diff --git a/README.md b/README.md
index f14663f..cfd8c3f 100644
--- a/README.md
+++ b/README.md
@@ -29,6 +29,8 @@ used by the client in order to validate the server's certificate.
 - generate CA certificate if does not find any
 - always generate server certificate on startup to ensure all IP addresses are in x509 SAN
+- optionally, a user can specify his own IP or DNS SAN records
+ (i.e. ``--san-dns localhost,minio.site.com``)
 - write CN to x509 SAN which is a must
 - warn if the CA certificate is about to expire (<30 days till expiration)
 - regenerate the CA certificate if it finds it has expired
diff --git a/gencert.sh b/gencert.sh
index 6d6c953..651b5d8 100755
--- a/gencert.sh
+++ b/gencert.sh
@@ -2,7 +2,7 @@
 # Filename: gencert.sh
 # Description: This script generates x509 server certificate (with all IPs in
 # SAN) signed by a self-signed CA.
-# Version: 1.5 - 2018 October 12
+# Version: 1.6 - 2018 December 27
 # Author: Andrey Arapov
 # License: GPLv3
@@ -18,8 +18,9 @@ print_help() {
 --cakey - CA key name\t\t\t(default: ca.key)
 --ca - CA cert name\t\t\t(default: ca.crt)
 --cadays - CA cert expiration in days\t(default: 3650)\n
- --nosan - do not write SAN records\n
- --san-ip - specify custom SAN IP records manually. Implies --nosan\n
+ --noautosan - do not automatically discover IPs for SAN records\n
+ --san-ip - specify custom SAN IP records manually. Implies --noautosan\n
+ --san-dns - specify custom SAN DNS records manually.\n
 --debug - show extra information\n
 --rsa - generate RSA keys instead of ECDSA\n
 --rsa-size - set RSA key size\n"
@@ -34,7 +35,7 @@ parse_arguments() {
 # read arguments
 opts=$(getopt \
- --longoptions "help,cn:,key:,cert:,days:,cakey:,ca:,cadays:,nosan,san-ip:,debug,rsa,rsa-size:" \
+ --longoptions "help,cn:,key:,cert:,days:,cakey:,ca:,cadays:,noautosan,san-ip:,san-dns:,debug,rsa,rsa-size:" \
 --name "$(basename "$0")" \
 --options "" \
 -- "$@"
@@ -84,16 +85,22 @@ parse_arguments() {
 shift 2
 ;;
- --nosan)
- ARG_NOSAN=1
+ --noautosan)
+ ARG_NOAUTOSAN=1
 shift 1
 ;;
 --san-ip)
+ ARG_NOAUTOSAN=1
 ARG_SAN_IP=$2
 shift 2
 ;;
+ --san-dns)
+ ARG_SAN_DNS=$2
+ shift 2
+ ;;
+
 --debug)
 ARG_DEBUG=1
 shift 1
@@ -126,8 +133,9 @@ parse_arguments() {
 SERVER_KEY="${ARG_KEY:-private.key}"
 SERVER_CERT="${ARG_CERT:-public.crt}"
 DAYS="${ARG_DAYS:-365}"
- NOSAN="${ARG_NOSAN}"
+ NOAUTOSAN="${ARG_NOAUTOSAN}"
 SAN_IP="${ARG_SAN_IP}"
+ SAN_DNS="${ARG_SAN_DNS}"
 DEBUG="${ARG_DEBUG}"
 RSA="${ARG_RSA}"
 RSA_SIZE="${ARG_RSA_SIZE:-2048}"
@@ -147,8 +155,9 @@ parse_arguments() {
 echo CAKEY=$CAKEY
 echo CA=$CA
 echo CADAYS=$CADAYS
- echo NOSAN=$NOSAN
+ echo NOAUTOSAN=$NOAUTOSAN
 echo SAN_IP=$SAN_IP
+ echo SAN_DNS=$SAN_DNS
 echo DEBUG=$DEBUG
 echo RSA=$RSA
 echo RSA_SIZE=$RSA_SIZE
@@ -250,14 +259,22 @@ DNS.1=${CN}"
 IFS=,
 PAYLOAD="$(for IP in $SAN_IP; do echo "IP.${i} = ${IP}" ; i=$((i + 1)); done)"
 unset IFS
- elif [ -z "$NOSAN" ]; then
+ fi
+ if [ ! -z "$SAN_DNS" ]; then
+ echo "[${ME}] Using user-provided SAN records: " ${SAN_DNS}
+ i=1
+ IFS=,
+ PAYLOAD="${PAYLOAD}\n$(for DNS in $SAN_DNS; do echo "DNS.${i} = ${DNS}" ; i=$((i + 1)); done)"
+ unset IFS
+ fi
+ if [ -z "$NOAUTOSAN" ]; then
 # Gather IPs for SAN
 i=1
 IPS="$( (getent ahostsv4 $(hostname) 2>/dev/null || getent hosts $(hostname) 2>/dev/null) | awk '{print $1}' |sort | uniq)"
 echo "[${ME}] Found these IPs: " ${IPS}
- PAYLOAD="$(for IP in $IPS; do echo "IP.${i} = ${IP}" ; i=$((i + 1)); done)"
+ PAYLOAD="${PAYLOAD}\n$(for IP in $IPS; do echo "IP.${i} = ${IP}" ; i=$((i + 1)); done)"
 fi
 printf "${OPENSSL_CONFIG_CONTENT}\n${PAYLOAD}\n" > "${OPENSSL_CONFIG}"
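Review bot: The added debug line `echo SAN_DNS=$SAN_DNS` expands the user-supplied value unquoted, so a wildcard record such as `*.example.com` passed via `--san-dns` is subject to pathname expansion here and may print matching file names from the current directory instead of the value; quote it as `echo "SAN_DNS=$SAN_DNS"`. This only affects the debug output, but it is the same kind of mistake that matters where the value is later turned into SAN entries. parse_arguments() begins and ends outside this hunk.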
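Review bot: The new user-provided DNS loop starts at `i=1`, so its first entry is written as `DNS.1`, which collides with the `DNS.1=${CN}` line visible in the hunk header (it appears to close the OPENSSL_CONFIG_CONTENT string); starting the loop at `i=2` keeps the CN entry intact and avoids a duplicate key in the alt_names section, whose handling by OpenSSL should not be relied on. In the same block `${SAN_DNS}` is expanded unquoted in the `echo` and in `for DNS in $SAN_DNS`, so a wildcard record such as `*.example.com` undergoes pathname expansion against the current directory and may be replaced by matching file names; wrapping the expansion in `set -f` / `set +f` keeps the literal value while still allowing the comma split. The `\n` joins added to `PAYLOAD` only work because the final `printf` uses `${PAYLOAD}` as its format string, which also means a `%` in any user-provided SAN value is interpreted as a printf directive; that line is unchanged context, but a follow-up such as `printf '%b\n' "${OPENSSL_CONFIG_CONTENT}\n${PAYLOAD}"` would make the interpretation explicit. The enclosing `if` block starts before this hunk.
```shell
# … unchanged: user-provided SAN IP block …
fi
if [ ! -z "$SAN_DNS" ]; then
  set -f    # keep wildcard entries such as *.example.com literal (no pathname expansion)
  echo "[${ME}] Using user-provided SAN records: " ${SAN_DNS}
  i=2       # DNS.1 is already the CN written in OPENSSL_CONFIG_CONTENT
  IFS=,
  PAYLOAD="${PAYLOAD}\n$(for DNS in $SAN_DNS; do echo "DNS.${i} = ${DNS}" ; i=$((i + 1)); done)"
  unset IFS
  set +f
fi
# … unchanged: automatic IP discovery block and final printf …
```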