[ARVADOS] created: 1.3.0-2496-g7eb530d63

Git user git at public.arvados.org
Fri Apr 17 14:54:24 UTC 2020


        at  7eb530d63f6264216ba326408bba4bcf84f8dcbf (commit)


commit 7eb530d63f6264216ba326408bba4bcf84f8dcbf
Author: Lucas Di Pentima <lucas at di-pentima.com.ar>
Date:   Fri Apr 17 11:52:59 2020 -0300

    16029: Creates SSL certificate with -listen-host as alternate name.
    
    This allows running arvados boot in a docker container and accessing it
    from the outside without the browser complaining about invalid certs.
    
    Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas at di-pentima.com.ar>

diff --git a/lib/boot/cert.go b/lib/boot/cert.go
index 4b12c72ed..f0797c2ac 100644
--- a/lib/boot/cert.go
+++ b/lib/boot/cert.go
@@ -6,7 +6,9 @@ package boot
 
 import (
 	"context"
+	"fmt"
 	"io/ioutil"
+	"net"
 	"path/filepath"
 )
 
@@ -23,6 +25,13 @@ func (createCertificates) String() string {
 }
 
 func (createCertificates) Run(ctx context.Context, fail func(error), super *Supervisor) error {
+	var san string
+	if net.ParseIP(super.ListenHost) != nil {
+		san = fmt.Sprintf("IP:%s", super.ListenHost)
+	} else {
+		san = fmt.Sprintf("DNS:%s", super.ListenHost)
+	}
+
 	// Generate root key
 	err := super.RunProgram(ctx, super.tempdir, nil, nil, "openssl", "genrsa", "-out", "rootCA.key", "4096")
 	if err != nil {
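Review bot: The DNS branch passes super.ListenHost into the SAN entry unvalidated, so an empty ListenHost yields `DNS:` and a value containing a comma, newline or `#` is spliced verbatim into the server.cfg section built in the next hunk, where openssl treats it as additional config text; either case only surfaces later as an opaque openssl failure at signing. Since ListenHost is operator-supplied this is a robustness point rather than an exposure, but a guard such as `if super.ListenHost == "" || strings.ContainsAny(super.ListenHost, ",\n#") { return fmt.Errorf("invalid -listen-host %q", super.ListenHost) }` placed before the branch would fail fast with a clear message (strings would need to be added to the import hunk). The new block also deserves a comment, e.g. `// openssl SAN entries are typed: IP literals need IP:, anything else DNS:`. The same concern applies to the Sprintf in the following server.cfg hunk; Run's body continues outside this hunk.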
@@ -43,10 +52,7 @@ func (createCertificates) Run(ctx context.Context, fail func(error), super *Supe
 	if err != nil {
 		return err
 	}
-	err = ioutil.WriteFile(filepath.Join(super.tempdir, "server.cfg"), append(defaultconf, []byte(`
-[SAN]
-subjectAltName=DNS:localhost,DNS:localhost.localdomain
-`)...), 0644)
+	err = ioutil.WriteFile(filepath.Join(super.tempdir, "server.cfg"), append(defaultconf, []byte(fmt.Sprintf("\n[SAN]\nsubjectAltName=DNS:localhost,DNS:localhost.localdomain,%s\n", san))...), 0644)
 	if err != nil {
 		return err
 	}
@@ -56,7 +62,7 @@ subjectAltName=DNS:localhost,DNS:localhost.localdomain
 		return err
 	}
 	// Sign certificate
-	err = super.RunProgram(ctx, super.tempdir, nil, nil, "openssl", "x509", "-req", "-in", "server.csr", "-CA", "rootCA.crt", "-CAkey", "rootCA.key", "-CAcreateserial", "-out", "server.crt", "-days", "3650", "-sha256")
+	err = super.RunProgram(ctx, super.tempdir, nil, nil, "openssl", "x509", "-req", "-in", "server.csr", "-CA", "rootCA.crt", "-CAkey", "rootCA.key", "-CAcreateserial", "-out", "server.crt", "-extfile", "server.cfg", "-extensions", "SAN", "-days", "3650", "-sha256")
 	if err != nil {
 		return err
 	}
