let a user specify his own DNS IP records

README.md

@@ -29,6 +29,8 @@ used by the client in order to validate the server's certificate.
 - generate CA certificate if does not find any
 - always generate server certificate on startup to ensure all IP addresses
   are in x509 SAN
+- optionally, a user can specify his own IP or DNS SAN records
+  (i.e. ``--san-dns localhost,minio.site.com``)
 - write CN to x509 SAN which is a must
 - warn if the CA certificate is about to expire (<30 days till expiration)
 - regenerate the CA certificate if it finds it has expired

gencert.sh

@@ -2,7 +2,7 @@
 # Filename: gencert.sh
 # Description: This script generates x509 server certificate (with all IPs in
 #              SAN) signed by a self-signed CA.
-# Version: 1.5 - 2018 October 12
+# Version: 1.6 - 2018 December 27
 # Author: Andrey Arapov <andrey.arapov@nixaid.com>
 # License: GPLv3
 
@@ -18,8 +18,9 @@ print_help() {
   --cakey     - CA key name\t\t\t(default: ca.key)
   --ca        - CA cert name\t\t\t(default: ca.crt)
   --cadays    - CA cert expiration in days\t(default: 3650)\n
-  --nosan     - do not write SAN records\n
-  --san-ip    - specify custom SAN IP records manually. Implies --nosan\n
+  --noautosan - do not automatically discover IPs for SAN records\n
+  --san-ip    - specify custom SAN IP records manually. Implies --noautosan\n
+  --san-dns   - specify custom SAN DNS records manually.\n
   --debug     - show extra information\n
   --rsa       - generate RSA keys instead of ECDSA\n
   --rsa-size  - set RSA key size\n"
@@ -34,7 +35,7 @@ parse_arguments() {
   
   # read arguments
   opts=$(getopt \
-      --longoptions "help,cn:,key:,cert:,days:,cakey:,ca:,cadays:,nosan,san-ip:,debug,rsa,rsa-size:" \
+      --longoptions "help,cn:,key:,cert:,days:,cakey:,ca:,cadays:,noautosan,san-ip:,san-dns:,debug,rsa,rsa-size:" \
       --name "$(basename "$0")" \
       --options "" \
       -- "$@"
@@ -84,16 +85,22 @@ parse_arguments() {
         shift 2
         ;;
   
-      --nosan)
-        ARG_NOSAN=1
+      --noautosan)
+        ARG_NOAUTOSAN=1
         shift 1
         ;;
 
       --san-ip)
+        ARG_NOAUTOSAN=1
         ARG_SAN_IP=$2
         shift 2
         ;;
 
+      --san-dns)
+        ARG_SAN_DNS=$2
+        shift 2
+        ;;
+
       --debug)
         ARG_DEBUG=1
         shift 1
@@ -126,8 +133,9 @@ parse_arguments() {
   SERVER_KEY="${ARG_KEY:-private.key}"
   SERVER_CERT="${ARG_CERT:-public.crt}"
   DAYS="${ARG_DAYS:-365}"
-  NOSAN="${ARG_NOSAN}"
+  NOAUTOSAN="${ARG_NOAUTOSAN}"
   SAN_IP="${ARG_SAN_IP}"
+  SAN_DNS="${ARG_SAN_DNS}"
   DEBUG="${ARG_DEBUG}"
   RSA="${ARG_RSA}"
   RSA_SIZE="${ARG_RSA_SIZE:-2048}"
@@ -147,8 +155,9 @@ parse_arguments() {
     echo CAKEY=$CAKEY
     echo CA=$CA
     echo CADAYS=$CADAYS
-    echo NOSAN=$NOSAN
+    echo NOAUTOSAN=$NOAUTOSAN
     echo SAN_IP=$SAN_IP
+    echo SAN_DNS=$SAN_DNS
     echo DEBUG=$DEBUG
     echo RSA=$RSA
     echo RSA_SIZE=$RSA_SIZE
@@ -250,14 +259,22 @@ DNS.1=${CN}"
     IFS=,
     PAYLOAD="$(for IP in $SAN_IP; do echo "IP.${i} = ${IP}" ; i=$((i + 1)); done)"
     unset IFS
-  elif [ -z "$NOSAN" ]; then
+  fi
+  if [ ! -z "$SAN_DNS" ]; then
+    echo "[${ME}] Using user-provided SAN records: " ${SAN_DNS}
+    i=1
+    IFS=,
+    PAYLOAD="${PAYLOAD}\n$(for DNS in $SAN_DNS; do echo "DNS.${i} = ${DNS}" ; i=$((i + 1)); done)"
+    unset IFS
+  fi
+  if [ -z "$NOAUTOSAN" ]; then
     # Gather IPs for SAN
     
     i=1
     IPS="$( (getent ahostsv4 $(hostname) 2>/dev/null || getent hosts $(hostname) 2>/dev/null) | awk '{print $1}' |sort | uniq)"
 
     echo "[${ME}] Found these IPs: " ${IPS}
-    PAYLOAD="$(for IP in $IPS; do echo "IP.${i} = ${IP}" ; i=$((i + 1)); done)"
+    PAYLOAD="${PAYLOAD}\n$(for IP in $IPS; do echo "IP.${i} = ${IP}" ; i=$((i + 1)); done)"
   fi
   
   printf "${OPENSSL_CONFIG_CONTENT}\n${PAYLOAD}\n" > "${OPENSSL_CONFIG}"