Validate certificates and update certificate statuses on launch as well.
parent
bdec98f18e
commit
571be68733
24
app.go
24
app.go
|
@ -177,20 +177,30 @@ func run(args options) {
|
|||
httpsServer.cond.Wait()
|
||||
}
|
||||
address := net.JoinHostPort(config.BindHost, strconv.Itoa(config.TLS.PortHTTPS))
|
||||
// validate current TLS config and update warnings (it could have been loaded from file)
|
||||
data, err := validateCertificates(config.TLS)
|
||||
if err != nil {
|
||||
log.Fatal(err)
|
||||
os.Exit(1)
|
||||
}
|
||||
confing.TLS = data // update warnings
|
||||
|
||||
// prepare cert for HTTPS server
|
||||
cert, err := tls.X509KeyPair([]byte(config.TLS.CertificateChain), []byte(config.TLS.PrivateKey))
|
||||
if err != nil {
|
||||
log.Fatal(err)
|
||||
os.Exit(1)
|
||||
}
|
||||
config := &tls.Config{
|
||||
Certificates: []tls.Certificate{cert},
|
||||
}
|
||||
httpsServer.server = &http.Server{
|
||||
Addr: address,
|
||||
TLSConfig: config,
|
||||
}
|
||||
httpsServer.cond.L.Unlock()
|
||||
|
||||
// prepare HTTPS server
|
||||
httpsServer.server = &http.Server{
|
||||
Addr: address,
|
||||
TLSConfig: &tls.Config{
|
||||
Certificates: []tls.Certificate{cert},
|
||||
},
|
||||
}
|
||||
|
||||
URL := fmt.Sprintf("https://%s", address)
|
||||
log.Println("Go to " + URL)
|
||||
err = httpsServer.server.ListenAndServeTLS("", "")
|
||||
|
|
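Review bot: `confing.TLS = data` in the added validation block looks like a typo for `config.TLS = data`; unless an identifier named `confing` is declared outside this hunk, the file will not compile and the refreshed statuses are never stored. If `log` is the standard library package, the `os.Exit(1)` after each `log.Fatal(err)` is unreachable, because log.Fatal already exits, and can be dropped. A validation error now terminates the process at launch, so it is worth confirming that validateCertificates returns an error only for unusable material and reports conditions such as an expired chain through the warning fields; otherwise a lapsed certificate stops the whole service from starting. The new `&tls.Config{...}` sets only `Certificates`; adding `MinVersion: tls.VersionTLS12` would pin the protocol floor instead of leaving it to the toolchain default. run() begins and ends outside the hunk.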
15
config.go
15
config.go
|
@ -70,15 +70,18 @@ type tlsConfigSettings struct {
|
|||
dnsforward.TLSConfig `yaml:",inline" json:",inline"`
|
||||
}
|
||||
|
||||
// field ordering is not important -- these are for API and are recalculated on each run
|
||||
type tlsConfigStatus struct {
|
||||
StatusCertificate string `yaml:"-" json:"status_cert,omitempty"`
|
||||
StatusKey string `yaml:"-" json:"status_key,omitempty"`
|
||||
Warning string `yaml:"-" json:"warning,omitempty"`
|
||||
WarningValidation string `yaml:"-" json:"warning_validation,omitempty"`
|
||||
}
|
||||
|
||||
// field ordering is important -- yaml fields will mirror ordering from here
|
||||
type tlsConfig struct {
|
||||
tlsConfigSettings `yaml:",inline" json:",inline"`
|
||||
|
||||
// only for API, no need to be stored in config
|
||||
StatusCertificate string `yaml:"status_cert" json:"status_cert,omitempty"`
|
||||
StatusKey string `yaml:"status_key" json:"status_key,omitempty"`
|
||||
Warning string `yaml:"warning" json:"warning,omitempty"`
|
||||
WarningValidation string `yaml:"warning_validation" json:"warning_validation,omitempty"`
|
||||
tlsConfigStatus `yaml:"-" json:",inline"`
|
||||
}
|
||||
|
||||
// initialize to default values, will be changed later when reading config or parsing command line
|
||||
|
|
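Review bot: The `json:",inline"` option on the embedded `tlsConfigStatus` (and on `tlsConfigSettings`) is not recognised by encoding/json, assuming that is the marshaller used; the fields are flattened only because an embedded struct with no tag name is promoted, so the tag reads as if it were doing work it is not. I would either drop the json tag or add a comment such as `// embedded: encoding/json promotes these fields, yaml skips them`. Separately, `tlsConfigSettings` embeds `dnsforward.TLSConfig`, whose `PrivateKey` is read in app.go; if this struct is also marshalled into API responses, check that the key is not echoed back to clients. That path is not visible in this section.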
|
@ -1156,6 +1156,9 @@ func validateCertificates(data tlsConfig) (tlsConfig, error) {
|
|||
opts.Intermediates = pool
|
||||
}
|
||||
|
||||
// clear out all warnings and statuses
|
||||
data.tlsConfigStatus = tlsConfigStatus{}
|
||||
|
||||
// TODO: save it as a warning rather than error it out -- shouldn't be a big problem
|
||||
mainCert := parsedCerts[0]
|
||||
_, err := mainCert.Verify(opts)
|
||||
|
|
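Review bot: The reset `data.tlsConfigStatus = tlsConfigStatus{}` sits partway through validateCertificates, after the intermediates pool is built, so any return path earlier in the function (not visible in this hunk) would hand back whatever status and warning values the caller passed in. Those fields carry json tags, so they could arrive pre-filled from a request body. Moving the reset to the first statement of the function would make every return path start from a clean status. It would also remove the risk of wiping something an earlier step had already recorded, if any step does.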