Try for more DNS lookups

Try to hit likely DNS names, or at least provide a means of manipulating /etc/hosts to induce a good domain for the default certificate SAN fields. Note putting the FQDN first in /etc/hosts will get the FQDN in the certificate.
2024-11-22 01:22:00 +00:00 · 2024-09-20 18:34:02 -04:00 · 2024-09-20 18:34:02 -04:00 · 71a83ac39c
commit 71a83ac39c
parent a8df3692b6
1 changed files with 9 additions and 3 deletions
--- a/confluent_server/confluent/certutil.py
+++ b/confluent_server/confluent/certutil.py
@ -218,11 +218,17 @@ def create_certificate(keyout=None, certout=None, csrout=None):
        subprocess.check_call(
            ['openssl', 'ecparam', '-name', 'secp384r1', '-genkey', '-out',
             keyout])
-    san = ['IP:{0}'.format(x) for x in get_ip_addresses()]
+    ipaddrs = list(get_ip_addresses())
+    san = ['IP:{0}'.format(x) for x in ipaddrs]
    # It is incorrect to put IP addresses as DNS type.  However
    # there exists non-compliant clients that fail with them as IP
-    san.extend(['DNS:{0}'.format(x) for x in get_ip_addresses()])
-    san.append('DNS:{0}'.format(shortname))
+    # san.extend(['DNS:{0}'.format(x) for x in ipaddrs])
+    dnsnames = set(ipaddrs)
+    dnsnames.add(shortname)
+    for currip in ipaddrs:
+        dnsnames.add(socket.getnameinfo((currip, 0), 0)[0])
+    for currname in dnsnames:
+        san.append('DNS:{0}'.format(currname))
    #san.append('DNS:{0}'.format(longname))
    san = ','.join(san)
    sslcfg = get_openssl_conf_location()