authorflorian <florian@openbsd.org>2019-01-08 18:35:27 +0000
committerflorian <florian@openbsd.org>2019-01-08 18:35:27 +0000
commit8f2f19698a0c65ee90a4c49a8521aec13a2ad8bd (patch)
tree53df9497adbed5610609372c4a7720656efbe1bd /usr.sbin/httpd
parentviocon: Remove obsolete handling of sc_intrhand (diff)
downloadwireguard-openbsd-8f2f19698a0c65ee90a4c49a8521aec13a2ad8bd.tar.xz
wireguard-openbsd-8f2f19698a0c65ee90a4c49a8521aec13a2ad8bd.zip
Allow httpd(8) to start when TLS is configured but a cert is not yet
available. Assuming a httpd.conf based on /etc/examples/httpd.conf, httpd(8) will only listen on port 80 and serve the acme-challenge directory for acme-client(1). The workflow to get a certificate then becomes `acme-client -vAD example.com && rcctl reload httpd`, without the need to edit httpd.conf yet again. Once the cert is in place and httpd is reloaded, it starts to serve on port 443. Idea, tweaks & OK deraadt, OK benno
Diffstat (limited to 'usr.sbin/httpd')
-rw-r--r--usr.sbin/httpd/parse.y26
-rw-r--r--usr.sbin/httpd/server.c13
2 files changed, 22 insertions, 17 deletions
diff --git a/usr.sbin/httpd/parse.y b/usr.sbin/httpd/parse.y
index 9f3b70526d9..a68bddc2486 100644
--- a/usr.sbin/httpd/parse.y
+++ b/usr.sbin/httpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.107 2018/11/01 00:18:44 sashan Exp $ */
+/* $OpenBSD: parse.y,v 1.108 2019/01/08 18:35:27 florian Exp $ */
/*
* Copyright (c) 2007 - 2015 Reyk Floeter <reyk@openbsd.org>
@@ -344,13 +344,10 @@ server : SERVER optmatch STRING {
YYERROR;
}
- if (server_tls_load_keypair(srv) == -1) {
- yyerror("server \"%s\": failed to load "
- "public/private keys", srv->srv_conf.name);
- serverconfig_free(srv_conf);
- free(srv);
- YYERROR;
- }
+ if (server_tls_load_keypair(srv) == -1)
+ log_warnx("%s:%d: server \"%s\": failed to "
+ "load public/private keys", file->name,
+ yylval.lineno, srv->srv_conf.name);
if (server_tls_load_ca(srv) == -1) {
yyerror("server \"%s\": failed to load "
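Review bot: Downgrading the keypair failure from yyerror to log_warnx also lets through a server whose certificate file is readable but whose private key is missing or unreadable, and the soft-fail path added in server.c keys only on tls_cert == NULL; if server_tls_load_keypair leaves tls_cert set when only the key fails (not visible in this hunk), such a server still opens its listener and only fails later in server_tls_init. The warning should at least say what the consequence is, so an operator does not mistake a half-configured TLS server for a working one: `"load public/private keys, tls disabled"` in place of `"load public/private keys"`. The same applies to the server_inherit hunk below, which now also keeps the partially initialised dst instead of freeing it. The server grammar rule enclosing this code starts and ends outside the hunk.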
@@ -2133,16 +2130,13 @@ server_inherit(struct server *src, struct server_config *alias,
dst->srv_conf.flags &= ~SRVFLAG_SERVER_MATCH;
dst->srv_conf.flags |= (alias->flags & SRVFLAG_SERVER_MATCH);
- if (server_tls_load_keypair(dst) == -1) {
- yyerror("failed to load public/private keys "
- "for server %s", dst->srv_conf.name);
- serverconfig_free(&dst->srv_conf);
- free(dst);
- return (NULL);
- }
+ if (server_tls_load_keypair(dst) == -1)
+ log_warnx("%s:%d: server \"%s\": failed to "
+ "load public/private keys", file->name,
+ yylval.lineno, dst->srv_conf.name);
if (server_tls_load_ca(dst) == -1) {
- yyerror("falied to load ca cert(s) for server %s",
+ yyerror("failed to load ca cert(s) for server %s",
dst->srv_conf.name);
serverconfig_free(&dst->srv_conf);
return NULL;
diff --git a/usr.sbin/httpd/server.c b/usr.sbin/httpd/server.c
index 63536a060e2..82d2c44c8f0 100644
--- a/usr.sbin/httpd/server.c
+++ b/usr.sbin/httpd/server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: server.c,v 1.116 2018/10/11 09:52:22 benno Exp $ */
+/* $OpenBSD: server.c,v 1.117 2019/01/08 18:35:27 florian Exp $ */
/*
* Copyright (c) 2006 - 2015 Reyk Floeter <reyk@openbsd.org>
@@ -119,6 +119,13 @@ server_privinit(struct server *srv)
}
/* Open listening socket in the privileged process */
+ if ((srv->srv_conf.flags & SRVFLAG_TLS) && srv->srv_conf.tls_cert ==
+ NULL) {
+ /* soft fail if cert is not there yet */
+ srv->srv_s = -1;
+ return (0);
+ }
+
if ((srv->srv_s = server_socket_listen(&srv->srv_conf.ss,
srv->srv_conf.port, &srv->srv_conf)) == -1)
return (-1);
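Review bot: The soft-fail branch added before the listen call is silent: it leaves srv_s at -1 and returns 0 without logging, so at runtime the only trace of a TLS server that never listens is the parse-time warning, which is lost on a reload. A `log_warnx("%s: no certificate for %s, tls listener not started", __func__, srv->srv_conf.name);` inside the branch makes the state visible in the daemon log. The guard also tests only tls_cert; if tls_key can be NULL while tls_cert is set, the check should be `(srv->srv_conf.tls_cert == NULL || srv->srv_conf.tls_key == NULL)` so both halves of the keypair are covered, and the mirrored check in the server_tls_init hunk below should stay in step with it. Whatever later walks the server list and uses srv_s must tolerate the -1 sentinel; that code is outside this hunk.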
@@ -250,6 +257,10 @@ server_tls_init(struct server *srv)
if ((srv->srv_conf.flags & SRVFLAG_TLS) == 0)
return (0);
+ if (srv->srv_conf.tls_cert == NULL)
+ /* soft fail if cert is not there yet */
+ return (0);
+
log_debug("%s: setting up tls for %s", __func__, srv->srv_conf.name);
if (tls_init() != 0) {