Merge pull request #7395 from TheThingsNetwork/fix/cli-tls

Pass custom CA to grpc dial option
TheThingsNetwork · Nov 19, 2024 · 9fb31df · 9fb31df
2 parents 50bc235 + 51670f6
commit 9fb31df
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 0 deletions.
diff --git a/cmd/ttn-lw-cli/commands/root.go b/cmd/ttn-lw-cli/commands/root.go
@@ -233,6 +233,9 @@ func preRun(tasks ...func() error) func(cmd *cobra.Command, args []string) error
 			}
 			rootCAs.AppendCertsFromPEM(pemBytes)
 			http.DefaultTransport.(*http.Transport).TLSClientConfig.RootCAs = rootCAs
+			if err = api.AddCA(pemBytes); err != nil {
+				return err
+			}
 		}
 
 		// OAuth

diff --git a/cmd/ttn-lw-cli/internal/api/grpc.go b/cmd/ttn-lw-cli/internal/api/grpc.go
@@ -17,6 +17,7 @@ package api
 import (
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"sync"
 	"time"
 
@@ -134,6 +135,24 @@ var (
 	conns  = make(map[string]*grpc.ClientConn)
 )
 
+// AddCA adds the CA certificate file.
+func AddCA(pemBytes []byte) (err error) {
+	if tlsConfig == nil {
+		tlsConfig = &tls.Config{
+			MinVersion: tls.VersionTLS12,
+		}
+	}
+	rootCAs := tlsConfig.RootCAs
+	if rootCAs == nil {
+		if rootCAs, err = x509.SystemCertPool(); err != nil {
+			rootCAs = x509.NewCertPool()
+		}
+	}
+	rootCAs.AppendCertsFromPEM(pemBytes)
+	tlsConfig.RootCAs = rootCAs
+	return nil
+}
+
 // Dial dials a gRPC connection to the target.
 func Dial(ctx context.Context, target string) (*grpc.ClientConn, error) {
 	connMu.Lock()