From 97523470735df59742b31ba7cff7606d9a03c0b8 Mon Sep 17 00:00:00 2001
From: Haruue <i@haruue.moe>
Date: Mon, 15 Apr 2024 19:31:23 +0800
Subject: [PATCH] fix: check if cert-key is loadable on server start

close: #1040
---
 app/cmd/server.go | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/app/cmd/server.go b/app/cmd/server.go
index 9b6665e..3f52c28 100644
--- a/app/cmd/server.go
+++ b/app/cmd/server.go
@@ -10,6 +10,7 @@ import (
 	"net/http"
 	"net/http/httputil"
 	"net/url"
+	"os"
 	"strconv"
 	"strings"
 	"time"
@@ -254,6 +255,19 @@ func (c *serverConfig) fillTLSConfig(hyConfig *server.Config) error {
 		if c.TLS.Cert == "" || c.TLS.Key == "" {
 			return configError{Field: "tls", Err: errors.New("empty cert or key path")}
 		}
+		// Load cert-key pair here for early error reporting (especially permission denied)
+		certPEMBlock, err := os.ReadFile(c.TLS.Cert)
+		if err != nil {
+			return configError{Field: "tls.cert", Err: err}
+		}
+		keyPEMBlock, err := os.ReadFile(c.TLS.Key)
+		if err != nil {
+			return configError{Field: "tls.key", Err: err}
+		}
+		_, err = tls.X509KeyPair(certPEMBlock, keyPEMBlock)
+		if err != nil {
+			return configError{Field: "tls", Err: fmt.Errorf("invalid cert-key pair: %w", err)}
+		}
 		// Use GetCertificate instead of Certificates so that
 		// users can update the cert without restarting the server.
 		hyConfig.TLSConfig.GetCertificate = func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {