From b07da455c2635a464ce8f33c19cef0bef035ee25 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Fri, 7 Nov 2025 11:22:12 -0500
Subject: [PATCH] Fix SAN generation

The nameconstraint support missed a branch, fix this.
---
 confluent_server/confluent/certutil.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/confluent_server/confluent/certutil.py b/confluent_server/confluent/certutil.py
index d7c6ba16..b87a3818 100644
--- confluent_server/confluent/certutil.py
+++ confluent_server/confluent/certutil.py
@@ -334,6 +334,7 @@ def create_certificate(keyout=None, certout=None, csrfile=None, subj=None, san=N
 dnsnames = set(ipaddrs)
 dnsnames.add(shortname)
 dnsnames.add(longname)
+ else:
 # nameconstraints preclude IP and shortname
 san = []
 dnsnames = set()
@@ -341,7 +342,6 @@ def create_certificate(keyout=None, certout=None, csrfile=None, subj=None, san=N
 if longname.endswith(suffix):
 dnsnames.add(longname)
 break
- break
 for currip in ipaddrs:
 currname = socket.getnameinfo((currip, 0), 0)[0]
 for suffix in permitdomains:
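Review bot: The constrained branch opened by the new `else:` starts from `san = []` and `dnsnames = set()`, and nothing visible in this hunk guarantees that either is populated afterwards. If the long hostname and every reverse-resolved name fall outside `permitdomains`, the certificate would apparently be requested with no subjectAltName entries. The code that consumes `dnsnames` is outside the hunk, so this may already be handled. If it is not, a guard after the loops such as `if not dnsnames: raise ValueError('no hostname matches the permitted name constraints')` (exception type to match the module's convention) would surface the misconfiguration at issuance time. Indentation is not preserved on this page, so the nesting is inferred from the commit message, and the enclosing `if` lies outside the hunk.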
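Review bot: `longname.endswith(suffix)` is a plain string suffix test, so it ignores DNS label boundaries and case. With a permitted domain written as `example.com`, a host named `notexample.com` passes and `Host.Example.COM` fails, neither of which matches how a dNSName name constraint is evaluated. Whether entries in `permitdomains` carry a leading dot is not visible here, so this may be masked in practice. The `currip` loop, which continues past the end of the hunk, presumably applies the same test to names returned by reverse DNS, which come from the resolver rather than local configuration. Normalising with `name = longname.lower().rstrip('.')` and `dom = suffix.lower().lstrip('.')` and then testing `name == dom or name.endswith('.' + dom)` would keep the SAN list within what the CA's constraints accept.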