Pull request 2588: AGDNS-3684-fix-tls-status

Squashed commit of the following:

commit 0aa099cd1f
Merge: 94ed08dcb 8c9756f32
Author: Maksim Kazantsev <m.kazantsev@adguard.com>
Date:   Wed Feb 25 18:40:29 2026 +0300

    Merge branch 'master' into AGDNS-3684-fix-tls-status

commit 94ed08dcb3
Merge: 229f678c8 4c1dcfee4
Author: Maksim Kazantsev <m.kazantsev@adguard.com>
Date:   Wed Feb 25 18:20:38 2026 +0300

    Merge branch 'master' into AGDNS-3684-fix-tls-status
    all: merge changes from master;

commit 229f678c8f
Author: Maksim Kazantsev <m.kazantsev@adguard.com>
Date:   Thu Feb 19 15:49:55 2026 +0300

    home: add contracts;

commit 079e9738ee
Author: Maksim Kazantsev <m.kazantsev@adguard.com>
Date:   Wed Feb 18 13:28:26 2026 +0300

    home: upd ValidCert and ValidKey fields value setting logic; rm unused function params;
Maksim Kazantsev 2026-02-25 15:50:12 +00:00
parent 8c9756f32f
commit ad09387502


@ -326,13 +326,13 @@ func (m *tlsManager) loadTLSConfig(
}
}()
err = loadCertificateChainData(tlsConf, status)
err = loadCertificateChainData(tlsConf)
if err != nil {
// Don't wrap the error, because it's informative enough as is.
return err
}
err = loadPrivateKeyData(tlsConf, status)
err = loadPrivateKeyData(tlsConf)
if err != nil {
// Don't wrap the error, because it's informative enough as is.
return err
@ -350,8 +350,10 @@ func (m *tlsManager) loadTLSConfig(
}
// loadCertificateChainData loads PEM-encoded certificates chain data to the
// TLS configuration.
func loadCertificateChainData(tlsConf *tlsConfigSettings, status *tlsConfigStatus) (err error) {
// TLS configuration. tlsConf must be not nil. tlsConf.CertificateChainData
// struct field will be modified in case tlsConfig.CertificatePath is not an
// empty string.
func loadCertificateChainData(tlsConf *tlsConfigSettings) (err error) {
tlsConf.CertificateChainData = []byte(tlsConf.CertificateChain)
if tlsConf.CertificatePath != "" {
if tlsConf.CertificateChain != "" {
@ -362,18 +364,15 @@ func loadCertificateChainData(tlsConf *tlsConfigSettings, status *tlsConfigStatu
if err != nil {
return fmt.Errorf("reading cert file: %w", err)
}
// Set status.ValidCert to true to signal the frontend that the
// certificate opens successfully while the private key can't be opened.
status.ValidCert = true
}
return nil
}
// loadPrivateKeyData loads PEM-encoded private key data to the TLS
// configuration.
func loadPrivateKeyData(tlsConf *tlsConfigSettings, status *tlsConfigStatus) (err error) {
// configuration. tlsConf must be not nil. tlsConf.PrivateKeyData struct field
// will be modified in case tlsConfig.PrivateKeyPath is not an empty string.
func loadPrivateKeyData(tlsConf *tlsConfigSettings) (err error) {
tlsConf.PrivateKeyData = []byte(tlsConf.PrivateKey)
if tlsConf.PrivateKeyPath != "" {
if tlsConf.PrivateKey != "" {
@ -384,8 +383,6 @@ func loadPrivateKeyData(tlsConf *tlsConfigSettings, status *tlsConfigStatus) (er
if err != nil {
return fmt.Errorf("reading key file: %w", err)
}
status.ValidKey = true
}
return nil
@ -954,6 +951,8 @@ func (m *tlsManager) validateCertificates(
return keyErr
}
// Set status.ValidKey to true to signal the frontend that the
// key is valid.
status.ValidKey = true
}
@ -982,6 +981,9 @@ func (m *tlsManager) validateCertificate(
// parseErr is a non-critical parse warning.
var parseErr error
var certs []*x509.Certificate
// Set status.ValidCert to true to signal the frontend that the
// certificate opens successfully and certificate chain is valid.
certs, status.ValidCert, parseErr = m.parseCertChain(ctx, certChain)
if !status.ValidCert {
// Don't wrap the error, since it's informative enough as is.