feat: expose certificates pool creation (#2210)
This commit is contained in:
parent
c63be848f6
commit
834a9089f1
3 changed files with 31 additions and 15 deletions
@ -57,7 +57,7 @@ func (m *hostMatcher) matches(r *http.Request, domain string) bool {
|
|||
return strings.HasPrefix(r.Host, domain)
|
||||
}
|
||||
|
||||
// hostMatcher checks whether the specified (*net/http.Request).Header value starts with a domain name.
|
||||
// arbitraryMatcher checks whether the specified (*net/http.Request).Header value starts with a domain name.
|
||||
type arbitraryMatcher string
|
||||
|
||||
func (m arbitraryMatcher) name() string {
|
||||
@ -100,26 +100,41 @@ func initCertPool() *x509.CertPool {
|
|||
return nil
|
||||
}
|
||||
|
||||
certPool := getCertPool()
|
||||
useSystemCertPool, _ := strconv.ParseBool(os.Getenv(caSystemCertPool))
|
||||
|
||||
for _, customPath := range strings.Split(customCACertsPath, string(os.PathListSeparator)) {
|
||||
customCAs, err := os.ReadFile(customPath)
|
||||
caCerts := strings.Split(customCACertsPath, string(os.PathListSeparator))
|
||||
|
||||
certPool, err := CreateCertPool(caCerts, useSystemCertPool)
|
||||
if err != nil {
|
||||
panic(fmt.Sprintf("error reading %s=%q: %v",
|
||||
caCertificatesEnvVar, customPath, err))
|
||||
}
|
||||
|
||||
if ok := certPool.AppendCertsFromPEM(customCAs); !ok {
|
||||
panic(fmt.Sprintf("error creating x509 cert pool from %s=%q: %v",
|
||||
caCertificatesEnvVar, customPath, err))
|
||||
}
|
||||
panic(fmt.Sprintf("create certificates pool: %v", err))
|
||||
}
|
||||
|
||||
return certPool
|
||||
}
|
||||
|
||||
func getCertPool() *x509.CertPool {
|
||||
useSystemCertPool, _ := strconv.ParseBool(os.Getenv(caSystemCertPool))
|
||||
// CreateCertPool creates a *x509.CertPool populated with the PEM certificates.
|
||||
func CreateCertPool(caCerts []string, useSystemCertPool bool) (*x509.CertPool, error) {
|
||||
if len(caCerts) == 0 {
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
certPool := newCertPool(useSystemCertPool)
|
||||
|
||||
for _, customPath := range caCerts {
|
||||
customCAs, err := os.ReadFile(customPath)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error reading %q: %w", customPath, err)
|
||||
}
|
||||
|
||||
if ok := certPool.AppendCertsFromPEM(customCAs); !ok {
|
||||
return nil, fmt.Errorf("error creating x509 cert pool from %q: %w", customPath, err)
|
||||
}
|
||||
}
|
||||
|
||||
return certPool, nil
|
||||
}
|
||||
|
||||
func newCertPool(useSystemCertPool bool) *x509.CertPool {
|
||||
if !useSystemCertPool {
|
||||
return x509.NewCertPool()
|
||||
}
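Review bot: The `!ok` branch after `certPool.AppendCertsFromPEM(customCAs)` in `CreateCertPool` wraps `err` with `%w`, but `err` is necessarily nil at that point (the `os.ReadFile` error was already returned a few lines earlier), so the message renders as `error creating x509 cert pool from "path": %!w(<nil>)` and `errors.Unwrap` yields nothing; replace it with `return nil, fmt.Errorf("no PEM certificates found in %q", customPath)`. The new doc comment on `CreateCertPool` should also state that an empty `caCerts` returns `nil, nil`, because a nil `*x509.CertPool` used as `tls.Config.RootCAs` makes crypto/tls fall back to the host's root set regardless of `useSystemCertPool` — the callers are not visible here, so confirm that is the intended contract for the newly exported function. `newCertPool` ends outside this hunk; from the following hunk's context it appears to fall back to an empty pool when `x509.SystemCertPool` fails, which silently discards the caller's request for system roots — now that `CreateCertPool` returns an error, that failure could be propagated instead of swallowed.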
|
||||
|
@ -128,5 +143,6 @@ func getCertPool() *x509.CertPool {
|
|||
if err == nil {
|
||||
return pool
|
||||
}
|
||||
|
||||
return x509.NewCertPool()
|
||||
}
|
||||
@ -59,7 +59,7 @@ func (c mockUpdateClient) UpdateTXTRecord(acct goacmedns.Account, value string)
|
|||
return nil
|
||||
}
|
||||
|
||||
// errorRegisterClient is a mock implementing the acmeDNSClient interface that always
|
||||
// errorUpdateClient is a mock implementing the acmeDNSClient interface that always
|
||||
// returns errors from errorUpdateClient.
|
||||
type errorUpdateClient struct {
|
||||
mockClient
|
||||