Improve error message for IPv6 failure with no IPv4 fallback. (#2844)
This commit improves the rather vague error message that was previously returned if an IPv6 challenge validation failed when IPv6First was enabled and there were no IPv4 addresses left to try as a fallback. Resolves #2821
parent
bbd0587440
commit
7120d72197
29
va/va.go
29
va/va.go
|
|
@ -214,9 +214,16 @@ func (d *dialer) Dial(_, _ string) (net.Conn, error) {
|
|||
d.stats.Inc("IPv4Fallback", 1)
|
||||
}
|
||||
|
||||
// This shouldn't happen, but be defensive about it anyway
|
||||
if len(v4) < 1 {
|
||||
return nil, fmt.Errorf("No available addresses for dialer to dial")
|
||||
// If there are no IPv4 addresses and we tried an IPv6 address return an
|
||||
// error - there's nothing left to try
|
||||
if len(v4) == 0 && len(d.record.AddressesTried) > 0 {
|
||||
return nil,
|
||||
fmt.Errorf("Unable to contact %q at %q, no IPv4 addresses to try as fallback",
|
||||
d.record.Hostname, d.record.AddressesTried[0])
|
||||
} else if len(v4) == 0 && len(d.record.AddressesTried) == 0 {
|
||||
// It shouldn't be possible that there are no IPv4 addresses and no previous
|
||||
// attempts at an IPv6 address connection but be defensive about it anyway
|
||||
return nil, fmt.Errorf("no IP addresses found for %q", d.record.Hostname)
|
||||
}
|
||||
|
||||
// Otherwise if there are no IPv6 addresses, or there was an error
|
||||
|
|
@ -471,13 +478,17 @@ func (va *ValidationAuthorityImpl) tryGetTLSSNICerts(ctx context.Context, identi
|
|||
va.stats.Inc("IPv4Fallback", 1)
|
||||
}
|
||||
|
||||
// If there are no v4 addresses then return an error about there being no
|
||||
// usable addresses found. We don't say "no IP addresses found" here because
|
||||
// we may have tried an IPv6 address before this point, had it fail, and then
|
||||
// found no fallbacks.
|
||||
if len(v4) < 1 {
|
||||
// If there are no IPv4 addresses and we tried an IPv6 address return
|
||||
// an error - there's nothing left to try
|
||||
if len(v4) == 0 && len(thisRecord.AddressesTried) > 0 {
|
||||
return nil, validationRecords, probs.Malformed(
|
||||
fmt.Sprintf("no working IP addresses found for %q", identifier.Value))
|
||||
fmt.Sprintf("Unable to contact %q at %q, no IPv4 addresses to try as fallback",
|
||||
thisRecord.Hostname, thisRecord.AddressesTried[0]))
|
||||
} else if len(v4) == 0 && len(thisRecord.AddressesTried) == 0 {
|
||||
// It shouldn't be possible that there are no IPv4 addresses and no previous
|
||||
// attempts at an IPv6 address connection but be defensive about it anyway
|
||||
return nil, validationRecords, probs.Malformed(
|
||||
fmt.Sprintf("No IP addresses found for %q", thisRecord.Hostname))
|
||||
}
|
||||
|
||||
// Otherwise if there are no IPv6 addresses, or there was an error
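Review bot: The new fallback-exhausted branches are written twice, in Dial and in tryGetTLSSNICerts, and their messages already diverge: Dial returns `"no IP addresses found for %q"` while the TLS path returns `"No IP addresses found for %q"`. This text ends up in the problem detail and in errors that operators match on when triaging validation failures, so use one casing, e.g. `fmt.Sprintf("no IP addresses found for %q", thisRecord.Hostname))` in tryGetTLSSNICerts. In both places the `else if len(v4) == 0 && len(...AddressesTried) == 0` arm follows a return and repeats the `len(v4) == 0` test, so a single `if len(v4) == 0 {` with an inner `if len(...AddressesTried) > 0 {` reads more directly. Only `AddressesTried[0]` is named in the message; that is presumably the failed IPv6 address, but it would mislead if more than one address had been tried before this point. Both functions begin and end outside the hunks.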
|
||||
|
|
|
|||
|
|
@ -1309,8 +1309,9 @@ func TestFallbackTLS(t *testing.T) {
|
|||
// and a broken IPv6
|
||||
records, prob = va.validateChallenge(ctx, ident, chall)
|
||||
test.Assert(t, prob != nil, "validation succeeded with broken IPv6 and no IPv4 fallback")
|
||||
// We expect that the problem has the correct error message about working IPs
|
||||
test.AssertEquals(t, prob.Detail, "no working IP addresses found for \"ipv6.localhost\"")
|
||||
// We expect that the problem has the correct error message about nothing to fallback to
|
||||
test.AssertEquals(t, prob.Detail,
|
||||
"Unable to contact \"ipv6.localhost\" at \"::1\", no IPv4 addresses to try as fallback")
|
||||
// We expect one validation record to be present
|
||||
test.AssertEquals(t, len(records), 1)
|
||||
// We expect that the address eventually used was the IPv6 localhost address
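Review bot: The updated assertion pins only the first new branch of tryGetTLSSNICerts (IPv6 tried, no IPv4 left); nothing in this hunk exercises the defensive `No IP addresses found for %q` arm or the parallel messages added to Dial. If the HTTP fallback path has a test of its own, it should assert the same "no IPv4 addresses to try as fallback" detail there, so the two code paths cannot drift apart unnoticed. Separately, `prob.Detail` is read right after `test.Assert(t, prob != nil, ...)`; whether test.Assert stops the test on failure is not visible here, and if it does not, a nil prob would panic instead of failing cleanly. TestFallbackTLS continues outside the hunk.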
|
||||
|
|
|
|||