From 71a83ac39c887a4b5be9c56d5cf8ea63152bbaf0 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Fri, 20 Sep 2024 18:34:02 -0400
Subject: [PATCH] Try for more DNS lookups

Try to hit likely DNS names, or at least provide a means of manipulating /etc/hosts to induce a good domain for the default certificate SAN fields.

Note putting the FQDN first in /etc/hosts will get the FQDN in the certificate.
---
 confluent_server/confluent/certutil.py | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/confluent_server/confluent/certutil.py b/confluent_server/confluent/certutil.py
index 4ac67165..3b8e5ef5 100644
--- a/confluent_server/confluent/certutil.py
+++ b/confluent_server/confluent/certutil.py
@@ -218,11 +218,17 @@ def create_certificate(keyout=None, certout=None, csrout=None):
     subprocess.check_call(
         ['openssl', 'ecparam', '-name', 'secp384r1', '-genkey', '-out',
          keyout])
-    san = ['IP:{0}'.format(x) for x in get_ip_addresses()]
+    ipaddrs = list(get_ip_addresses())
+    san = ['IP:{0}'.format(x) for x in ipaddrs]
     # It is incorrect to put IP addresses as DNS type. However
     # there exists non-compliant clients that fail with them as IP
-    san.extend(['DNS:{0}'.format(x) for x in get_ip_addresses()])
-    san.append('DNS:{0}'.format(shortname))
+    # san.extend(['DNS:{0}'.format(x) for x in ipaddrs])
+    dnsnames = set(ipaddrs)
+    dnsnames.add(shortname)
+    for currip in ipaddrs:
+        dnsnames.add(socket.getnameinfo((currip, 0), 0)[0])
+    for currname in dnsnames:
+        san.append('DNS:{0}'.format(currname))
     #san.append('DNS:{0}'.format(longname))
     san = ','.join(san)
     sslcfg = get_openssl_conf_location()
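Review bot: The new reverse lookup `dnsnames.add(socket.getnameinfo((currip, 0), 0)[0])` has no error handling, so a `socket.gaierror` for any single address (an address the resolver rejects, or a resolver that is unreachable) aborts certificate creation, and each call is a blocking DNS query with no timeout during key/cert generation. Because the flags argument is 0 rather than `socket.NI_NAMEREQD`, a missing PTR record silently returns the numeric address, which `dnsnames = set(ipaddrs)` already holds, so the only thing a try/except changes is that hard resolver failures fall back to the IP-only names instead of raising. Two further points worth a comment on the loop: the added DNS SANs now come from PTR records, i.e. from whoever controls the reverse zone rather than only from `/etc/hosts` as the commit message suggests, so a stale or untrusted PTR ends up in the default certificate; and iterating a `set` makes the SAN order differ between runs, which `sorted(dnsnames)` would fix cheaply. The commented-out `# san.extend(...)` line is dead code and can be dropped. create_certificate continues outside the hunk.

```python
    for currip in ipaddrs:
        try:
            # flags=0: a missing PTR just yields the numeric address, which
            # is already in dnsnames; only hard resolver failures raise here.
            # NOTE: names come from reverse DNS, not only /etc/hosts.
            dnsnames.add(socket.getnameinfo((currip, 0), 0)[0])
        except socket.gaierror:
            continue
    # sorted() keeps the SAN list order stable across runs
    for currname in sorted(dnsnames):
        san.append('DNS:{0}'.format(currname))
```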