
Better error messages when PKCS12 import fails

Nils Maier 12 년 전
부모
커밋
4a1d186962
2개의 변경된 파일15개의 추가작업 그리고 9개의 파일을 삭제
  1. 3 1
      src/LibgnutlsTLSContext.cc
  2. 12 8
      src/LibsslTLSContext.cc

+ 3 - 1
src/LibgnutlsTLSContext.cc

@@ -119,7 +119,9 @@ bool GnuTLSContext::addP12CredentialFile(const std::string& p12file)
   int err = gnutls_certificate_set_x509_simple_pkcs12_mem(
       certCred_, &data, GNUTLS_X509_FMT_DER, "");
   if (err != GNUTLS_E_SUCCESS) {
-    A2_LOG_ERROR("Failed to import pkcs12");
+    A2_LOG_ERROR("Failed to import PKCS12 file. "
+                 "If you meant to use PEM, you'll also have to specify "
+                 "--rpc-private-key. See the manual.");
     return false;
   }
   return true;
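Review bot: The new message in the `err != GNUTLS_E_SUCCESS` branch still discards `err`, so the log points at PEM even when the import failed for another reason, for example a file protected by a non-empty import password (the call passes `""`). Including the library's own description would let an operator tell these cases apart, e.g. `A2_LOG_ERROR(fmt("Failed to import PKCS12 file: %s. If you meant to use PEM, ...", gnutls_strerror(err)));`, assuming `fmt` is available in this file as it is in the OpenSSL backend. The body of addP12CredentialFile starts outside the hunk, so how `data` is filled is not visible here.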

+ 12 - 8
src/LibsslTLSContext.cc

@@ -161,12 +161,14 @@ bool OpenSSLTLSContext::addP12CredentialFile(const std::string& p12file)
   bio_t bio(BIO_new_mem_buf(ptr, len));
 
   if (!bio) {
-    A2_LOG_ERROR("Failed to open p12 file: no memory");
+    A2_LOG_ERROR("Failed to open PKCS12 file: no memory.");
     return false;
   }
   p12_t p12(d2i_PKCS12_bio(bio.get(), nullptr));
   if (!p12) {
-    A2_LOG_ERROR(fmt("Failed to open p12 file: %s",
+    A2_LOG_ERROR(fmt("Failed to open PKCS12 file: %s. "
+                     "If you meant to use PEM, you'll also have to specify "
+                     "--rpc-private-key. See the manual.",
                      ERR_error_string(ERR_get_error(), nullptr)));
     return false;
   }
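Review bot: The PEM hint added to the `d2i_PKCS12_bio` failure is the same three-line literal that is repeated in the `PKCS12_parse` branch of the next hunk and in src/LibgnutlsTLSContext.cc; hoisting it into one shared constant would keep the copies from drifting apart. A comment on the `!p12` branch such as `// DER decoding failed: input is not a PKCS12 container (PEM input ends up here)` would record why the hint belongs at this point. The opening lines of the function, where `ptr` and `len` are produced, are outside the hunk.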
@@ -174,7 +176,9 @@ bool OpenSSLTLSContext::addP12CredentialFile(const std::string& p12file)
   X509 *cert;
   STACK_OF(X509) *ca = 0;
   if (!PKCS12_parse(p12.get(), "", &pkey, &cert, &ca)) {
-    A2_LOG_ERROR(fmt("Failed to parse p12 file: %s",
+    A2_LOG_ERROR(fmt("Failed to parse PKCS12 file: %s. "
+                     "If you meant to use PEM, you'll also have to specify "
+                     "--rpc-private-key. See the manual.",
                      ERR_error_string(ERR_get_error(), nullptr)));
     return false;
   }
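Review bot: The PEM hint on the `PKCS12_parse` failure is likely misleading, because this branch is reached only after `d2i_PKCS12_bio` has already decoded the input as PKCS12 in the previous hunk. With the password argument fixed to `""`, the more probable cause here is a file protected by a non-empty import password, and the message would send the operator looking for `--rpc-private-key` instead. Suggested wording: `"Failed to parse PKCS12 file: %s. The file must have an empty import password."`. The declaration of `pkey` and the start of the function lie outside the hunk.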
@@ -184,27 +188,27 @@ bool OpenSSLTLSContext::addP12CredentialFile(const std::string& p12file)
   x509_sk_t ca_holder(ca);
 
   if (!pkey || !cert) {
-    A2_LOG_ERROR(fmt("Failed to use p12 file: no pkey or cert %s",
+    A2_LOG_ERROR(fmt("Failed to use PKCS12 file: no pkey or cert %s",
                      ERR_error_string(ERR_get_error(), nullptr)));
     return false;
   }
   if (!SSL_CTX_use_PrivateKey(sslCtx_, pkey)) {
-    A2_LOG_ERROR(fmt("Failed to use p12 file pkey: %s",
+    A2_LOG_ERROR(fmt("Failed to use PKCS12 file pkey: %s",
                       ERR_error_string(ERR_get_error(), nullptr)));
     return false;
   }
   if (!SSL_CTX_use_certificate(sslCtx_, cert)) {
-    A2_LOG_ERROR(fmt("Failed to use p12 file cert: %s",
+    A2_LOG_ERROR(fmt("Failed to use PKCS12 file cert: %s",
                       ERR_error_string(ERR_get_error(), nullptr)));
     return false;
   }
   if (ca && sk_X509_num(ca) && !SSL_CTX_add_extra_chain_cert(sslCtx_, ca)) {
-    A2_LOG_ERROR(fmt("Failed to use p12 file chain: %s",
+    A2_LOG_ERROR(fmt("Failed to use PKCS12 file chain: %s",
                       ERR_error_string(ERR_get_error(), nullptr)));
     return false;
   }
 
-  A2_LOG_INFO("Using certificate and key from p12 file");
+  A2_LOG_INFO("Using certificate and key from PKCS12 file");
   return true;
 }
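Review bot: `SSL_CTX_add_extra_chain_cert(sslCtx_, ca)` is handed the whole `STACK_OF(X509)*`, while the OpenSSL API documents its second argument as a single `X509*`; it compiles only because the macro casts the pointer. The context would then store a stack pointer as if it were a certificate, and `ca_holder` presumably frees that stack when the function returns (its type is defined outside the hunk), so this call is worth fixing while its error message is being touched. On OpenSSL 1.0.2 or later `!SSL_CTX_set1_chain(sslCtx_, ca)` takes the stack directly and keeps its own references; on older versions each certificate has to be added individually with ownership handed over explicitly.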