This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Don't put remote certificate errors into the log #5684

Closed
jo-so opened this issue Jul 14, 2019 · 2 comments
Labels
A-Logging Synapse's logs (structured or otherwise). Not metrics.


jo-so commented Jul 14, 2019

Description

I'm having tons of warnings in the log which aren't useful

2019-07-14 17:41:18,489 - synapse.http.matrixfederationclient - 482 - WARNING - PUT-61673- {GET-O-1430} [matrix.sebdu.de] Request failed: GET matrix://matrix.sebdu.de/_matrix/key/v2/server/ed25519%3Aa_vZnw: ResponseNeverReceived:[Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])]
2019-07-14 17:41:18,489 - synapse.crypto.keyring - 792 - WARNING - PUT-61673- Error looking up keys {'ed25519:a_vZnw': 1563118872464} from matrix.sebdu.de: Failed to connect to remote server
2019-07-14 17:41:18,490 - synapse.federation.transport.server - 286 - WARNING - PUT-61673- authenticate_request failed: 401: No key for matrix.sebdu.de with ids in ['ed25519:a_vZnw'] (min_validity 1563118872464)

To find failed requests, the log message with 'certificate verify failed' is enough. These warnings aren't needed.

Proposed patch: 0001-federation-client-Don-t-put-remote-certificate-error.patch.txt

Version information

  • Version: 1.0.0-2
  • Install method: apt install matrix-synapse
  • Platform: Debian/stable

jo-so commented Jul 15, 2019

For synapse/http/matrixfederationclient.py:_send_request (line 479) it might be better to reduce the log level to info. All of the raised messages aren't useful for Synapse admins, because they are problems on the remote site:

% LC_ALL=C journalctl --no-hostname --since=2019-07-01 -o verbose --output-fields=CODE_ARGS CODE_FUNC=_send_request |grep CODE |cut -f5- -d, |sed "/b'[^']*'/s//b''/; /DNSServerError/s/DNSServerError.*/DNSServerError/" |sort |uniq -c |sort -n  
      1  'ConnectError(<twisted.python.failure.Failure twisted.internet.error.ConnectionDone: Connection was closed cleanly.>)')
      1  "RequestTransmissionFailed:[ConnectionLost('Connection lost')]")
      2  'HttpResponseException("520: b\'Origin Error\'")')
      3  'HttpResponseException("401: b\'Unauthorized\'")')
      4  "DNSLookupError('no results for hostname lookup: it-zirkel')")
      5  'HttpResponseException("526: b\'Origin SSL Certificate Error\'")')
      7  "ResponseNeverReceived:[Error([('SSL routines', 'ssl3_get_record', 'wrong version number')])]")
      8  'HttpResponseException("502: b\'Bad Gateway\'")')
      8  'HttpResponseException("522: b\'Origin Connection Time-out\'")')
      9  "ConnectingCancelledError(HostnameAddress(hostname=b'', port=443))")
     15  'HttpResponseException("503: b\'Service Unavailable\'")')
     26  "DNSServerError
     34  'HttpResponseException("404: b\'Not Found\'")')
     52  "TimeoutError('')")
     54  'HttpResponseException("500: b\'Internal Server Error\'")')
    100  "ConnectError('No route to host')")
    165  "TimeoutError(10.0, 'Deferred')")
    256  'ResponseNeverReceived:[CancelledError()]')
    525  "ConnectingCancelledError(HostnameAddress(hostname=b'', port=8448))")
    748  "ConnectionRefusedError('Connection refused')")
    960  "ResponseNeverReceived:[VerificationError(errors=[DNSMismatch(mismatched_id=DNS_ID(hostname=b''))])]")
   3808  "ResponseNeverReceived:[Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])]")
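
The tally above counts error strings only; keeping the destination as well separates remote TLS identity failures (`certificate verify failed`, `DNSMismatch`) from plain connectivity noise. The following is an added example, not part of the issue or of Synapse: the bucket names and the `a.example`/`b.example` log lines are constructed, and the regex assumes the `Request failed` line format quoted in the first comment.

```python
import re
from collections import Counter

# Matches the "Request failed" warning format quoted in the issue.
LINE_RE = re.compile(
    r"- synapse\.http\.matrixfederationclient - \d+ - WARNING - .*?"
    r"\[(?P<host>[^\]]+)\] Request failed: \w+ \S+: (?P<err>.*)$")

# This example's own grouping of the error strings; first match wins.
BUCKETS = [
    ("tls-verify", ("certificate verify failed", "VerificationError")),
    ("tls-protocol", ("wrong version number",)),
    ("http-status", ("HttpResponseException",)),
    ("dns", ("DNSLookupError", "DNSServerError")),
]

def classify(err):
    for name, needles in BUCKETS:
        if any(n in err for n in needles):
            return name
    return "network"  # refused, timed out, cancelled, no route to host

def triage(lines):
    """Count failures per (destination, bucket); other log lines are skipped."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            counts[(m["host"], classify(m["err"]))] += 1
    return counts

def tls_verify_hosts(counts):
    """Destinations whose certificate failed validation, most frequent first."""
    hits = Counter({h: n for (h, b), n in counts.items() if b == "tls-verify"})
    return hits.most_common()

# The first two lines are from the issue; the rest are constructed samples.
P = "2019-07-14 17:41:19,000 - synapse.http.matrixfederationclient - 482 - WARNING - PUT-1- {GET-O-1} "
SAMPLE = [
    "2019-07-14 17:41:18,489 - synapse.http.matrixfederationclient - 482 - WARNING - PUT-61673- {GET-O-1430} [matrix.sebdu.de] Request failed: GET matrix://matrix.sebdu.de/_matrix/key/v2/server/ed25519%3Aa_vZnw: ResponseNeverReceived:[Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])]",
    "2019-07-14 17:41:18,489 - synapse.crypto.keyring - 792 - WARNING - PUT-61673- Error looking up keys {'ed25519:a_vZnw': 1563118872464} from matrix.sebdu.de: Failed to connect to remote server",
    P + "[a.example] Request failed: GET matrix://a.example/_matrix/key/v2/server/k: ResponseNeverReceived:[VerificationError(errors=[DNSMismatch(mismatched_id=DNS_ID(hostname=b'a.example'))])]",
    P + "[a.example] Request failed: GET matrix://a.example/_matrix/key/v2/server/k: ResponseNeverReceived:[Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])]",
    P + "[b.example] Request failed: GET matrix://b.example/_matrix/key/v2/server/k: ConnectionRefusedError('Connection refused')",
    P + "[it-zirkel] Request failed: GET matrix://it-zirkel/_matrix/key/v2/server/k: DNSLookupError('no results for hostname lookup: it-zirkel')",
]

if __name__ == "__main__":
    print(tls_verify_hosts(triage(SAMPLE)))
```
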

@richvdh richvdh added the A-Logging Synapse's logs (structured or otherwise). Not metrics. label Jan 3, 2020

richvdh commented Jan 3, 2020

I agree that sometimes synapse can be verbose, but I think there is useful information in these errors, and I don't think swallowing them is the right answer.
