Load client certs early to detect misconfiguration

* Move loading of client certificate into the TLS handling code
   to an earlier position.

cmd/csaf_checker/main.go

@@ -10,6 +10,7 @@ package main
 
 import (
 	"bufio"
+	"crypto/tls"
 	_ "embed" // Used for embedding.
 	"encoding/json"
 	"fmt"
@@ -35,6 +36,8 @@ type options struct {
 	Verbose    bool     `long:"verbose" short:"v" description:"Verbose output"`
 	Rate       *float64 `long:"rate" short:"r" description:"The average upper limit of https operations per second"`
 	Years      *uint    `long:"years" short:"y" description:"Number of years to look back from now" value-name:"YEARS"`
+
+	clientCerts []tls.Certificate
 }
 
 func errCheck(err error) {
@@ -46,6 +49,18 @@ func errCheck(err error) {
 	}
 }
 
+func (o *options) prepare() error {
+	// Load client certs.
+	if o.ClientCert != nil && o.ClientKey != nil {
+		cert, err := tls.LoadX509KeyPair(*o.ClientCert, *o.ClientKey)
+		if err != nil {
+			return err
+		}
+		o.clientCerts = []tls.Certificate{cert}
+	}
+	return nil
+}
+
 // writeJSON writes the JSON encoding of the given report to the given stream.
 // It returns nil, otherwise an error.
 func writeJSON(report *Report, w io.WriteCloser) error {
@@ -143,6 +158,8 @@ func main() {
 		return
 	}
 
+	errCheck(opts.prepare())
+
 	if len(domains) == 0 {
 		log.Println("No domains given.")
 		return

cmd/csaf_checker/processor.go

@@ -359,12 +359,8 @@ func (p *processor) httpClient() util.Client {
 		tlsConfig.InsecureSkipVerify = true
 	}
 
-	if p.opts.ClientCert != nil && p.opts.ClientKey != nil {
+	if len(p.opts.clientCerts) != 0 {
-		cert, err := tls.LoadX509KeyPair(*p.opts.ClientCert, *p.opts.ClientKey)
+		tlsConfig.Certificates = p.opts.clientCerts
-		if err != nil {
-			log.Fatal(err)
-		}
-		tlsConfig.Certificates = []tls.Certificate{cert}
 	}
 
 	hClient.Transport = &http.Transport{