/tls/configure -- allow submitting empty certificates and keys to clear them out from config

control.go

@@ -1049,25 +1049,30 @@ func handleTLSConfigure(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	var mainCert *x509.Certificate
+
+	if data.CertificateChain != "" {
 		certPEM, err := base64.StdEncoding.DecodeString(data.CertificateChain)
 		if err != nil {
 			httpError(w, http.StatusBadRequest, "Failed to base64-decode certificate chain: %s", err)
 			return
 		}
 
+		log.Printf("got certificate: %s", certPEM)
+
+		if data.PrivateKey != "" {
 			keyPEM, err := base64.StdEncoding.DecodeString(data.PrivateKey)
 			if err != nil {
 				httpError(w, http.StatusBadRequest, "Failed to base64-decode private key: %s", err)
 				return
 			}
 
-	log.Printf("got certificate: %s", certPEM)
-
 			_, err = tls.X509KeyPair(certPEM, keyPEM)
 			if err != nil {
 				httpError(w, http.StatusBadRequest, "Invalid certificate or key: %s", err)
 				return
 			}
+		}
 
 		// now do a more extended validation
 		var certs []*pem.Block    // PEM-encoded certificates
@@ -1129,10 +1134,12 @@ func handleTLSConfigure(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 		// spew.Dump(chains)
+	}
 
 	config.TLS = data
 
 	// update status
+	if mainCert != nil {
 		config.TLS.StatusCertificate = fmt.Sprintf("Certificate expires on %s", mainCert.NotAfter) //, valid for hostname %s", mainCert.NotAfter, mainCert.Subject.CommonName)
 		if len(mainCert.DNSNames) == 1 {
 			config.TLS.StatusCertificate += fmt.Sprintf(", valid for hostname %s", mainCert.DNSNames[0])
@@ -1150,6 +1157,7 @@ func handleTLSConfigure(w http.ResponseWriter, r *http.Request) {
 				config.TLS.Warning = fmt.Sprintf("Your certificate has expired on %s, we recommend you update it immediatedly", mainCert.NotAfter)
 			}
 		}
+	}
 	httpUpdateConfigReloadDNSReturnOK(w, r)
 }