
feat: enhance log message for certificate parsing errors#8801

Merged
mnencia merged 4 commits into cloudnative-pg:main from leonardoce:certificate-error
Oct 9, 2025

Conversation

@leonardoce
Contributor

@leonardoce leonardoce commented Oct 9, 2025

When the certificate parser failed, the log only contained a generic error message, making it difficult to diagnose the underlying problem.

This patch introduces a dedicated parsing step that captures and logs the specific parsing error, improving observability and troubleshooting.

This change is especially relevant after the fix for CVE-2025-58187 included in Go 1.25.2 and 1.24.8, which increases the likelihood of parsing failures if a DNS Subject Alternative Name in the certificate is invalid.

Closes: #8800
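The following is an added illustration of the logging change the description talks about; it is not code from this pull request or from the cloudnative-pg project. It contrasts a "before" parser that collapses every failure into one generic error with an "after" parser that keeps a dedicated parsing step, wraps the specific crypto/x509 error and logs it. The names (ErrInvalidServerCert, parseGeneric, parseDetailed, selfSignedPEM, malformedPEM) and both inputs (a self-signed certificate generated in memory and a PEM envelope around bytes that are not a certificate) are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"log"
	"math/big"
	"time"
)

// ErrInvalidServerCert stands in for the generic error an operator saw before
// the change: it says parsing failed, but not why. (Hypothetical name.)
var ErrInvalidServerCert = errors.New("invalid server certificate")

// parseGeneric mirrors the pre-patch behaviour the PR describes: any failure
// collapses into the sentinel and the x509 parse error is thrown away.
func parseGeneric(pemData []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemData)
	if block == nil {
		return nil, ErrInvalidServerCert
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, ErrInvalidServerCert
	}
	return cert, nil
}

// parseDetailed is the pattern the PR introduces: a dedicated parsing step that
// keeps the crypto/x509 error, wraps it so callers can still match the sentinel
// with errors.Is, and logs the wrapped error for troubleshooting.
func parseDetailed(pemData []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemData)
	if block == nil {
		err := fmt.Errorf("%w: no PEM block found in input", ErrInvalidServerCert)
		log.Printf("certificate parsing failed: %v", err)
		return nil, err
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		// A certificate rejected for an invalid DNS SAN (the case the PR
		// mentions) lands here; surfacing err is what makes it diagnosable.
		wrapped := fmt.Errorf("%w: %v", ErrInvalidServerCert, err)
		log.Printf("certificate parsing failed: %v", wrapped)
		return nil, wrapped
	}
	return cert, nil
}

// selfSignedPEM builds a throwaway self-signed certificate in memory so the
// example runs offline (constructed input, not a real deployment certificate).
func selfSignedPEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.invalid"},
		DNSNames:     []string{"example.invalid"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// malformedPEM is a valid PEM envelope around DER that is not a certificate
// (constructed), so it is the x509 parser itself that fails, not pem.Decode.
var malformedPEM = pem.EncodeToMemory(&pem.Block{
	Type:  "CERTIFICATE",
	Bytes: []byte{0x30, 0x03, 0x02, 0x01, 0x01},
})

func main() {
	good, err := selfSignedPEM()
	if err != nil {
		log.Fatal(err)
	}
	if cert, err := parseDetailed(good); err == nil {
		fmt.Println("parsed OK, DNS SANs:", cert.DNSNames)
	}
	_, genericErr := parseGeneric(malformedPEM)
	fmt.Println("before:", genericErr)
	_, detailedErr := parseDetailed(malformedPEM)
	fmt.Println("after: ", detailedErr)
}
```

Wrapping with `%w` keeps the sentinel matchable by `errors.Is`, so existing callers that branch on the generic error keep working while the log line gains the actual `x509:` reason.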

@leonardoce leonardoce requested a review from a team as a code owner October 9, 2025 11:22
@dosubot dosubot bot added the size:S This PR changes 10-29 lines, ignoring generated files. label Oct 9, 2025
@cnpg-bot cnpg-bot added backport-requested ◀️ This pull request should be backported to all supported releases release-1.25 release-1.26 release-1.27 labels Oct 9, 2025
@github-actions
Contributor

github-actions bot commented Oct 9, 2025

❗ By default, the pull request is configured to backport to all release branches.

  • To stop backporting this PR, remove the label: backport-requested ◀️ or add the label 'do not backport'
  • To stop backporting this PR to a certain release branch, remove the specific branch label: release-x.y

@dosubot dosubot bot added the enhancement 🪄 New feature or request label Oct 9, 2025
@mnencia
Member

mnencia commented Oct 9, 2025

/test

@github-actions
Contributor

github-actions bot commented Oct 9, 2025

@mnencia, here's the link to the E2E on CNPG workflow run: https://github.com/cloudnative-pg/cloudnative-pg/actions/runs/18375598110

@dosubot dosubot bot added the lgtm This PR has been approved by a maintainer label Oct 9, 2025
@mnencia mnencia force-pushed the certificate-error branch from 148293d to 47e84a1 October 9, 2025 12:52
@dosubot dosubot bot added size:M This PR changes 30-99 lines, ignoring generated files. and removed size:S This PR changes 10-29 lines, ignoring generated files. labels Oct 9, 2025
@armru armru force-pushed the certificate-error branch from 652fc4d to 3888381 October 9, 2025 13:21
@armru armru force-pushed the certificate-error branch from 3888381 to d6a9fa5 October 9, 2025 13:33
@mnencia mnencia force-pushed the certificate-error branch from d6a9fa5 to adc4b44 October 9, 2025 13:39
@armru armru force-pushed the certificate-error branch 2 times, most recently from 9b6bdb6 to 3d53741 October 9, 2025 13:45
@mnencia
Member

mnencia commented Oct 9, 2025

/ok-to-merge E2E failed for a known glitch in csi-hostpath driver

@mnencia mnencia added the ok to merge 👌 This PR can be merged label Oct 9, 2025
@gbartolini gbartolini changed the title feat: improve log message on certificate parsing error feat: enhance log message for certificate parsing errors Oct 9, 2025
leonardoce and others added 3 commits October 9, 2025 20:43
When the certificate parser failed, a generic error message was raised
in the log, without actually specifying what went wrong.

This makes understanding and ultimately fixing the issue really complex.

This patch improves the log message by having a separate parsing step
and recording the actual error.

Signed-off-by: Leonardo Cecchi <leonardo.cecchi@enterprisedb.com>
Signed-off-by: Armando Ruocco <armando.ruocco@enterprisedb.com>
Signed-off-by: Armando Ruocco <armando.ruocco@enterprisedb.com>
Signed-off-by: Armando Ruocco <armando.ruocco@enterprisedb.com>
@mnencia mnencia merged commit 3a1423e into cloudnative-pg:main Oct 9, 2025
30 checks passed
cnpg-bot pushed a commit that referenced this pull request Oct 9, 2025
When the certificate parser failed, the log only contained a generic
error message, making it difficult to diagnose the underlying problem.

This patch introduces a dedicated parsing step that captures and logs
the specific parsing error, improving observability and troubleshooting.

This change is especially relevant after the fix for `CVE-2025-58187`
included in Go 1.25.2 and 1.24.8, which increases the likelihood of
parsing failures if a DNS Subject Alternative Name in the certificate is
invalid.

Closes: #8800

Signed-off-by: Leonardo Cecchi <leonardo.cecchi@enterprisedb.com>
Signed-off-by: Armando Ruocco <armando.ruocco@enterprisedb.com>
Co-authored-by: Armando Ruocco <armando.ruocco@enterprisedb.com>
(cherry picked from commit 3a1423e)
cnpg-bot pushed a commit that referenced this pull request Oct 9, 2025
cnpg-bot pushed a commit that referenced this pull request Oct 9, 2025
THE-BRAHMA pushed a commit to THE-BRAHMA/cloudnative-pg that referenced this pull request Oct 30, 2025
…-pg#8801)

Closes: cloudnative-pg#8800

Signed-off-by: Leonardo Cecchi <leonardo.cecchi@enterprisedb.com>
Signed-off-by: Armando Ruocco <armando.ruocco@enterprisedb.com>
Co-authored-by: Armando Ruocco <armando.ruocco@enterprisedb.com>
Signed-off-by: theBrahma <office.utpal.brahma@gmail.com>

Development

Successfully merging this pull request may close these issues.

[Bug]: Error while parsing server certificate for mTLS authentication