[feature] Allow loading TLS certs from disk (#1586)

Currently, GtS only supports using the built-in LE client directly for TLS. However, admins may still want to use GtS directly (so without a reverse proxy) but with certificates provided through some other mechanism. They may have some centralised way of provisioning these things themselves, or simply prefer to use LE but with a different challenge like DNS-01 which is not supported by autocert. This adds support for loading a public/private keypair from disk instead of using LE and reconfigures the server to use a TLS listener if we succeed in doing so. Additionally, being able to load TLS keypair from disk opens up the path to using a custom CA for testing purposes avoinding the need for a constellation of containers and something like Pebble or Step CA to provide LE APIs.
2025-11-26 01:13:33 -06:00 · 2023-03-04 18:24:02 +01:00 · 2023-03-04 18:24:02 +01:00 · d2f6de0185
commit d2f6de0185
parent ef074752d0
12 changed files with 153 additions and 4 deletions
--- a/internal/config/config.go
+++ b/internal/config/config.go
@ -114,6 +114,9 @@ type Configuration struct {
 	LetsEncryptCertDir      string `name:"letsencrypt-cert-dir" usage:"Directory to store acquired letsencrypt certificates."`
 	LetsEncryptEmailAddress string `name:"letsencrypt-email-address" usage:"Email address to use when requesting letsencrypt certs. Will receive updates on cert expiry etc."`

+	TLSCertificateChain string `name:"tls-certificate-chain" usage:"Filesystem path to the certificate chain including any intermediate CAs and the TLS public key"`
+	TLSCertificateKey   string `name:"tls-certificate-key" usage:"Filesystem path to the TLS private key"`
+
 	OIDCEnabled          bool     `name:"oidc-enabled" usage:"Enabled OIDC authorization for this instance. If set to true, then the other OIDC flags must also be set."`
 	OIDCIdpName          string   `name:"oidc-idp-name" usage:"Name of the OIDC identity provider. Will be shown to the user when logging in."`
 	OIDCSkipVerification bool     `name:"oidc-skip-verification" usage:"Skip verification of tokens returned by the OIDC provider. Should only be set to 'true' for testing purposes, never in a production environment!"`
--- a/internal/config/defaults.go
+++ b/internal/config/defaults.go
@ -91,6 +91,9 @@ var Defaults = Configuration{
 	LetsEncryptCertDir:      "/gotosocial/storage/certs",
 	LetsEncryptEmailAddress: "",

+	TLSCertificateChain: "",
+	TLSCertificateKey:   "",
+
 	OIDCEnabled:          false,
 	OIDCIdpName:          "",
 	OIDCSkipVerification: false,
--- a/internal/config/flags.go
+++ b/internal/config/flags.go
@ -114,6 +114,10 @@ func (s *ConfigState) AddServerFlags(cmd *cobra.Command) {
 		cmd.Flags().String(LetsEncryptCertDirFlag(), cfg.LetsEncryptCertDir, fieldtag("LetsEncryptCertDir", "usage"))
 		cmd.Flags().String(LetsEncryptEmailAddressFlag(), cfg.LetsEncryptEmailAddress, fieldtag("LetsEncryptEmailAddress", "usage"))

+		// Manual TLS
+		cmd.Flags().String(TLSCertificateChainFlag(), cfg.TLSCertificateChain, fieldtag("TLSCertificateChain", "usage"))
+		cmd.Flags().String(TLSCertificateKeyFlag(), cfg.TLSCertificateKey, fieldtag("TLSCertificateKey", "usage"))
+
 		// OIDC
 		cmd.Flags().Bool(OIDCEnabledFlag(), cfg.OIDCEnabled, fieldtag("OIDCEnabled", "usage"))
 		cmd.Flags().String(OIDCIdpNameFlag(), cfg.OIDCIdpName, fieldtag("OIDCIdpName", "usage"))
--- a/internal/config/helpers.gen.go
+++ b/internal/config/helpers.gen.go
@ -1524,6 +1524,56 @@ func GetLetsEncryptEmailAddress() string { return global.GetLetsEncryptEmailAddr
 // SetLetsEncryptEmailAddress safely sets the value for global configuration 'LetsEncryptEmailAddress' field
 func SetLetsEncryptEmailAddress(v string) { global.SetLetsEncryptEmailAddress(v) }

+// GetTLSCertificateChain safely fetches the Configuration value for state's 'TLSCertificateChain' field
+func (st *ConfigState) GetTLSCertificateChain() (v string) {
+	st.mutex.Lock()
+	v = st.config.TLSCertificateChain
+	st.mutex.Unlock()
+	return
+}
+
+// SetTLSCertificateChain safely sets the Configuration value for state's 'TLSCertificateChain' field
+func (st *ConfigState) SetTLSCertificateChain(v string) {
+	st.mutex.Lock()
+	defer st.mutex.Unlock()
+	st.config.TLSCertificateChain = v
+	st.reloadToViper()
+}
+
+// TLSCertificateChainFlag returns the flag name for the 'TLSCertificateChain' field
+func TLSCertificateChainFlag() string { return "tls-certificate-chain" }
+
+// GetTLSCertificateChain safely fetches the value for global configuration 'TLSCertificateChain' field
+func GetTLSCertificateChain() string { return global.GetTLSCertificateChain() }
+
+// SetTLSCertificateChain safely sets the value for global configuration 'TLSCertificateChain' field
+func SetTLSCertificateChain(v string) { global.SetTLSCertificateChain(v) }
+
+// GetTLSCertificateKey safely fetches the Configuration value for state's 'TLSCertificateKey' field
+func (st *ConfigState) GetTLSCertificateKey() (v string) {
+	st.mutex.Lock()
+	v = st.config.TLSCertificateKey
+	st.mutex.Unlock()
+	return
+}
+
+// SetTLSCertificateKey safely sets the Configuration value for state's 'TLSCertificateKey' field
+func (st *ConfigState) SetTLSCertificateKey(v string) {
+	st.mutex.Lock()
+	defer st.mutex.Unlock()
+	st.config.TLSCertificateKey = v
+	st.reloadToViper()
+}
+
+// TLSCertificateKeyFlag returns the flag name for the 'TLSCertificateKey' field
+func TLSCertificateKeyFlag() string { return "tls-certificate-key" }
+
+// GetTLSCertificateKey safely fetches the value for global configuration 'TLSCertificateKey' field
+func GetTLSCertificateKey() string { return global.GetTLSCertificateKey() }
+
+// SetTLSCertificateKey safely sets the value for global configuration 'TLSCertificateKey' field
+func SetTLSCertificateKey(v string) { global.SetTLSCertificateKey(v) }
+
 // GetOIDCEnabled safely fetches the Configuration value for state's 'OIDCEnabled' field
 func (st *ConfigState) GetOIDCEnabled() (v bool) {
 	st.mutex.Lock()
--- a/internal/config/validate.go
+++ b/internal/config/validate.go
@ -67,6 +67,19 @@ func Validate() error {
 		errs = append(errs, fmt.Errorf("%s must be set", WebAssetBaseDirFlag()))
 	}

+	tlsChain := GetTLSCertificateChain()
+	tlsKey := GetTLSCertificateKey()
+	tlsChainFlag := TLSCertificateChainFlag()
+	tlsKeyFlag := TLSCertificateKeyFlag()
+
+	if GetLetsEncryptEnabled() && (tlsChain != "" || tlsKey != "") {
+		errs = append(errs, fmt.Errorf("%s cannot be enabled when %s and/or %s are also set", LetsEncryptEnabledFlag(), tlsChainFlag, tlsKeyFlag))
+	}
+
+	if (tlsChain != "" && tlsKey == "") || (tlsChain == "" && tlsKey != "") {
+		errs = append(errs, fmt.Errorf("%s and %s need to both be set or unset", tlsChainFlag, tlsKeyFlag))
+	}
+
 	if len(errs) > 0 {
 		errStrings := []string{}
 		for _, err := range errs {
--- a/internal/router/router.go
+++ b/internal/router/router.go
@ -20,6 +20,7 @@ package router

 import (
 	"context"
+	"crypto/tls"
 	"fmt"
 	"net"
 	"net/http"
@ -78,6 +79,26 @@ func (r *router) Start() {
 	// but updated to TLS if LetsEncrypt is enabled.
 	listen := r.srv.ListenAndServe

+	// During config validation we already checked that both Chain and Key are set
+	// so we can forego checking for both here
+	if chain := config.GetTLSCertificateChain(); chain != "" {
+		pkey := config.GetTLSCertificateKey()
+		cer, err := tls.LoadX509KeyPair(chain, pkey)
+		if err != nil {
+			log.Fatalf(
+				nil,
+				"tls: failed to load keypair from %s and %s, ensure they are PEM-encoded and can be read by this process: %s",
+				chain, pkey, err,
+			)
+		}
+		r.srv.TLSConfig = &tls.Config{
+			MinVersion:   tls.VersionTLS12,
+			Certificates: []tls.Certificate{cer},
+		}
+		// TLS is enabled, update the listen function
+		listen = func() error { return r.srv.ListenAndServeTLS("", "") }
+	}
+
 	if config.GetLetsEncryptEnabled() {
 		// LetsEncrypt support is enabled