diff --git a/internal/home/tls.go b/internal/home/tls.go index 7742b5770..0c38b49fe 100644 --- a/internal/home/tls.go +++ b/internal/home/tls.go @@ -326,13 +326,13 @@ func (m *tlsManager) loadTLSConfig( } }() - err = loadCertificateChainData(tlsConf, status) + err = loadCertificateChainData(tlsConf) if err != nil { // Don't wrap the error, because it's informative enough as is. return err } - err = loadPrivateKeyData(tlsConf, status) + err = loadPrivateKeyData(tlsConf) if err != nil { // Don't wrap the error, because it's informative enough as is. return err @@ -350,8 +350,10 @@ func (m *tlsManager) loadTLSConfig( } // loadCertificateChainData loads PEM-encoded certificates chain data to the -// TLS configuration. -func loadCertificateChainData(tlsConf *tlsConfigSettings, status *tlsConfigStatus) (err error) { +// TLS configuration. tlsConf must be not nil. tlsConf.CertificateChainData +// struct field will be modified in case tlsConfig.CertificatePath is not an +// empty string. +func loadCertificateChainData(tlsConf *tlsConfigSettings) (err error) { tlsConf.CertificateChainData = []byte(tlsConf.CertificateChain) if tlsConf.CertificatePath != "" { if tlsConf.CertificateChain != "" { @@ -362,18 +364,15 @@ func loadCertificateChainData(tlsConf *tlsConfigSettings, status *tlsConfigStatu if err != nil { return fmt.Errorf("reading cert file: %w", err) } - - // Set status.ValidCert to true to signal the frontend that the - // certificate opens successfully while the private key can't be opened. - status.ValidCert = true } return nil } // loadPrivateKeyData loads PEM-encoded private key data to the TLS -// configuration. -func loadPrivateKeyData(tlsConf *tlsConfigSettings, status *tlsConfigStatus) (err error) { +// configuration. tlsConf must be not nil. tlsConf.PrivateKeyData struct field +// will be modified in case tlsConfig.PrivateKeyPath is not an empty string. +func loadPrivateKeyData(tlsConf *tlsConfigSettings) (err error) { tlsConf.PrivateKeyData = []byte(tlsConf.PrivateKey) if tlsConf.PrivateKeyPath != "" { if tlsConf.PrivateKey != "" { @@ -384,8 +383,6 @@ func loadPrivateKeyData(tlsConf *tlsConfigSettings, status *tlsConfigStatus) (er if err != nil { return fmt.Errorf("reading key file: %w", err) } - - status.ValidKey = true } return nil @@ -954,6 +951,8 @@ func (m *tlsManager) validateCertificates( return keyErr } + // Set status.ValidKey to true to signal the frontend that the + // key is valid. status.ValidKey = true } @@ -982,6 +981,9 @@ func (m *tlsManager) validateCertificate( // parseErr is a non-critical parse warning. var parseErr error var certs []*x509.Certificate + + // Set status.ValidCert to true to signal the frontend that the + // certificate opens successfully and certificate chain is valid. certs, status.ValidCert, parseErr = m.parseCertChain(ctx, certChain) if !status.ValidCert { // Don't wrap the error, since it's informative enough as is.