Generating "subproblems" to test against

rmbolger · June 20, 2019, 6:18pm

Saw this in another thread. Was there a thread in API Announcements I missed about it?

Regardless, it's awesome and I'd love to make sure my client handles and displays these appropriately. Is there an easy way to generate some subproblem errors with Pebble or Staging?

jsha · June 20, 2019, 6:23pm

There wasn’t a post in API Announcements. I think it didn’t occur to us to make one since it’s a backwards-compatible change, but it probably does make sense to let everyone know it’s available!

The easiest way to generate subproblems on staging is to submit an order that has some valid identifiers and some invalid ones (basically anything that’s not a domain name). Pebble doesn’t yet support subproblems; we should add that.

rmbolger · June 20, 2019, 6:49pm

Are we sure this is actually live? I just sent an order request to staging with the following payload:

{
   "identifiers":[
      {
         "value":"_example.org",
         "type":"dns"
      },
      {
         "value":"example.net",
         "type":"dns"
      },
      {
         "value":"asdf",
         "type":"dns"
      }
   ]
}

And this is the raw response I’m getting at the moment.

HTTP/1.1 400 Bad Request
Server: nginx
Content-Type: application/problem+json
Content-Length: 231
Boulder-Requester: 8473560
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: <removed>
Expires: Thu, 20 Jun 2019 18:44:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 20 Jun 2019 18:44:56 GMT
Connection: close

{
  "type": "urn:ietf:params:acme:error:rejectedIdentifier",
  "detail": "Error creating new order :: Policy forbids issuing for \"example.net\" and 1 more identifiers. Refer to sub-problems for more information",
  "status": 400
}

So it looks like it thinks its sending subproblems, but didn’t actually attach them?

cpu · June 20, 2019, 7:37pm

You're totally correct I filed a Boulder issue with more details, but there is definitely a bug and I apologize! I'll aim to get that fixed for the next release.

Thank you for spotting that!

rmbolger · June 20, 2019, 8:05pm

No worries. Glad to help!

cpu · June 20, 2019, 8:40pm

This is fixed in Boulder as of 5a1c18d. It'll go to staging and prod on the usual release schedule. If all goes according to plan that would mean it will be fixed in staging with the June 25th update and in prod on June 27th.

Thanks again!

cpu · June 20, 2019, 8:45pm

I'm +1 for writing an API announcement. Great idea. I can volunteer to do that. Given we have a bug in the live implementation I'm going to delay posting it until after the 25th

rmbolger · June 26, 2019, 3:39pm

Confirmed staging is now properly sending subproblems in error responses. It appears to include them even if there’s only one identifier and one problem.

For instance, sending an order with the following payload:

{
   "identifiers":[
      {
         "value":"_example.org",
         "type":"dns"
      }
   ]
}

Results in the following error body:

{
  "type": "urn:ietf:params:acme:error:rejectedIdentifier",
  "detail": "Error creating new order :: Invalid character in DNS name",
  "status": 400,
  "subproblems": [
    {
      "type": "malformed",
      "detail": "Error creating new order :: Invalid character in DNS name",
      "status": 400,
      "Identifier": {
        "type": "dns",
        "value": "_example.org"
      }
    }
  ]
}

Not a problem, just an observation.

cpu · June 26, 2019, 4:37pm

Perhaps a sub-problem of sub-problems?

I'll take a look. That doesn't match what I intended to happen in this case.

cpu · June 27, 2019, 5:24pm

Thanks for the report @rmbolger, this is fixed in 2d1a0d8 and will hit staging on July 2nd. We're not doing a production release this week so the buggy subproblems currently in staging won't be promoted to prod today.

rmbolger · June 27, 2019, 9:49pm

I giggled at the branch name in your PR. Who knew subproblems were so annoying to implement?

cpu · June 28, 2019, 8:32pm

Because of the July 4th holiday next week we ended up doing an out of cycle staging deploy today. The fix from 2d1a0d8 is now live in staging.

rmbolger · June 28, 2019, 8:53pm

Confirmed no more subproblems on single error responses. Same payload as before now returns:

{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Error creating new order :: Invalid character in DNS name",
  "status": 400
}

I hate to continue being a bother, but the other thing I notice is that when they payload contains multiple identifiers and only one of them has a problem, the error detail doesn’t indicate which one had the problem. So the error response above is identical if I change the payload to this:

{
   "identifiers":[
      {
         "value":"_example.org",
         "type":"dns"
      },
      {
         "value":"example.com",
         "type":"dns"
      }
   ]
}

jsha · June 28, 2019, 9:13pm

Good catch, @rmbolger! Thanks for helping us debug this new feature. Filed an issue: https://github.com/letsencrypt/boulder/issues/4311

system · July 28, 2019, 9:13pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.