// newTLSConfig builds the server's TLS configuration on top of the hardened
// defaults from utils.SecureTLSConfig.
//
// Without an AutocertDNSName the listener always answers with the locally
// generated certificate, whatever SNI name the client sent. With one, an
// autocert manager restricted to that single host is consulted whenever the
// local certificate is not appropriate for the SNI name; if the ACME request
// fails, the local certificate is served anyway so that an ACME outage does
// not take the listener down.
func (srv *Server) newTLSConfig(cfg ServerConfig) *tls.Config {
	conf := utils.SecureTLSConfig()

	if cfg.AutocertDNSName == "" {
		// Nothing can be requested from ACME, so the "appropriate for this
		// SNI name" flag is deliberately ignored: the local certificate is
		// the only one available.
		conf.GetCertificate = func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			local, _ := srv.localCertificate(hello.ServerName)
			return local, nil
		}
		return conf
	}

	manager := &autocert.Manager{
		Prompt: autocert.AcceptTOS,
		Cache:  srv.state.AutocertCache(),
		// Only the configured DNS name may ever be requested from the CA.
		HostPolicy: autocert.HostWhitelist(cfg.AutocertDNSName),
	}
	if dirURL := cfg.AutocertURL; dirURL != "" {
		// Non-default ACME directory (e.g. a staging or private CA).
		manager.Client = &acme.Client{DirectoryURL: dirURL}
	}

	conf.GetCertificate = func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
		name := hello.ServerName
		logger.Infof("getting certificate for server name %q", name)

		// Prefer the local certificate when it suits the requested name;
		// otherwise ask ACME and fall back to the local one on failure.
		local, ok := srv.localCertificate(name)
		if ok {
			return local, nil
		}
		acmeCert, err := manager.GetCertificate(hello)
		if err != nil {
			// Best effort: the error is logged, not returned, so the handshake
			// proceeds with whatever localCertificate produced (which may be
			// nil — TODO confirm; a nil certificate makes the handshake fail).
			logger.Errorf("cannot get autocert certificate for %q: %v", name, err)
			return local, nil
		}
		return acmeCert, nil
	}
	return conf
}