func diagError()

in transport/httpcommon/diag.go [150:203]


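// diagError returns err's message with a short hint appended when the error
// matches a known TLS or scheme misconfiguration, and err.Error() unchanged
// otherwise. A nil err yields the empty string.
//
// Checks run from most to least specific. *url.Error is inspected last because
// the other error types can be wrapped inside it.
//
// Several checks compare against literal message text rather than typed
// errors. If that text changes, the check no longer matches and the function
// falls back to the plain error string. The hints are troubleshooting aids
// only: a "possible cause" is not a verified diagnosis, and a certificate
// hint is a prompt to correct the trust configuration rather than to relax
// verification.
//
// The result embeds the original error text, so callers that log it should
// handle it as they would the error itself.
func diagError(err error) string {
	// A diagnostics helper must not panic; without this guard the final
	// err.Error() call dereferences a nil interface.
	if err == nil {
		return ""
	}

	// The client cannot verify the signature algorithm used by the server.
	if errors.Is(err, x509.ErrUnsupportedAlgorithm) {
		return fmt.Sprintf("%v: caused by client does not support server's signature algorithm.", err)
	}

	// A reset during read can indicate a plain HTTP request sent to an HTTPS
	// server. The nil checks cover a typed-nil *net.OpError, which errors.As
	// would still match, and an OpError with no inner error.
	var netErr *net.OpError
	if errors.As(err, &netErr) && netErr != nil && netErr.Err != nil {
		if netErr.Err.Error() == "read: connection reset by peer" {
			return fmt.Sprintf("%v: possible cause: HTTP schema used for HTTPS server.", netErr)
		}
	}

	// The client has no CA that chains to the server certificate.
	var unknownAuthErr x509.UnknownAuthorityError
	if errors.As(err, &unknownAuthErr) {
		return fmt.Sprintf("%v: caused by no trusted client CA.", err)
	}

	// The CA is acceptable but the server certificate itself is not.
	var certValidErr x509.CertificateInvalidError
	if errors.As(err, &certValidErr) {
		return fmt.Sprintf("%v: caused by invalid server certificate.", certValidErr)
	}

	// Any other verification failure; can indicate that a custom CA is needed.
	var tlsErr *tls.CertificateVerificationError
	if errors.As(err, &tlsErr) {
		return fmt.Sprintf("%v: possible cause: client TLS settings incorrect.", tlsErr)
	}

	// Checked last because other failures can be embedded in a url.Error.
	// The "remote error: tls:" cases are alerts reported by the server about
	// the client's certificate.
	var uErr *url.Error
	if errors.As(err, &uErr) && uErr != nil && uErr.Err != nil {
		inner := uErr.Err.Error()
		switch {
		case strings.Contains(inner, "http: server gave HTTP response to HTTPS client"):
			return fmt.Sprintf("%v: caused by using HTTPS schema on HTTP server.", uErr)
		case strings.Contains(inner, "remote error: tls: certificate required"):
			return fmt.Sprintf("%v:  caused by missing mTLS client cert.", uErr)
		case strings.Contains(inner, "remote error: tls: expired certificate"):
			return fmt.Sprintf("%v: caused by expired mTLS client cert.", uErr)
		case strings.Contains(inner, "remote error: tls: bad certificate"):
			return fmt.Sprintf("%v: caused by invalid mTLS client cert, does the server trust the CA used for the client cert?.", uErr)
		}
	}

	return err.Error()
}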