MINOR: ssl: Allow 'commit ssl cert' with no privkey

The ckch_stores might be used to store public certificates only so in
this case we won't provide private keys when updating the certificate
via the CLI.
If the ckch_store is actually used in a bind or server line an error
will still be raised if the private key is missing.

diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index 75dc02caa1fd2f6f0eda0246bc7d79deeaee3806..b22522681366f5b054e53a0224cc74b019067475 100644 (file)
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -2879,13 +2879,8 @@ static int cli_parse_commit_cert(char **args, char *payload, struct appctx *appc
                goto error;
        }
 
-       /* if a certificate is here, a private key must be here too */
-       if (ckchs_transaction.new_ckchs->data->cert && !ckchs_transaction.new_ckchs->data->key) {
-               memprintf(&err, "The transaction must contain at least a certificate and a private key!\n");
-               goto error;
-       }
-
-       if (!X509_check_private_key(ckchs_transaction.new_ckchs->data->cert, ckchs_transaction.new_ckchs->data->key)) {
+       if (ckchs_transaction.new_ckchs->data->key &&
+           !X509_check_private_key(ckchs_transaction.new_ckchs->data->cert, ckchs_transaction.new_ckchs->data->key)) {
                memprintf(&err, "inconsistencies between private key and certificate loaded '%s'.\n", ckchs_transaction.path);
                goto error;
        }