transport: catch new cert error

in pkg/transport, we should catch NewCert error.

pkg/transport/listener.go

@@ -438,7 +438,7 @@ func (info TLSInfo) ClientConfig() (*tls.Config, error) {
 	if info.EmptyCN {
 		hasNonEmptyCN := false
 		cn := ""
-		tlsutil.NewCert(info.CertFile, info.KeyFile, func(certPEMBlock []byte, keyPEMBlock []byte) (tls.Certificate, error) {
+		_, err := tlsutil.NewCert(info.CertFile, info.KeyFile, func(certPEMBlock []byte, keyPEMBlock []byte) (tls.Certificate, error) {
 			var block *pem.Block
 			block, _ = pem.Decode(certPEMBlock)
 			cert, err := x509.ParseCertificate(block.Bytes)
@@ -451,6 +451,9 @@ func (info TLSInfo) ClientConfig() (*tls.Config, error) {
 			}
 			return tls.X509KeyPair(certPEMBlock, keyPEMBlock)
 		})
+		if err != nil {
+			return nil, err
+		}
 		if hasNonEmptyCN {
 			return nil, fmt.Errorf("cert has non empty Common Name (%s): %s", cn, info.CertFile)
 		}

pkg/transport/listener_test.go

@@ -292,14 +292,28 @@ func TestTLSInfoParseFuncError(t *testing.T) {
 	}
 	defer del()
 
-	tlsinfo.parseFunc = fakeCertificateParserFunc(tls.Certificate{}, errors.New("fake"))
+	tests := []struct {
+		info TLSInfo
+	}{
+		{
+			info: *tlsinfo,
+		},
 
-	if _, err = tlsinfo.ServerConfig(); err == nil {
-		t.Errorf("expected non-nil error from ServerConfig()")
+		{
+			info: TLSInfo{CertFile: "", KeyFile: "", TrustedCAFile: tlsinfo.CertFile, EmptyCN: true},
+		},
 	}
 
-	if _, err = tlsinfo.ClientConfig(); err == nil {
-		t.Errorf("expected non-nil error from ClientConfig()")
+	for i, tt := range tests {
+		tt.info.parseFunc = fakeCertificateParserFunc(tls.Certificate{}, errors.New("fake"))
+
+		if _, err = tt.info.ServerConfig(); err == nil {
+			t.Errorf("#%d: expected non-nil error from ServerConfig()", i)
+		}
+
+		if _, err = tt.info.ClientConfig(); err == nil {
+			t.Errorf("#%d: expected non-nil error from ClientConfig()", i)
+		}
 	}
 }