author | Alan Pearce | 2024-06-27 09:43:39 +0200 |
committer | Alan Pearce | 2024-06-27 09:43:39 +0200 |
commit | 765a227bbf42983a9edb3eaac6e48df7a43f2808 (patch) | |
tree | f239fa6cff37a599141bea5d4bf00350e95c4d67 /internal/server | |
parent | d5b95136d5f162645a6bfaa76833cbf5520f7e45 (diff) | |
require only ACME_CA for TLS in development
It makes sense to add the CA root certificate to the system trust store so that user agents don't produce warnings.
Diffstat (limited to 'internal/server')
-rw-r--r-- | internal/server/server.go | 1 | ||||
-rw-r--r-- | internal/server/tls.go | 18 |
2 files changed, 14 insertions, 5 deletions
diff --git a/internal/server/server.go b/internal/server/server.go
index 717320d..0f7701a 100644
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -40,6 +40,7 @@ type Config struct {
 TLS bool `conf:"default:false"`
 Development bool `conf:"default:false,flag:dev"`
+ ACMECA string `conf:"env:ACME_CA"`
 ACMECACert string `conf:"env:ACME_CA_CERT"`
 Domains string
 }
diff --git a/internal/server/tls.go b/internal/server/tls.go
index 84dae74..f6bc320 100644
--- a/internal/server/tls.go
+++ b/internal/server/tls.go
@@ -22,17 +22,25 @@ type redisConfig struct {
 func (s *Server) serveTLS() (err error) {
 if s.runtimeConfig.Development {
- ca := s.runtimeConfig.ACMECACert
+ ca := s.runtimeConfig.ACMECA
 if ca == "" {
- return errors.New("Need ACME_CA_CERT to enable TLS in development")
+ return errors.New("can't enable tls in development without an ACME_CA")
 }
- cp := x509.NewCertPool()
- cp.AppendCertsFromPEM([]byte(ca))
+ cp, err := x509.SystemCertPool()
+ if err != nil {
+ log.Warn("could not get system certificate pool", "error", err)
+ cp = x509.NewCertPool()
+ }
+
+ cacert := s.runtimeConfig.ACMECACert
+ if cacert != "" {
+ cp.AppendCertsFromPEM([]byte(cacert))
+ }
 cfg := certmagic.NewDefault()
 issuer := certmagic.NewACMEIssuer(cfg, certmagic.ACMEIssuer{
- CA: "https://localhost/acme/local/directory",
+ CA: s.runtimeConfig.ACMECA,
 TrustedRoots: cp,
 DisableTLSALPNChallenge: true,
 AltHTTPPort: s.runtimeConfig.Port, |
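Review bot: The new `ACMECA` field in `Config` carries no doc comment and no default, so nothing in server.go tells a reader what `ACME_CA` should hold or that the tls.go hunk in this commit makes it mandatory in development and hands it to certmagic unchanged as the ACME directory URL. A comment on the field would close that gap, e.g. `// ACMECA is the ACME directory URL (env ACME_CA); required to serve TLS in development.`, and the neighbouring field could state its changed role, `// ACMECACert is an optional PEM root (env ACME_CA_CERT) appended to the trust pool used to reach ACMECA.` Both behaviours come from the tls.go hunk, whose serveTLS body runs past the visible diff, so the remainder of that function is not reviewed here.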