From 541ebd625885fde4b737c38c661d61b655d12815 Mon Sep 17 00:00:00 2001 From: Ashish Tiwari Date: Tue, 25 Feb 2025 12:38:38 +0530 Subject: [PATCH] feat: use "system" as default when ssl_trusted_certificate not passed
---
apisix/cli/ops.lua | 52 +++++++++++++++++++++++----------------------- 1 file changed, 26 insertions(+), 26 deletions(-)
diff --git a/apisix/cli/ops.lua b/apisix/cli/ops.lua
index c10bcfaa769e..d12efd1adf54 100644
--- a/apisix/cli/ops.lua
+++ b/apisix/cli/ops.lua
@@ -505,36 +505,36 @@ Please modify "admin_key" in conf/config.yaml .
 if yaml_conf.apisix.ssl.ssl_trusted_certificate ~= nil then
- local cert_paths = {}
- local ssl_certificates = yaml_conf.apisix.ssl.ssl_trusted_certificate
- for cert_path in string.gmatch(ssl_certificates, '([^,]+)') do
- cert_path = util.trim(cert_path)
- if cert_path == "system" then
- local trusted_certs_path, err = util.get_system_trusted_certs_filepath()
- if not trusted_certs_path then
- util.die(err)
- end
- table.insert(cert_paths, trusted_certs_path)
- else
- -- During validation, the path is relative to PWD
- -- When Nginx starts, the path is relative to conf
- -- Therefore we need to check the absolute version instead
- cert_path = pl_path.abspath(cert_path)
- if not pl_path.exists(cert_path) then
- util.die("certificate path", cert_path, "doesn't exist\n")
- end
-
- table.insert(cert_paths, cert_path)
+ yaml_conf.apisix.ssl.ssl_trusted_certificate = {"system"}
+ end
+ local cert_paths = {}
+ local ssl_certificates = yaml_conf.apisix.ssl.ssl_trusted_certificate
+ for cert_path in string.gmatch(ssl_certificates, '([^,]+)') do
+ cert_path = util.trim(cert_path)
+ if cert_path == "system" then
+ local trusted_certs_path, err = util.get_system_trusted_certs_filepath()
+ if not trusted_certs_path then
+ util.die(err)
+ end
+ table.insert(cert_paths, trusted_certs_path)
+ else
+ -- During validation, the path is relative to PWD
+ -- When Nginx starts, the path is relative to conf
+ -- Therefore we need to check the absolute version instead
+ cert_path = pl_path.abspath(cert_path)
+ if not pl_path.exists(cert_path) then
+ util.die("certificate path", cert_path, "doesn't exist\n")
 end
- end
-
- local combined_cert_filepath = yaml_conf.apisix.ssl.ssl_trusted_combined_path
- or "/usr/local/apisix/conf/ssl_trusted_combined.pem"
- util.gen_trusted_certs_combined_file(combined_cert_filepath, cert_paths)
- yaml_conf.apisix.ssl.ssl_trusted_certificate = combined_cert_filepath
+
table.insert(cert_paths, cert_path)
+ end
 end
+ local combined_cert_filepath = yaml_conf.apisix.ssl.ssl_trusted_combined_path
+ or "/usr/local/apisix/conf/ssl_trusted_combined.pem"
+ util.gen_trusted_certs_combined_file(combined_cert_filepath, cert_paths)
+
+ yaml_conf.apisix.ssl.ssl_trusted_certificate = combined_cert_filepath
 -- enable ssl with place holder crt&key
 yaml_conf.apisix.ssl.ssl_cert = "cert/ssl_PLACE_HOLDER.crt"
 yaml_conf.apisix.ssl.ssl_cert_key = "cert/ssl_PLACE_HOLDER.key"
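Review bot: The guard kept as context, `if yaml_conf.apisix.ssl.ssl_trusted_certificate ~= nil then`, now wraps the new default assignment, so as written an operator-configured CA list is overwritten with the system trust store while an unset value stays nil and reaches `string.gmatch`. The default is also a table (`{"system"}`), which `string.gmatch` rejects because the loop below expects the comma-separated string form. To match the commit title the two lines should read `if yaml_conf.apisix.ssl.ssl_trusted_certificate == nil then` and `yaml_conf.apisix.ssl.ssl_trusted_certificate = "system"`. Silently swapping a pinned private CA bundle for the system store widens the set of issuers the gateway trusts, so a CLI test covering both the unset and the explicitly configured case would be worth adding. The enclosing function starts and ends outside this hunk.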