* Make CertFile and KeyFile relative to CustomPath The current code will absolute CertFile and KeyFile against the current working directory. This is quite unexpected for users. This code makes relative paths absolute against the CustomPath. Fix #4196 * Improve error reporting when reading certificates * Apply suggestions from code review Co-Authored-By: guillep2k <18600385+guillep2k@users.noreply.github.com> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
This commit is contained in:
parent
8add1dfacc
commit
bcb722daec
4 changed files with 27 additions and 6 deletions
|
@ -275,8 +275,9 @@ DISABLE_ROUTER_LOG = false
|
||||||
; not forget to export the private key):
|
; not forget to export the private key):
|
||||||
; $ openssl pkcs12 -in cert.pfx -out cert.pem -nokeys
|
; $ openssl pkcs12 -in cert.pfx -out cert.pem -nokeys
|
||||||
; $ openssl pkcs12 -in cert.pfx -out key.pem -nocerts -nodes
|
; $ openssl pkcs12 -in cert.pfx -out key.pem -nocerts -nodes
|
||||||
CERT_FILE = custom/https/cert.pem
|
; Paths are relative to CUSTOM_PATH
|
||||||
KEY_FILE = custom/https/key.pem
|
CERT_FILE = https/cert.pem
|
||||||
|
KEY_FILE = https/key.pem
|
||||||
; Root directory containing templates and static files.
|
; Root directory containing templates and static files.
|
||||||
; default is the path where Gitea is executed
|
; default is the path where Gitea is executed
|
||||||
STATIC_ROOT_PATH =
|
STATIC_ROOT_PATH =
|
||||||
|
|
|
@ -181,8 +181,8 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
|
||||||
- `SSH_LISTEN_PORT`: **%(SSH\_PORT)s**: Port for the built-in SSH server.
|
- `SSH_LISTEN_PORT`: **%(SSH\_PORT)s**: Port for the built-in SSH server.
|
||||||
- `OFFLINE_MODE`: **false**: Disables use of CDN for static files and Gravatar for profile pictures.
|
- `OFFLINE_MODE`: **false**: Disables use of CDN for static files and Gravatar for profile pictures.
|
||||||
- `DISABLE_ROUTER_LOG`: **false**: Mute printing of the router log.
|
- `DISABLE_ROUTER_LOG`: **false**: Mute printing of the router log.
|
||||||
- `CERT_FILE`: **custom/https/cert.pem**: Cert file path used for HTTPS.
|
- `CERT_FILE`: **https/cert.pem**: Cert file path used for HTTPS. From 1.11 paths are relative to `CUSTOM_PATH`.
|
||||||
- `KEY_FILE`: **custom/https/key.pem**: Key file path used for HTTPS.
|
- `KEY_FILE`: **https/key.pem**: Key file path used for HTTPS. From 1.11 paths are relative to `CUSTOM_PATH`.
|
||||||
- `STATIC_ROOT_PATH`: **./**: Upper level of template and static files path.
|
- `STATIC_ROOT_PATH`: **./**: Upper level of template and static files path.
|
||||||
- `STATIC_CACHE_TIME`: **6h**: Web browser cache time for static resources on `custom/`, `public/` and all uploaded avatars.
|
- `STATIC_CACHE_TIME`: **6h**: Web browser cache time for static resources on `custom/`, `public/` and all uploaded avatars.
|
||||||
- `ENABLE_GZIP`: **false**: Enables application-level GZIP support.
|
- `ENABLE_GZIP`: **false**: Enables application-level GZIP support.
|
||||||
|
|
|
@ -7,6 +7,7 @@ package graceful
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"crypto/tls"
|
"crypto/tls"
|
||||||
|
"io/ioutil"
|
||||||
"net"
|
"net"
|
||||||
"os"
|
"os"
|
||||||
"strings"
|
"strings"
|
||||||
|
@ -99,12 +100,25 @@ func (srv *Server) ListenAndServeTLS(certFile, keyFile string, serve ServeFuncti
|
||||||
}
|
}
|
||||||
|
|
||||||
config.Certificates = make([]tls.Certificate, 1)
|
config.Certificates = make([]tls.Certificate, 1)
|
||||||
var err error
|
|
||||||
config.Certificates[0], err = tls.LoadX509KeyPair(certFile, keyFile)
|
certPEMBlock, err := ioutil.ReadFile(certFile)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Error("Failed to load https cert file %s for %s:%s: %v", certFile, srv.network, srv.address, err)
|
log.Error("Failed to load https cert file %s for %s:%s: %v", certFile, srv.network, srv.address, err)
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
keyPEMBlock, err := ioutil.ReadFile(keyFile)
|
||||||
|
if err != nil {
|
||||||
|
log.Error("Failed to load https key file %s for %s:%s: %v", keyFile, srv.network, srv.address, err)
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
config.Certificates[0], err = tls.X509KeyPair(certPEMBlock, keyPEMBlock)
|
||||||
|
if err != nil {
|
||||||
|
log.Error("Failed to create certificate from cert file %s and key file %s for %s:%s: %v", certFile, keyFile, srv.network, srv.address, err)
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
return srv.ListenAndServeTLSConfig(config, serve)
|
return srv.ListenAndServeTLSConfig(config, serve)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -554,6 +554,12 @@ func NewContext() {
|
||||||
Protocol = HTTPS
|
Protocol = HTTPS
|
||||||
CertFile = sec.Key("CERT_FILE").String()
|
CertFile = sec.Key("CERT_FILE").String()
|
||||||
KeyFile = sec.Key("KEY_FILE").String()
|
KeyFile = sec.Key("KEY_FILE").String()
|
||||||
|
if !filepath.IsAbs(CertFile) && len(CertFile) > 0 {
|
||||||
|
CertFile = filepath.Join(CustomPath, CertFile)
|
||||||
|
}
|
||||||
|
if !filepath.IsAbs(KeyFile) && len(KeyFile) > 0 {
|
||||||
|
KeyFile = filepath.Join(CustomPath, KeyFile)
|
||||||
|
}
|
||||||
case "fcgi":
|
case "fcgi":
|
||||||
Protocol = FCGI
|
Protocol = FCGI
|
||||||
case "fcgi+unix":
|
case "fcgi+unix":
|
||||||
|
|
Reference in a new issue