require only ACME_CA for TLS in development

It makes sense to add the CA root certificate to the system trust
store so that user agents don't produce warnings

2 files changed, 14 insertions, 5 deletions

diff --git a/internal/server/server.go b/internal/server/server.go
index 717320d..0f7701a 100644
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -40,6 +40,7 @@ type Config struct {
 	TLS           bool   `conf:"default:false"`
 
 	Development bool   `conf:"default:false,flag:dev"`
+	ACMECA      string `conf:"env:ACME_CA"`
 	ACMECACert  string `conf:"env:ACME_CA_CERT"`
 	Domains     string
 }
diff --git a/internal/server/tls.go b/internal/server/tls.go
index 84dae74..f6bc320 100644
--- a/internal/server/tls.go
+++ b/internal/server/tls.go
@@ -22,17 +22,25 @@ type redisConfig struct {
 
 func (s *Server) serveTLS() (err error) {
 	if s.runtimeConfig.Development {
-		ca := s.runtimeConfig.ACMECACert
+		ca := s.runtimeConfig.ACMECA
 		if ca == "" {
-			return errors.New("Need ACME_CA_CERT to enable TLS in development")
+			return errors.New("can't enable tls in development without an ACME_CA")
 		}
 
-		cp := x509.NewCertPool()
-		cp.AppendCertsFromPEM([]byte(ca))
+		cp, err := x509.SystemCertPool()
+		if err != nil {
+			log.Warn("could not get system certificate pool", "error", err)
+			cp = x509.NewCertPool()
+		}
+
+		cacert := s.runtimeConfig.ACMECACert
+		if cacert != "" {
+			cp.AppendCertsFromPEM([]byte(cacert))
+		}
 
 		cfg := certmagic.NewDefault()
 		issuer := certmagic.NewACMEIssuer(cfg, certmagic.ACMEIssuer{
-			CA:                      "https://localhost/acme/local/directory",
+			CA:                      s.runtimeConfig.ACMECA,
 			TrustedRoots:            cp,
 			DisableTLSALPNChallenge: true,
 			AltHTTPPort:             s.runtimeConfig.Port,