From 97523470735df59742b31ba7cff7606d9a03c0b8 Mon Sep 17 00:00:00 2001
From: Haruue
Date: Mon, 15 Apr 2024 19:31:23 +0800
Subject: [PATCH 1/2] fix: check if cert-key is loadable on server start

close: #1040
---
 app/cmd/server.go | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/app/cmd/server.go b/app/cmd/server.go
index 9b6665e..3f52c28 100644
--- a/app/cmd/server.go
+++ b/app/cmd/server.go
@@ -10,6 +10,7 @@ import (
 "net/http"
 "net/http/httputil"
 "net/url"
+ "os"
 "strconv"
 "strings"
 "time"
@@ -254,6 +255,19 @@ func (c *serverConfig) fillTLSConfig(hyConfig *server.Config) error {
 if c.TLS.Cert == "" || c.TLS.Key == "" {
 return configError{Field: "tls", Err: errors.New("empty cert or key path")}
 }
+ // Load cert-key pair here for early error reporting (especially permission denied)
+ certPEMBlock, err := os.ReadFile(c.TLS.Cert)
+ if err != nil {
+ return configError{Field: "tls.cert", Err: err}
+ }
+ keyPEMBlock, err := os.ReadFile(c.TLS.Key)
+ if err != nil {
+ return configError{Field: "tls.key", Err: err}
+ }
+ _, err = tls.X509KeyPair(certPEMBlock, keyPEMBlock)
+ if err != nil {
+ return configError{Field: "tls", Err: fmt.Errorf("invalid cert-key pair: %w", err)}
+ }
 // Use GetCertificate instead of Certificates so that
 // users can update the cert without restarting the server.
 hyConfig.TLSConfig.GetCertificate = func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {

From dc1f58414a723cf5bec8ea6ecebc0e5163eb9b41 Mon Sep 17 00:00:00 2001
From: Toby
Date: Mon, 15 Apr 2024 14:58:09 -0700
Subject: [PATCH 2/2] chore: improve comments

---
 app/cmd/server.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/app/cmd/server.go b/app/cmd/server.go
index 3f52c28..9e81312 100644
--- a/app/cmd/server.go
+++ b/app/cmd/server.go
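Review bot: The certificate parsed by `tls.X509KeyPair` in the fillTLSConfig hunk is discarded on purpose, but the hunk never says why, and the separate `_, err = ...` assignment followed by `if err != nil` reads as if the result were forgotten rather than intentionally dropped. I would fold it into `if _, err := tls.X509KeyPair(certPEMBlock, keyPEMBlock); err != nil {` and add above it `// Validate only; GetCertificate below reloads the pair from disk so it can be rotated without a restart.` The GetCertificate callback that begins on the hunk's last line and continues outside it presumably repeats this ReadFile/X509KeyPair sequence; if so, a small shared loader used by both the startup check and the callback would keep the two code paths from diverging in what they accept. Note that this check only proves the files are loadable at startup; a later rotation to an unreadable or mismatched pair surfaces only when a handshake calls GetCertificate, which the early-error comment could mention. fillTLSConfig's body continues past the hunk.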
@@ -255,7 +255,8 @@ func (c *serverConfig) fillTLSConfig(hyConfig *server.Config) error {
 if c.TLS.Cert == "" || c.TLS.Key == "" {
 return configError{Field: "tls", Err: errors.New("empty cert or key path")}
 }
- // Load cert-key pair here for early error reporting (especially permission denied)
+ // Try loading the cert-key pair here to catch errors early
+ // (e.g. invalid files or insufficient permissions)
 certPEMBlock, err := os.ReadFile(c.TLS.Cert)
 if err != nil {
 return configError{Field: "tls.cert", Err: err}