@@ -33,6 +33,7 @@ pub(crate) async fn create_tls_config_and_watch_certificate_changes(
3333) -> Result < axum_server:: tls_rustls:: RustlsConfig > {
3434 use :: tracing:: error;
3535 use axum_server:: tls_rustls:: RustlsConfig ;
36+ use inotify:: WatchDescriptor ;
3637
3738 // Build initial TLS configuration
3839 let ( mut cert, mut key) =
@@ -63,7 +64,7 @@ pub(crate) async fn create_tls_config_and_watch_certificate_changes(
6364 . add ( tls_config. key_file . clone ( ) , inotify:: WatchMask :: CLOSE_WRITE )
6465 . map_err ( |e| anyhow ! ( "Cannot watch key file: {e}" ) ) ?;
6566
66- let client_ca_watches = tls_config
67+ let client_ca_watches: Result < Vec < WatchDescriptor > , anyhow :: Error > = tls_config
6768 . client_ca_file
6869 . clone ( )
6970 . into_iter ( )
@@ -72,9 +73,10 @@ pub(crate) async fn create_tls_config_and_watch_certificate_changes(
7273 . watches ( )
7374 . add ( path, inotify:: WatchMask :: CLOSE_WRITE )
7475 . map_err ( |e| anyhow ! ( "Cannot watch client certificate file: {e}" ) )
75- . unwrap ( )
7676 } )
77- . collect :: < Vec < _ > > ( ) ;
77+ . collect ( ) ;
78+
79+ let client_ca_watches = client_ca_watches?;
7880
7981 let buffer = [ 0 ; 1024 ] ;
8082 let stream = inotify
@@ -115,46 +117,49 @@ pub(crate) async fn create_tls_config_and_watch_certificate_changes(
115117 // Reload the client CA certificates if they have changed, keeping the current server certificates unchanged
116118 if client_ca_changed {
117119 info ! ( "Reloading Client CA certificates" ) ;
118- client_verifier = Some (
119- load_client_ca_certs ( tls_config. client_ca_file . clone ( ) )
120- . await
121- . map_err ( |e| error ! ( "Failed to reload client CA certificates: {e}" ) )
122- . unwrap ( ) ,
123- ) ;
124- let server_config =
125- build_tls_server_config ( cert. clone ( ) , key. clone_key ( ) , client_verifier. clone ( ) ) ;
126- if let Err ( e) = server_config {
127- error ! ( "Failed to reload TLS certificate: {e}" ) ;
128- continue ;
129- }
130-
131- reloadable_rust_config. reload_from_config ( Arc :: new ( server_config. unwrap ( ) ) ) ;
132120
133121 client_ca_changed = false ;
122+
123+ match load_client_ca_certs ( tls_config. client_ca_file . clone ( ) ) . await {
124+ Ok ( cv) => {
125+ client_verifier = Some ( cv) ;
126+ }
127+ Err ( e) => {
128+ error ! ( "Failed to reload TLS certificates: {e}" ) ;
129+ continue ;
130+ }
131+ }
134132 }
135133
136134 // Reload the server certificates if they have changed keeping the current client CA certificates unchanged
137135 if key_changed && cert_changed {
138136 info ! ( "Reloading Server TLS certificates" ) ;
139137
140- ( cert, key) = load_server_cert_and_key ( & tls_config. cert_file , & tls_config. key_file )
141- . await
142- . map_err ( |e| error ! ( "Failed to reload TLS certificates: {e}" ) )
143- . unwrap ( ) ;
138+ cert_changed = false ;
139+ key_changed = false ;
140+
141+ match load_server_cert_and_key ( & tls_config. cert_file , & tls_config. key_file ) . await {
142+ Ok ( ck) => {
143+ ( cert, key) = ck;
144+ }
145+ Err ( e) => {
146+ error ! ( "Failed to reload TLS certificates: {e}" ) ;
147+ continue ;
148+ }
149+ }
150+ }
144151
145- let server_config =
146- build_tls_server_config ( cert. clone ( ) , key. clone_key ( ) , client_verifier. clone ( ) ) ;
147- if let Err ( e) = server_config {
152+ match build_tls_server_config ( cert. clone ( ) , key. clone_key ( ) , client_verifier. clone ( ) ) {
153+ Ok ( server_config) => {
154+ reloadable_rust_config. reload_from_config ( Arc :: new ( server_config) ) ;
155+ }
156+ Err ( e) => {
148157 error ! ( "Failed to reload TLS certificate: {e}" ) ;
149- continue ;
150158 }
151- reloadable_rust_config. reload_from_config ( Arc :: new ( server_config. unwrap ( ) ) ) ;
152-
153- cert_changed = false ;
154- key_changed = false ;
155159 }
156160 }
157161 } ) ;
162+
158163 Ok ( rust_config)
159164}
160165
0 commit comments