-loaded %s",
+               pc->ssl_privkey->ptr);
+    return 0;
+}
+
+
 static int
 mod_mbedtls_refresh_plugin_cert (server * const srv, plugin_cert * const pc)
 {
@@ -3012,14 +3024,16 @@ mod_mbedtls_refresh_plugin_cert (server * const srv, plugin_cert * const pc)
      * update privkey last, after pem file (and OCSP stapling file) */
     struct stat st;
     if (0 != stat(pc->ssl_privkey->ptr, &st))
-        return 0; /* ignore if stat() error; keep using existing crt/pk */
+        return mod_mbedtls_refresh_plugin_cert_fail(srv, pc);
+        /* ignore if stat() error; keep using existing crt/pk */
     if (TIME64_CAST(st.st_mtime) <= pc->pkey_ts)
         return 0; /* mtime match; no change */
 
     plugin_cert *npc =
       network_mbedtls_load_pemfile(srv, pc->ssl_pemfile, pc->ssl_privkey);
     if (NULL == npc)
-        return 0; /* ignore if crt/pk error; keep using existing crt/pk */
+        return mod_mbedtls_refresh_plugin_cert_fail(srv, pc);
+        /* ignore if crt/pk error; keep using existing crt/pk */
 
     /*(future: if threaded, only one thread should update pcs)*/
 
diff --git a/src/mod_nss.c b/src/mod_nss.c
@@ -2885,6 +2885,18 @@ mod_nss_refresh_plugin_ssl_ctx (server * const srv, plugin_ssl_ctx * const s)
 }
 
 
+__attribute_cold__
+static int
+mod_nss_refresh_plugin_cert_fail (server * const srv, plugin_cert * const pc)
+{
+    log_perror(srv->errh, __FILE__, __LINE__,
+               "NSS: unable to check/refresh cert key; "
+               "continuing to use already-loaded %s",
+               pc->ssl_privkey->ptr);
+    return 0;
+}
+
+
 static int
 mod_nss_refresh_plugin_cert (server * const srv, plugin_cert * const pc)
 {
@@ -2912,15 +2924,17 @@ mod_nss_refresh_plugin_cert (server * const srv, plugin_cert * const pc)
      * update privkey last, after pem file (and OCSP stapling file) */
     struct stat st;
     if (0 != stat(pc->ssl_privkey->ptr, &st))
-        return 0; /* ignore if stat() error; keep using existing crt/pk */
+        return mod_nss_refresh_plugin_cert_fail(srv, pc);
+        /* ignore if stat() error; keep using existing crt/pk */
     if (TIME64_CAST(st.st_mtime) <= pc->pkey_ts)
         return 0; /* mtime match; no change */
 
     plugin_cert *npc =
       network_nss_load_pemfile(srv, pc->ssl_pemfile, pc->ssl_privkey,
                                pc->ssl_stapling_file);
     if (NULL == npc)
-        return 0; /* ignore if crt/pk error; keep using existing crt/pk */
+        return mod_nss_refresh_plugin_cert_fail(srv, pc);
+        /* ignore if crt/pk error; keep using existing crt/pk */
 
     /*(future: if threaded, only one thread should update pcs)*/
 
diff --git a/src/mod_openssl.c b/src/mod_openssl.c
@@ -5042,6 +5042,18 @@ mod_openssl_refresh_plugin_ssl_ctx (server * const srv, plugin_ssl_ctx * const s
 }
 
 
+__attribute_cold__
+static int
+mod_openssl_refresh_plugin_cert_fail (server * const srv, plugin_cert * const pc)
+{
+    log_perror(srv->errh, __FILE__, __LINE__,
+               "SSL: unable to check/refresh cert key; "
+               "continuing to use already-loaded %s",
+               pc->ssl_privkey->ptr);
+    return 0;
+}
+
+
 static int
 mod_openssl_refresh_plugin_cert (server * const srv, plugin_cert * const pc)
 {
@@ -5069,15 +5081,17 @@ mod_openssl_refresh_plugin_cert (server * const srv, plugin_cert * const pc)
      * update privkey last, after pem file (and OCSP stapling file) */
     struct stat st;
     if (0 != stat(pc->ssl_privkey->ptr, &st))
-        return 0; /* ignore if stat() error; keep using existing crt/pk */
+        return mod_openssl_refresh_plugin_cert_fail(srv, pc);
+        /* ignore if stat() error; keep using existing crt/pk */
     if (TIME64_CAST(st.st_mtime) <= pc->pkey_ts)
         return 0; /* mtime match; no change */
 
     plugin_cert *npc =
       network_openssl_load_pemfile(srv, pc->ssl_pemfile, pc->ssl_privkey,
                                    pc->ssl_stapling_file);
     if (NULL == npc)
-        return 0; /* ignore if crt/pk error; keep using existing crt/pk */
+        return mod_openssl_refresh_plugin_cert_fail(srv, pc);
+        /* ignore if crt/pk error; keep using existing crt/pk */
 
     /*(future: if threaded, only one thread should update pcs)*/
 
diff --git a/src/mod_wolfssl.c b/src/mod_wolfssl.c
@@ -3795,6 +3795,18 @@ mod_wolfssl_refresh_plugin_ssl_ctx (server * const srv, plugin_ssl_ctx * const s
 }
 
 
+__attribute_cold__
+static int
+mod_wolfssl_refresh_plugin_cert_fail (server * const srv, plugin_cert * const pc)
+{
+    log_perror(srv->errh, __FILE__, __LINE__,
+               "SSL: unable to check/refresh cert key; "
+               "continuing to use already-loaded %s",
+               pc->ssl_privkey->ptr);
+    return 0;
+}
+
+
 static int
 mod_wolfssl_refresh_plugin_cert (server * const srv, plugin_cert * const pc)
 {
@@ -3822,15 +3834,17 @@ mod_wolfssl_refresh_plugin_cert (server * const srv, plugin_cert * const pc)
      * update privkey last, after pem file (and OCSP stapling file) */
     struct stat st;
     if (0 != stat(pc->ssl_privkey->ptr, &st))
-        return 0; /* ignore if stat() error; keep using existing crt/pk */
+        return mod_wolfssl_refresh_plugin_cert_fail(srv, pc);
+        /* ignore if stat() error; keep using existing crt/pk */
     if (TIME64_CAST(st.st_mtime) <= pc->pkey_ts)
         return 0; /* mtime match; no change */
 
     plugin_cert *npc =
       network_openssl_load_pemfile(srv, pc->ssl_pemfile, pc->ssl_privkey,
                                    pc->ssl_stapling_file);
     if (NULL == npc)
-        return 0; /* ignore if crt/pk error; keep using existing crt/pk */
+        return mod_wolfssl_refresh_plugin_cert_fail(srv, pc);
+        /* ignore if crt/pk error; keep using existing crt/pk */
 
     /*(future: if threaded, only one thread should update pcs)*/
 
