open-consul/vendor/github.com/hashicorp/go-rootcerts/README.md

# rootcerts

Functions for loading root certificates for TLS connections.

-----

Go's standard library `crypto/tls` provides a common mechanism for configuring
TLS connections in `tls.Config`. The `RootCAs` field on this struct is a pool
of certificates for the client to use as a trust store when verifying server
certificates.

This library contains utility functions for loading certificates destined for
that field, as well as one other important thing:

When the `RootCAs` field is `nil`, the standard library attempts to load the
host's root CA set.  This behavior is OS-specific, and the Darwin
implementation contains [a bug that prevents trusted certificates from the
System and Login keychains from being loaded][1]. This library contains
Darwin-specific behavior that works around that bug.

[1]: https://github.com/golang/go/issues/14514

## Example Usage

Here's a snippet demonstrating how this library is meant to be used:

```go
func httpClient() (*http.Client, error)
	tlsConfig := &tls.Config{}
	err := rootcerts.ConfigureTLS(tlsConfig, &rootcerts.Config{
		CAFile:      os.Getenv("MYAPP_CAFILE"),
		CAPath:      os.Getenv("MYAPP_CAPATH"),
		Certificate: os.Getenv("MYAPP_CERTIFICATE"),
	})
	if err != nil {
		return nil, err
	}
	c := cleanhttp.DefaultClient()
	t := cleanhttp.DefaultTransport()
	t.TLSClientConfig = tlsConfig
	c.Transport = t
	return c, nil
}
```
Vendor the go-rootcerts lib for the client tls options 2017-04-14 20:46:19 +00:00			`# rootcerts`

			`Functions for loading root certificates for TLS connections.`

			`-----`

			Go's standard library `crypto/tls` provides a common mechanism for configuring
			TLS connections in `tls.Config`. The `RootCAs` field on this struct is a pool
			`of certificates for the client to use as a trust store when verifying server`
			`certificates.`

			`This library contains utility functions for loading certificates destined for`
			`that field, as well as one other important thing:`

			When the `RootCAs` field is `nil`, the standard library attempts to load the
			`host's root CA set. This behavior is OS-specific, and the Darwin`
			`implementation contains [a bug that prevents trusted certificates from the`
			`System and Login keychains from being loaded][1]. This library contains`
			`Darwin-specific behavior that works around that bug.`

			`[1]: https://github.com/golang/go/issues/14514`

			`## Example Usage`

			`Here's a snippet demonstrating how this library is meant to be used:`

			```go
			`func httpClient() (*http.Client, error)`
			`tlsConfig := &tls.Config{}`
			`err := rootcerts.ConfigureTLS(tlsConfig, &rootcerts.Config{`
api: add option to set TLS options in-memory for API client (#7093) This PR adds the option to set in-memory certificates to the API client instead of requiring the certificate to be stored on disk in a file. This allows us to define API client TLS options per Consul secret backend in Vault. Related issue hashicorp/vault#4800 2020-01-28 10:54:49 +00:00			`CAFile: os.Getenv("MYAPP_CAFILE"),`
			`CAPath: os.Getenv("MYAPP_CAPATH"),`
			`Certificate: os.Getenv("MYAPP_CERTIFICATE"),`
Vendor the go-rootcerts lib for the client tls options 2017-04-14 20:46:19 +00:00			`})`
			`if err != nil {`
			`return nil, err`
			`}`
			`c := cleanhttp.DefaultClient()`
			`t := cleanhttp.DefaultTransport()`
			`t.TLSClientConfig = tlsConfig`
			`c.Transport = t`
			`return c, nil`
			`}`
			```