require only ACME_CA for TLS in development

It makes sense to add the CA root certificate to the system trust store so that user agents don't produce warnings.
Alan Pearce alan@alanpearce.eu
Thu, 27 Jun 2024 09:43:39 +0200
2 files changed, 14 insertions(+), 5 deletions(-)
M internal/server/server.go → internal/server/server.go
@@ -40,6 +40,7 @@
 TLSPort int `conf:"default:8443"`
 TLS bool `conf:"default:false"`
 Development bool `conf:"default:false,flag:dev"`
+ ACMECA string `conf:"env:ACME_CA"`
 ACMECACert string `conf:"env:ACME_CA_CERT"`
 Domains string
 }
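Review bot: The new `ACMECA` field has no doc comment, and unlike the neighbouring fields its meaning is not obvious from the tag alone; the tls.go change uses it as the ACME directory URL and refuses to start development TLS without it. A one-line comment above the field would save the next reader a trip into tls.go: `// ACMECA is the ACME directory URL (env ACME_CA); required when Development is true.`. The struct this field belongs to starts before the hunk.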
M internal/server/tls.go → internal/server/tls.go
@@ -22,17 +22,25 @@
 }
 func (s *Server) serveTLS() (err error) {
 if s.runtimeConfig.Development {
- ca := s.runtimeConfig.ACMECACert
+ ca := s.runtimeConfig.ACMECA
 if ca == "" {
- return errors.New("Need ACME_CA_CERT to enable TLS in development")
+ return errors.New("can't enable tls in development without an ACME_CA")
 }
- cp := x509.NewCertPool()
- cp.AppendCertsFromPEM([]byte(ca))
+ cp, err := x509.SystemCertPool()
+ if err != nil {
+ log.Warn("could not get system certificate pool", "error", err)
+ cp = x509.NewCertPool()
+ }
+
+ cacert := s.runtimeConfig.ACMECACert
+ if cacert != "" {
+ cp.AppendCertsFromPEM([]byte(cacert))
+ }
 cfg := certmagic.NewDefault()
 issuer := certmagic.NewACMEIssuer(cfg, certmagic.ACMEIssuer{
- CA: "https://localhost/acme/local/directory",
+ CA: s.runtimeConfig.ACMECA,
 TrustedRoots: cp,
 DisableTLSALPNChallenge: true,
 AltHTTPPort: s.runtimeConfig.Port,
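Review bot: The boolean returned by `cp.AppendCertsFromPEM([]byte(cacert))` is discarded, so an ACME_CA_CERT that is set but holds no parseable PEM certificate silently leaves the pool with only the system roots, and the problem only shows up later as an opaque TLS verification failure against the ACME directory. Check it and fail at startup instead: `if !cp.AppendCertsFromPEM([]byte(cacert)) {` / `return errors.New("ACME_CA_CERT contains no PEM certificates")` / `}`. Separately, `cp, err := x509.SystemCertPool()` declares a fresh `err` that shadows the named result for the rest of the Development block; it is checked immediately so nothing is lost today, but predeclaring `var cp *x509.CertPool` and assigning with `=` avoids the shadow warning and any later surprise. The ACME directory URL now comes from the environment unvalidated; certmagic may already reject a non-https directory, but that is worth confirming before relying on it. serveTLS continues past the end of the hunk.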