From d2f6de01856917b19e1f1ba6028f7e05d60e674b Mon Sep 17 00:00:00 2001 From: Daenney Date: Sat, 4 Mar 2023 18:24:02 +0100 Subject: [feature] Allow loading TLS certs from disk (#1586) Currently, GtS only supports using the built-in LE client directly for TLS. However, admins may still want to use GtS directly (so without a reverse proxy) but with certificates provided through some other mechanism. They may have some centralised way of provisioning these things themselves, or simply prefer to use LE but with a different challenge like DNS-01 which is not supported by autocert. This adds support for loading a public/private keypair from disk instead of using LE and reconfigures the server to use a TLS listener if we succeed in doing so. Additionally, being able to load TLS keypair from disk opens up the path to using a custom CA for testing purposes avoinding the need for a constellation of containers and something like Pebble or Step CA to provide LE APIs. --- internal/router/router.go | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) (limited to 'internal/router/router.go') diff --git a/internal/router/router.go b/internal/router/router.go index 0b9b63494..edbf51cbb 100644 --- a/internal/router/router.go +++ b/internal/router/router.go @@ -20,6 +20,7 @@ package router import ( "context" + "crypto/tls" "fmt" "net" "net/http" @@ -78,6 +79,26 @@ func (r *router) Start() { // but updated to TLS if LetsEncrypt is enabled. listen := r.srv.ListenAndServe + // During config validation we already checked that both Chain and Key are set + // so we can forego checking for both here + if chain := config.GetTLSCertificateChain(); chain != "" { + pkey := config.GetTLSCertificateKey() + cer, err := tls.LoadX509KeyPair(chain, pkey) + if err != nil { + log.Fatalf( + nil, + "tls: failed to load keypair from %s and %s, ensure they are PEM-encoded and can be read by this process: %s", + chain, pkey, err, + ) + } + r.srv.TLSConfig = &tls.Config{ + MinVersion: tls.VersionTLS12, + Certificates: []tls.Certificate{cer}, + } + // TLS is enabled, update the listen function + listen = func() error { return r.srv.ListenAndServeTLS("", "") } + } + if config.GetLetsEncryptEnabled() { // LetsEncrypt support is enabled -- cgit v1.2.3