From: William Lallemand Date: Mon, 28 Apr 2025 15:52:28 +0000 (+0200) Subject: MEDIUM: acme: use 'crt-base' to load the account key X-Git-Tag: v3.2-dev13~59 X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=32b2b782e2a1b22834c4284314cafdb884cf74ee;p=thirdparty%2Fhaproxy.git MEDIUM: acme: use 'crt-base' to load the account key Prefix the filename with the 'crt-base' before loading the account key, in order to work like every other keypair in haproxy. --- diff --git a/src/acme.c b/src/acme.c index 1ffc59a32..63fb1009a 100644 --- a/src/acme.c +++ b/src/acme.c @@ -398,6 +398,7 @@ static int cfg_postsection_acme() int err_code = 0; char *errmsg = NULL; char *path; + char store_path[PATH_MAX]; /* complete path with crt_base */ struct stat st; /* TODO: generate a key at startup and dumps on the filesystem @@ -413,7 +414,21 @@ static int cfg_postsection_acme() } } - path = cur_acme->account.file; + + if (global_ssl.crt_base && *cur_acme->account.file != '/') { + int rv; + /* When no crt_store name, complete the name in the ckch_tree with 'crt-base' */ + + rv = snprintf(store_path, sizeof(store_path), "%s/%s", global_ssl.crt_base, cur_acme->account.file); + if (rv >= sizeof(store_path)) { + ha_alert(errmsg, "'%s/%s' : path too long", global_ssl.crt_base, cur_acme->account.file); + err_code |= ERR_ALERT | ERR_FATAL; + goto out; + } + path = store_path; + } else { + path = cur_acme->account.file; + } if (!cur_acme->directory) { err_code |= ERR_ALERT | ERR_FATAL | ERR_ABORT; @@ -440,7 +455,7 @@ static int cfg_postsection_acme() } /* ha_notice("acme: reading account key '%s' for id '%s'.\n", path, cur_acme->name); */ } else { - ha_notice("acme: generate account key '%s' for acme section '%s'.\n", cur_acme->account.file, cur_acme->name); + ha_notice("acme: generate account key '%s' for acme section '%s'.\n", path, cur_acme->name); if ((key = acme_EVP_PKEY_gen(cur_acme->key.type, cur_acme->key.curves, cur_acme->key.bits, &errmsg)) == NULL) { ha_alert("acme: %s\n", errmsg);