fix: better handling of insecure option

hm-edu · Oct 11, 2023 · 2d0b19f · 2d0b19f
1 parent 244c056
commit 2d0b19f
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 4 deletions.
diff --git a/authority/config/config.go b/authority/config/config.go
@@ -79,7 +79,6 @@ type Config struct {
 	Address          string               `json:"address"`
 	PublicAddress    string               `json:"publicAddress"`
 	InsecureAddress  string               `json:"insecureAddress"`
-	AllInsecure      bool                 `json:"allInsecure"`
 	DNSNames         []string             `json:"dnsNames"`
 	KMS              *kms.Options         `json:"kms,omitempty"`
 	SSH              *SSHConfig           `json:"ssh,omitempty"`

diff --git a/ca/ca.go b/ca/ca.go
@@ -218,7 +218,14 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
 	}
 	ca.auth = auth
 	var tlsConfig *tls.Config
-	if cfg.AllInsecure {
+
+	allInsecure := false
+
+	if os.Getenv("STEP_TLS_INSECURE") == "1" {
+		allInsecure = true
+	}
+
+	if allInsecure {
 		tls, clientTLSConfig, err := ca.getTLSConfig(auth, cfg)
 		tlsConfig = tls
 		if err != nil {
@@ -387,7 +394,7 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
 
 	baseContext := buildContext(auth, scepAuthority, acmeDB, acmeLinker, client, validationBroker)
 
-	if cfg.AllInsecure {
+	if allInsecure {
 		ca.srv = server.New(cfg.Address, handler, nil)
 	} else {
 		ca.srv = server.New(cfg.Address, handler, tlsConfig)
@@ -396,7 +403,7 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
 		return baseContext
 	}
 	if cfg.PublicAddress != "" {
-		if cfg.AllInsecure {
+		if allInsecure {
 			ca.public = server.New(cfg.PublicAddress, publicHandler, nil)
 		} else {
 			ca.public = server.New(cfg.PublicAddress, publicHandler, tlsConfig)