authorFlorian Obser <florian@cvs.openbsd.org>2020-05-10 17:34:08 +0000
committerFlorian Obser <florian@cvs.openbsd.org>2020-05-10 17:34:08 +0000
commitaa1c5762db8017c4ae4e23a1d0155f6def746cae (patch)
tree5bebc60d07da20057dc82e77e4df896d61710b99 /usr.sbin/acme-client
parent4d7df22a57fcda282548ed681652f5e3e512afeb (diff)
In case the order fails print the human readable reason from the
challenge objects that the server hopefully provides. input & OK deraadt OK beck, benno
Diffstat (limited to 'usr.sbin/acme-client')
-rw-r--r--usr.sbin/acme-client/extern.h3
-rw-r--r--usr.sbin/acme-client/json.c10
-rw-r--r--usr.sbin/acme-client/netproc.c22
3 files changed, 26 insertions, 9 deletions
diff --git a/usr.sbin/acme-client/extern.h b/usr.sbin/acme-client/extern.h
index daadc813b97..529d3350205 100644
--- a/usr.sbin/acme-client/extern.h
+++ b/usr.sbin/acme-client/extern.h
@@ -1,4 +1,4 @@
-/* $Id: extern.h,v 1.17 2020/02/07 14:34:15 florian Exp $ */
+/* $Id: extern.h,v 1.18 2020/05/10 17:34:07 florian Exp $ */
/*
* Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -159,6 +159,7 @@ enum chngstatus {
struct chng {
char *uri; /* uri on ACME server */
char *token; /* token we must offer */
+ char *error; /* "detail" field in case of error */
size_t retry; /* how many times have we tried */
enum chngstatus status; /* challenge accepted? */
};
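Review bot: The comment on the new `error` member does not say that the string is heap-allocated and owned by the struct, nor that its content is text supplied by the ACME server. Something like `char *error; /* server-supplied "detail" on failure; malloc'd, untrusted */` would tell later callers to encode it before printing and to release it. None of the json.c or netproc.c hunks in this commit frees the member, so the code that releases `uri` and `token` (not visible here) presumably needs a matching `free()` for it.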
diff --git a/usr.sbin/acme-client/json.c b/usr.sbin/acme-client/json.c
index 36c7be4c988..ca3012f9bd5 100644
--- a/usr.sbin/acme-client/json.c
+++ b/usr.sbin/acme-client/json.c
@@ -1,4 +1,4 @@
-/* $Id: json.c,v 1.16 2020/01/22 22:25:22 tedu Exp $ */
+/* $Id: json.c,v 1.17 2020/05/10 17:34:07 florian Exp $ */
/*
* Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -265,7 +265,6 @@ json_getarray(struct jsmnn *n, const char *name)
return n->d.obj[i].rhs;
}
-#ifdef notyet
/*
* Extract subtree from the returned JSON object, making sure that it's
* the correct type.
@@ -292,7 +291,6 @@ json_getobj(struct jsmnn *n, const char *name)
return NULL;
return n->d.obj[i].rhs;
}
-#endif /* notyet */
/*
* Extract a single string from the returned JSON object, making sure
@@ -375,7 +373,7 @@ json_parse_response(struct jsmnn *n)
int
json_parse_challenge(struct jsmnn *n, struct chng *p)
{
- struct jsmnn *array, *obj;
+ struct jsmnn *array, *obj, *error;
size_t i;
int rc;
char *type;
@@ -401,6 +399,10 @@ json_parse_challenge(struct jsmnn *n, struct chng *p)
p->uri = json_getstr(obj, "url");
p->token = json_getstr(obj, "token");
p->status = json_parse_response(obj);
+ if (p->status == CHNG_INVALID) {
+ error = json_getobj(obj, "error");
+ p->error = json_getstr(error, "detail");
+ }
return p->uri != NULL && p->token != NULL;
}
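Review bot: The result of `json_getobj(obj, "error")` is passed to `json_getstr()` without a NULL check, although the tail of json_getobj shown earlier in this file's diff has a `return NULL` path. Whether json_getstr tolerates a NULL node is not visible here; if it dereferences its argument, a server reply marked invalid that carries no `error` object would crash the network process. A guard such as `if ((error = json_getobj(obj, "error")) != NULL) p->error = json_getstr(error, "detail");` removes that dependency. `p->error` is also left unassigned for every other status, so it relies on the caller having zeroed the struct; the start of json_parse_challenge lies outside the hunk.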
diff --git a/usr.sbin/acme-client/netproc.c b/usr.sbin/acme-client/netproc.c
index 79c26ef4c67..7b8152196d1 100644
--- a/usr.sbin/acme-client/netproc.c
+++ b/usr.sbin/acme-client/netproc.c
@@ -1,4 +1,4 @@
-/* $Id: netproc.c,v 1.25 2019/08/11 19:44:25 florian Exp $ */
+/* $Id: netproc.c,v 1.26 2020/05/10 17:34:07 florian Exp $ */
/*
* Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -23,6 +23,7 @@
#include <string.h>
#include <unistd.h>
#include <tls.h>
+#include <vis.h>
#include "http.h"
#include "extern.h"
@@ -664,7 +665,7 @@ netproc(int kfd, int afd, int Cfd, int cfd, int dfd, int rfd,
{
int rc = 0;
size_t i;
- char *cert = NULL, *thumb = NULL, *url = NULL;
+ char *cert = NULL, *thumb = NULL, *url = NULL, *error = NULL;
struct conn c;
struct capaths paths;
struct order order;
@@ -805,7 +806,8 @@ netproc(int kfd, int afd, int Cfd, int cfd, int dfd, int rfd,
"%d", chngs[i].token, chngs[i].uri,
chngs[i].status);
- if (chngs[i].status == CHNG_VALID)
+ if (chngs[i].status == CHNG_VALID ||
+ chngs[i].status == CHNG_INVALID)
continue;
if (chngs[i].retry++ >= RETRY_MAX) {
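Review bot: The `continue` now covers two opposite outcomes, and nothing at this point says why a failed challenge is skipped silently instead of being reported. A short comment above the condition, for example `/* valid and invalid are both final; the failure reason is printed once the order fails */`, would make the intent clear to someone reading only this loop. The loop and the rest of netproc continue outside the hunk.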
@@ -858,8 +860,20 @@ netproc(int kfd, int afd, int Cfd, int cfd, int dfd, int rfd,
sleep(RETRY_DELAY);
}
- if (order.status != ORDER_VALID)
+ if (order.status != ORDER_VALID) {
+ for (i = 0; i < order.authsz; i++) {
+ dochngreq(&c, order.auths[i], &chngs[i]);
+ if (chngs[i].error != NULL) {
+ if (stravis(&error, chngs[i].error, VIS_SAFE)
+ != -1) {
+ warnx("%s", error);
+ free(error);
+ error = NULL;
+ }
+ }
+ }
goto out;
+ }
if (order.certificate == NULL) {
warnx("no certificate url received");
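Review bot: `VIS_SAFE` on its own still lets newline, carriage return, backspace and bell through unencoded (per vis(3)), so a `detail` string from the server can span several lines or overwrite part of a line in whatever collects this process's stderr. Adding `VIS_NL`, as in `stravis(&error, chngs[i].error, VIS_SAFE | VIS_NL)`, at least keeps each reason on a single line. Dropping `VIS_SAFE` as well should, if I read vis(3) correctly, also encode the remaining control characters. Separately, the return value of `dochngreq()` is ignored, and the call parses a fresh reply into `chngs[i]`, which presumably replaces the `uri` and `token` pointers stored by the earlier request without freeing them. netproc's body continues outside the hunk.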