Diffstat (limited to 'internal/server/tls.go')
-rw-r--r--internal/server/tls.go18
1 files changed, 13 insertions, 5 deletions
diff --git a/internal/server/tls.go b/internal/server/tls.go
index 84dae74..f6bc320 100644
--- a/internal/server/tls.go
+++ b/internal/server/tls.go
@@ -22,17 +22,25 @@ type redisConfig struct {
 
 func (s *Server) serveTLS() (err error) {
 	if s.runtimeConfig.Development {
-		ca := s.runtimeConfig.ACMECACert
+		ca := s.runtimeConfig.ACMECA
 		if ca == "" {
-			return errors.New("Need ACME_CA_CERT to enable TLS in development")
+			return errors.New("can't enable tls in development without an ACME_CA")
 		}
 
-		cp := x509.NewCertPool()
-		cp.AppendCertsFromPEM([]byte(ca))
+		cp, err := x509.SystemCertPool()
+		if err != nil {
+			log.Warn("could not get system certificate pool", "error", err)
+			cp = x509.NewCertPool()
+		}
+
+		cacert := s.runtimeConfig.ACMECACert
+		if cacert != "" {
+			cp.AppendCertsFromPEM([]byte(cacert))
+		}
 
 		cfg := certmagic.NewDefault()
 		issuer := certmagic.NewACMEIssuer(cfg, certmagic.ACMEIssuer{
-			CA:                      "https://localhost/acme/local/directory",
+			CA:                      s.runtimeConfig.ACMECA,
 			TrustedRoots:            cp,
 			DisableTLSALPNChallenge: true,
 			AltHTTPPort:             s.runtimeConfig.Port,
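Review bot: The boolean returned by `cp.AppendCertsFromPEM([]byte(cacert))` is discarded, so a malformed or non-PEM `ACME_CA_CERT` silently adds nothing to the pool and the development ACME handshake later fails with an opaque x509 error instead of pointing at the bad variable; since the branch already returns an error for a missing `ACME_CA`, I would treat this the same way: `if !cp.AppendCertsFromPEM([]byte(cacert)) { return errors.New("ACME_CA_CERT contains no parseable PEM certificates") }`. Separately, `cp, err := x509.SystemCertPool()` declares a new `err` that shadows the function's named result inside the `if s.runtimeConfig.Development` block; it is handled immediately here, but a later naked `return` in this scope would return the outer (nil) `err`, so `var cp *x509.CertPool` followed by `cp, err = ...` avoids the trap. Note also that the trust set for the development issuer grows from "only the configured CA" to "system roots plus the configured CA"; that seems intentional for a configurable `ACME_CA`, but a one-line comment stating that the system pool is deliberately trusted in development would save the next reader from wondering whether it was an oversight. serveTLS continues past the end of this hunk.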