
core/certmanager.lua @ 7122:89c51ee23122

core.certmanager: Look for certificate and key in a few different places
author Kim Alvefur <zash@zash.se>
date Wed, 03 Feb 2016 22:44:29 +0100
parent 6903:5ff42d85d4d5
child 7140:b19438c2ca1b
7118:dacc07833b86 7122:89c51ee23122
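--- a/core/certmanager.lua
+++ b/core/certmanager.lua
@@ -21,10 +21,11 @@
 local log = require "util.logger".init("certmanager");
 local ssl_context = ssl.context or softreq"ssl.context";
 local ssl_x509 = ssl.x509 or softreq"ssl.x509";
 local ssl_newcontext = ssl.newcontext;
 local new_config = require"util.sslconfig".new;
+local stat = require "lfs".attributes;
 
 local tostring = tostring;
 local pairs = pairs;
 local type = type;
 local io_open = io.open;
@@ -47,10 +48,36 @@
 
 local _ENV = nil;
 
 -- Global SSL options if not overridden per-host
 local global_ssl_config = configmanager.get("*", "ssl");
+
+local global_certificates = configmanager.get("*", "certificates") or "certs";
+
+local crt_try = { "", "/%s.crt", "/%s/fullchain.pem", "/%s.pem", };
+local key_try = { "", "/%s.key", "/%s/privkey.pem", "/%s.pem", };
+
+local function find_cert(host)
+local certs = configmanager.get(host, "certificate") or global_certificates;
+certs = resolve_path(config_path, certs);
+for i = 1, #crt_try do
+local crt_path = certs .. crt_try[i]:format(host);
+local key_path = certs .. key_try[i]:format(host);
+
+if stat(crt_path, "mode") == "file" then
+if stat(key_path, "mode") == "file" then
+return { certificate = crt_path, key = key_path };
+end
+if key_path:sub(-4) == ".crt" then
+key_path = key_path:sub(1, -4) .. "key";
+if stat(key_path, "mode") == "file" then
+return { certificate = crt_path, key = key_path };
+end
+end
+end
+end
+end
 
 -- Built-in defaults
 local core_defaults = {
 capath = "/etc/ssl/certs";
 depth = 9;
@@ -80,10 +107,11 @@
 
 local function create_context(host, mode, ...)
 local cfg = new_config();
 cfg:apply(core_defaults);
 cfg:apply(global_ssl_config);
+cfg:apply(find_cert(host) or find_cert(host:match("%.(.*)")));
 cfg:apply({
 mode = mode,
 -- We can't read the password interactively when daemonized
 password = function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end;
 });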
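Review bot: `find_cert(host:match("%.(.*)"))` on new line 112 passes nil whenever `host` contains no dot (a single-label hostname), and inside `find_cert` that nil reaches `crt_try[i]:format(host)` on the second iteration, which on Lua 5.1 raises "bad argument" for a nil `%s` operand, so context creation for such a host would error out instead of falling through; on 5.2+ it would silently probe paths built from the literal text "nil". A one-line guard at the top of `find_cert`, `if not host then return; end`, keeps the existing nothing-found outcome (a nil handed to `cfg:apply`, which this hunk already relies on being tolerated — verify against util.sslconfig, which is not shown here). The lookup also accepts any regular file as the key, so a private key readable by other local users is used without comment; if the lfs attribute for permissions is available in this codebase, a `log("warn", ...)` when the key file is group- or world-readable would be a cheap operational check. `find_cert` should additionally carry an LDoc block stating the search order implied by `crt_try`/`key_try`, the `.crt`→`.key` substitution, and the parent-domain fallback made by `create_context`, since callers otherwise have to infer all three.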