[feature] Allow loading TLS certs from disk (#1586)

Currently, GtS only supports using the built-in LE client directly for
TLS. However, admins may still want to use GtS directly (so without a
reverse proxy) but with certificates provided through some other
mechanism. They may have some centralised way of provisioning these
things themselves, or simply prefer to use LE but with a different
challenge like DNS-01 which is not supported by autocert.

This adds support for loading a public/private keypair from disk instead
of using LE and reconfigures the server to use a TLS listener if we
succeed in doing so.

Additionally, being able to load a TLS keypair from disk opens up the path
to using a custom CA for testing purposes, avoiding the need for a
constellation of containers and something like Pebble or Step CA to
provide LE APIs.
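The commit message above describes the two pieces the change needs: a decision about which TLS method is in use, and loading a PEM certificate chain plus private key from disk into a TLS listener configuration. The Go snippet below is an added example written for this page, not GoToSocial's own code: the `TLSSettings` struct, the `BuildTLSConfig` and `WriteSelfSignedPair` functions and the error values are hypothetical names, and the certificate it loads is a constructed self-signed one written to a temporary directory so the example runs offline. It goes slightly beyond the commit by enforcing the mutual exclusion the docs state, requiring both file paths together, pinning a TLS 1.2 floor, and writing the key file with owner-only permissions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// TLSSettings mirrors the two configuration methods from the docs hunk.
// Hypothetical field names; this is not GoToSocial's real config struct.
type TLSSettings struct {
	LetsEncryptEnabled   bool
	CertificateChainPath string // tls-certificate-chain
	CertificateKeyPath   string // tls-certificate-key
}

var (
	ErrBothTLSMethods      = errors.New("letsencrypt and manual TLS files cannot both be enabled")
	ErrIncompleteManualTLS = errors.New("tls-certificate-chain and tls-certificate-key must both be set")
)

// BuildTLSConfig picks the TLS method and, for manual files, loads the keypair.
// It returns a nil config when no manual files are configured so the caller can
// fall back to the built-in LE client or plain HTTP behind a proxy.
func BuildTLSConfig(s TLSSettings) (*tls.Config, error) {
	manual := s.CertificateChainPath != "" || s.CertificateKeyPath != ""
	if s.LetsEncryptEnabled && manual {
		return nil, ErrBothTLSMethods // the docs say both cannot be enabled at once
	}
	if !manual {
		return nil, nil
	}
	if s.CertificateChainPath == "" || s.CertificateKeyPath == "" {
		return nil, ErrIncompleteManualTLS // a chain without its key is useless
	}
	cert, err := tls.LoadX509KeyPair(s.CertificateChainPath, s.CertificateKeyPath)
	if err != nil {
		return nil, fmt.Errorf("loading TLS keypair from disk: %w", err)
	}
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12, // refuse legacy protocol versions
	}, nil
}

// WriteSelfSignedPair writes a constructed self-signed certificate and key in the
// PEM layout the docs expect (chain.pem / private.pem) and returns their paths.
func WriteSelfSignedPair(dir string) (chainPath, keyPath string, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.org"},
		DNSNames:     []string{"example.org"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", "", err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return "", "", err
	}
	chainPath = filepath.Join(dir, "chain.pem")
	keyPath = filepath.Join(dir, "private.pem")
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	if err := os.WriteFile(chainPath, certPEM, 0o644); err != nil {
		return "", "", err
	}
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	// The private key is readable only by the user the service runs as.
	if err := os.WriteFile(keyPath, keyPEM, 0o600); err != nil {
		return "", "", err
	}
	return chainPath, keyPath, nil
}

func main() {
	dir, err := os.MkdirTemp("", "gts-tls-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	chain, key, err := WriteSelfSignedPair(dir)
	if err != nil {
		panic(err)
	}
	cfg, err := BuildTLSConfig(TLSSettings{CertificateChainPath: chain, CertificateKeyPath: key})
	if err != nil {
		panic(err)
	}
	fmt.Println("loaded certificates:", len(cfg.Certificates))
}
```

The returned `*tls.Config` is what would be handed to `http.Server` via its `TLSConfig` field before calling `ListenAndServeTLS` with empty file arguments; as the docs note, files loaded this way are read once at startup, so a renewed certificate needs a restart.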
Daenney
2023-03-04 18:24:02 +01:00
committed by GitHub
parent ef074752d0
commit d2f6de0185
12 changed files with 153 additions and 4 deletions


@@ -1,4 +1,12 @@
# LetsEncrypt
# TLS
It's possible to configure TLS support in one of two ways:
* Built-in support for Lets Encrypt / ACME compatible vendors
* Loading TLS files from disk
It is not possible to have both methods enabled at the same time.
Note that when using TLS files loaded from disk you are responsible for restarting the instance when the files change. They are not automatically reloaded.
## Settings
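Review bot: the new line "It is not possible to have both methods enabled at the same time." states the constraint but not the behaviour when both the letsencrypt-* settings and the tls-certificate-* paths are populated; say whether startup fails with an error or one method silently takes precedence, since an admin adding file paths to an existing LE setup needs to know which listener they end up with. Minor: the product name is "Let's Encrypt" in the first bullet.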
@@ -39,4 +47,20 @@ letsencrypt-cert-dir: "/gotosocial/storage/certs"
# Examples: ["admin@example.org"]
# Default: ""
letsencrypt-email-address: ""
##############################
##### MANUAL TLS CONFIG #####
##############################
# String. Path to a PEM-encoded file on disk that includes the certificate chain
# and the public key
# Examples: ["/gotosocial/storage/certs/chain.pem"]
# Default: ""
tls-certificate-chain: ""
# String. Path to a PEM-encoded file on disk containing the private key for the
# associated tls-certificate-chain
# Examples: ["/gotosocial/storage/certs/private.pem"]
# Default: ""
tls-certificate-key: ""
```
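Review bot: the tls-certificate-chain comment says the file "includes the certificate chain and the public key", but a PEM chain file holds certificates (the server certificate first, followed by any intermediates) and the public key is already inside the leaf certificate, so admins may go looking for a separate public-key block that does not exist; suggest "the server certificate followed by any intermediate certificates". The tls-certificate-key comment should also say that both settings must be set together (neither is useful alone) and that the key file must be readable by the user GoToSocial runs as and by nobody else.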