

require only ACME_CA for TLS in development

It makes sense to add the CA root certificate to the system trust store so that user agents don't produce warnings.

Alan Pearce
commit

765a227bbf42983a9edb3eaac6e48df7a43f2808

parent

d5b95136d5f162645a6bfaa76833cbf5520f7e45

2 files changed, 14 insertions(+), 5 deletions(-)

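--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -40,6 +40,7 @@ TLSPort int `conf:"default:8443"`
 TLS bool `conf:"default:false"`
 Development bool `conf:"default:false,flag:dev"`
+ACMECA string `conf:"env:ACME_CA"`
 ACMECACert string `conf:"env:ACME_CA_CERT"`
 Domains string
 }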
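Review bot: The new `ACMECA` field carries no doc comment and no default, so a reader of the config struct cannot tell it is the ACME directory URL that replaces the previously hard-coded `https://localhost/acme/local/directory` in tls.go, nor that it is only consulted in development mode. Suggest `// ACMECA is the ACME directory URL used for certificate issuance in development mode (env ACME_CA).` above it, and on the neighbouring field `// ACMECACert is an optional PEM root certificate trusted in addition to the system pool when talking to ACMECA.` The struct this hunk belongs to starts outside the hunk.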
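--- a/internal/server/tls.go
+++ b/internal/server/tls.go
@@ -22,17 +22,25 @@ }
 func (s *Server) serveTLS() (err error) {
 if s.runtimeConfig.Development {
-ca := s.runtimeConfig.ACMECACert
+ca := s.runtimeConfig.ACMECA
 if ca == "" {
-return errors.New("Need ACME_CA_CERT to enable TLS in development")
+return errors.New("can't enable tls in development without an ACME_CA")
 }
-cp := x509.NewCertPool()
-cp.AppendCertsFromPEM([]byte(ca))
+cp, err := x509.SystemCertPool()
+if err != nil {
+log.Warn("could not get system certificate pool", "error", err)
+cp = x509.NewCertPool()
+}
+
+cacert := s.runtimeConfig.ACMECACert
+if cacert != "" {
+cp.AppendCertsFromPEM([]byte(cacert))
+}
 cfg := certmagic.NewDefault()
 issuer := certmagic.NewACMEIssuer(cfg, certmagic.ACMEIssuer{
-CA: "https://localhost/acme/local/directory",
+CA: s.runtimeConfig.ACMECA,
 TrustedRoots: cp,
 DisableTLSALPNChallenge: true,
 AltHTTPPort: s.runtimeConfig.Port,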
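Review bot: The boolean returned by `cp.AppendCertsFromPEM([]byte(cacert))` is discarded, so a malformed or non-PEM `ACME_CA_CERT` silently adds nothing to the pool and the local ACME directory later fails with an opaque TLS verification error rather than a configuration error; check it and fail early with `if !cp.AppendCertsFromPEM([]byte(cacert)) { return errors.New("ACME_CA_CERT contains no parsable PEM certificates") }`. Separately, `cp, err := x509.SystemCertPool()` redeclares `err` inside the `if` block and shadows the function's named result — harmless here because it is handled immediately, but `var cp *x509.CertPool` followed by `=` avoids the vet warning. When `SystemCertPool` fails and `ACME_CA_CERT` is empty, the fallback hands certmagic a freshly created empty pool, which presumably trusts nothing, so that branch may deserve an error rather than a warning. The body of serveTLS continues past the end of the hunk.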