
log common name when a cert is revoked

marco 1 سال پیش
والد
کامیت
e55d9ef5f3
2فایلهای تغییر یافته به همراه4 افزوده شده و 1 حذف شده
  1. 1 1
      pkg/apiserver/middlewares/v1/tls_auth.go
  2. 3 0
      test/bats/30_machines_tls.bats

+ 1 - 1
pkg/apiserver/middlewares/v1/tls_auth.go

@@ -271,7 +271,7 @@ func (ta *TLSAuth) ValidateCert(c *gin.Context) (bool, string, error) {
 		}
 
 		if revoked {
-			return false, "", fmt.Errorf("client certificate is revoked")
+			return false, "", fmt.Errorf("client certificate for %s is revoked", clientCert.Subject.CommonName)
 		}
 
 		ta.logger.Debugf("client OU %v is allowed vs required OU %v", clientCert.Subject.OrganizationalUnit, ta.AllowedOUs)
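Review bot: The common name in the new `return` under `if revoked` comes from the certificate the client presented and is formatted with `%s`, so any control characters or line breaks in the CN would reach whatever logs this error unescaped. Quoting it with `%q` keeps the log line intact: `return false, "", fmt.Errorf("client certificate for %q is revoked", clientCert.Subject.CommonName)`; the bats assertion on `client certificate for localhost is revoked` would then need the quotes added. A CN is not unique either, so, assuming `clientCert` is an `*x509.Certificate`, also including `clientCert.SerialNumber` would let an operator match the message to the CRL entry. Whether this error text is also sent back to the client cannot be seen here, since ValidateCert starts and ends outside the hunk.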

+ 3 - 0
test/bats/30_machines_tls.bats

@@ -138,6 +138,7 @@ teardown() {
 }
 
 @test "revoked cert for agent" {
+    truncate_log
     config_set "${CONFIG_DIR}/local_api_credentials.yaml" '
         .ca_cert_path=strenv(tmpdir) + "/bundle.pem" |
         .key_path=strenv(tmpdir) + "/agent_revoked-key.pem" |
@@ -148,6 +149,8 @@ teardown() {
     config_set "${CONFIG_DIR}/local_api_credentials.yaml" 'del(.login,.password)'
     ./instance-crowdsec start
     rune -1 cscli lapi status
+    assert_log --partial "client certificate is revoked by CRL"
+    assert_log --partial "client certificate for localhost is revoked"
     rune -0 cscli machines list -o json
     assert_output '[]'
 }