From fe938e6e287d2975164983ecc1467fc16672aaf2 Mon Sep 17 00:00:00 2001
From: tristan-weil <49060873+tristan-weil@users.noreply.github.com>
Date: Thu, 4 Apr 2019 14:32:02 +0200
Subject: [PATCH] tls: allow to add ip addresses as Subject Alternative Names when creating certificates (#5602)

---
 command/tls/cert/create/tls_cert_create.go | 41 +++++++++++-------
 .../source/docs/commands/tls/cert.html.md.erb | 2 +
 .../docs/guides/creating-certificates.html.md | 4 +-
 3 files changed, 29 insertions(+), 18 deletions(-)

diff --git a/command/tls/cert/create/tls_cert_create.go b/command/tls/cert/create/tls_cert_create.go
index 01b337e11e..6a4c3f0533 100644
--- a/command/tls/cert/create/tls_cert_create.go
+++ b/command/tls/cert/create/tls_cert_create.go
@@ -21,19 +21,20 @@ func New(ui cli.Ui) *cmd {
 }
 
 type cmd struct {
- UI cli.Ui
- flags *flag.FlagSet
- ca string
- key string
- server bool
- client bool
- cli bool
- dc string
- days int
- domain string
- help string
- dnsnames flags.AppendSliceValue
- prefix string
+ UI cli.Ui
+ flags *flag.FlagSet
+ ca string
+ key string
+ server bool
+ client bool
+ cli bool
+ dc string
+ days int
+ domain string
+ help string
+ dnsnames flags.AppendSliceValue
+ ipaddresses flags.AppendSliceValue
+ prefix string
 }
 
 func (c *cmd) init() {
@@ -47,7 +48,9 @@ func (c *cmd) init() {
 c.flags.StringVar(&c.dc, "dc", "dc1", "Provide the datacenter. Matters only for -server certificates. Defaults to dc1.")
 c.flags.StringVar(&c.domain, "domain", "consul", "Provide the domain. Matters only for -server certificates.")
 c.flags.Var(&c.dnsnames, "additional-dnsname", "Provide an additional dnsname for Subject Alternative Names. "+
- "127.0.0.1 and localhost are always included. This flag may be provided multiple times.")
+ "localhost is always included. This flag may be provided multiple times.")
+ c.flags.Var(&c.ipaddresses, "additional-ipaddress", "Provide an additional ipaddress for Subject Alternative Names. "+
+ "127.0.0.1 is always included. This flag may be provided multiple times.")
 c.help = flags.Usage(help, c.flags)
 }
 
@@ -86,16 +89,22 @@ func (c *cmd) Run(args []string) int {
 }
 }
 
+ for _, i := range c.ipaddresses {
+ if len(i) > 0 {
+ IPAddresses = append(IPAddresses, net.ParseIP(strings.TrimSpace(i)))
+ }
+ }
+
 if c.server {
 name = fmt.Sprintf("server.%s.%s", c.dc, c.domain)
 DNSNames = append(DNSNames, []string{name, "localhost"}...)
- IPAddresses = []net.IP{net.ParseIP("127.0.0.1")}
+ IPAddresses = append(IPAddresses, net.ParseIP("127.0.0.1"))
 extKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
 prefix = fmt.Sprintf("%s-server-%s", c.dc, c.domain)
 } else if c.client {
 name = fmt.Sprintf("client.%s.%s", c.dc, c.domain)
 DNSNames = append(DNSNames, []string{name, "localhost"}...)
- IPAddresses = []net.IP{net.ParseIP("127.0.0.1")}
+ IPAddresses = append(IPAddresses, net.ParseIP("127.0.0.1"))
 extKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
 prefix = fmt.Sprintf("%s-client-%s", c.dc, c.domain)
 } else if c.cli {
diff --git a/website/source/docs/commands/tls/cert.html.md.erb b/website/source/docs/commands/tls/cert.html.md.erb
index 924375024f..6188ac3cc7 100644
--- a/website/source/docs/commands/tls/cert.html.md.erb
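Review bot: In the new `for _, i := range c.ipaddresses` loop, `net.ParseIP` returns nil for anything that is not a well-formed IPv4/IPv6 literal, and that nil is appended to IPAddresses unchecked, so a mistyped `-additional-ipaddress` is not reported at the point where the operator can fix it; what the issued certificate then carries in its IP SAN depends on how the later x509 code treats a nil entry rather than on an explicit decision here. The `len(i) > 0` test also runs before `strings.TrimSpace`, so a whitespace-only value passes the guard and parses to nil the same way. Validate the parsed value and fail the command with a clear message, as in the excerpt below, so that only addresses the operator actually intended end up in the certificate. A 127.0.0.1 passed via the flag is not deduplicated against the always-included entry appended in the server/client branches, which is harmless but worth a one-line comment such as `// 127.0.0.1 is always included; a duplicate from the flag is tolerated`. Run's body starts and ends outside the hunk, and the sibling loop over c.dnsnames that presumably precedes this one is not visible here.
```go
for _, i := range c.ipaddresses {
	i = strings.TrimSpace(i)
	if len(i) == 0 {
		continue
	}
	ip := net.ParseIP(i)
	if ip == nil {
		c.UI.Error(fmt.Sprintf("Invalid -additional-ipaddress value %q: not an IP address", i))
		return 1
	}
	IPAddresses = append(IPAddresses, ip)
}
// … unchanged: server / client / cli branches …
```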
+++ b/website/source/docs/commands/tls/cert.html.md.erb
@@ -51,6 +51,8 @@ Usage: `consul tls cert create [filename-prefix] [options]`
 - `-additional-dnsname=` - Provide additional dnsname for Subject Alternative Names.
 
+- `-additional-ipaddress=` - Provide additional ipaddress for Subject Alternative Names.
+
 - `-ca=` - Provide path to the ca
 
 - `-cli` - Generate cli certificate
 
diff --git a/website/source/docs/guides/creating-certificates.html.md b/website/source/docs/guides/creating-certificates.html.md
index 60d2820916..8601ad6547 100644
--- a/website/source/docs/guides/creating-certificates.html.md
+++ b/website/source/docs/guides/creating-certificates.html.md
@@ -281,8 +281,8 @@ respond as expected.
 
 Using `localhost` and `127.0.0.1` as `Subject Alternative Names` in server and client certificates allows tools like `curl` to be able to communicate with Consul's HTTPS API when run on the same host. Other SANs may be added during
-server/client certificates creation with `-additional-dnsname` to allow remote
-HTTPS requests from other hosts.
+server/client certificates creation with `-additional-dnsname` or
+`-additional-ipaddress`to allow remote HTTPS requests from other hosts.
 
 ## Configuring the Consul UI for HTTPS