fix: invalid TLS CA cert should error immediately

UnwashedMeme · UnwashedMeme · commit 1859885f4e47 · 2025-05-21T11:44:15.000-04:00
Previously if a consumer specified the CA cert to verify the command
connection but that CA wasn't valid then system would log at
Debug (default hidden) and proceed anyways.

I don't believe this is good behavior. If the consumer is directly
specifying a CA cert then that is the CA that should be used, not
silently ignored.

This patch returns the error up, which is now caught and swallowed at
a higher level, but at least it is more  visible:

&gt; time=2025-05-21T15:41:33.547Z level=ERROR msg="Unable to add transport credentials to gRPC dial options, adding default transport credentials" error="invalid CA cert while building transport credentials: read CA file (/etc/nginx-agent/bad.crt): open /etc/nginx-agent/bad.crt: no such file or directory"
diff --git a/internal/grpc/grpc.go b/internal/grpc/grpc.go
@@ -382,14 +382,12 @@ func getTLSConfigForCredentials(c *config.TLSConfig) (*tls.Config, error) {
 		InsecureSkipVerify: c.SkipVerify,
 	}
 
-	err := appendRootCAs(tlsConfig, c.Ca)
-	if err != nil {
-		slog.Debug("Unable to append root CA", "error", err)
+	if err := appendRootCAs(tlsConfig, c.Ca); err != nil {
+		return nil, fmt.Errorf("invalid CA cert while building transport credentials: %w", err)
 	}
 
-	err = appendCertKeyPair(tlsConfig, c.Cert, c.Key)
-	if err != nil {
-		return nil, fmt.Errorf("append cert and key pair failed: %w", err)
+	if err := appendCertKeyPair(tlsConfig, c.Cert, c.Key); err != nil {
+		return nil, fmt.Errorf("invalid client cert while building transport credentials: %w", err)
 	}
 
 	return tlsConfig, nil
diff --git a/internal/grpc/grpc_test.go b/internal/grpc/grpc_test.go
@@ -447,14 +447,11 @@ func Test_getTLSConfig(t *testing.T) {
 				require.False(t, c.InsecureSkipVerify, "InsecureSkipVerify should not be set")
 			},
 		},
-		"Test 3: incorrect CA should not error": { // REALLY ?!
+		"Test 3: incorrect CA should not error": {
 			conf: &config.TLSConfig{
 				Ca: "customca.pem",
 			},
-			wantErr: false,
-			verify: func(t require.TestingT, c *tls.Config) {
-				require.Nil(t, c.RootCAs, "RootCAs should be nil to use system")
-			},
+			wantErr: true,
 		},
 		"Test 4: incorrect key path should error": {
 			conf: &config.TLSConfig{

Original file line number	Diff line number	Diff line change
`@@ -382,14 +382,12 @@ func getTLSConfigForCredentials(c config.TLSConfig) (tls.Config, error) {`
`382`	`382`	`InsecureSkipVerify: c.SkipVerify,`
`383`	`383`	`}`
`384`	`384`
`385`		`- err := appendRootCAs(tlsConfig, c.Ca)`
`386`		`- if err != nil {`
`387`		`- slog.Debug("Unable to append root CA", "error", err)`
	`385`	`+ if err := appendRootCAs(tlsConfig, c.Ca); err != nil {`
	`386`	`+ return nil, fmt.Errorf("invalid CA cert while building transport credentials: %w", err)`
`388`	`387`	`}`
`389`	`388`
`390`		`- err = appendCertKeyPair(tlsConfig, c.Cert, c.Key)`
`391`		`- if err != nil {`
`392`		`- return nil, fmt.Errorf("append cert and key pair failed: %w", err)`
	`389`	`+ if err := appendCertKeyPair(tlsConfig, c.Cert, c.Key); err != nil {`
	`390`	`+ return nil, fmt.Errorf("invalid client cert while building transport credentials: %w", err)`
`393`	`391`	`}`
`394`	`392`
`395`	`393`	`return tlsConfig, nil`