From 9a24340bd4b2e73d875575925b4f00091b1e6655 Mon Sep 17 00:00:00 2001 From: Ward Vandewege Date: Fri, 16 Jul 2021 22:02:05 -0400 Subject: [PATCH] Turn the combination of TLS-ALPN-01 and listen_addr on a port other than 443 into a warning, not an error, refs #53. --- cmd/headscale/cli/utils.go | 3 ++- cmd/headscale/headscale_test.go | 3 +-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/cmd/headscale/cli/utils.go b/cmd/headscale/cli/utils.go index 662196e..05b2f54 100644 --- a/cmd/headscale/cli/utils.go +++ b/cmd/headscale/cli/utils.go @@ -48,7 +48,8 @@ func LoadConfig(path string) error { } if (viper.GetString("tls_letsencrypt_hostname") != "") && (viper.GetString("tls_letsencrypt_challenge_type") == "TLS-ALPN-01") && (!strings.HasSuffix(viper.GetString("listen_addr"), ":443")) { - errorText += "Fatal config error: when using tls_letsencrypt_hostname with TLS-ALPN-01 as challenge type, listen_addr must end in :443\n" + // this is only a warning because there could be something sitting in front of headscale that redirects the traffic (e.g. an iptables rule) + log.Println("Warning: when using tls_letsencrypt_hostname with TLS-ALPN-01 as challenge type, headscale must be reachable on port 443, i.e. listen_addr should probably end in :443") } if (viper.GetString("tls_letsencrypt_challenge_type") != "HTTP-01") && (viper.GetString("tls_letsencrypt_challenge_type") != "TLS-ALPN-01") { diff --git a/cmd/headscale/headscale_test.go b/cmd/headscale/headscale_test.go index 838852c..dc13171 100644 --- a/cmd/headscale/headscale_test.go +++ b/cmd/headscale/headscale_test.go @@ -126,6 +126,5 @@ func (*Suite) TestTLSConfigValidation(c *check.C) { configYaml = []byte("---\nserver_url: \"http://127.0.0.1:8000\"\ntls_letsencrypt_hostname: \"example.com\"\ntls_letsencrypt_challenge_type: \"TLS-ALPN-01\"") writeConfig(c, tmpDir, configYaml) err = cli.LoadConfig(tmpDir) - c.Assert(err, check.NotNil) - c.Assert(err, check.ErrorMatches, "Fatal config error: when using tls_letsencrypt_hostname with TLS-ALPN-01 as challenge type, listen_addr must end in :443.*") + c.Assert(err, check.IsNil) }