From ec612b33bcf7d16dd17e9b6c50dfb1582e3a7475 Mon Sep 17 00:00:00 2001 From: zeripath Date: Sun, 19 Jan 2020 19:07:44 +0000 Subject: [PATCH] Make CertFile and KeyFile relative to CustomPath (#9868) * Make CertFile and KeyFile relative to CustomPath The current code will absolute CertFile and KeyFile against the current working directory. This is quite unexpected for users. This code makes relative paths absolute against the CustomPath. Fix #4196 * Improve error reporting when reading certificates * Apply suggestions from code review Co-Authored-By: guillep2k <18600385+guillep2k@users.noreply.github.com> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com> --- docs/content/doc/advanced/config-cheat-sheet.en-us.md | 4 ++-- modules/graceful/server.go | 18 ++++++++++++++++-- modules/setting/setting.go | 6 ++++++ 3 files changed, 24 insertions(+), 4 deletions(-) diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md index 2cce34bd8..d63eaf8e4 100644 --- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md +++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md @@ -181,8 +181,8 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`. - `SSH_LISTEN_PORT`: **%(SSH\_PORT)s**: Port for the built-in SSH server. - `OFFLINE_MODE`: **false**: Disables use of CDN for static files and Gravatar for profile pictures. - `DISABLE_ROUTER_LOG`: **false**: Mute printing of the router log. -- `CERT_FILE`: **custom/https/cert.pem**: Cert file path used for HTTPS. -- `KEY_FILE`: **custom/https/key.pem**: Key file path used for HTTPS. +- `CERT_FILE`: **https/cert.pem**: Cert file path used for HTTPS. From 1.11 paths are relative to `CUSTOM_PATH`. +- `KEY_FILE`: **https/key.pem**: Key file path used for HTTPS. From 1.11 paths are relative to `CUSTOM_PATH`. - `STATIC_ROOT_PATH`: **./**: Upper level of template and static files path. - `STATIC_CACHE_TIME`: **6h**: Web browser cache time for static resources on `custom/`, `public/` and all uploaded avatars. - `ENABLE_GZIP`: **false**: Enables application-level GZIP support. diff --git a/modules/graceful/server.go b/modules/graceful/server.go index 30fb8cdff..19ce8a866 100644 --- a/modules/graceful/server.go +++ b/modules/graceful/server.go @@ -7,6 +7,7 @@ package graceful import ( "crypto/tls" + "io/ioutil" "net" "os" "strings" @@ -99,12 +100,25 @@ func (srv *Server) ListenAndServeTLS(certFile, keyFile string, serve ServeFuncti } config.Certificates = make([]tls.Certificate, 1) - var err error - config.Certificates[0], err = tls.LoadX509KeyPair(certFile, keyFile) + + certPEMBlock, err := ioutil.ReadFile(certFile) if err != nil { log.Error("Failed to load https cert file %s for %s:%s: %v", certFile, srv.network, srv.address, err) return err } + + keyPEMBlock, err := ioutil.ReadFile(keyFile) + if err != nil { + log.Error("Failed to load https key file %s for %s:%s: %v", keyFile, srv.network, srv.address, err) + return err + } + + config.Certificates[0], err = tls.X509KeyPair(certPEMBlock, keyPEMBlock) + if err != nil { + log.Error("Failed to create certificate from cert file %s and key file %s for %s:%s: %v", certFile, keyFile, srv.network, srv.address, err) + return err + } + return srv.ListenAndServeTLSConfig(config, serve) } diff --git a/modules/setting/setting.go b/modules/setting/setting.go index 17c84d3d3..4183c203e 100644 --- a/modules/setting/setting.go +++ b/modules/setting/setting.go @@ -554,6 +554,12 @@ func NewContext() { Protocol = HTTPS CertFile = sec.Key("CERT_FILE").String() KeyFile = sec.Key("KEY_FILE").String() + if !filepath.IsAbs(CertFile) && len(CertFile) > 0 { + CertFile = filepath.Join(CustomPath, CertFile) + } + if !filepath.IsAbs(KeyFile) && len(KeyFile) > 0 { + KeyFile = filepath.Join(CustomPath, KeyFile) + } case "fcgi": Protocol = FCGI case "fcgi+unix":