let a user specify his own DNS IP records

This commit is contained in:
Andy 2018-12-27 13:40:40 +01:00
parent 5fb4785429
commit 03517d8fbb
Signed by: arno
GPG Key ID: 9076D5E6B31AE99C
2 changed files with 29 additions and 10 deletions

View File

@ -29,6 +29,8 @@ used by the client in order to validate the server's certificate.
- generate CA certificate if does not find any
- always generate server certificate on startup to ensure all IP addresses
are in x509 SAN
- optionally, a user can specify his own IP or DNS SAN records
(i.e. ``--san-dns localhost,minio.site.com``)
- write CN to x509 SAN which is a must
- warn if the CA certificate is about to expire (<30 days till expiration)
- regenerate the CA certificate if it finds it has expired

View File

@ -2,7 +2,7 @@
# Filename: gencert.sh
# Description: This script generates x509 server certificate (with all IPs in
# SAN) signed by a self-signed CA.
# Version: 1.5 - 2018 October 12
# Version: 1.6 - 2018 December 27
# Author: Andrey Arapov <andrey.arapov@nixaid.com>
# License: GPLv3
@ -18,8 +18,9 @@ print_help() {
--cakey - CA key name\t\t\t(default: ca.key)
--ca - CA cert name\t\t\t(default: ca.crt)
--cadays - CA cert expiration in days\t(default: 3650)\n
--nosan - do not write SAN records\n
--san-ip - specify custom SAN IP records manually. Implies --nosan\n
--noautosan - do not automatically discover IPs for SAN records\n
--san-ip - specify custom SAN IP records manually. Implies --noautosan\n
--san-dns - specify custom SAN DNS records manually.\n
--debug - show extra information\n
--rsa - generate RSA keys instead of ECDSA\n
--rsa-size - set RSA key size\n"
@ -34,7 +35,7 @@ parse_arguments() {
# read arguments
opts=$(getopt \
--longoptions "help,cn:,key:,cert:,days:,cakey:,ca:,cadays:,nosan,san-ip:,debug,rsa,rsa-size:" \
--longoptions "help,cn:,key:,cert:,days:,cakey:,ca:,cadays:,noautosan,san-ip:,san-dns:,debug,rsa,rsa-size:" \
--name "$(basename "$0")" \
--options "" \
-- "$@"
@ -84,16 +85,22 @@ parse_arguments() {
shift 2
;;
--nosan)
ARG_NOSAN=1
--noautosan)
ARG_NOAUTOSAN=1
shift 1
;;
--san-ip)
ARG_NOAUTOSAN=1
ARG_SAN_IP=$2
shift 2
;;
--san-dns)
ARG_SAN_DNS=$2
shift 2
;;
--debug)
ARG_DEBUG=1
shift 1
@ -126,8 +133,9 @@ parse_arguments() {
SERVER_KEY="${ARG_KEY:-private.key}"
SERVER_CERT="${ARG_CERT:-public.crt}"
DAYS="${ARG_DAYS:-365}"
NOSAN="${ARG_NOSAN}"
NOAUTOSAN="${ARG_NOAUTOSAN}"
SAN_IP="${ARG_SAN_IP}"
SAN_DNS="${ARG_SAN_DNS}"
DEBUG="${ARG_DEBUG}"
RSA="${ARG_RSA}"
RSA_SIZE="${ARG_RSA_SIZE:-2048}"
@ -147,8 +155,9 @@ parse_arguments() {
echo CAKEY=$CAKEY
echo CA=$CA
echo CADAYS=$CADAYS
echo NOSAN=$NOSAN
echo NOAUTOSAN=$NOAUTOSAN
echo SAN_IP=$SAN_IP
echo SAN_DNS=$SAN_DNS
echo DEBUG=$DEBUG
echo RSA=$RSA
echo RSA_SIZE=$RSA_SIZE
@ -250,14 +259,22 @@ DNS.1=${CN}"
IFS=,
PAYLOAD="$(for IP in $SAN_IP; do echo "IP.${i} = ${IP}" ; i=$((i + 1)); done)"
unset IFS
elif [ -z "$NOSAN" ]; then
fi
if [ ! -z "$SAN_DNS" ]; then
echo "[${ME}] Using user-provided SAN records: " ${SAN_DNS}
i=1
IFS=,
PAYLOAD="${PAYLOAD}\n$(for DNS in $SAN_DNS; do echo "DNS.${i} = ${DNS}" ; i=$((i + 1)); done)"
unset IFS
fi
if [ -z "$NOAUTOSAN" ]; then
# Gather IPs for SAN
i=1
IPS="$( (getent ahostsv4 $(hostname) 2>/dev/null || getent hosts $(hostname) 2>/dev/null) | awk '{print $1}' |sort | uniq)"
echo "[${ME}] Found these IPs: " ${IPS}
PAYLOAD="$(for IP in $IPS; do echo "IP.${i} = ${IP}" ; i=$((i + 1)); done)"
PAYLOAD="${PAYLOAD}\n$(for IP in $IPS; do echo "IP.${i} = ${IP}" ; i=$((i + 1)); done)"
fi
printf "${OPENSSL_CONFIG_CONTENT}\n${PAYLOAD}\n" > "${OPENSSL_CONFIG}"