feat: allow runtime TLS cert updates

tobyxdd · tobyxdd · commit c4993f8dd1c0 · 2023-12-29T15:06:19.000-08:00
diff --git a/app/cmd/server.go b/app/cmd/server.go
@@ -252,11 +252,12 @@ func (c *serverConfig) fillTLSConfig(hyConfig *server.Config) error {
 		if c.TLS.Cert == "" || c.TLS.Key == "" {
 			return configError{Field: "tls", Err: errors.New("empty cert or key path")}
 		}
-		cert, err := tls.LoadX509KeyPair(c.TLS.Cert, c.TLS.Key)
-		if err != nil {
-			return configError{Field: "tls", Err: err}
+		// Use GetCertificate instead of Certificates so that
+		// users can update the cert without restarting the server.
+		hyConfig.TLSConfig.GetCertificate = func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
+			cert, err := tls.LoadX509KeyPair(c.TLS.Cert, c.TLS.Key)
+			return &cert, err
 		}
-		hyConfig.TLSConfig.Certificates = []tls.Certificate{cert}
 	} else {
 		// ACME
 		dataDir := c.ACME.Dir
