1 files changed, 43 insertions, 1 deletions

diff --git a/service/http/service.go b/service/http/service.go
index 8ffc725a..b260008c 100644
--- a/service/http/service.go
+++ b/service/http/service.go
@@ -3,6 +3,8 @@ package http
 import (
 	"context"
 	"crypto/tls"
+	"crypto/x509"
+	"errors"
 	"fmt"
 	"github.com/sirupsen/logrus"
 	"github.com/spiral/roadrunner"
@@ -12,6 +14,7 @@ import (
 	"github.com/spiral/roadrunner/util"
 	"golang.org/x/net/http2"
 	"golang.org/x/net/http2/h2c"
+	"io/ioutil"
 	"net/http"
 	"net/http/fcgi"
 	"net/url"
@@ -27,6 +30,8 @@ const (
 	EventInitSSL = 750
 )
 
+var couldNotAppendPemError = errors.New("could not append Certs from PEM")
+
 // http middleware type.
 type middleware func(f http.HandlerFunc) http.HandlerFunc
 
@@ -124,6 +129,12 @@ func (s *Service) Serve() error {
 
 	if s.cfg.EnableTLS() {
 		s.https = s.initSSL()
+		if s.cfg.SSL.RootCA != "" {
+			err := s.appendRootCa()
+			if err != nil {
+				return err
+			}
+		}
 
 		if s.cfg.EnableHTTP2() {
 			if err := s.initHTTP2(); err != nil {
@@ -266,7 +277,38 @@ func (s *Service) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	f(w, r)
 }
 
-// Init https server.
+// append RootCA to the https server TLS config
+func (s *Service) appendRootCa() error {
+	rootCAs, err := x509.SystemCertPool()
+	if err != nil {
+		s.throw(EventInitSSL, nil)
+		return nil
+	}
+	if rootCAs == nil {
+		rootCAs = x509.NewCertPool()
+	}
+
+	CA, err := ioutil.ReadFile(s.cfg.SSL.RootCA)
+	if err != nil {
+		s.throw(EventInitSSL, nil)
+		return err
+	}
+
+	// should append our CA cert
+	ok := rootCAs.AppendCertsFromPEM(CA)
+	if !ok {
+		return couldNotAppendPemError
+	}
+	config := &tls.Config{
+		InsecureSkipVerify: false,
+		RootCAs:            rootCAs,
+	}
+	s.http.TLSConfig = config
+
+	return nil
+}
+
+// Init https server
 func (s *Service) initSSL() *http.Server {
 	server := &http.Server{
 		Addr:    s.tlsAddr(s.cfg.Address, true),