Lack of information when missing a DNS domain

[ben-ballot]

Bug Description

If you create a user managing a domain not managed by the charm, the error on the client is not straightforward.

• Client side using httprequest-lego-k8s charm latest/stable rev 99

unit-httprequest-lego-k8s-0: 14:20:59 DEBUG unit.httprequest-lego-k8s/0.juju-log failed to validate databag: {'csr-edge.launchpad.net': '-----BEGIN CERTIFICATE REQUEST-----\nMIICwTCCAakCAQAwTDEbMBkGA1UEAwwSZWRnZS5sYXVuY2hwYWQubmV0MS0wKwYD\nVQQtDCRkZWNiZjQ0Yi01NDEzLTQxOTUtOGQ2YS0zNzIzYjBkN2ZhZTIwggEiMA0G\nCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDGUnwr9UOfwGlttmK7/OA6WeurRhB6\nTIDfVcDvLXx2rAMkkvjtH9ZZvSAWMSnAtzsHQOpgXy4EUus47umSdt0+Z8xP3PCc\nIma99ukMDQblQ0o5XFl9DEhQiZ3bfoT7O7dxE1RvRoeTRmlkWEjlmwdBtXVBdWJQ\nevNFUFjktnZdxFOsOQSOilmdVCnzJCOYnm5AcJRhS2GNFAO+A4/o0HBB7PyhL0tc\nDQspi82/sJWLLj3WvuC/I2GQdjz8LRS1qfq4dszi3pIith6GxSLPFKlXG/AGmtrX\n5U6TLRqnLUP3+aekP6lNXSVhqxwEH2ZRV0HY7QGlfB4TrC1aaLiIJVazAgMBAAGg\nMDAuBgkqhkiG9w0BCQ4xITAfMB0GA1UdEQQWMBSCEmVkZ2UubGF1bmNocGFkLm5l\ndDANBgkqhkiG9w0BAQsFAAOCAQEAoyDRKqS/acoOOk8xsi9MsePoLU4VZn+pG0ng\n6fe48wxp1hlQy/c6CmlH7L0Ju20aH9exhP37lBNy7mMJacakkVnXbDfOOB1AoNzl\nsP08HHWQWyV4J01HEm9vAT95C0fDX1AJAICRTyPreyql5bBLVcI7cp2TxZ8rayff\nIq+Za3tCPZQpVjIpsl78FJ2oDJMk1Ltj8QEmnfJIjgzOJetmhy01bLGCFfKF8ns8\nls1qDea0qCi/Cboy6ENLtj6KUASApQP2QnlmY9WUabBshVogBy4Hjqfkn82boOKo\nIACzjF9x/YXKJ8UecW4Mk5QFPC9c+eKE13rSUbdUkY+iWAe8lQ==\n-----END CERTIFICATE REQUEST-----\n'}
Traceback (most recent call last):
  File "/var/lib/juju/agents/unit-httprequest-lego-k8s-0/charm/lib/charms/tls_certificates_interface/v4/tls_certificates.py", line 237, in load
    return cls.model_validate_json(json.dumps(data))
  File "/var/lib/juju/agents/unit-httprequest-lego-k8s-0/charm/venv/pydantic/main.py", line 597, in model_validate_json
    return cls.__pydantic_validator__.validate_json(json_data, strict=strict, context=context)
pydantic_core._pydantic_core.ValidationError: 1 validation error for _RequirerData
certificate_signing_requests
  Field required [type=missing, input_value={}, input_type=dict]
    For further information visit https://errors.pydantic.dev/2.8/v/missing
unit-httprequest-lego-k8s-0: 14:20:59 DEBUG unit.httprequest-lego-k8s/0.juju-log Invalid requirer relation data for nginx-ingress-integrator
unit-httprequest-lego-k8s-0: 14:22:56 DEBUG unit.httprequest-lego-k8s/0.juju-log failed to validate databag: {}
Traceback (most recent call last):
  File "/var/lib/juju/agents/unit-httprequest-lego-k8s-0/charm/lib/charms/tls_certificates_interface/v4/tls_certificates.py", line 237, in load
    return cls.model_validate_json(json.dumps(data))
  File "/var/lib/juju/agents/unit-httprequest-lego-k8s-0/charm/venv/pydantic/main.py", line 597, in model_validate_json
    return cls.__pydantic_validator__.validate_json(json_data, strict=strict, context=context)
pydantic_core._pydantic_core.ValidationError: 1 validation error for _ProviderApplicationData
certificates
  Field required [type=missing, input_value={}, input_type=dict]
    For further information visit https://errors.pydantic.dev/2.8/v/missing

• Server using httprequest-lego-provider charm latest/edge rev 31 side you have this in the django-app pod logs

2025-04-28T13:41:35.959Z [django] Internal Server Error: /cleanup              
2025-04-28T13:41:35.959Z [django] Traceback (most recent call last):                     
2025-04-28T13:41:35.959Z [django]   File "/lib/python3.10/site-packages/django/core/handlers/exception.py", line 55, in inner
2025-04-28T13:41:35.959Z [django]     response = get_response(request)             
2025-04-28T13:41:35.959Z [django]   File "/lib/python3.10/site-packages/django/core/handlers/base.py", line 197, in _get_response
2025-04-28T13:41:35.959Z [django]     response = wrapped_callback(request, *callback_args, **callback_kwargs)
2025-04-28T13:41:35.959Z [django]   File "/lib/python3.10/site-packages/django/views/decorators/csrf.py", line 56, in wrapper_view
2025-04-28T13:41:35.959Z [django]     return view_func(*args, **kwargs)                                                                                                                                                                                       
2025-04-28T13:41:35.959Z [django]   File "/lib/python3.10/site-packages/django/views/generic/base.py", line 104, in view    
2025-04-28T13:41:35.959Z [django]     return self.dispatch(request, *args, **kwargs)                                                                                                                                                                          
2025-04-28T13:41:35.959Z [django]   File "/lib/python3.10/site-packages/rest_framework/views.py", line 509, in dispatch     
2025-04-28T13:41:35.959Z [django]     response = self.handle_exception(exc)                                                                                                                                                                                   
2025-04-28T13:41:35.959Z [django]   File "/lib/python3.10/site-packages/rest_framework/views.py", line 469, in handle_exception 
2025-04-28T13:41:35.959Z [django]     self.raise_uncaught_exception(exc)                                                                                                                                                                                      
2025-04-28T13:41:35.959Z [django]   File "/lib/python3.10/site-packages/rest_framework/views.py", line 480, in raise_uncaught_exception
2025-04-28T13:41:35.959Z [django]     raise exc
2025-04-28T13:41:35.959Z [django]   File "/lib/python3.10/site-packages/rest_framework/views.py", line 506, in dispatch
2025-04-28T13:41:35.959Z [django]     response = handler(request, *args, **kwargs)
2025-04-28T13:41:35.959Z [django]   File "/lib/python3.10/site-packages/rest_framework/decorators.py", line 50, in handler
2025-04-28T13:41:35.959Z [django]     return func(*args, **kwargs)
2025-04-28T13:41:35.959Z [django]   File "/django/app/httprequest_lego_provider/views.py", line 71, in handle_cleanup
2025-04-28T13:41:35.959Z [django]     remove_dns_record(domain.fqdn)
2025-04-28T13:41:35.959Z [django]   File "/django/app/httprequest_lego_provider/dns.py", line 142, in remove_dns_record
2025-04-28T13:41:35.959Z [django]     content = dns_record_file.read_text("utf-8")
2025-04-28T13:41:35.959Z [django]   File "/usr/lib/python3.10/pathlib.py", line 1134, in read_text
2025-04-28T13:41:35.959Z [django]     with self.open(mode='r', encoding=encoding, errors=errors) as f:
2025-04-28T13:41:35.959Z [django]   File "/usr/lib/python3.10/pathlib.py", line 1119, in open
2025-04-28T13:41:35.959Z [django]     return self._accessor.open(self, mode, buffering, encoding, errors,
2025-04-28T13:41:35.959Z [django] FileNotFoundError: [Errno 2] No such file or directory: '/tmp/tmpufojuumy/launchpad.net.domain'

So while investigating on the server side provides some hints on the issue, it's not really clear for the end user

To Reproduce

1. Pick a DNS name using a domain not managed by the httprequest-lego-provider charm
2. use the allow-domains action to allow a user to manage this DNS

Environment

Answered above for the charm channel and revision

Relevant log output

See above

Additional context

No response

[seb4stien]

Thanks for reporting it. We created a corresponding item in our internal backlog: https://warthogs.atlassian.net/browse/ISD-3379

[swetha1654]

@ben-ballot i took a look at this issue and the issue arises because launchpad.net.domain file is not present in the external git repo configured in the httprequest-lego-provider charm. Now we could either:

1. Have the charm create the .domain file for a new domain if it does not exist.
2. Have IS create the .domain file manually. From the httprequest-lego-provider's perspective, it would assume that the .domain file for a give domain would always be present.

I checked with the team internally and they mentioned that it would be good to check with IS how they want the charm to behave. So would appreciate your input here. Thanks!

[syncronize-issues-to-jira]

Thank you for reporting your feedback to us!

The internal ticket has been created: https://warthogs.atlassian.net/browse/ISD-4097.

This message was autogenerated

[alexdlukens]

@swetha1654 Following up from IS side. I think having IS create the .domain file manually would make sense here, since our DNS servers are only authoritative for certain domains. Nothing would stop a client from requesting a cert for testing.google.com but this would surely fail validation. But to @ben-ballot 's point, the error could be more descriptive that the domain is not configured.

e.g. Error: launchpad.net.domain file not found in git repository. Is this site configured for DNS?.

Also is there any way to communicate this error to the lego charm requesting the certificate? Instead of just having a pydantic validation error

Thanks

[swetha1654]

@alexdlukens Thanks for the response. Let me raise a PR to make the error message a bit more clear.
WRT to the response back to LEGO, the httprequest-lego-provider code is executed when the LEGO workload makes a API call to the charm. We would perhaps make the error message clear in the API response, and the LEGO charm would have to ensure to log the API outputs properly.