From d2f6de01856917b19e1f1ba6028f7e05d60e674b Mon Sep 17 00:00:00 2001 From: Daenney Date: Sat, 4 Mar 2023 18:24:02 +0100 Subject: [feature] Allow loading TLS certs from disk (#1586) Currently, GtS only supports using the built-in LE client directly for TLS. However, admins may still want to use GtS directly (so without a reverse proxy) but with certificates provided through some other mechanism. They may have some centralised way of provisioning these things themselves, or simply prefer to use LE but with a different challenge like DNS-01 which is not supported by autocert. This adds support for loading a public/private keypair from disk instead of using LE and reconfigures the server to use a TLS listener if we succeed in doing so. Additionally, being able to load TLS keypair from disk opens up the path to using a custom CA for testing purposes avoinding the need for a constellation of containers and something like Pebble or Step CA to provide LE APIs. --- internal/config/config.go | 3 +++ 1 file changed, 3 insertions(+) (limited to 'internal/config/config.go') diff --git a/internal/config/config.go b/internal/config/config.go index fdfda8583..a7a36eebf 100644 --- a/internal/config/config.go +++ b/internal/config/config.go @@ -114,6 +114,9 @@ type Configuration struct { LetsEncryptCertDir string `name:"letsencrypt-cert-dir" usage:"Directory to store acquired letsencrypt certificates."` LetsEncryptEmailAddress string `name:"letsencrypt-email-address" usage:"Email address to use when requesting letsencrypt certs. Will receive updates on cert expiry etc."` + TLSCertificateChain string `name:"tls-certificate-chain" usage:"Filesystem path to the certificate chain including any intermediate CAs and the TLS public key"` + TLSCertificateKey string `name:"tls-certificate-key" usage:"Filesystem path to the TLS private key"` + OIDCEnabled bool `name:"oidc-enabled" usage:"Enabled OIDC authorization for this instance. If set to true, then the other OIDC flags must also be set."` OIDCIdpName string `name:"oidc-idp-name" usage:"Name of the OIDC identity provider. Will be shown to the user when logging in."` OIDCSkipVerification bool `name:"oidc-skip-verification" usage:"Skip verification of tokens returned by the OIDC provider. Should only be set to 'true' for testing purposes, never in a production environment!"` -- cgit v1.2.3