From 86278d1db7a2105058c4a0f8a1f42ec89faf1438 Mon Sep 17 00:00:00 2001
From: zeripath
Date: Sun, 19 Jan 2020 09:30:22 +0000
Subject: [PATCH 1/3] Make CertFile and KeyFile relative to CustomPath
The current code will absolute CertFile and KeyFile against the current working directory. This is quite unexpected for users. This code makes relative paths absolute against the CustomPath.
Fix #4196
---
 custom/conf/app.ini.sample | 5 +++--
 docs/content/doc/advanced/config-cheat-sheet.en-us.md | 4 ++--
 modules/setting/setting.go | 6 ++++++
 3 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/custom/conf/app.ini.sample b/custom/conf/app.ini.sample
index 7e7dbbf5f36cc..cbed0b5114b16 100644
--- a/custom/conf/app.ini.sample
+++ b/custom/conf/app.ini.sample
@@ -282,8 +282,9 @@ DISABLE_ROUTER_LOG = false
 ; not forget to export the private key):
 ; $ openssl pkcs12 -in cert.pfx -out cert.pem -nokeys
 ; $ openssl pkcs12 -in cert.pfx -out key.pem -nocerts -nodes
-CERT_FILE = custom/https/cert.pem
-KEY_FILE = custom/https/key.pem
+; Relative paths will be made absolute against the CUSTOM_PATH
+CERT_FILE = https/cert.pem
+KEY_FILE = https/key.pem
 ; Root directory containing templates and static files.
 ; default is the path where Gitea is executed
 STATIC_ROOT_PATH =
diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
index 2cce34bd8976f..7be046aa7ff5f 100644
--- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -181,8 +181,8 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
 - `SSH_LISTEN_PORT`: **%(SSH\_PORT)s**: Port for the built-in SSH server.
 - `OFFLINE_MODE`: **false**: Disables use of CDN for static files and Gravatar for profile pictures.
 - `DISABLE_ROUTER_LOG`: **false**: Mute printing of the router log.
-- `CERT_FILE`: **custom/https/cert.pem**: Cert file path used for HTTPS.
-- `KEY_FILE`: **custom/https/key.pem**: Key file path used for HTTPS.
+- `CERT_FILE`: **https/cert.pem**: Cert file path used for HTTPS. From 1.12 relative paths will be made absolute against `CUSTOM_PATH`.
+- `KEY_FILE`: **https/key.pem**: Key file path used for HTTPS. From 1.12 relative paths will be made absolute against `CUSTOM_PATH`.
 - `STATIC_ROOT_PATH`: **./**: Upper level of template and static files path.
 - `STATIC_CACHE_TIME`: **6h**: Web browser cache time for static resources on `custom/`, `public/` and all uploaded avatars.
 - `ENABLE_GZIP`: **false**: Enables application-level GZIP support.
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index 17c84d3d313fe..4183c203ed08f 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -554,6 +554,12 @@ func NewContext() {
 Protocol = HTTPS
 CertFile = sec.Key("CERT_FILE").String()
 KeyFile = sec.Key("KEY_FILE").String()
+ if !filepath.IsAbs(CertFile) && len(CertFile) > 0 {
+ CertFile = filepath.Join(CustomPath, CertFile)
+ }
+ if !filepath.IsAbs(KeyFile) && len(KeyFile) > 0 {
+ KeyFile = filepath.Join(CustomPath, KeyFile)
+ }
 case "fcgi":
 Protocol = FCGI
 case "fcgi+unix":
From a7aa2645ee30e1fcf664c4a7202ce3d3b7dbfb71 Mon Sep 17 00:00:00 2001
From: Andrew Thornton
Date: Sun, 19 Jan 2020 11:21:16 +0000
Subject: [PATCH 2/3] Improve error reporting when reading certificates
---
 modules/graceful/server.go | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
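Review bot: The two added conditionals re-home every relative CERT_FILE/KEY_FILE under CustomPath without telling the operator, so an existing install that kept the previous default `custom/https/cert.pem` (the value this patch removes from app.ini.sample) will now be resolved to `<CustomPath>/custom/https/cert.pem` and only fail later, when the TLS listener cannot read it. I would log the rewrite where it happens, e.g. `log.Info("CERT_FILE %q resolved against CUSTOM_PATH to %q", sec.Key("CERT_FILE").String(), CertFile)` and the same for KEY_FILE, assuming the log package used elsewhere in this file is in scope here — the hunk does not show it. The two blocks are identical apart from the variable; a small helper such as `func absCustomPath(p string) string` holding the `p == "" || filepath.IsAbs(p)` guard would keep cert and key handling from drifting if more paths get the same treatment. This also presumes CustomPath is already populated before NewContext reaches this switch, which cannot be confirmed from the hunk. NewContext begins and ends outside this hunk.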
diff --git a/modules/graceful/server.go b/modules/graceful/server.go
index 30fb8cdffa3af..19ce8a866f3d6 100644
--- a/modules/graceful/server.go
+++ b/modules/graceful/server.go
@@ -7,6 +7,7 @@ package graceful
 import (
 "crypto/tls"
+ "io/ioutil"
 "net"
 "os"
 "strings"
@@ -99,12 +100,25 @@ func (srv *Server) ListenAndServeTLS(certFile, keyFile string, serve ServeFuncti
 }
 config.Certificates = make([]tls.Certificate, 1)
- var err error
- config.Certificates[0], err = tls.LoadX509KeyPair(certFile, keyFile)
+
+ certPEMBlock, err := ioutil.ReadFile(certFile)
 if err != nil {
 log.Error("Failed to load https cert file %s for %s:%s: %v", certFile, srv.network, srv.address, err)
 return err
 }
+
+ keyPEMBlock, err := ioutil.ReadFile(keyFile)
+ if err != nil {
+ log.Error("Failed to load https key file %s for %s:%s: %v", keyFile, srv.network, srv.address, err)
+ return err
+ }
+
+ config.Certificates[0], err = tls.X509KeyPair(certPEMBlock, keyPEMBlock)
+ if err != nil {
+ log.Error("Failed to create certificate from cert file %s and key file %s for %s:%s: %v", certFile, keyFile, srv.network, srv.address, err)
+ return err
+ }
+
 return srv.ListenAndServeTLSConfig(config, serve)
 }
From 69fd25d98e654c2916bd64a4c8c4fba217ea38c7 Mon Sep 17 00:00:00 2001
From: zeripath
Date: Sun, 19 Jan 2020 18:34:04 +0000
Subject: [PATCH 3/3] Apply suggestions from code review
Co-Authored-By: guillep2k <18600385+guillep2k@users.noreply.github.com>
---
 custom/conf/app.ini.sample | 2 +-
 docs/content/doc/advanced/config-cheat-sheet.en-us.md | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/custom/conf/app.ini.sample b/custom/conf/app.ini.sample
index cbed0b5114b16..971a99e264f46 100644
--- a/custom/conf/app.ini.sample
+++ b/custom/conf/app.ini.sample
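Review bot: Now that ListenAndServeTLS opens the key file itself instead of going through tls.LoadX509KeyPair, the new `keyPEMBlock, err := ioutil.ReadFile(keyFile)` branch is the natural place to check the key's permissions: a private key readable by group or others can be copied by any other local account, and the added error branch proceeds happily as long as the gitea user can read it. I would stat keyFile once the read succeeds and `log.Warn` when `fi.Mode().Perm()&0077 != 0`, skipping the check on Windows where Go's permission bits carry no real information; `os` is already imported in the hunk above, but this needs `runtime` added to the import block and assumes the log package here exposes Warn. The three error paths log and return the same err, so the caller presumably logs it again; that pattern predates this change and is left as is. The signature and opening of ListenAndServeTLS lie outside the hunk.
```go
	keyPEMBlock, err := ioutil.ReadFile(keyFile)
	if err != nil {
		log.Error("Failed to load https key file %s for %s:%s: %v", keyFile, srv.network, srv.address, err)
		return err
	}
	// Unix only: a private key readable by group/others can be copied by other local accounts.
	// Go reports no meaningful permission bits on Windows, so the check is skipped there.
	if runtime.GOOS != "windows" {
		if fi, statErr := os.Stat(keyFile); statErr == nil && fi.Mode().Perm()&0077 != 0 {
			log.Warn("https key file %s is readable by group/others (mode %04o); restrict it to the gitea user", keyFile, fi.Mode().Perm())
		}
	}
	// … unchanged: tls.X509KeyPair, its error branch and ListenAndServeTLSConfig …
```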
@@ -282,7 +282,7 @@ DISABLE_ROUTER_LOG = false
 ; not forget to export the private key):
 ; $ openssl pkcs12 -in cert.pfx -out cert.pem -nokeys
 ; $ openssl pkcs12 -in cert.pfx -out key.pem -nocerts -nodes
-; Relative paths will be made absolute against the CUSTOM_PATH
+; Paths are relative to CUSTOM_PATH
 CERT_FILE = https/cert.pem
 KEY_FILE = https/key.pem
 ; Root directory containing templates and static files.
diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
index 7be046aa7ff5f..d63eaf8e46fb6 100644
--- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -181,8 +181,8 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
 - `SSH_LISTEN_PORT`: **%(SSH\_PORT)s**: Port for the built-in SSH server.
 - `OFFLINE_MODE`: **false**: Disables use of CDN for static files and Gravatar for profile pictures.
 - `DISABLE_ROUTER_LOG`: **false**: Mute printing of the router log.
-- `CERT_FILE`: **https/cert.pem**: Cert file path used for HTTPS. From 1.12 relative paths will be made absolute against `CUSTOM_PATH`.
-- `KEY_FILE`: **https/key.pem**: Key file path used for HTTPS. From 1.12 relative paths will be made absolute against `CUSTOM_PATH`.
+- `CERT_FILE`: **https/cert.pem**: Cert file path used for HTTPS. From 1.11 paths are relative to `CUSTOM_PATH`.
+- `KEY_FILE`: **https/key.pem**: Key file path used for HTTPS. From 1.11 paths are relative to `CUSTOM_PATH`.
 - `STATIC_ROOT_PATH`: **./**: Upper level of template and static files path.
 - `STATIC_CACHE_TIME`: **6h**: Web browser cache time for static resources on `custom/`, `public/` and all uploaded avatars.
 - `ENABLE_GZIP`: **false**: Enables application-level GZIP support.