Skip fqdn in cert generation

There are scenarios where getqfdn can induce a hang. The certificate having FQDN isn't that useful anyway, since confluent never uses it and external use of it may need more carefully crafted certificate to have a good chance of matching it anyway. Also, the chances a user would import our cert as a CA to something like a browser are low.
2024-11-22 09:32:21 +00:00 · 2021-03-29 14:29:42 -04:00 · 2021-03-29 14:29:42 -04:00 · 85c4ec5654
commit 85c4ec5654
parent 7957a6abd4
1 changed files with 2 additions and 2 deletions
--- a/confluent_server/confluent/certutil.py
+++ b/confluent_server/confluent/certutil.py
@ -72,7 +72,7 @@ def create_certificate(keyout=None, certout=None):
    if not keyout:
        raise Exception('Unable to locate TLS certificate path automatically')
    shortname = socket.gethostname().split('.')[0]
-    longname = socket.getfqdn()
+    longname = shortname # socket.getfqdn()
    subprocess.check_call(
        ['openssl', 'ecparam', '-name', 'secp384r1', '-genkey', '-out',
         keyout])
@ -81,7 +81,7 @@ def create_certificate(keyout=None, certout=None):
    # there exists non-compliant clients that fail with them as IP
    san.extend(['DNS:{0}'.format(x) for x in get_ip_addresses()])
    san.append('DNS:{0}'.format(shortname))
-    san.append('DNS:{0}'.format(longname))
+    #san.append('DNS:{0}'.format(longname))
    san = ','.join(san)
    sslcfg = get_openssl_conf_location()
    tmpconfig = tempfile.mktemp()