fix: usr: Provide more visibility into configuration errors

by logging SSL_CTX_use_certificate_chain_file and SSL_CTX_use_PrivateKey_file errors individually.

Closes #5008

Merge branch '5008-provide-more-visibility-into-ssl-errors' into 'main'

See merge request isc-projects/bind9!9683

lib/isc/tls.c

@@ -147,10 +147,25 @@ isc_tlsctx_load_certificate(isc_tlsctx_t *ctx, const char *keyfile,
 
 	rv = SSL_CTX_use_certificate_chain_file(ctx, certfile);
 	if (rv != 1) {
+		unsigned long err = ERR_peek_last_error();
+		char errbuf[1024] = { 0 };
+		ERR_error_string_n(err, errbuf, sizeof(errbuf));
+		isc_log_write(
+			ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_NETMGR,
+			ISC_LOG_ERROR,
+			"SSL_CTX_use_certificate_chain_file: '%s' failed: %s",
+			certfile, errbuf);
 		return ISC_R_TLSERROR;
 	}
 	rv = SSL_CTX_use_PrivateKey_file(ctx, keyfile, SSL_FILETYPE_PEM);
 	if (rv != 1) {
+		unsigned long err = ERR_peek_last_error();
+		char errbuf[1024] = { 0 };
+		ERR_error_string_n(err, errbuf, sizeof(errbuf));
+		isc_log_write(ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_NETMGR,
+			      ISC_LOG_ERROR,
+			      "SSL_CTX_use_PrivateKey_file: '%s' failed: %s",
+			      keyfile, errbuf);
 		return ISC_R_TLSERROR;
 	}