Silent logs

[Julow]

I don't want to see what the ca-certs library does in my logs because it's generally too complex for me to understand and it generally just works.

The errors generated by fold_decode_pem_multiple are especially problematic because I cannot do anything about them and the authenticator works as intended anyway.

On NixOS, this message is repeated 175 times each time an authenticator is created:

my_app: [WARNING] Ignoring undecodable trust anchor: ignore non certificate.

[hannesm]

Hmm, so... The default log level is "warn/error" - you shouldn't by default see the info/debug messages.

Another thing is in Logs you can adjust the log level of each specific log source -- so in your application if you desire to shut up the ca-certs log source, you could:

let silence_ca_certs () =
  match List.find_opt (fun src -> String.equal (List.Src.name src) "ca-certs") (Logs.Src.list ()) with
  | Some src -> Logs.Src.set_level src None
  | None -> assert false

But I agree that what you see is unpleasant - and we should demote some of these messages to debug. Also the "ignore non certificate" isn't very useful - maybe in the fold we should collect the errors and only print a single warning. The same strategy should be applied to the windows_trust_anchors -- and finally the error message (originating from x509) should be improved.

Would that work for you -- to have a single warning that 25000 things have been ignored (and on debug level, you get an explanation for each one)?

[Julow]

Thanks for the snippet, that solves my immediate problem :)
Note: This is undone by the next call to Logs.set_level.
To make this easier, shouldn't the log source be exposed in the library ? After all, logs are side effects that user might want to control.

The default log level is "warn/error" - you shouldn't by default see the info/debug messages.

I also don't want these to show up in the verbose output of my app. I changed everything to the debug level because at that level cohttp is also extremely verbose and I might still want to see what's wrong with certificates sometimes.

Would that work for you -- to have a single warning that 25000 things have been ignored (and on debug level, you get an explanation for each one)?

That's not satisfying to me as ca-certs just works (everytime for now) or errors-out. I don't want to see a permanent warning that I can't fix and also doesn't mean anything about the state of my app.

Perhaps that's only the case for the "ignore non certificate" warning, which could be completely silented while keeping the other warnings ?
Looking at x509's code, I'm thinking that this is just the result of the library not understanding some feature of certificates that is also not needed.