From 05d285c157e6605a65e01287f274e2de02fe0927 Mon Sep 17 00:00:00 2001
From: op-ct
Date: Fri, 11 Jan 2019 09:31:21 -0600
Subject: [PATCH 1/3] Unswap `:ssl_key` and `:ssl_cert` @config options

---
 lib/lookup_http.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/lookup_http.rb b/lib/lookup_http.rb
index 432aa8b..286c2ec 100644
--- a/lib/lookup_http.rb
+++ b/lib/lookup_http.rb
@@ -27,8 +27,8 @@ def initialize(opts={})
 store.add_cert(OpenSSL::X509::Certificate.new(File.read(@config[:ssl_ca_cert])))
 @http.cert_store = store
 
- @http.key = OpenSSL::PKey::RSA.new(File.read(@config[:ssl_cert]))
- @http.cert = OpenSSL::X509::Certificate.new(File.read(@config[:ssl_key]))
+ @http.key = OpenSSL::PKey::RSA.new(File.read(@config[:ssl_key]))
+ @http.cert = OpenSSL::X509::Certificate.new(File.read(@config[:ssl_cert]))
 end
 else
 @http.use_ssl = false

From 8495bc1c3434719576e3b5556715284b778a53a9 Mon Sep 17 00:00:00 2001
From: op-ct
Date: Fri, 11 Jan 2019 11:43:54 -0600
Subject: [PATCH 2/3] Set `@http.ca_file=`

`@http.ca_file=` must be set when `@http.verify_mode` is set to `OpenSSL::SSL::VERIFY_PEER`, otherwise the connection will fail with:

```
SSL_connect returned=1 errno=0 state=error: certificate verify failed
```
---
 lib/lookup_http.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/lookup_http.rb b/lib/lookup_http.rb
index 286c2ec..66f2e8d 100644
--- a/lib/lookup_http.rb
+++ b/lib/lookup_http.rb
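Review bot: Loading the key with `OpenSSL::PKey::RSA.new` on the new `@http.key` line restricts `:ssl_key` to RSA keys, so an EC key at that path still fails to parse even though the cert/key swap is now correct; `OpenSSL::PKey.read(File.read(@config[:ssl_key]))` accepts any key type OpenSSL supports. Nothing in the block confirms that the loaded key belongs to the loaded certificate, so a mismatched pair is only discovered at handshake time as a generic TLS failure rather than at construction. After the two assignments, `raise ArgumentError, ':ssl_key does not match :ssl_cert' unless @http.cert.check_private_key(@http.key)` reports the mismatch with the option names. The conditional that encloses these lines and the rest of `initialize` begin outside the hunk.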
@@ -26,9 +26,9 @@ def initialize(opts={})
 store = OpenSSL::X509::Store.new
 store.add_cert(OpenSSL::X509::Certificate.new(File.read(@config[:ssl_ca_cert])))
 @http.cert_store = store
-
- @http.key = OpenSSL::PKey::RSA.new(File.read(@config[:ssl_key]))
- @http.cert = OpenSSL::X509::Certificate.new(File.read(@config[:ssl_cert]))
+ @http.key = OpenSSL::PKey::RSA.new(File.read(@config[:ssl_key]))
+ @http.cert = OpenSSL::X509::Certificate.new(File.read(@config[:ssl_cert]))
+ @http.ca_file = @config[:ssl_ca_cert]
 end
 else
 @http.use_ssl = false

From 888e5b607af363ef62207d0a322a6ebee0522437 Mon Sep 17 00:00:00 2001
From: op-ct
Date: Fri, 11 Jan 2019 12:17:40 -0600
Subject: [PATCH 3/3] Separated :ssl_cert and :ssl_ca_cert conditionals

Now we can specify `:ssl_ca_cert` without needing a `:ssl_cert` and `:ssl_key`
---
 lib/lookup_http.rb | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/lib/lookup_http.rb b/lib/lookup_http.rb
index 66f2e8d..abf7cb8 100644
--- a/lib/lookup_http.rb
+++ b/lib/lookup_http.rb
@@ -21,15 +21,15 @@ def initialize(opts={})
 else
 @http.verify_mode = OpenSSL::SSL::VERIFY_PEER
 end
-
+
 if @config[:ssl_cert]
- store = OpenSSL::X509::Store.new
- store.add_cert(OpenSSL::X509::Certificate.new(File.read(@config[:ssl_ca_cert])))
- @http.cert_store = store
- @http.key = OpenSSL::PKey::RSA.new(File.read(@config[:ssl_key]))
- @http.cert = OpenSSL::X509::Certificate.new(File.read(@config[:ssl_cert]))
+ @http.cert = OpenSSL::X509::Certificate.new(File.read(@config[:ssl_cert]))
+ @http.key = OpenSSL::PKey::RSA.new(File.read(@config[:ssl_key]))
+ end
+
+ if @config[:ssl_ca_cert]
 @http.ca_file = @config[:ssl_ca_cert]
- end
+ end
 else
 @http.use_ssl = false
 end
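Review bot: The new `if @config[:ssl_cert]` block in the third patch reads `@config[:ssl_key]` unconditionally, so a configuration that sets `:ssl_cert` but omits `:ssl_key` now dies inside `File.read(nil)` with a `TypeError` that names neither option. A guard at the top of that block, `raise ArgumentError, ':ssl_key is required when :ssl_cert is set' unless @config[:ssl_key]`, turns it into an actionable configuration error. Separating the CA handling also means that with `VERIFY_PEER` and no `:ssl_ca_cert` the client (presumably Net::HTTP, judging by the accessors used) verifies against whatever default trust store it configures; that looks intended, but a comment on the `if @config[:ssl_ca_cert]` line such as `# without an explicit CA file, VERIFY_PEER falls back to the client's default trust store` would record it. The `if`/`else` that selects `verify_mode`, and `initialize` itself, begin outside the hunk.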