-rw-r--r-- | internal/server/server.go | 1 | ||||
-rw-r--r-- | internal/server/tls.go | 18 |
2 files changed, 14 insertions, 5 deletions
diff --git a/internal/server/server.go b/internal/server/server.go
index 717320d..0f7701a 100644
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -40,6 +40,7 @@ type Config struct {
 	TLS bool `conf:"default:false"`
 	Development bool `conf:"default:false,flag:dev"`
+	ACMECA string `conf:"env:ACME_CA"`
 	ACMECACert string `conf:"env:ACME_CA_CERT"`
 	Domains string
 }
diff --git a/internal/server/tls.go b/internal/server/tls.go
index 84dae74..f6bc320 100644
--- a/internal/server/tls.go
+++ b/internal/server/tls.go
@@ -22,17 +22,25 @@ type redisConfig struct {
 func (s *Server) serveTLS() (err error) {
 	if s.runtimeConfig.Development {
-		ca := s.runtimeConfig.ACMECACert
+		ca := s.runtimeConfig.ACMECA
 		if ca == "" {
-			return errors.New("Need ACME_CA_CERT to enable TLS in development")
+			return errors.New("can't enable tls in development without an ACME_CA")
 		}
-		cp := x509.NewCertPool()
-		cp.AppendCertsFromPEM([]byte(ca))
+		cp, err := x509.SystemCertPool()
+		if err != nil {
+			log.Warn("could not get system certificate pool", "error", err)
+			cp = x509.NewCertPool()
+		}
+
+		cacert := s.runtimeConfig.ACMECACert
+		if cacert != "" {
+			cp.AppendCertsFromPEM([]byte(cacert))
+		}
 		cfg := certmagic.NewDefault()
 		issuer := certmagic.NewACMEIssuer(cfg, certmagic.ACMEIssuer{
-			CA: "https://localhost/acme/local/directory",
+			CA: s.runtimeConfig.ACMECA,
 			TrustedRoots: cp,
 			DisableTLSALPNChallenge: true,
 			AltHTTPPort: s.runtimeConfig.Port,
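Review bot: The new `ACMECA` field is added without a doc comment saying what value it takes, and since it now gates development TLS (tls.go returns an error when it is empty) a reader of Config cannot tell from the struct that it is an ACME directory URL. I would add `// ACMECA is the ACME directory URL (env ACME_CA) used to obtain certificates in development; ACMECACert optionally holds a PEM CA bundle (env ACME_CA_CERT) that is trusted when talking to that directory.` above the field. The struct continues outside the hunk, so whether ACMECA is also consumed on the non-development path is not visible here.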
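Review bot: The return value of `cp.AppendCertsFromPEM([]byte(cacert))` is still discarded, and with this change that matters more: ACME_CA_CERT is now optional and layered on top of the system pool, so a malformed or empty-PEM value silently leaves only the system roots in TrustedRoots and the problem surfaces later as an opaque certificate-verification error against the ACME directory instead of at startup. I would check the bool and fail fast: `if !cp.AppendCertsFromPEM([]byte(cacert)) {` / `return errors.New("ACME_CA_CERT contains no parsable PEM certificates")` / `}`. Two smaller points: `cp, err := x509.SystemCertPool()` declares a new `err` that shadows the function's named result (harmless here because it is consumed immediately, but vet's shadow check will flag it; `var cp *x509.CertPool` followed by `cp, err = x509.SystemCertPool()` avoids it), and the issuer re-reads `s.runtimeConfig.ACMECA` although `ca` already holds that value after the emptiness check, so `CA: ca,` would do. Be aware that seeding TrustedRoots from the system pool means the directory at ACME_CA is now accepted if it presents any publicly trusted certificate, which is reasonable for local development but is a wider trust scope than the previous custom-CA-only pool, and the "could not get system certificate pool" case degrades to an empty pool plus whatever ACME_CA_CERT adds. serveTLS continues past the end of the hunk.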