[feature] Allow loading TLS certs from disk (#1586)

Currently, GtS only supports using the built-in LE client directly for
TLS. However, admins may still want to use GtS directly (so without a
reverse proxy) but with certificates provided through some other
mechanism. They may have some centralised way of provisioning these
things themselves, or simply prefer to use LE but with a different
challenge like DNS-01 which is not supported by autocert.

This adds support for loading a public/private keypair from disk instead
of using LE and reconfigures the server to use a TLS listener if we
succeed in doing so.

Additionally, being able to load TLS keypair from disk opens up the path
to using a custom CA for testing purposes avoinding the need for a
constellation of containers and something like Pebble or Step CA to
provide LE APIs.

1 files changed, 13 insertions, 0 deletions

diff --git a/internal/config/validate.go b/internal/config/validate.go
index 866ec1be1..2735a9229 100644
--- a/internal/config/validate.go
+++ b/internal/config/validate.go
@@ -67,6 +67,19 @@ func Validate() error {
 		errs = append(errs, fmt.Errorf("%s must be set", WebAssetBaseDirFlag()))
 	}
 
+	tlsChain := GetTLSCertificateChain()
+	tlsKey := GetTLSCertificateKey()
+	tlsChainFlag := TLSCertificateChainFlag()
+	tlsKeyFlag := TLSCertificateKeyFlag()
+
+	if GetLetsEncryptEnabled() && (tlsChain != "" || tlsKey != "") {
+		errs = append(errs, fmt.Errorf("%s cannot be enabled when %s and/or %s are also set", LetsEncryptEnabledFlag(), tlsChainFlag, tlsKeyFlag))
+	}
+
+	if (tlsChain != "" && tlsKey == "") || (tlsChain == "" && tlsKey != "") {
+		errs = append(errs, fmt.Errorf("%s and %s need to both be set or unset", tlsChainFlag, tlsKeyFlag))
+	}
+
 	if len(errs) > 0 {
 		errStrings := []string{}
 		for _, err := range errs {