From 7eb530d63f6264216ba326408bba4bcf84f8dcbf Mon Sep 17 00:00:00 2001 From: Lucas Di Pentima Date: Fri, 17 Apr 2020 11:52:59 -0300 Subject: [PATCH] 16029: Creates SSL certificate with -listen-host as alternate name. This allows to run arvados boot on a docker container and access it from the outside without the browser complaining about invalid certs. Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima --- lib/boot/cert.go | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/lib/boot/cert.go b/lib/boot/cert.go index 4b12c72edd..f0797c2ac5 100644 --- a/lib/boot/cert.go +++ b/lib/boot/cert.go @@ -6,7 +6,9 @@ package boot import ( "context" + "fmt" "io/ioutil" + "net" "path/filepath" ) @@ -23,6 +25,13 @@ func (createCertificates) String() string { } func (createCertificates) Run(ctx context.Context, fail func(error), super *Supervisor) error { + var san string + if net.ParseIP(super.ListenHost) != nil { + san = fmt.Sprintf("IP:%s", super.ListenHost) + } else { + san = fmt.Sprintf("DNS:%s", super.ListenHost) + } + // Generate root key err := super.RunProgram(ctx, super.tempdir, nil, nil, "openssl", "genrsa", "-out", "rootCA.key", "4096") if err != nil { @@ -43,10 +52,7 @@ func (createCertificates) Run(ctx context.Context, fail func(error), super *Supe if err != nil { return err } - err = ioutil.WriteFile(filepath.Join(super.tempdir, "server.cfg"), append(defaultconf, []byte(` -[SAN] -subjectAltName=DNS:localhost,DNS:localhost.localdomain -`)...), 0644) + err = ioutil.WriteFile(filepath.Join(super.tempdir, "server.cfg"), append(defaultconf, []byte(fmt.Sprintf("\n[SAN]\nsubjectAltName=DNS:localhost,DNS:localhost.localdomain,%s\n", san))...), 0644) if err != nil { return err } @@ -56,7 +62,7 @@ subjectAltName=DNS:localhost,DNS:localhost.localdomain return err } // Sign certificate - err = super.RunProgram(ctx, super.tempdir, nil, nil, "openssl", "x509", "-req", "-in", "server.csr", "-CA", "rootCA.crt", "-CAkey", "rootCA.key", "-CAcreateserial", "-out", "server.crt", "-days", "3650", "-sha256") + err = super.RunProgram(ctx, super.tempdir, nil, nil, "openssl", "x509", "-req", "-in", "server.csr", "-CA", "rootCA.crt", "-CAkey", "rootCA.key", "-CAcreateserial", "-out", "server.crt", "-extfile", "server.cfg", "-extensions", "SAN", "-days", "3650", "-sha256") if err != nil { return err } -- 2.30.2