From 32b2b782e2a1b22834c4284314cafdb884cf74ee Mon Sep 17 00:00:00 2001 From: William Lallemand Date: Mon, 28 Apr 2025 17:52:28 +0200 Subject: [PATCH] MEDIUM: acme: use 'crt-base' to load the account key Prefix the filename with the 'crt-base' before loading the account key, in order to work like every other keypair in haproxy. --- src/acme.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/src/acme.c b/src/acme.c index 1ffc59a32..63fb1009a 100644 --- a/src/acme.c +++ b/src/acme.c @@ -398,6 +398,7 @@ static int cfg_postsection_acme() int err_code = 0; char *errmsg = NULL; char *path; + char store_path[PATH_MAX]; /* complete path with crt_base */ struct stat st; /* TODO: generate a key at startup and dumps on the filesystem @@ -413,7 +414,21 @@ static int cfg_postsection_acme() } } - path = cur_acme->account.file; + + if (global_ssl.crt_base && *cur_acme->account.file != '/') { + int rv; + /* When no crt_store name, complete the name in the ckch_tree with 'crt-base' */ + + rv = snprintf(store_path, sizeof(store_path), "%s/%s", global_ssl.crt_base, cur_acme->account.file); + if (rv >= sizeof(store_path)) { + ha_alert(errmsg, "'%s/%s' : path too long", global_ssl.crt_base, cur_acme->account.file); + err_code |= ERR_ALERT | ERR_FATAL; + goto out; + } + path = store_path; + } else { + path = cur_acme->account.file; + } if (!cur_acme->directory) { err_code |= ERR_ALERT | ERR_FATAL | ERR_ABORT; @@ -440,7 +455,7 @@ static int cfg_postsection_acme() } /* ha_notice("acme: reading account key '%s' for id '%s'.\n", path, cur_acme->name); */ } else { - ha_notice("acme: generate account key '%s' for acme section '%s'.\n", cur_acme->account.file, cur_acme->name); + ha_notice("acme: generate account key '%s' for acme section '%s'.\n", path, cur_acme->name); if ((key = acme_EVP_PKEY_gen(cur_acme->key.type, cur_acme->key.curves, cur_acme->key.bits, &errmsg)) == NULL) { ha_alert("acme: %s\n", errmsg); -- 2.47.2