send acme logs to core

Author: t-aleksander

src/acme.rs

@@ -57,17 +57,19 @@ pub async fn run_acme_http01(
     progress_tx: mpsc::UnboundedSender<AcmeStep>,
 ) -> anyhow::Result<AcmeCertResult> {
     info!("Starting ACME HTTP-01 certificate issuance for domain: {domain}");
+    let env_label = if use_staging { "staging" } else { "production" };
+    info!("Using Let's Encrypt {env_label} environment");
 
     // Restore or create account.
     let (account, credentials) = if existing_credentials_json.is_empty() {
-        info!("Creating new ACME account");
+        info!("No stored ACME account found; creating a new one with Let's Encrypt");
         let builder = Account::builder().context("Failed to create ACME account builder")?;
         let dir_url = if use_staging {
             LetsEncrypt::Staging.url().to_owned()
         } else {
             LetsEncrypt::Production.url().to_owned()
         };
-        info!("Using ACME directory URL: {dir_url}");
+        info!("Registering account at ACME directory: {dir_url}");
         let (account, credentials) = builder
             .create(
                 &NewAccount {
@@ -80,6 +82,7 @@ pub async fn run_acme_http01(
             )
             .await
             .context("Failed to create ACME account")?;
+        info!("ACME account registered successfully");
         (account, credentials)
     } else {
         info!("Restoring existing ACME account from stored credentials");
@@ -90,6 +93,7 @@ pub async fn run_acme_http01(
             .from_credentials(creds)
             .await
             .context("Failed to restore ACME account from credentials")?;
+        info!("ACME account restored successfully");
         // After restoring there are no new credentials returned - re-serialize the same ones.
         let restored_creds: AccountCredentials =
             serde_json::from_str(&existing_credentials_json)
@@ -104,6 +108,7 @@ pub async fn run_acme_http01(
         .new_order(&NewOrder::new(&[Identifier::Dns(domain.clone())]))
         .await
         .context("Failed to create ACME order")?;
+    info!("ACME order placed for domain: {domain}");
 
     // Collect all (token, key_authorization) pairs we need to serve.
     let challenge_map: Arc<Mutex<HashMap<String, String>>> = Arc::new(Mutex::new(HashMap::new()));
@@ -175,7 +180,7 @@ pub async fn run_acme_http01(
         let token = challenge.token.clone();
         let key_auth = challenge.key_authorization().as_str().to_owned();
 
-        debug!("HTTP-01 challenge token: {token}");
+        info!("Preparing HTTP-01 challenge for domain: {domain} (token: {token})");
 
         {
             let mut map = challenge_map.lock().unwrap();
@@ -186,32 +191,36 @@ pub async fn run_acme_http01(
             .set_ready()
             .await
             .context("Failed to signal ACME challenge as ready")?;
+        info!("HTTP-01 challenge signalled as ready; waiting for Let's Encrypt to validate");
     }
 
     // LE will now attempt HTTP-01 validation against our challenge server.
     let _ = progress_tx.send(AcmeStep::ValidatingDomain);
+    info!("Polling Let's Encrypt for domain validation result...");
 
     // Wait for the order to become ready for finalization.
     let status = order
         .poll_ready(&RetryPolicy::default())
         .await
         .context("ACME order did not become ready")?;
-    debug!("ACME order status after poll_ready: {status:?}");
+    info!("Domain validation complete, order status: {status:?}");
 
     server_handle.abort();
-    info!("ACME challenge server shut down");
+    info!("ACME challenge server shut down; port 80 released");
 
     if let Some(done_tx) = port80_permit {
         let _ = done_tx.send(());
     }
 
     // Domain validated; finalizing order and retrieving the certificate.
     let _ = progress_tx.send(AcmeStep::IssuingCertificate);
+    info!("Finalizing ACME order and requesting certificate issuance...");
 
     let key_pem = order
         .finalize()
         .await
         .context("Failed to finalize ACME order")?;
+    info!("ACME order finalized; polling for certificate...");
 
     // Poll until the certificate is issued.
     let cert_pem = order

src/grpc.rs

@@ -25,13 +25,14 @@ use tower::ServiceBuilder;
 use tracing::Instrument;
 
 use crate::{
-    MIN_CORE_VERSION, VERSION, acme,
+    LogsReceiver, MIN_CORE_VERSION, VERSION, acme,
     acme::Port80Permit,
     error::ApiError,
     http::{GRPC_CERT_NAME, GRPC_KEY_NAME},
     proto::{
-        AcmeCertificate, AcmeChallenge, AcmeIssueEvent, AcmeProgress, AcmeStep, CoreRequest,
-        CoreResponse, DeviceInfo, acme_issue_event, core_request, core_response, proxy_server,
+        AcmeCertificate, AcmeChallenge, AcmeIssueEvent, AcmeLogs, AcmeProgress, AcmeStep,
+        CoreRequest, CoreResponse, DeviceInfo, acme_issue_event, core_request, core_response,
+        proxy_server,
     },
 };
 
@@ -58,6 +59,9 @@ pub(crate) struct ProxyServer {
     /// `Some` only when the main HTTP server is bound to port 80.
     /// Used to hand off port 80 gracefully during ACME HTTP-01 challenges.
     port80_pause_tx: Option<mpsc::Sender<(oneshot::Sender<()>, oneshot::Receiver<()>)>>,
+    /// Shared log receiver - written by `GrpcLogLayer` for every tracing event.
+    /// Drained during ACME execution to collect proxy log lines for error reporting.
+    logs_rx: LogsReceiver,
 }
 
 impl ProxyServer {
@@ -69,6 +73,7 @@ impl ProxyServer {
         reset_tx: broadcast::Sender<()>,
         https_cert_tx: broadcast::Sender<(String, String)>,
         port80_pause_tx: Option<mpsc::Sender<(oneshot::Sender<()>, oneshot::Receiver<()>)>>,
+        logs_rx: LogsReceiver,
     ) -> Self {
         Self {
             cookie_key,
@@ -82,6 +87,7 @@ impl ProxyServer {
             reset_tx,
             https_cert_tx,
             port80_pause_tx,
+            logs_rx,
         }
     }
 
@@ -205,6 +211,7 @@ impl Clone for ProxyServer {
             reset_tx: self.reset_tx.clone(),
             https_cert_tx: self.https_cert_tx.clone(),
             port80_pause_tx: self.port80_pause_tx.clone(),
+            logs_rx: Arc::clone(&self.logs_rx),
         }
     }
 }
@@ -460,14 +467,21 @@ impl proxy_server::Proxy for ProxyServer {
 
         let (tx, rx) = mpsc::unbounded_channel::<Result<AcmeIssueEvent, Status>>();
 
-        // Emit the first progress step immediately — we are connected and about to start.
+        // Emit the first progress step immediately - we are connected and about to start.
         let _ = tx.send(Ok(AcmeIssueEvent {
             payload: Some(acme_issue_event::Payload::Progress(AcmeProgress {
                 step: AcmeStep::Connecting as i32,
             })),
         }));
 
+        // Drain any stale log entries accumulated before this ACME run started.
+        {
+            let mut rx_guard = self.logs_rx.lock().await;
+            while rx_guard.try_recv().is_ok() {}
+        }
+
         let pause_tx = self.port80_pause_tx.clone();
+        let logs_rx = Arc::clone(&self.logs_rx);
         tokio::spawn(async move {
             // Request a graceful hand-off of port 80 from the main HTTP server if it is bound
             // there, so the ACME challenge listener can bind.
@@ -505,7 +519,7 @@ impl proxy_server::Proxy for ProxyServer {
                         })),
                     };
                     if tx_fwd.send(Ok(event)).is_err() {
-                        // Core disconnected — stop forwarding.
+                        // Core disconnected - stop forwarding.
                         break;
                     }
                 }
@@ -538,6 +552,30 @@ impl proxy_server::Proxy for ProxyServer {
                 }
                 Err(err) => {
                     error!("ACME HTTP-01 failed for domain '{domain}': {err}");
+
+                    // Drain collected log lines and forward them to Core before the error status.
+                    let log_lines: Vec<String> = {
+                        let mut rx_guard = logs_rx.lock().await;
+                        let mut lines = Vec::new();
+                        while let Ok(entry) = rx_guard.try_recv() {
+                            lines.push(format!(
+                                "{} {} {}: message={}",
+                                entry.timestamp,
+                                entry.level.to_uppercase(),
+                                entry.target,
+                                entry.message
+                            ));
+                        }
+                        lines
+                    };
+                    if !log_lines.is_empty() {
+                        let _ = tx.send(Ok(AcmeIssueEvent {
+                            payload: Some(acme_issue_event::Payload::Logs(AcmeLogs {
+                                lines: log_lines,
+                            })),
+                        }));
+                    }
+
                     let _ = tx.send(Err(Status::internal(format!(
                         "ACME HTTP-01 certificate issuance failed: {err}"
                     ))));

src/http.rs

@@ -326,13 +326,19 @@ pub async fn run_server(
         (None, None)
     };
 
+    // Both the gRPC setup loop and the permanent ProxyServer
+    // share the same Arc<Mutex<Receiver<LogEntry>>> so they draw from the same channel.
+    let logs_rx = logs_rx
+        .ok_or_else(|| anyhow::anyhow!("Log receiver not available; cannot start server"))?;
+
     // connect to upstream gRPC server
     let grpc_server = ProxyServer::new(
         Arc::clone(&cookie_key),
         env_config.cert_dir.clone(),
         reset_tx,
         https_cert_tx,
         port80_pause_tx,
+        Arc::clone(&logs_rx),
     );
 
     // Preload existing TLS configuration so /api/v1/info can report "disconnected"
@@ -347,11 +353,6 @@ pub async fn run_server(
     // Start gRPC server.
     debug!("Spawning gRPC server task");
     tasks.spawn(async move {
-        let logs_rx = logs_rx.ok_or_else(|| {
-            anyhow::anyhow!(
-                "gRPC logs receiver not available for setup process; reset cannot be handled"
-            )
-        })?;
         let mut proxy_configuration = config;
 
         loop {
@@ -360,11 +361,7 @@ pub async fn run_server(
                 conf
             } else {
                 info!("gRPC certificates not found, running setup process");
-                let conf = run_setup(
-                    &env_config_clone,
-                    Arc::clone(&logs_rx),
-                )
-                .await?;
+                let conf = run_setup(&env_config_clone, Arc::clone(&logs_rx)).await?;
                 info!("Setup process completed successfully");
                 proxy_configuration = Some(conf.clone());
                 conf