From d2f6de01856917b19e1f1ba6028f7e05d60e674b Mon Sep 17 00:00:00 2001 From: Daenney Date: Sat, 4 Mar 2023 18:24:02 +0100 Subject: [feature] Allow loading TLS certs from disk (#1586) Currently, GtS only supports using the built-in LE client directly for TLS. However, admins may still want to use GtS directly (so without a reverse proxy) but with certificates provided through some other mechanism. They may have some centralised way of provisioning these things themselves, or simply prefer to use LE but with a different challenge like DNS-01 which is not supported by autocert. This adds support for loading a public/private keypair from disk instead of using LE and reconfigures the server to use a TLS listener if we succeed in doing so. Additionally, being able to load TLS keypair from disk opens up the path to using a custom CA for testing purposes avoinding the need for a constellation of containers and something like Pebble or Step CA to provide LE APIs. --- internal/config/validate.go | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'internal/config/validate.go') diff --git a/internal/config/validate.go b/internal/config/validate.go index 866ec1be1..2735a9229 100644 --- a/internal/config/validate.go +++ b/internal/config/validate.go @@ -67,6 +67,19 @@ func Validate() error { errs = append(errs, fmt.Errorf("%s must be set", WebAssetBaseDirFlag())) } + tlsChain := GetTLSCertificateChain() + tlsKey := GetTLSCertificateKey() + tlsChainFlag := TLSCertificateChainFlag() + tlsKeyFlag := TLSCertificateKeyFlag() + + if GetLetsEncryptEnabled() && (tlsChain != "" || tlsKey != "") { + errs = append(errs, fmt.Errorf("%s cannot be enabled when %s and/or %s are also set", LetsEncryptEnabledFlag(), tlsChainFlag, tlsKeyFlag)) + } + + if (tlsChain != "" && tlsKey == "") || (tlsChain == "" && tlsKey != "") { + errs = append(errs, fmt.Errorf("%s and %s need to both be set or unset", tlsChainFlag, tlsKeyFlag)) + } + if len(errs) > 0 { errStrings := []string{} for _, err := range errs { -- cgit v1.2.3