Only the first TLS certificate is used rather than the full chain (#3)

mdecimus · mdecimus · commit a6a4252a95ae · 2023-03-06T11:07:51.000Z
diff --git a/src/config/certificate.rs b/src/config/certificate.rs
@@ -51,8 +51,8 @@ impl ResolvesServerCert for CertificateResolver {
 }
 
 impl Config {
-    pub fn rustls_certificate(&self, cert_id: &str) -> super::Result<Certificate> {
-        certs(&mut Cursor::new(self.file_contents((
+    pub fn rustls_certificate(&self, cert_id: &str) -> super::Result<Vec<Certificate>> {
+        let certs = certs(&mut Cursor::new(self.file_contents((
             "certificate",
             cert_id,
             "cert",
@@ -62,8 +62,15 @@ impl Config {
         })?
         .into_iter()
         .map(Certificate)
-        .next()
-        .ok_or_else(|| format!("No certificates found in \"certificate.{cert_id}.cert\"."))
+        .collect::<Vec<_>>();
+
+        if !certs.is_empty() {
+            Ok(certs)
+        } else {
+            Err(format!(
+                "No certificates found in \"certificate.{cert_id}.cert\"."
+            ))
+        }
     }
 
     pub fn rustls_private_key(&self, cert_id: &str) -> super::Result<PrivateKey> {
diff --git a/src/config/server.rs b/src/config/server.rs
@@ -116,7 +116,7 @@ impl Config {
                             value,
                             match self.value((prefix, "certificate")) {
                                 Some(sni_cert_id) if sni_cert_id != cert_id => CertifiedKey {
-                                    cert: vec![self.rustls_certificate(sni_cert_id)?],
+                                    cert: self.rustls_certificate(sni_cert_id)?,
                                     key: any_supported_type(&self.rustls_private_key(sni_cert_id)?)
                                         .map_err(|err| {
                                             format!(
@@ -127,7 +127,7 @@ impl Config {
                                     sct_list: None,
                                 },
                                 _ => CertifiedKey {
-                                    cert: vec![cert.clone()],
+                                    cert: cert.clone(),
                                     key:
                                         any_supported_type(&pki).map_err(|err| {
                                             format!(
@@ -147,7 +147,7 @@ impl Config {
 
             // Add default certificate
             let default_cert = Some(Arc::new(CertifiedKey {
-                cert: vec![cert],
+                cert,
                 key: any_supported_type(&pki)
                     .map_err(|err| format!("Failed to sign certificate id {cert_id:?}: {err}"))?,
                 ocsp: None,
