From b772e34abd739073711c6384e4573e328fbad79e Mon Sep 17 00:00:00 2001
From: Juan Mesaglio
Date: Sat, 14 Mar 2026 11:58:18 -0300
Subject: [PATCH] fix(server): use tlsConfig nil-check to decide between Serve and ServeTLS
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When LetsEncrypt was configured, autocert.Manager set tlsConfig.GetCertificate but left CertFile and KeyFile empty. The previous condition checked for empty cert/key strings, which caused the server to call hs.Serve() (plain HTTP) instead of hs.ServeTLS(), silently ignoring the TLS configuration entirely. Replacing the condition with a tlsConfig == nil check ensures that any configured TLS path — whether via explicit cert files or LetsEncrypt — always results in ServeTLS being called. ServeTLS with empty certFile/keyFile is valid in Go and delegates certificate provisioning to GetCertificate.
---
 auth_server/main.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/auth_server/main.go b/auth_server/main.go
index 9a229de0..3a833a36 100644
--- a/auth_server/main.go
+++ b/auth_server/main.go
@@ -158,7 +158,7 @@ func ServeOnce(c *server.Config, cf string) (*server.AuthServer, *http.Server) {
 }
 go func() {
- if c.Server.CertFile == "" && c.Server.KeyFile == "" {
+ if tlsConfig == nil {
 if err := hs.Serve(listener); err != nil {
 if err == http.ErrServerClosed {
 return
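Review bot: The new `if tlsConfig == nil` check makes the plain-HTTP fallback depend entirely on how `tlsConfig` is built earlier in ServeOnce, which is outside this hunk, so it cannot be confirmed from here that a config with CertFile or KeyFile set always yields a non-nil value. A silent fall-through to `hs.Serve` is the failure this commit fixes for LetsEncrypt, so the invariant should be stated at the branch, e.g. `// tlsConfig is nil only when neither cert files nor LetsEncrypt are configured; plain HTTP is intentional here.` It would also help to log which mode was chosen before serving, so that a misconfiguration is visible at startup rather than only on the wire. The goroutine body continues past the end of the hunk, so the ServeTLS branch itself is not visible here.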