xlab/tls_cert_management.go

## tls_cert_management.go
package main

import (
	"crypto/tls"
	"flag"
	"log"
	"net/http"
	"os"
	"path/filepath"
	"strings"
	"time"
)

var certsDir = flag.String("certs", "ssl/", "A location of SSL certificates dir.")

func init() {
	flag.Parse()
	log.SetFlags(log.Lshortfile)
}

func main() {
	http.HandleFunc("/", rootHandler)
	go http.ListenAndServe(":80", nil)

	tlsConfig := getTLSConfig()
	srv := &http.Server{
		ReadTimeout:    time.Minute,
		WriteTimeout:   time.Minute,
		MaxHeaderBytes: 1 << 20,
		TLSConfig:      tlsConfig,
	}
	listener, err := tls.Listen("tcp", ":443", tlsConfig)
	orPanic(err)
	orPanic(srv.Serve(listener))
}

func orPanic(err error) {
	if err != nil {
		panic(err)
	}
}

func getTLSConfig() *tls.Config {
	info, err := os.Stat(*certsDir)
	if err != nil {
		panic("no SSL certs found: " + err.Error())
	} else if !info.IsDir() {
		panic("SSL certs dir is not a dir")
	}
	var defaultCert string
	certs := make(map[string]bool)
	var defaultKey string
	keys := make(map[string]bool)
	filepath.Walk(*certsDir, func(name string, info os.FileInfo, err error) error {
		orPanic(err)
		if info.IsDir() {
			return nil
		}
		base := filepath.Base(name)
		switch filepath.Ext(name) {
		case ".crt":
			if filepath.HasPrefix(base, "default_") {
				defaultCert = name
				return nil
			}
			certs[name] = true
		case ".key":
			if filepath.HasPrefix(base, "default_") {
				defaultKey = name
				return nil
			}
			keys[name] = true
		default:
			log.Println("[WARN] unknown file in SSL cert dir:", name)
		}
		return nil
	})
	tlsConfig := &tls.Config{}
	switch {
	case len(defaultCert) == 0 && len(defaultKey) == 0:
		log.Println("[WARN] no default cert and key set (no files with prefix default_)")
	case len(defaultCert) == 0:
		log.Println("[WARN] no default cert set (no files with prefix default_)")
	case len(defaultKey) == 0:
		log.Println("[WARN] default cert set, but no default key (no files with prefix default_)")
		log.Println("[WARN] omitting default cert")
		defaultCert = ""
	default:
		cert, err := tls.LoadX509KeyPair(defaultCert, defaultKey)
		orPanic(err)
		tlsConfig.Certificates = append(tlsConfig.Certificates, cert)

		log.Printf("[INFO] using %s and %s as default cert and key", defaultCert, defaultKey)
	}
	for certName := range certs {
		base := strings.TrimSuffix(certName, filepath.Ext(certName))
		key := base + ".key"
		if !keys[key] {
			if len(defaultKey) == 0 {
				log.Println("[WARN] skipping cert", certName, "because no key and no default key file set.")
				continue
			}
			log.Println("[WARN] no key for cert", certName, "fallback to default", defaultKey)
			key = defaultKey
		}
		cert, err := tls.LoadX509KeyPair(certName, key)
		orPanic(err)
		tlsConfig.Certificates = append(tlsConfig.Certificates, cert)
	}
	if len(tlsConfig.Certificates) == 0 {
		log.Println("[WARN] no certificates loaded from", *certsDir)
		return nil
	}
	tlsConfig.BuildNameToCertificate()
	return tlsConfig
}
	package main

	import (
	"crypto/tls"
	"flag"
	"log"
	"net/http"
	"os"
	"path/filepath"
	"strings"
	"time"
	)

	var certsDir = flag.String("certs", "ssl/", "A location of SSL certificates dir.")

	func init() {
	flag.Parse()
	log.SetFlags(log.Lshortfile)
	}

	func main() {
	http.HandleFunc("/", rootHandler)
	go http.ListenAndServe(":80", nil)

	tlsConfig := getTLSConfig()
	srv := &http.Server{
	ReadTimeout: time.Minute,
	WriteTimeout: time.Minute,
	MaxHeaderBytes: 1 << 20,
	TLSConfig: tlsConfig,
	}
	listener, err := tls.Listen("tcp", ":443", tlsConfig)
	orPanic(err)
	orPanic(srv.Serve(listener))
	}

	func orPanic(err error) {
	if err != nil {
	panic(err)
	}
	}

	func getTLSConfig() *tls.Config {
	info, err := os.Stat(*certsDir)
	if err != nil {
	panic("no SSL certs found: " + err.Error())
	} else if !info.IsDir() {
	panic("SSL certs dir is not a dir")
	}
	var defaultCert string
	certs := make(map[string]bool)
	var defaultKey string
	keys := make(map[string]bool)
	filepath.Walk(*certsDir, func(name string, info os.FileInfo, err error) error {
	orPanic(err)
	if info.IsDir() {
	return nil
	}
	base := filepath.Base(name)
	switch filepath.Ext(name) {
	case ".crt":
	if filepath.HasPrefix(base, "default_") {
	defaultCert = name
	return nil
	}
	certs[name] = true
	case ".key":
	if filepath.HasPrefix(base, "default_") {
	defaultKey = name
	return nil
	}
	keys[name] = true
	default:
	log.Println("[WARN] unknown file in SSL cert dir:", name)
	}
	return nil
	})
	tlsConfig := &tls.Config{}
	switch {
	case len(defaultCert) == 0 && len(defaultKey) == 0:
	log.Println("[WARN] no default cert and key set (no files with prefix default_)")
	case len(defaultCert) == 0:
	log.Println("[WARN] no default cert set (no files with prefix default_)")
	case len(defaultKey) == 0:
	log.Println("[WARN] default cert set, but no default key (no files with prefix default_)")
	log.Println("[WARN] omitting default cert")
	defaultCert = ""
	default:
	cert, err := tls.LoadX509KeyPair(defaultCert, defaultKey)
	orPanic(err)
	tlsConfig.Certificates = append(tlsConfig.Certificates, cert)

	log.Printf("[INFO] using %s and %s as default cert and key", defaultCert, defaultKey)
	}
	for certName := range certs {
	base := strings.TrimSuffix(certName, filepath.Ext(certName))
	key := base + ".key"
	if !keys[key] {
	if len(defaultKey) == 0 {
	log.Println("[WARN] skipping cert", certName, "because no key and no default key file set.")
	continue
	}
	log.Println("[WARN] no key for cert", certName, "fallback to default", defaultKey)
	key = defaultKey
	}
	cert, err := tls.LoadX509KeyPair(certName, key)
	orPanic(err)
	tlsConfig.Certificates = append(tlsConfig.Certificates, cert)
	}
	if len(tlsConfig.Certificates) == 0 {
	log.Println("[WARN] no certificates loaded from", *certsDir)
	return nil
	}
	tlsConfig.BuildNameToCertificate()
	return tlsConfig
	}