authorSimon Rettberg2020-12-11 10:51:33 +0100
committerSimon Rettberg2020-12-11 10:51:33 +0100
commitb70de7897809b1d880ce57f9a24d642e43952b92 (patch)
tree0ec1630ca7399a2153d61dad50cf7e77fd5dc49a
parent[SSPS] slx-cert: Also restart if running via terminal (diff)
[SSPS] slx-cert: Put hostname in SAN too, chromium requires this
-rwxr-xr-xsatellit_installer/static_files/slx-cert17
1 files changed, 15 insertions, 2 deletions
diff --git a/satellit_installer/static_files/slx-cert b/satellit_installer/static_files/slx-cert
index fac8d26..3f5cc3e 100755
--- a/satellit_installer/static_files/slx-cert
+++ b/satellit_installer/static_files/slx-cert
@@ -189,11 +189,24 @@ if [ -n "$mknew" ] || [ "${#srv_list[@]}" = 0 ] \
done
echo "Signing with $in_cert"
create_conf
+ # Need extfile for SAN, chromium doesn't honor CN anymore
+ cat > "${csr}.cnf" <<-END
+ basicConstraints = CA:FALSE
+ nsCertType = server
+ nsComment = "OpenSSL Generated Server Certificate"
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid,issuer:always
+ keyUsage = critical, digitalSignature, keyEncipherment
+ extendedKeyUsage = serverAuth
+ subjectAltName = @alt_names
+ [alt_names]
+ DNS.1 = satellite.bwlehrpool
+ END
openssl ca -config "$ca_config" -create_serial -policy policy_anything -days "$srv_days" \
- -cert "$in_cert" -keyfile "${PRIV}/intermediate.key" \
+ -cert "$in_cert" -keyfile "${PRIV}/intermediate.key" -extfile "${csr}.cnf" \
-notext -name CA_openslx -batch -out "${CERT}/srv-${srv_new_ts}.crt" -in "$csr" || exit 4
rm -rf -- "$ca_dir"
- rm -f -- "$csr"
+ rm -f -- "$csr" "${csr}.cnf"
mv "${PRIV}/srv.key.tmp" "${PRIV}/srv-${srv_new_ts}.key" || exit 5
srv_list+=( "$srv_new_ts" )
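Review bot: The `[alt_names]` section written to `${csr}.cnf` holds only the fixed literal `DNS.1 = satellite.bwlehrpool`, so clients that match on SAN alone will accept the certificate under that one name and no other. If create_conf (not visible in this hunk) puts a configurable hostname or an IP address into the CN, clients connecting by that value will fail verification in Chromium, which ignores the CN. The here-document delimiter is unquoted, so the entry can be filled from the value that feeds the CN, e.g. `DNS.2 = <variable holding the CN hostname>` (placeholder name), plus an `IP.1 = …` entry if the server is also addressed by IP. Separately, the `|| exit 4` path leaves `${csr}.cnf` and the CSR behind, so the cleanup should also run on failure. The enclosing `if` block starts and ends outside the hunk.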