Make error messages in https://crt.sh/ocsp-responders 'traceable'

[RufusJWB]

We get plenty of messages in the columns 'Response' of https://crt.sh/ocsp-responders . It is very hard to understand, where these messages are coming from. Some seem to come from the network stack (e.g. those starting with HTTP), but many are not traceable ("unkown", "unauthorized", "verification error", "eof", "time out"). It would be great, if we could get more speaking messages, like in crtsh/libocsppq#1 ?

[robstradling]

Addressed by 903a5b5

[RufusJWB]

Addressed by 903a5b5

Thank you! At some steps the source of the error message is still missing:

[robstradling]

@RufusJWB After a first attempt at implementing this I decided that adding error context for everything was too noisy (e.g., "ocsp.ParseResponseForCert => Good" looks worse than "Good"), so I ultimately decided to add error context only for "real" errors. You managed to grab that screenshot before ocsp_monitor had caught up with that decision. In the code I actually committed, OCSP response codes aren't shown with any context.

[robstradling]

Perhaps "Status => Good", "Status => unauthorized", etc, would be clearer? WDYT, @RufusJWB?

[RufusJWB]

Perhaps "Status => Good", "Status => unauthorized", etc, would be clearer? WDYT, @RufusJWB?

My target is to understand where an error message is coming from: e.g. the network, the HTTP server or the OCSP responder. So maybe something like this would be possible:

• If no network connection at all can be created, e.g. because the OCSP URL can't be resolved, the URL is malformed or the server is not answering you use "Network ==> " as a prefix to the error message
• If a network connection can be created and the OCSP responder is replying, but not with an HTTP200 you use "OCSP Responder ==> " as a prefix followed by the returned HTTP code
• If the OCSP responder replies with an HTTP200, but there is a problem with parsing the result, you use "OCSP Parser ==>" as prefix
• If the OCSP answer can be parsed, you use as prefix "OCSP response ==>"

What do you think?

If this works, I expect some new bugs to be created in Bugzilla...