[PR #143] [MERGED] Mlts pkcs12 compatibility #142

Closed
opened 2025-11-19 07:14:58 -06:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/fosrl/newt/pull/143
Author: @rgutmen
Created: 9/19/2025
Status: Merged
Merged: 9/20/2025
Merged by: @oschwartz10612

Base: dev ← Head: mlts-pkcs12-compatibility


📝 Commits (4)

  • 0fc13be feat(Docs): Adding GoReport Badge
  • a08a3b9 feat(Docs): Add License Badge and PkgGo Badge
  • c673743 Merge pull request #142 from marcschaeferger/main
  • 9bd96ac Support TLS_CLIENT_CERT, TLS_CLIENT_KEY and TLS_CA_CERT in Docker Compose

📊 Changes

2 files changed (+4 additions, -1 deletions)

View changed files

📝 README.md (+3 -0)
📝 main.go (+1 -1)

📄 Description

Community Contribution License Agreement

By creating this pull request, I grant the project maintainers an unlimited,
perpetual license to use, modify, and redistribute these contributions under any terms they
choose, including both the AGPLv3 and the Fossorial Commercial license terms. I
represent that I have the right to grant this license for all contributed content.

Description

In our Docker Compose setup for mTLS, the recommended configuration is to pass the three PEM-based variables:

  • TLS_CLIENT_CERT
  • TLS_CLIENT_KEY
  • TLS_CA_CERT

However, the current code path has an unintended fallback: when TLS_CLIENT_CERT_PKCS12 is unset or empty, it automatically treats TLS_CLIENT_CERT as the certificate source and ignores TLS_CLIENT_KEY and TLS_CA_CERT even if they are provided. This makes the PEM triplet unusable and forces a pseudo-PKCS#12 behavior when it shouldn’t.

Observed error / symptom

TLS configuration error: cannot use both PKCS12 format (--tls-client-cert) and separate certificate files (--tls-client-cert-file, --tls-client-key, --tls-client-ca)

Important scope note (not affected)

This issue does not occur when running the binary directly with CLI flags, e.g.:

docker run ... \
  --tls-client-cert-file /tls/client.crt \
  --tls-client-key /tls/client.key \
  --tls-client-ca /tls/ca.crt

With explicit flags, the PEM triplet works as expected. The problem is specific to the environment-variable–driven configuration commonly used in Docker Compose.

How to test?

PEM triplet via Docker Compose

Create three test files (client.crt, client.key, ca.crt).
Run the service with:

    volumes:
      - /opt/newt/tls:/tls:ro
    environment:
      - PANGOLIN_ENDPOINT=my.endpoint.com
      - TLS_CLIENT_CERT=/tls/newt.crt
      - TLS_CLIENT_KEY=/tls/newt.key
      - TLS_CA_CERT=/tls/server-ca.pem
      - NEWT_ID=iw3c.....
      - NEWT_SECRET=cc9tny.....

PKCS#12 via Docker Compose

Create a client.p12 (same material as above).
Run the service with:

    volumes:
      - /opt/newt/tls:/tls:ro
    environment:
      - PANGOLIN_ENDPOINT=my.endpoint.com
      - TLS_CLIENT_CERT_PKCS12=/tls/client.p12
      - NEWT_ID=iw3c.....
      - NEWT_SECRET=cc9tny.....

Expected: both PEM triplet and PKCS#12 paths work; when PKCS#12 is unset, the PEM triplet is honored.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
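The env-var-to-flag mapping the description complains about, reconstructed as an added Go illustration (not newt's own code): ResolveTLS, the buggy switch and the Mode values are assumed names, the buggy branch models the fallback the PR describes (an empty TLS_CLIENT_CERT_PKCS12 pulls TLS_CLIENT_CERT into the PKCS#12 flag), and the other branch models the intended mapping where TLS_CLIENT_CERT always feeds the PEM certificate flag.

```go
package main

import (
	"errors"
	"fmt"
)

// Mode is the client-certificate source that the validation selected.
type Mode string

const (
	ModePKCS12 Mode = "pkcs12"
	ModePEM    Mode = "pem"
	ModeNone   Mode = "none"
)

// ErrMixed reproduces the error text quoted in the PR description.
var ErrMixed = errors.New("TLS configuration error: cannot use both PKCS12 format (--tls-client-cert) and separate certificate files (--tls-client-cert-file, --tls-client-key, --tls-client-ca)")

// ResolveTLS maps environment variables onto the two flag families and validates them.
// With buggy=true the assumed fallback from the PR is used: an empty TLS_CLIENT_CERT_PKCS12
// makes TLS_CLIENT_CERT the PKCS#12 source. With buggy=false TLS_CLIENT_CERT is the PEM
// certificate (--tls-client-cert-file), which is what the Docker Compose docs expect.
func ResolveTLS(env map[string]string, buggy bool) (Mode, error) {
	pkcs12 := env["TLS_CLIENT_CERT_PKCS12"]
	certFile, keyFile, caFile := "", env["TLS_CLIENT_KEY"], env["TLS_CA_CERT"]
	if buggy {
		if pkcs12 == "" {
			pkcs12 = env["TLS_CLIENT_CERT"] // assumed fallback described in the PR
		}
	} else {
		certFile = env["TLS_CLIENT_CERT"]
	}
	hasPEM := certFile != "" || keyFile != "" || caFile != ""
	switch {
	case pkcs12 != "" && hasPEM: // the PEM triplet now collides with the PKCS#12 flag
		return ModeNone, ErrMixed
	case pkcs12 != "":
		return ModePKCS12, nil
	case certFile != "" && keyFile != "":
		return ModePEM, nil
	case hasPEM:
		return ModeNone, errors.New("PEM mode needs both TLS_CLIENT_CERT and TLS_CLIENT_KEY")
	default:
		return ModeNone, nil
	}
}

func main() {
	// Constructed sample: the PEM triplet from the Compose snippet above.
	env := map[string]string{"TLS_CLIENT_CERT": "/tls/newt.crt", "TLS_CLIENT_KEY": "/tls/newt.key", "TLS_CA_CERT": "/tls/server-ca.pem"}
	for _, buggy := range []bool{true, false} {
		mode, err := ResolveTLS(env, buggy)
		fmt.Printf("buggy=%v mode=%s err=%v\n", buggy, mode, err)
	}
}
```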

GiteaMirror added the pull-request label 2025-11-19 07:14:58 -06:00

Reference: github-starred/newt#142