[feature] Allow loading TLS certs from disk (#1586)

Currently, GtS only supports using the built-in LE client directly for TLS. However, admins may still want to use GtS directly (so without a reverse proxy) but with certificates provided through some other mechanism. They may have some centralised way of provisioning these things themselves, or simply prefer to use LE but with a different challenge like DNS-01 which is not supported by autocert. This adds support for loading a public/private keypair from disk instead of using LE and reconfigures the server to use a TLS listener if we succeed in doing so. Additionally, being able to load TLS keypair from disk opens up the path to using a custom CA for testing purposes avoinding the need for a constellation of containers and something like Pebble or Step CA to provide LE APIs.
author: Daenney <daenney@users.noreply.github.com> 2023-03-04 18:24:02 +0100
committer: GitHub <noreply@github.com> 2023-03-04 17:24:02 +0000
commit: d2f6de01856917b19e1f1ba6028f7e05d60e674b (patch)
tree: a8dd7a0718f67dc7248a5e2c9c98db20a6fb2741 /internal/config
parent: use updateattachment when updating to ensure cache is invalidated (#1587) (diff)
download: gotosocial-d2f6de01856917b19e1f1ba6028f7e05d60e674b.tar.xz
5 files changed, 73 insertions, 0 deletions
diff --git a/internal/config/config.go b/internal/config/config.go
index fdfda8583..a7a36eebf 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -114,6 +114,9 @@ type Configuration struct {
 	LetsEncryptCertDir      string `name:"letsencrypt-cert-dir" usage:"Directory to store acquired letsencrypt certificates."`
 	LetsEncryptEmailAddress string `name:"letsencrypt-email-address" usage:"Email address to use when requesting letsencrypt certs. Will receive updates on cert expiry etc."`
 
+	TLSCertificateChain string `name:"tls-certificate-chain" usage:"Filesystem path to the certificate chain including any intermediate CAs and the TLS public key"`
+	TLSCertificateKey   string `name:"tls-certificate-key" usage:"Filesystem path to the TLS private key"`
+
 	OIDCEnabled          bool     `name:"oidc-enabled" usage:"Enabled OIDC authorization for this instance. If set to true, then the other OIDC flags must also be set."`
 	OIDCIdpName          string   `name:"oidc-idp-name" usage:"Name of the OIDC identity provider. Will be shown to the user when logging in."`
 	OIDCSkipVerification bool     `name:"oidc-skip-verification" usage:"Skip verification of tokens returned by the OIDC provider. Should only be set to 'true' for testing purposes, never in a production environment!"`
diff --git a/internal/config/defaults.go b/internal/config/defaults.go
index e9dd2b743..7d2427ee7 100644
--- a/internal/config/defaults.go
+++ b/internal/config/defaults.go
@@ -91,6 +91,9 @@ var Defaults = Configuration{
 	LetsEncryptCertDir:      "/gotosocial/storage/certs",
 	LetsEncryptEmailAddress: "",
 
+	TLSCertificateChain: "",
+	TLSCertificateKey:   "",
+
 	OIDCEnabled:          false,
 	OIDCIdpName:          "",
 	OIDCSkipVerification: false,
diff --git a/internal/config/flags.go b/internal/config/flags.go
index 3ef44bf62..5206ee8ae 100644
--- a/internal/config/flags.go
+++ b/internal/config/flags.go
@@ -114,6 +114,10 @@ func (s *ConfigState) AddServerFlags(cmd *cobra.Command) {
 		cmd.Flags().String(LetsEncryptCertDirFlag(), cfg.LetsEncryptCertDir, fieldtag("LetsEncryptCertDir", "usage"))
 		cmd.Flags().String(LetsEncryptEmailAddressFlag(), cfg.LetsEncryptEmailAddress, fieldtag("LetsEncryptEmailAddress", "usage"))
 
+		// Manual TLS
+		cmd.Flags().String(TLSCertificateChainFlag(), cfg.TLSCertificateChain, fieldtag("TLSCertificateChain", "usage"))
+		cmd.Flags().String(TLSCertificateKeyFlag(), cfg.TLSCertificateKey, fieldtag("TLSCertificateKey", "usage"))
+
 		// OIDC
 		cmd.Flags().Bool(OIDCEnabledFlag(), cfg.OIDCEnabled, fieldtag("OIDCEnabled", "usage"))
 		cmd.Flags().String(OIDCIdpNameFlag(), cfg.OIDCIdpName, fieldtag("OIDCIdpName", "usage"))
diff --git a/internal/config/helpers.gen.go b/internal/config/helpers.gen.go
index 5ea7b61b6..b021ed617 100644
--- a/internal/config/helpers.gen.go
+++ b/internal/config/helpers.gen.go
@@ -1524,6 +1524,56 @@ func GetLetsEncryptEmailAddress() string { return global.GetLetsEncryptEmailAddr
 // SetLetsEncryptEmailAddress safely sets the value for global configuration 'LetsEncryptEmailAddress' field
 func SetLetsEncryptEmailAddress(v string) { global.SetLetsEncryptEmailAddress(v) }
 
+// GetTLSCertificateChain safely fetches the Configuration value for state's 'TLSCertificateChain' field
+func (st *ConfigState) GetTLSCertificateChain() (v string) {
+	st.mutex.Lock()
+	v = st.config.TLSCertificateChain
+	st.mutex.Unlock()
+	return
+}
+
+// SetTLSCertificateChain safely sets the Configuration value for state's 'TLSCertificateChain' field
+func (st *ConfigState) SetTLSCertificateChain(v string) {
+	st.mutex.Lock()
+	defer st.mutex.Unlock()
+	st.config.TLSCertificateChain = v
+	st.reloadToViper()
+}
+
+// TLSCertificateChainFlag returns the flag name for the 'TLSCertificateChain' field
+func TLSCertificateChainFlag() string { return "tls-certificate-chain" }
+
+// GetTLSCertificateChain safely fetches the value for global configuration 'TLSCertificateChain' field
+func GetTLSCertificateChain() string { return global.GetTLSCertificateChain() }
+
+// SetTLSCertificateChain safely sets the value for global configuration 'TLSCertificateChain' field
+func SetTLSCertificateChain(v string) { global.SetTLSCertificateChain(v) }
+
+// GetTLSCertificateKey safely fetches the Configuration value for state's 'TLSCertificateKey' field
+func (st *ConfigState) GetTLSCertificateKey() (v string) {
+	st.mutex.Lock()
+	v = st.config.TLSCertificateKey
+	st.mutex.Unlock()
+	return
+}
+
+// SetTLSCertificateKey safely sets the Configuration value for state's 'TLSCertificateKey' field
+func (st *ConfigState) SetTLSCertificateKey(v string) {
+	st.mutex.Lock()
+	defer st.mutex.Unlock()
+	st.config.TLSCertificateKey = v
+	st.reloadToViper()
+}
+
+// TLSCertificateKeyFlag returns the flag name for the 'TLSCertificateKey' field
+func TLSCertificateKeyFlag() string { return "tls-certificate-key" }
+
+// GetTLSCertificateKey safely fetches the value for global configuration 'TLSCertificateKey' field
+func GetTLSCertificateKey() string { return global.GetTLSCertificateKey() }
+
+// SetTLSCertificateKey safely sets the value for global configuration 'TLSCertificateKey' field
+func SetTLSCertificateKey(v string) { global.SetTLSCertificateKey(v) }
+
 // GetOIDCEnabled safely fetches the Configuration value for state's 'OIDCEnabled' field
 func (st *ConfigState) GetOIDCEnabled() (v bool) {
 	st.mutex.Lock()
diff --git a/internal/config/validate.go b/internal/config/validate.go
index 866ec1be1..2735a9229 100644
--- a/internal/config/validate.go
+++ b/internal/config/validate.go
@@ -67,6 +67,19 @@ func Validate() error {
 		errs = append(errs, fmt.Errorf("%s must be set", WebAssetBaseDirFlag()))
 	}
 
+	tlsChain := GetTLSCertificateChain()
+	tlsKey := GetTLSCertificateKey()
+	tlsChainFlag := TLSCertificateChainFlag()
+	tlsKeyFlag := TLSCertificateKeyFlag()
+
+	if GetLetsEncryptEnabled() && (tlsChain != "" || tlsKey != "") {
+		errs = append(errs, fmt.Errorf("%s cannot be enabled when %s and/or %s are also set", LetsEncryptEnabledFlag(), tlsChainFlag, tlsKeyFlag))
+	}
+
+	if (tlsChain != "" && tlsKey == "") || (tlsChain == "" && tlsKey != "") {
+		errs = append(errs, fmt.Errorf("%s and %s need to both be set or unset", tlsChainFlag, tlsKeyFlag))
+	}
+
 	if len(errs) > 0 {
 		errStrings := []string{}
 		for _, err := range errs {
author	Daenney <daenney@users.noreply.github.com>	2023-03-04 18:24:02 +0100
committer	GitHub <noreply@github.com>	2023-03-04 17:24:02 +0000
commit	d2f6de01856917b19e1f1ba6028f7e05d60e674b (patch)
tree	a8dd7a0718f67dc7248a5e2c9c98db20a6fb2741 /internal/config
parent	use updateattachment when updating to ensure cache is invalidated (#1587) (diff)
download	gotosocial-d2f6de01856917b19e1f1ba6028f7e05d60e674b.tar.xz