smallstep · marten-seemann · Jun 20, 2024 · Jun 20, 2024
diff --git a/api/api.go b/api/api.go
@@ -372,7 +372,7 @@ func Root(w http.ResponseWriter, r *http.Request) {
 	// Load root certificate with the
 	cert, err := mustAuthority(r.Context()).Root(sum)
 	if err != nil {
-		render.Error(w, r, errs.Wrapf(http.StatusNotFound, err, "%s was not found", r.RequestURI))
+		render.Error(w, r, errs.NotFoundErr(err, errs.WithMessage("root certificate with fingerprint %q was not found", sum)))
 		return
 	}
 

diff --git a/api/api_test.go b/api/api_test.go
@@ -835,20 +835,22 @@ func Test_Health(t *testing.T) {
 }
 
 func Test_Root(t *testing.T) {
+	const sha = "efc7d6b475a56fe587650bcdb999a4a308f815ba44db4bf0371ea68a786ccd36"
 	tests := []struct {
-		name       string
-		root       *x509.Certificate
-		err        error
-		statusCode int
+		name        string
+		root        *x509.Certificate
+		err         error
+		expectedMsg string
+		statusCode  int
 	}{
-		{"ok", parseCertificate(rootPEM), nil, 200},
-		{"fail", nil, fmt.Errorf("not found"), 404},
+		{"ok", parseCertificate(rootPEM), nil, "", 200},
+		{"fail", nil, fmt.Errorf("not found"), fmt.Sprintf("root certificate with fingerprint %q was not found", sha), 404},
 	}
 
 	// Request with chi context
 	chiCtx := chi.NewRouteContext()
-	chiCtx.URLParams.Add("sha", "efc7d6b475a56fe587650bcdb999a4a308f815ba44db4bf0371ea68a786ccd36")
-	req := httptest.NewRequest("GET", "http://example.com/root/efc7d6b475a56fe587650bcdb999a4a308f815ba44db4bf0371ea68a786ccd36", http.NoBody)
+	chiCtx.URLParams.Add("sha", sha)
+	req := httptest.NewRequest("GET", "http://example.com/root/"+sha, http.NoBody)
 	req = req.WithContext(context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx))
 
 	expected := []byte(`{"ca":"` + strings.ReplaceAll(rootPEM, "\n", `\n`) + `\n"}`)
@@ -873,6 +875,8 @@ func Test_Root(t *testing.T) {
 				if !bytes.Equal(bytes.TrimSpace(body), expected) {
 					t.Errorf("caHandler.Root Body = %s, wants %s", body, expected)
 				}
+			} else {
+				require.Contains(t, string(body), tt.expectedMsg)
 			}
 		})
 	}

diff --git a/test/integration/requestid_test.go b/test/integration/requestid_test.go
@@ -146,11 +146,9 @@ func Test_reflectRequestID(t *testing.T) {
 	var firstErr *errs.Error
 	if assert.ErrorAs(t, err, &firstErr) {
 		assert.Equal(t, 404, firstErr.StatusCode())
-		assert.Equal(t, "The requested resource could not be found. Please see the certificate authority logs for more info.", firstErr.Err.Error())
+		assert.Equal(t, `root certificate with fingerprint "invalid" was not found`, firstErr.Err.Error())
 		assert.NotEmpty(t, firstErr.RequestID)
 
-		// TODO: include the below error in the JSON? It's currently only output to the CA logs. Also see https://github.com/smallstep/certificates/pull/759
-		//assert.Equal(t, "/root/invalid was not found: certificate with fingerprint invalid was not found", apiErr.Msg)
 	}
 	assert.Nil(t, rootResponse)
 
@@ -159,7 +157,7 @@ func Test_reflectRequestID(t *testing.T) {
 	var secondErr *errs.Error
 	if assert.ErrorAs(t, err, &secondErr) {
 		assert.Equal(t, 404, secondErr.StatusCode())
-		assert.Equal(t, "The requested resource could not be found. Please see the certificate authority logs for more info.", secondErr.Err.Error())
+		assert.Equal(t, `root certificate with fingerprint "invalid" was not found`, secondErr.Err.Error())
 		assert.Equal(t, "reqID", secondErr.RequestID)
 	}
 	assert.Nil(t, rootResponse)