authorelijah <elijah@riseup.net>2012-11-15 00:19:57 -0800
committerelijah <elijah@riseup.net>2012-11-15 00:19:57 -0800
commitc7f46ce58bbeda414b9063591eba3369176a7048 (patch)
tree1133eb7b3c555d61b689a7decd75fd19055726d7
parent852d05a9e7453968f1f4cf8feaec8b2da0506861 (diff)
ensure certificates are generated with subjectAltName that includes all domain aliases
-rw-r--r--lib/leap_cli/commands/ca.rb31
1 files changed, 22 insertions, 9 deletions
diff --git a/lib/leap_cli/commands/ca.rb b/lib/leap_cli/commands/ca.rb
index 830b468..5b556a3 100644
--- a/lib/leap_cli/commands/ca.rb
+++ b/lib/leap_cli/commands/ca.rb
@@ -102,15 +102,18 @@ module LeapCli; module Commands
# TODO: currently this only works with a single IP or DNS.
#
if ext.oid == "subjectAltName"
- ext.value.match /IP Address:(.*?)(,|$)/
- ip = $1
- ext.value.match /DNS:(.*?)(,|$)/
- dns = $1
- if ip != node.ip_address
- log :updating, "cert for node '#{node.name}' because ip_address has changed"
+ ips = []
+ dns_names = []
+ ext.value.split(",").each do |value|
+ value.strip!
+ ips << $1 if value =~ /^IP Address:(.*)$/
+ dns_names << $1 if value =~ /^DNS:(.*)$/
+ end
+ if ips.first != node.ip_address
+ log :updating, "cert for node '#{node.name}' because ip_address has changed (from #{ips} to #{node.ip_address})"
return true
- elsif dns != node.domain.internal
- log :updating, "cert for node '#{node.name}' because domain.internal has changed"
+ elsif dns_names != dns_names_for_node(node)
+ log :updating, "cert for node '#{node.name}' because domain name aliases have changed (from #{dns_names.inspect} to #{dns_names_for_node(node).inspect})"
return true
end
end
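Review bot: The alias comparison `dns_names != dns_names_for_node(node)` is order-sensitive, so merely reordering `dns.aliases` in the node config reports "domain name aliases have changed" and forces a new certificate even though the set of names is unchanged; comparing `dns_names.sort != dns_names_for_node(node).sort` would regenerate only when a name is actually added or removed. The IP side still only looks at `ips.first`, so the `# TODO: currently this only works with a single IP or DNS.` comment at the top of the hunk is now half stale and should read `# TODO: only the first IP Address entry is compared against node.ip_address; all DNS entries are compared.` The interpolation `#{ips}` in the ip_address log line differs from the `.inspect` used for the DNS names and, depending on the Ruby version in use, may print the joined elements rather than the array; use `#{ips.inspect}` for consistency. The method enclosing this `if` starts before the hunk.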
@@ -193,12 +196,22 @@ module LeapCli; module Commands
},
"subjectAltName" => {
"ips" => [node.ip_address],
- "dns_names" => [node.domain.internal]
+ "dns_names" => dns_names_for_node(node)
}
}
}
end
+ def dns_names_for_node(node)
+ names = [node.domain.internal]
+ if node['dns'] && node.dns['aliases'] && node.dns.aliases.any?
+ names += node.dns.aliases
+ names.compact!
+ end
+ names.delete(node.domain.full) # already set to common name
+ return names
+ end
+
#
# For cert serial numbers, we need a non-colliding number less than 160 bits.
# md5 will do nicely, since there is no need for a secure hash, just a short one.