feat: expose certificates pool creation (go-acme#2210)

ldez · web-flow · commit 834a9089f143 · 2024-06-13T21:10:59.000Z
diff --git a/challenge/http01/domain_matcher.go b/challenge/http01/domain_matcher.go
@@ -57,7 +57,7 @@ func (m *hostMatcher) matches(r *http.Request, domain string) bool {
 	return strings.HasPrefix(r.Host, domain)
 }
 
-// hostMatcher checks whether the specified (*net/http.Request).Header value starts with a domain name.
+// arbitraryMatcher checks whether the specified (*net/http.Request).Header value starts with a domain name.
 type arbitraryMatcher string
 
 func (m arbitraryMatcher) name() string {
diff --git a/lego/client_config.go b/lego/client_config.go
@@ -100,26 +100,41 @@ func initCertPool() *x509.CertPool {
 		return nil
 	}
 
-	certPool := getCertPool()
+	useSystemCertPool, _ := strconv.ParseBool(os.Getenv(caSystemCertPool))
+
+	caCerts := strings.Split(customCACertsPath, string(os.PathListSeparator))
+
+	certPool, err := CreateCertPool(caCerts, useSystemCertPool)
+	if err != nil {
+		panic(fmt.Sprintf("create certificates pool: %v", err))
+	}
+
+	return certPool
+}
 
-	for _, customPath := range strings.Split(customCACertsPath, string(os.PathListSeparator)) {
+// CreateCertPool creates a *x509.CertPool populated with the PEM certificates.
+func CreateCertPool(caCerts []string, useSystemCertPool bool) (*x509.CertPool, error) {
+	if len(caCerts) == 0 {
+		return nil, nil
+	}
+
+	certPool := newCertPool(useSystemCertPool)
+
+	for _, customPath := range caCerts {
 		customCAs, err := os.ReadFile(customPath)
 		if err != nil {
-			panic(fmt.Sprintf("error reading %s=%q: %v",
-				caCertificatesEnvVar, customPath, err))
+			return nil, fmt.Errorf("error reading %q: %w", customPath, err)
 		}
 
 		if ok := certPool.AppendCertsFromPEM(customCAs); !ok {
-			panic(fmt.Sprintf("error creating x509 cert pool from %s=%q: %v",
-				caCertificatesEnvVar, customPath, err))
+			return nil, fmt.Errorf("error creating x509 cert pool from %q: %w", customPath, err)
 		}
 	}
 
-	return certPool
+	return certPool, nil
 }
 
-func getCertPool() *x509.CertPool {
-	useSystemCertPool, _ := strconv.ParseBool(os.Getenv(caSystemCertPool))
+func newCertPool(useSystemCertPool bool) *x509.CertPool {
 	if !useSystemCertPool {
 		return x509.NewCertPool()
 	}
@@ -128,5 +143,6 @@ func getCertPool() *x509.CertPool {
 	if err == nil {
 		return pool
 	}
+
 	return x509.NewCertPool()
 }
diff --git a/providers/dns/acmedns/acmedns_test.go b/providers/dns/acmedns/acmedns_test.go
@@ -59,7 +59,7 @@ func (c mockUpdateClient) UpdateTXTRecord(acct goacmedns.Account, value string)
 	return nil
 }
 
-// errorRegisterClient is a mock implementing the acmeDNSClient interface that always
+// errorUpdateClient is a mock implementing the acmeDNSClient interface that always
 // returns errors from errorUpdateClient.
 type errorUpdateClient struct {
 	mockClient

Original file line number	Diff line number	Diff line change
`@@ -57,7 +57,7 @@ func (m hostMatcher) matches(r http.Request, domain string) bool {`
`57`	`57`	`return strings.HasPrefix(r.Host, domain)`
`58`	`58`	`}`
`59`	`59`
`60`		`-// hostMatcher checks whether the specified (*net/http.Request).Header value starts with a domain name.`
	`60`	`+// arbitraryMatcher checks whether the specified (*net/http.Request).Header value starts with a domain name.`
`61`	`61`	`type arbitraryMatcher string`
`62`	`62`
`63`	`63`	`func (m arbitraryMatcher) name() string {`
Original file line number	Diff line number	Diff line change
`@@ -59,7 +59,7 @@ func (c mockUpdateClient) UpdateTXTRecord(acct goacmedns.Account, value string)`
`59`	`59`	`return nil`
`60`	`60`	`}`
`61`	`61`
`62`		`-// errorRegisterClient is a mock implementing the acmeDNSClient interface that always`
	`62`	`+// errorUpdateClient is a mock implementing the acmeDNSClient interface that always`
`63`	`63`	`// returns errors from errorUpdateClient.`
`64`	`64`	`type errorUpdateClient struct {`
`65`	`65`	`mockClient`