fs:Added multiple ca certificate support.

2023-01-11 07:59:51 +00:00 · 2023-01-11 07:59:51 +00:00 · 6b17044f8e
parent 844e8fb8bd
commit 6b17044f8e
4 changed files with 19 additions and 15 deletions
--- a/docs/content/docs.md
+++ b/docs/content/docs.md
@ -2099,9 +2099,9 @@ these options.  For example this can be very useful with the HTTP or
 WebDAV backends. Rclone HTTP servers have their own set of
 configuration for SSL/TLS which you can find in their documentation.
-### --ca-cert string
+### --ca-cert stringArray
-This loads the PEM encoded certificate authority certificate and uses
+This loads the PEM encoded certificate authority certificates and uses
 it to verify the certificates of the servers rclone connects to.
 If you have generated certificates signed with a local CA then you
--- a/fs/config.go
+++ b/fs/config.go
@ -120,9 +120,9 @@ type ConfigInfo struct {
 	ProgressTerminalTitle   bool
 	Cookie                  bool
 	UseMmap                 bool
-	CaCert                  string // Client Side CA
+	CaCert                  []string // Client Side CA
-	ClientCert              string // Client Side Cert
+	ClientCert              string   // Client Side Cert
-	ClientKey               string // Client Side Key
+	ClientKey               string   // Client Side Key
 	MultiThreadCutoff       SizeSuffix
 	MultiThreadStreams      int
 	MultiThreadSet          bool   // whether MultiThreadStreams was set (set in fs/config/configflags)
--- a/fs/config/configflags/configflags.go
+++ b/fs/config/configflags/configflags.go
@ -120,7 +120,7 @@ func AddFlags(ci *fs.ConfigInfo, flagSet *pflag.FlagSet) {
 	flags.BoolVarP(flagSet, &ci.ProgressTerminalTitle, "progress-terminal-title", "", ci.ProgressTerminalTitle, "Show progress on the terminal title (requires -P/--progress)")
 	flags.BoolVarP(flagSet, &ci.Cookie, "use-cookies", "", ci.Cookie, "Enable session cookiejar")
 	flags.BoolVarP(flagSet, &ci.UseMmap, "use-mmap", "", ci.UseMmap, "Use mmap allocator (see docs)")
-	flags.StringVarP(flagSet, &ci.CaCert, "ca-cert", "", ci.CaCert, "CA certificate used to verify servers")
+	flags.StringArrayVarP(flagSet, &ci.CaCert, "ca-cert", "", ci.CaCert, "CA certificate used to verify servers")
 	flags.StringVarP(flagSet, &ci.ClientCert, "client-cert", "", ci.ClientCert, "Client SSL certificate (PEM) for mutual TLS auth")
 	flags.StringVarP(flagSet, &ci.ClientKey, "client-key", "", ci.ClientKey, "Client SSL private key (PEM) for mutual TLS auth")
 	flags.FVarP(flagSet, &ci.MultiThreadCutoff, "multi-thread-cutoff", "", "Use multi-thread downloads for files above this size")
--- a/fs/fshttp/http.go
+++ b/fs/fshttp/http.go
@ -72,16 +72,20 @@ func NewTransportCustom(ctx context.Context, customize func(*http.Transport)) ht
 		t.TLSClientConfig.Certificates = []tls.Certificate{cert}
 	}
-	// Load CA cert
+	// Load CA certs
-	if ci.CaCert != "" {
+	if len(ci.CaCert) != 0 {
-		caCert, err := os.ReadFile(ci.CaCert)
+
 		if err != nil {
 			log.Fatalf("Failed to read --ca-cert: %v", err)
 		}
 		caCertPool := x509.NewCertPool()
-		ok := caCertPool.AppendCertsFromPEM(caCert)
+
-		if !ok {
+		for _, cert := range ci.CaCert {
-			log.Fatalf("Failed to add certificates from --ca-cert")
+			caCert, err := os.ReadFile(cert)
 			if err != nil {
 				log.Fatalf("Failed to read --ca-cert file %q : %v", cert, err)
 			}
 			ok := caCertPool.AppendCertsFromPEM(caCert)
 			if !ok {
 				log.Fatalf("Failed to add certificates from --ca-cert file %q", cert)
 			}
 		}
 		t.TLSClientConfig.RootCAs = caCertPool
 	}