author | elijah <elijah@riseup.net> | 2012-11-15 00:19:57 -0800 |
---|---|---|
committer | elijah <elijah@riseup.net> | 2012-11-15 00:19:57 -0800 |
commit | c7f46ce58bbeda414b9063591eba3369176a7048 (patch) | |
tree | 1133eb7b3c555d61b689a7decd75fd19055726d7 | |
parent | 852d05a9e7453968f1f4cf8feaec8b2da0506861 (diff) |
ensure certificates are generated with subjectAltName that includes all domain aliases
-rw-r--r-- | lib/leap_cli/commands/ca.rb | 31 |
1 files changed, 22 insertions, 9 deletions
diff --git a/lib/leap_cli/commands/ca.rb b/lib/leap_cli/commands/ca.rb
index 830b468..5b556a3 100644
--- a/lib/leap_cli/commands/ca.rb
+++ b/lib/leap_cli/commands/ca.rb
@@ -102,15 +102,18 @@ module LeapCli; module Commands
 # TODO: currently this only works with a single IP or DNS.
 #
 if ext.oid == "subjectAltName"
- ext.value.match /IP Address:(.*?)(,|$)/
- ip = $1
- ext.value.match /DNS:(.*?)(,|$)/
- dns = $1
- if ip != node.ip_address
- log :updating, "cert for node '#{node.name}' because ip_address has changed"
+ ips = []
+ dns_names = []
+ ext.value.split(",").each do |value|
+ value.strip!
+ ips << $1 if value =~ /^IP Address:(.*)$/
+ dns_names << $1 if value =~ /^DNS:(.*)$/
+ end
+ if ips.first != node.ip_address
+ log :updating, "cert for node '#{node.name}' because ip_address has changed (from #{ips} to #{node.ip_address})"
 return true
- elsif dns != node.domain.internal
- log :updating, "cert for node '#{node.name}' because domain.internal has changed"
+ elsif dns_names != dns_names_for_node(node)
+ log :updating, "cert for node '#{node.name}' because domain name aliases have changed (from #{dns_names.inspect} to #{dns_names_for_node(node).inspect})"
 return true
 end
 end
@@ -193,12 +196,22 @@ module LeapCli; module Commands
 },
 "subjectAltName" => {
 "ips" => [node.ip_address],
- "dns_names" => [node.domain.internal]
+ "dns_names" => dns_names_for_node(node)
 }
 }
 }
 end

+ def dns_names_for_node(node)
+ names = [node.domain.internal]
+ if node['dns'] && node.dns['aliases'] && node.dns.aliases.any?
+ names += node.dns.aliases
+ names.compact!
+ end
+ names.delete(node.domain.full) # already set to common name
+ return names
+ end
+
 #
 # For cert serial numbers, we need a non-colliding number less than 160 bits.
 # md5 will do nicely, since there is no need for a secure hash, just a short one. |
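Review bot: The new `if ips.first != node.ip_address` line only inspects the first SAN IP, while the generation side in the second hunk always writes exactly `[node.ip_address]`, so a certificate carrying an extra or stale IP entry after the first one would never be flagged for reissue; comparing the whole list, `if ips != [node.ip_address]`, keeps the check in step with what is generated. The DNS comparison on the `elsif dns_names != dns_names_for_node(node)` line is order-sensitive and `dns_names_for_node` never deduplicates, so an alias equal to `domain.internal` produces a duplicate SAN entry and a differently ordered list forces a needless regeneration; adding `names.uniq!` next to `names.compact!` and comparing `dns_names.sort != dns_names_for_node(node).sort` would make the check stable. The `# TODO: currently this only works with a single IP or DNS.` comment at the top of the first hunk is now stale for the DNS case and should be reworded to say that only a single IP is still assumed. The method enclosing the first hunk starts and ends outside it.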