From 063432aa4bf0a845387034637ab8a9a7237a6797 Mon Sep 17 00:00:00 2001
From: Ivan Kozlovic
Date: Thu, 2 Sep 2021 09:13:54 -0600
Subject: [PATCH] [FIXED] Account resolver TLS configuration

The RootCAs was not properly set, which could prevent the server to create a TLS connection to the account resolver with an error such as:
```
x509: certificate signed by unknown authority
```
Resolves #1207

Signed-off-by: Ivan Kozlovic
---
 server/jwt_test.go | 17 +++++++++++++++--
 server/opts.go | 7 ++++++-
 server/reload_test.go | 17 +++++++++++++++--
 3 files changed, 36 insertions(+), 5 deletions(-)

diff --git a/server/jwt_test.go b/server/jwt_test.go
index ff8eb267..2abd4ee9 100644
--- a/server/jwt_test.go
+++ b/server/jwt_test.go
@@ -1556,7 +1556,18 @@ func TestAccountURLResolver(t *testing.T) {
 })
 var ts *httptest.Server
 if test.useTLS {
- ts = httptest.NewTLSServer(hf)
+ tc := &TLSConfigOpts{
+ CertFile: "../test/configs/certs/server-cert.pem",
+ KeyFile: "../test/configs/certs/server-key.pem",
+ CaFile: "../test/configs/certs/ca.pem",
+ }
+ tlsConfig, err := GenTLSConfig(tc)
+ if err != nil {
+ t.Fatalf("Error generating tls config: %v", err)
+ }
+ ts = httptest.NewUnstartedServer(hf)
+ ts.TLS = tlsConfig
+ ts.StartTLS()
 } else {
 ts = httptest.NewServer(hf)
 }
@@ -1567,7 +1578,9 @@ func TestAccountURLResolver(t *testing.T) {
 listen: -1
 resolver: URL("%s/ngs/v1/accounts/jwt/")
 resolver_tls {
- insecure: true
+ cert_file: "../test/configs/certs/client-cert.pem"
+ key_file: "../test/configs/certs/client-key.pem"
+ ca_file: "../test/configs/certs/ca.pem"
 }
 `
 conf := createConfFile(t, []byte(fmt.Sprintf(confTemplate, ojwt, ts.URL)))
diff --git a/server/opts.go b/server/opts.go
index 15ffd176..68d3fd71 100644
--- a/server/opts.go
+++ b/server/opts.go
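Review bot: With `insecure: true` gone, the resolver_tls block in this hunk exercises only the success path, so a regression that silently disables verification again (for instance RootCAs left nil while InsecureSkipVerify ends up set) would still pass. The fixture should gain a negative case that points `ca_file` at a CA that did not sign the httptest server certificate and asserts that the resolver fetch fails with a certificate error instead of succeeding. The `test.useTLS` branch of the table-driven setup this template feeds is the natural place for that case; the table and the enclosing TestAccountURLResolver start outside the hunk. The handshake presumably also relies on server-cert.pem carrying a SAN for the 127.0.0.1 address httptest listens on — a one-line comment next to `ca_file` saying so would save the next person who swaps the fixtures a confusing failure.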
@@ -1105,11 +1105,16 @@ func (o *Options) processConfigFileLine(k string, v interface{}, errors *[]error
 *errors = append(*errors, err)
 return
 }
- if o.AccountResolverTLSConfig, err = GenTLSConfig(tc); err != nil {
+ tlsConfig, err := GenTLSConfig(tc)
+ if err != nil {
 err := &configErr{tk, err.Error()}
 *errors = append(*errors, err)
 return
 }
+ o.AccountResolverTLSConfig = tlsConfig
+ // GenTLSConfig loads the CA file into ClientCAs, but since this will
+ // be used as a client connection, we need to set RootCAs.
+ o.AccountResolverTLSConfig.RootCAs = tlsConfig.ClientCAs
 case "resolver_preload":
 mp, ok := v.(map[string]interface{})
 if !ok {
diff --git a/server/reload_test.go b/server/reload_test.go
index eb5fb7d7..ee8eea2b 100644
--- a/server/reload_test.go
+++ b/server/reload_test.go
@@ -4041,9 +4041,20 @@ func TestConfigReloadAccountResolverTLSConfig(t *testing.T) {
 }
 pub, _ := kp.PublicKey()
- ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ tc := &TLSConfigOpts{
+ CertFile: "../test/configs/certs/server-cert.pem",
+ KeyFile: "../test/configs/certs/server-key.pem",
+ CaFile: "../test/configs/certs/ca.pem",
+ }
+ tlsConfig, err := GenTLSConfig(tc)
+ if err != nil {
+ t.Fatalf("Error generating tls config: %v", err)
+ }
+ ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 w.Write([]byte(ajwt))
 }))
+ ts.TLS = tlsConfig
+ ts.StartTLS()
 defer ts.Close()
 // Set a dummy logger to prevent tls bad certificate output to stderr.
 ts.Config.ErrorLog = log.New(&bytes.Buffer{}, "", 0)
@@ -4056,7 +4067,9 @@ func TestConfigReloadAccountResolverTLSConfig(t *testing.T) {
 `
 conf := createConfFile(t, []byte(fmt.Sprintf(confTemplate, pub, ts.URL, `
 resolver_tls {
- insecure: true
+ cert_file: "../test/configs/certs/client-cert.pem"
+ key_file: "../test/configs/certs/client-key.pem"
+ ca_file: "../test/configs/certs/ca.pem"
 }
 `)))
 defer removeFile(t, conf)
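Review bot: After the new `RootCAs` assignment the config handed to the account resolver still carries the server-side fields GenTLSConfig populated — `ClientCAs`, and presumably a `ClientAuth` mode, since the helper builds listener configs. crypto/tls ignores those on an outbound connection, but leaving them set invites the next reader to assume this config verifies client certificates, which is exactly the confusion the fix is correcting. I would clear the pool right after copying it, `o.AccountResolverTLSConfig.ClientCAs = nil`, and extend the comment to state that a nil `RootCAs` (no `ca_file` configured) means the system roots are trusted, so operators know the resolver is not pinned in that case. processConfigFileLine starts and ends outside the hunk.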
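Review bot: The `tc`/`GenTLSConfig`/`NewUnstartedServer`/`StartTLS` sequence added at the top of this hunk is a verbatim copy of the block added to jwt_test.go in the same commit, down to the fixture paths and the fatal message. A small helper in the server test package, e.g. `func newTLSTestServer(t *testing.T, hf http.Handler) *httptest.Server`, that owns those lines would keep the two tests in step when the cert fixtures move. The `// Set a dummy logger to prevent tls bad certificate output to stderr.` comment that follows may now be stale, since the client side presents a certificate signed by the same CA; confirm whether the handshake still logs anything before keeping it. TestConfigReloadAccountResolverTLSConfig starts before and ends after this hunk.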