authorzeripath <art27@cantab.net>2020-01-19 19:07:44 +0000
committerGitHub <noreply@github.com>2020-01-19 19:07:44 +0000
commit1d7b7504d07e6d58dd7c4a37055a2d754374dee2 (patch)
tree8776a6daeb0c6eb5baf78258258ee26d6176a3e8
parent1803b38efcb919e43ab519e0f0e132d461149c39 (diff)
Make CertFile and KeyFile relative to CustomPath (#9868)
* Make CertFile and KeyFile relative to CustomPath The current code resolves a relative CertFile and KeyFile against the current working directory, which is quite unexpected for users. This change makes relative paths absolute against CustomPath instead. Fix #4196 * Improve error reporting when reading certificates * Apply suggestions from code review Co-Authored-By: guillep2k <18600385+guillep2k@users.noreply.github.com> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
-rw-r--r--custom/conf/app.ini.sample5
-rw-r--r--docs/content/doc/advanced/config-cheat-sheet.en-us.md4
-rw-r--r--modules/graceful/server.go18
-rw-r--r--modules/setting/setting.go6
4 files changed, 27 insertions, 6 deletions
diff --git a/custom/conf/app.ini.sample b/custom/conf/app.ini.sample
index 7e7dbbf5f3..971a99e264 100644
--- a/custom/conf/app.ini.sample
+++ b/custom/conf/app.ini.sample
@@ -282,8 +282,9 @@ DISABLE_ROUTER_LOG = false
; not forget to export the private key):
; $ openssl pkcs12 -in cert.pfx -out cert.pem -nokeys
; $ openssl pkcs12 -in cert.pfx -out key.pem -nocerts -nodes
-CERT_FILE = custom/https/cert.pem
-KEY_FILE = custom/https/key.pem
+; Paths are relative to CUSTOM_PATH
+CERT_FILE = https/cert.pem
+KEY_FILE = https/key.pem
; Root directory containing templates and static files.
; default is the path where Gitea is executed
STATIC_ROOT_PATH =
diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
index 2cce34bd89..d63eaf8e46 100644
--- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -181,8 +181,8 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
- `SSH_LISTEN_PORT`: **%(SSH\_PORT)s**: Port for the built-in SSH server.
- `OFFLINE_MODE`: **false**: Disables use of CDN for static files and Gravatar for profile pictures.
- `DISABLE_ROUTER_LOG`: **false**: Mute printing of the router log.
-- `CERT_FILE`: **custom/https/cert.pem**: Cert file path used for HTTPS.
-- `KEY_FILE`: **custom/https/key.pem**: Key file path used for HTTPS.
+- `CERT_FILE`: **https/cert.pem**: Cert file path used for HTTPS. From 1.11 paths are relative to `CUSTOM_PATH`.
+- `KEY_FILE`: **https/key.pem**: Key file path used for HTTPS. From 1.11 paths are relative to `CUSTOM_PATH`.
- `STATIC_ROOT_PATH`: **./**: Upper level of template and static files path.
- `STATIC_CACHE_TIME`: **6h**: Web browser cache time for static resources on `custom/`, `public/` and all uploaded avatars.
- `ENABLE_GZIP`: **false**: Enables application-level GZIP support.
diff --git a/modules/graceful/server.go b/modules/graceful/server.go
index 30fb8cdffa..19ce8a866f 100644
--- a/modules/graceful/server.go
+++ b/modules/graceful/server.go
@@ -7,6 +7,7 @@ package graceful
import (
"crypto/tls"
+ "io/ioutil"
"net"
"os"
"strings"
@@ -99,12 +100,25 @@ func (srv *Server) ListenAndServeTLS(certFile, keyFile string, serve ServeFuncti
}
config.Certificates = make([]tls.Certificate, 1)
- var err error
- config.Certificates[0], err = tls.LoadX509KeyPair(certFile, keyFile)
+
+ certPEMBlock, err := ioutil.ReadFile(certFile)
if err != nil {
log.Error("Failed to load https cert file %s for %s:%s: %v", certFile, srv.network, srv.address, err)
return err
}
+
+ keyPEMBlock, err := ioutil.ReadFile(keyFile)
+ if err != nil {
+ log.Error("Failed to load https key file %s for %s:%s: %v", keyFile, srv.network, srv.address, err)
+ return err
+ }
+
+ config.Certificates[0], err = tls.X509KeyPair(certPEMBlock, keyPEMBlock)
+ if err != nil {
+ log.Error("Failed to create certificate from cert file %s and key file %s for %s:%s: %v", certFile, keyFile, srv.network, srv.address, err)
+ return err
+ }
+
return srv.ListenAndServeTLSConfig(config, serve)
}
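Review bot: The new code reads the private key with ioutil.ReadFile at the keyPEMBlock line but never looks at the key file's permissions, so a key that is group- or world-readable is loaded silently; since this hunk now owns the read, it is the natural place to warn, e.g. `if fi, statErr := os.Stat(keyFile); statErr == nil && fi.Mode().Perm()&0077 != 0 { log.Warn("https key file %s is readable by group/others (mode %#o)", keyFile, fi.Mode().Perm()) }` placed before the ReadFile call (`os` is already imported above). Unix permission bits carry no meaning on Windows, so this should stay a warning rather than a refusal, and I cannot confirm from here that the log package used in this file exposes Warn. The signature of ListenAndServeTLS sits on the hunk header, so the start of the function is outside the hunk.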
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index 17c84d3d31..4183c203ed 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -554,6 +554,12 @@ func NewContext() {
Protocol = HTTPS
CertFile = sec.Key("CERT_FILE").String()
KeyFile = sec.Key("KEY_FILE").String()
+ if !filepath.IsAbs(CertFile) && len(CertFile) > 0 {
+ CertFile = filepath.Join(CustomPath, CertFile)
+ }
+ if !filepath.IsAbs(KeyFile) && len(KeyFile) > 0 {
+ KeyFile = filepath.Join(CustomPath, KeyFile)
+ }
case "fcgi":
Protocol = FCGI
case "fcgi+unix":
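Review bot: The two new guards in the https arm leave an empty CERT_FILE/KEY_FILE untouched without saying why, and a reader may take the `len(...) > 0` check for a redundant test; the reason is that `filepath.Join(CustomPath, "")` returns CustomPath itself, which would turn an unset key into a directory path, so add `// Leave empty values alone: Join(CustomPath, "") would yield CustomPath itself.` above the first `if`. The result is only working-directory independent if CustomPath is already absolute when NewContext runs; that is set outside this hunk, so worth confirming. This is also a behaviour change for existing configs that still carry the old `custom/https/...` sample values: they now resolve under CUSTOM_PATH and, judging by the server.go hunk, presumably fail at startup with a file-read error, which may deserve a log hint pointing at the new semantics. NewContext and its switch both start before this hunk and continue after it.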