feat: use "system" as default when ssl_trusted_certificate not passed

apache · Feb 25, 2025 · 541ebd6 · 541ebd6
1 parent cc7441f
commit 541ebd6
Showing 1 changed file with 26 additions and 26 deletions.
diff --git a/apisix/cli/ops.lua b/apisix/cli/ops.lua
@@ -505,36 +505,36 @@ Please modify "admin_key" in conf/config.yaml .
 
 
     if yaml_conf.apisix.ssl.ssl_trusted_certificate ~= nil then
-        local cert_paths = {}
-        local ssl_certificates = yaml_conf.apisix.ssl.ssl_trusted_certificate
-        for cert_path in string.gmatch(ssl_certificates, '([^,]+)') do
-            cert_path = util.trim(cert_path)
-            if cert_path == "system" then
-                local trusted_certs_path, err = util.get_system_trusted_certs_filepath()
-                if not trusted_certs_path then
-                    util.die(err)
-                end
-                table.insert(cert_paths, trusted_certs_path)
-            else
-                -- During validation, the path is relative to PWD
-                -- When Nginx starts, the path is relative to conf
-                -- Therefore we need to check the absolute version instead
-                cert_path = pl_path.abspath(cert_path)
-                if not pl_path.exists(cert_path) then
-                    util.die("certificate path", cert_path, "doesn't exist\n")
-                end
-
-                table.insert(cert_paths, cert_path)
+        yaml_conf.apisix.ssl.ssl_trusted_certificate = {"system"}
+    end
+    local cert_paths = {}
+    local ssl_certificates = yaml_conf.apisix.ssl.ssl_trusted_certificate
+    for cert_path in string.gmatch(ssl_certificates, '([^,]+)') do
+        cert_path = util.trim(cert_path)
+        if cert_path == "system" then
+            local trusted_certs_path, err = util.get_system_trusted_certs_filepath()
+            if not trusted_certs_path then
+                util.die(err)
+            end
+            table.insert(cert_paths, trusted_certs_path)
+        else
+            -- During validation, the path is relative to PWD
+            -- When Nginx starts, the path is relative to conf
+            -- Therefore we need to check the absolute version instead
+            cert_path = pl_path.abspath(cert_path)
+            if not pl_path.exists(cert_path) then
+                util.die("certificate path", cert_path, "doesn't exist\n")
             end
-        end
-
-        local combined_cert_filepath = yaml_conf.apisix.ssl.ssl_trusted_combined_path
-                                       or "/usr/local/apisix/conf/ssl_trusted_combined.pem"
-        util.gen_trusted_certs_combined_file(combined_cert_filepath, cert_paths)
 
-        yaml_conf.apisix.ssl.ssl_trusted_certificate = combined_cert_filepath
+            table.insert(cert_paths, cert_path)
+        end
     end
 
+    local combined_cert_filepath = yaml_conf.apisix.ssl.ssl_trusted_combined_path
+                                   or "/usr/local/apisix/conf/ssl_trusted_combined.pem"
+    util.gen_trusted_certs_combined_file(combined_cert_filepath, cert_paths)
+
+    yaml_conf.apisix.ssl.ssl_trusted_certificate = combined_cert_filepath
     -- enable ssl with place holder crt&key
     yaml_conf.apisix.ssl.ssl_cert = "cert/ssl_PLACE_HOLDER.crt"
     yaml_conf.apisix.ssl.ssl_cert_key = "cert/ssl_PLACE_HOLDER.key"