Skip to content

Commit 901bad0

Browse files
committed
fix(clickhouse): error on unexpected CA cert read failures in directory TLS
Distinguish "file not found" (ca.crt is optional) from other read errors (e.g. permission denied) that would otherwise be silently swallowed, leading to confusing TLS failures downstream.
1 parent 29f3711 commit 901bad0

1 file changed

Lines changed: 6 additions & 1 deletion

File tree

flow/connectors/clickhouse/clickhouse.go

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -256,8 +256,13 @@ func configureDirectoryTLS(tlsConfig *tls.Config, dir string) error {
256256

257257
// Load CA certificate upfront — RootCAs must be set before the TLS
258258
// handshake so the server certificate can be verified.
259+
// ca.crt is optional: when absent, the system CA pool is used instead.
259260
caCertPEM, err := os.ReadFile(caPath)
260-
if err == nil && len(caCertPEM) > 0 {
261+
if errors.Is(err, os.ErrNotExist) {
262+
// ca.crt is optional — use system CA pool
263+
} else if err != nil {
264+
return fmt.Errorf("failed to read CA certificate from %q: %w", caPath, err)
265+
} else if len(caCertPEM) > 0 {
261266
caPool := x509.NewCertPool()
262267
if !caPool.AppendCertsFromPEM(caCertPEM) {
263268
return fmt.Errorf("failed to parse CA certificate from %q", caPath)

0 commit comments

Comments
 (0)