From: Remi Tricot-Le Breton
Date: Mon, 30 Jun 2025 14:56:27 +0000 (+0200)
Subject: MINOR: ssl: Allow 'commit ssl cert' with no privkey
X-Git-Tag: v3.3-dev3~63
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=31955e6e0afc2d93534151e68591942689a70fd3;p=thirdparty%2Fhaproxy.git

MINOR: ssl: Allow 'commit ssl cert' with no privkey

The ckch_stores might be used to store public certificates only, so in this case we won't provide private keys when updating the certificate via the CLI. If the ckch_store is actually used in a bind or server line, an error will still be raised if the private key is missing.

---
diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c index 75dc02caa..b22522681 100644 --- a/src/ssl_ckch.c +++ b/src/ssl_ckch.c @@ -2879,13 +2879,8 @@ static int cli_parse_commit_cert(char **args, char *payload, struct appctx *appc goto error; } - /* if a certificate is here, a private key must be here too */ - if (ckchs_transaction.new_ckchs->data->cert && !ckchs_transaction.new_ckchs->data->key) { - memprintf(&err, "The transaction must contain at least a certificate and a private key!\n"); - goto error; - } - - if (!X509_check_private_key(ckchs_transaction.new_ckchs->data->cert, ckchs_transaction.new_ckchs->data->key)) { + if (ckchs_transaction.new_ckchs->data->key && + !X509_check_private_key(ckchs_transaction.new_ckchs->data->cert, ckchs_transaction.new_ckchs->data->key)) { memprintf(&err, "inconsistencies between private key and certificate loaded '%s'.\n", ckchs_transaction.path); goto error; }
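Review bot: the new `if (ckchs_transaction.new_ckchs->data->key && ...)` guard in cli_parse_commit_cert() silently drops the only check in this function that refused a certificate without its private key, and nothing in the hunk records why that is now acceptable; the commit message says a missing key is still rejected when the store is used on a bind or server line, but that enforcement is not visible here, so a short comment above the new condition (for example: "a cert-only store is allowed here; the missing key is reported when the store is attached to a bind/server line") would keep the intent from being lost, and the 'commit ssl cert' CLI documentation should state that a key is no longer required. Note also that the guard only covers the key-is-NULL case: a transaction with a key but no certificate still reaches X509_check_private_key() with a NULL cert, exactly as before the change, so it is worth confirming that an earlier check in this function guarantees data->cert is set.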