From 9d58977fa676201957cb19dedaaf41dd9a51a6db Mon Sep 17 00:00:00 2001
From: yusing
Date: Sun, 25 May 2025 17:33:13 +0800
Subject: [PATCH] feat(autocert): add CACerts field to autocert Config for custom CA
---
 internal/autocert/config.go | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/internal/autocert/config.go b/internal/autocert/config.go
index a71d429..987a105 100644
--- a/internal/autocert/config.go
+++ b/internal/autocert/config.go
@@ -26,6 +26,7 @@ type Config struct {
 ACMEKeyPath string `json:"acme_key_path,omitempty"`
 Provider string `json:"provider,omitempty"`
 CADirURL string `json:"ca_dir_url,omitempty"`
+ CACerts []string `json:"ca_certs,omitempty"`
 Options map[string]any `json:"options,omitempty"`
 HTTPClient *http.Client `json:"-"` // for tests only
@@ -151,6 +152,14 @@ func (cfg *Config) GetLegoConfig() (*User, *lego.Config, gperr.Error) {
 legoCfg.CADirURL = cfg.CADirURL
 }
+ if len(cfg.CACerts) > 0 {
+ certPool, err := lego.CreateCertPool(cfg.CACerts, true)
+ if err != nil {
+ return nil, nil, gperr.New("failed to create cert pool").With(err)
+ }
+ legoCfg.HTTPClient.Transport.(*http.Transport).TLSClientConfig.RootCAs = certPool
+ }
+
 return user, legoCfg, nil
 }
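Review bot: The unchecked chain `legoCfg.HTTPClient.Transport.(*http.Transport).TLSClientConfig.RootCAs = certPool` in the second hunk panics if the transport is nil or not an `*http.Transport`, or if `TLSClientConfig` is nil, and it only runs once `ca_certs` is set, so the failure would surface at runtime on a configured instance. It also writes into whatever transport the client currently holds; how `legoCfg.HTTPClient` is populated is outside the hunk, but if that transport is ever shared (the struct carries a test-only `HTTPClient`), the custom roots would quietly become trust anchors for unrelated TLS connections. I would use the comma-ok assertion, clone the transport before changing it, and allocate `TLSClientConfig` when it is missing, which needs `crypto/tls` imported in this file. The new `CACerts` field in the first hunk should also get a comment saying what its entries are and what the `true` argument to `lego.CreateCertPool` means, since that presumably decides whether the system roots stay trusted alongside the custom CA. GetLegoConfig starts outside the hunk.

```go
	if len(cfg.CACerts) > 0 {
		// … unchanged: lego.CreateCertPool call and its error return …
		tr, ok := legoCfg.HTTPClient.Transport.(*http.Transport)
		if !ok {
			return nil, nil, gperr.New("ca_certs requires an *http.Transport on the lego HTTP client")
		}
		tr = tr.Clone() // never mutate a transport that may be shared with other clients
		if tr.TLSClientConfig == nil {
			tr.TLSClientConfig = &tls.Config{}
		}
		tr.TLSClientConfig.RootCAs = certPool
		legoCfg.HTTPClient.Transport = tr
	}
```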