feat: allow runtime TLS cert updates

apernet · Dec 29, 2023 · c4993f8 · c4993f8
1 parent f0c7af5
commit c4993f8
Showing 1 changed file with 5 additions and 4 deletions.
diff --git a/app/cmd/server.go b/app/cmd/server.go
@@ -252,11 +252,12 @@ func (c *serverConfig) fillTLSConfig(hyConfig *server.Config) error {
 		if c.TLS.Cert == "" || c.TLS.Key == "" {
 			return configError{Field: "tls", Err: errors.New("empty cert or key path")}
 		}
-		cert, err := tls.LoadX509KeyPair(c.TLS.Cert, c.TLS.Key)
-		if err != nil {
-			return configError{Field: "tls", Err: err}
+		// Use GetCertificate instead of Certificates so that
+		// users can update the cert without restarting the server.
+		hyConfig.TLSConfig.GetCertificate = func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
+			cert, err := tls.LoadX509KeyPair(c.TLS.Cert, c.TLS.Key)
+			return &cert, err
 		}
-		hyConfig.TLSConfig.Certificates = []tls.Certificate{cert}
 	} else {
 		// ACME
 		dataDir := c.ACME.Dir