Diffstat (limited to 'src/main.rs')
-rw-r--r--src/main.rs35
1 files changed, 10 insertions, 25 deletions
diff --git a/src/main.rs b/src/main.rs
index eecb946..56a9b19 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -2,13 +2,15 @@
#![feature(slice_split_once)]
#![feature(iterator_try_collect)]
+pub mod certs;
pub mod config;
pub mod error;
pub mod helper;
pub mod modules;
use aes_gcm_siv::{aead::generic_array::GenericArray, Aes256GcmSiv, KeyInit};
-use anyhow::{anyhow, Context, Result};
+use anyhow::{Context, Result};
+use certs::CertPool;
use config::{setup_file_watch, Config, NODE_KINDS};
use error::ServiceError;
use futures::future::try_join_all;
@@ -24,15 +26,8 @@ use hyper::{
};
use log::{debug, error, info, warn, LevelFilter};
use modules::{NodeContext, MODULES};
-use rustls::pki_types::{CertificateDer, PrivateKeyDer};
use std::{
- collections::HashMap,
- io::BufReader,
- net::SocketAddr,
- path::{Path, PathBuf},
- process::exit,
- str::FromStr,
- sync::Arc,
+ collections::HashMap, net::SocketAddr, path::PathBuf, process::exit, str::FromStr, sync::Arc,
};
use tokio::{
fs::File,
@@ -58,6 +53,10 @@ async fn main() -> anyhow::Result<()> {
.parse_env("LOG")
.init();
+ rustls::crypto::ring::default_provider()
+ .install_default()
+ .unwrap();
+
NODE_KINDS
.write()
.unwrap()
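Review bot: The `.unwrap()` on `install_default()` in the three added lines aborts with a bare panic if a crypto provider was already installed, and since `main` already returns `anyhow::Result` the failure can go through the normal error path instead: `.ok().context("rustls crypto provider already installed")?;` (the `Context` trait is still imported on the new side). Pinning the `ring` provider explicitly is a good change because it removes any ambiguity about which backend the TLS listener uses; a short comment such as `// Select the crypto backend before any rustls ServerConfig is built` would record why it sits this early in startup. `main` starts and ends outside the hunk.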
@@ -147,11 +146,10 @@ async fn serve_https(state: Arc<State>) -> Result<()> {
None => return Ok(()),
};
let tls_config = {
- let certs = load_certs(&https_config.tls_cert)?;
- let key = load_private_key(&https_config.tls_key)?;
+ let certs = CertPool::load(&https_config.cert_path)?;
let mut cfg = rustls::ServerConfig::builder()
.with_no_client_auth()
- .with_single_cert(certs, key)?;
+ .with_cert_resolver(Arc::new(certs));
cfg.alpn_protocols = vec![
// b"h2".to_vec(),
b"http/1.1".to_vec(),
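Review bot: `CertPool::load(&https_config.cert_path)?` drops the error context the replaced lines carried (`reading tls certs`, `parsing tls private key`), so a missing or malformed file now surfaces as whatever `CertPool::load` produces; unless that function adds its own context, `.context("loading tls certificates")?` on the new line keeps the startup error pointing at the certificate path. Swapping `with_single_cert` for `with_cert_resolver(Arc::new(certs))` also moves the private-key parsing and any certificate/key consistency check rustls performed at config-build time into `CertPool`, which this diff does not show, so it is worth confirming that `CertPool::load` rejects a mismatched pair at startup rather than on the first handshake. The `cert_path` field replaces `tls_cert`/`tls_key` in the HTTPS config, which means existing config files need updating; a line in the config documentation or changelog would help operators. `serve_https` continues outside the hunk.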
@@ -222,19 +220,6 @@ pub async fn serve_stream<T: Unpin + Send + 'static + hyper::rt::Read + hyper::r
}
}
-fn load_certs(path: &Path) -> anyhow::Result<Vec<CertificateDer<'static>>> {
- let mut reader = BufReader::new(std::fs::File::open(path).context("reading tls certs")?);
- let certs = rustls_pemfile::certs(&mut reader)
- .try_collect::<Vec<_>>()
- .context("parsing tls certs")?;
- Ok(certs)
-}
-fn load_private_key(path: &Path) -> anyhow::Result<PrivateKeyDer<'static>> {
- let mut reader = BufReader::new(std::fs::File::open(path).context("reading tls private key")?);
- let keys = rustls_pemfile::private_key(&mut reader).context("parsing tls private key")?;
- keys.ok_or(anyhow!("no private key found"))
-}
-
async fn service(
state: Arc<State>,
config: Arc<Config>,