From 571be687336ad874eef025061112b3dfed0fab5d Mon Sep 17 00:00:00 2001
From: Eugene Bujak
Date: Wed, 13 Feb 2019 11:45:23 +0300
Subject: [PATCH] Validate certificates and update certificate statuses on launch as well.

---
 app.go | 24 +++++++++++++++++-------
 config.go | 15 +++++++++------
 control.go | 3 +++
 3 files changed, 29 insertions(+), 13 deletions(-)

diff --git a/app.go b/app.go
index b57d052c..f0f2addf 100644
--- a/app.go
+++ b/app.go
@@ -177,20 +177,30 @@ func run(args options) {
 httpsServer.cond.Wait()
 }
 address := net.JoinHostPort(config.BindHost, strconv.Itoa(config.TLS.PortHTTPS))
+ // validate current TLS config and update warnings (it could have been loaded from file)
+ data, err := validateCertificates(config.TLS)
+ if err != nil {
+ log.Fatal(err)
+ os.Exit(1)
+ }
+ confing.TLS = data // update warnings
+
+ // prepare cert for HTTPS server
 cert, err := tls.X509KeyPair([]byte(config.TLS.CertificateChain), []byte(config.TLS.PrivateKey))
 if err != nil {
 log.Fatal(err)
 os.Exit(1)
 }
- config := &tls.Config{
- Certificates: []tls.Certificate{cert},
- }
- httpsServer.server = &http.Server{
- Addr: address,
- TLSConfig: config,
- }
 httpsServer.cond.L.Unlock()
+ // prepare HTTPS server
+ httpsServer.server = &http.Server{
+ Addr: address,
+ TLSConfig: &tls.Config{
+ Certificates: []tls.Certificate{cert},
+ },
+ }
+
 URL := fmt.Sprintf("https://%s", address)
 log.Println("Go to " + URL)
 err = httpsServer.server.ListenAndServeTLS("", "")
diff --git a/config.go b/config.go
index 51fa5bf8..bd026649 100644
--- a/config.go
+++ b/config.go
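Review bot: `confing.TLS = data // update warnings` refers to an identifier that does not exist — the package-level variable is spelled `config` on the surrounding lines — so this hunk does not compile; the line should read `config.TLS = data // update warnings`. The `os.Exit(1)` after `log.Fatal(err)` in the new error branch is unreachable, because `log.Fatal` already exits with status 1 (the pre-existing key-pair branch has the same redundancy). Judging by the TODO visible in the `validateCertificates` hunk, a chain that fails `Verify` is returned as an error rather than recorded as a warning, so a self-signed or otherwise unverifiable certificate that previously still brought the HTTPS listener up would now terminate the process at launch — worth confirming that this behaviour change is intended before merging. The enclosing `run` function starts and ends outside the hunk.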
@@ -70,15 +70,18 @@ type tlsConfigSettings struct {
 dnsforward.TLSConfig `yaml:",inline" json:",inline"`
 }
+// field ordering is not important -- these are for API and are recalculated on each run
+type tlsConfigStatus struct {
+ StatusCertificate string `yaml:"-" json:"status_cert,omitempty"`
+ StatusKey string `yaml:"-" json:"status_key,omitempty"`
+ Warning string `yaml:"-" json:"warning,omitempty"`
+ WarningValidation string `yaml:"-" json:"warning_validation,omitempty"`
+}
+
 // field ordering is important -- yaml fields will mirror ordering from here
 type tlsConfig struct {
 tlsConfigSettings `yaml:",inline" json:",inline"`
-
- // only for API, no need to be stored in config
- StatusCertificate string `yaml:"status_cert" json:"status_cert,omitempty"`
- StatusKey string `yaml:"status_key" json:"status_key,omitempty"`
- Warning string `yaml:"warning" json:"warning,omitempty"`
- WarningValidation string `yaml:"warning_validation" json:"warning_validation,omitempty"`
+ tlsConfigStatus `yaml:"-" json:",inline"`
 }
 // initialize to default values, will be changed later when reading config or parsing command line
diff --git a/control.go b/control.go
index 8b9e8d22..65a7077e 100644
--- a/control.go
+++ b/control.go
@@ -1156,6 +1156,9 @@ func validateCertificates(data tlsConfig) (tlsConfig, error) {
 opts.Intermediates = pool
 }
+ // clear out all warnings and statuses
+ data.tlsConfigStatus = tlsConfigStatus{}
+
 // TODO: save it as a warning rather than error it out -- shouldn't be a big problem
 mainCert := parsedCerts[0]
 _, err := mainCert.Verify(opts)
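Review bot: The embedded `tlsConfigStatus` now carries `yaml:"-"`, so the four status fields that the old struct persisted under `status_cert`, `status_key`, `warning` and `warning_validation` are no longer written to the YAML file — but config files written by earlier builds still contain those keys, and whether they are silently ignored or rejected depends on the YAML loader outside this hunk (a strict unmarshal would fail on them), so loading an old config is worth checking. The doc comment on the new type could state the contract explicitly, e.g. `// tlsConfigStatus holds certificate validation results that are exposed over the API only; it is never persisted to YAML and is reset and recomputed by validateCertificates.` The `json:",inline"` on the embedded field has no effect in encoding/json (embedding already flattens the fields), so it can be dropped to avoid suggesting otherwise.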
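Review bot: The reset `data.tlsConfigStatus = tlsConfigStatus{}` sits after the intermediates have already been parsed and pooled, so any status or warning that the earlier part of `validateCertificates` (outside this hunk) may have stored into `data` is wiped here rather than reported; making the reset the function's first statement would guarantee that the returned statuses describe only this run. With this commit the function's error result also gates startup (see the app.go hunk), which makes the TODO directly below more pressing: a `Verify` failure returned as an error now aborts launch instead of surfacing as `WarningValidation` in the API, so recording it as a warning and returning `data, nil` for that case would be the safer default. The function starts and ends outside the hunk.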