tls: allow to add ip addresses as Subject Alternative Names when creating certificates (#5602)
parent
cb0b9665df
commit
fe938e6e28
|
@ -33,6 +33,7 @@ type cmd struct {
|
|||
domain string
|
||||
help string
|
||||
dnsnames flags.AppendSliceValue
|
||||
ipaddresses flags.AppendSliceValue
|
||||
prefix string
|
||||
}
|
||||
|
||||
|
@ -47,7 +48,9 @@ func (c *cmd) init() {
|
|||
c.flags.StringVar(&c.dc, "dc", "dc1", "Provide the datacenter. Matters only for -server certificates. Defaults to dc1.")
|
||||
c.flags.StringVar(&c.domain, "domain", "consul", "Provide the domain. Matters only for -server certificates.")
|
||||
c.flags.Var(&c.dnsnames, "additional-dnsname", "Provide an additional dnsname for Subject Alternative Names. "+
|
||||
"127.0.0.1 and localhost are always included. This flag may be provided multiple times.")
|
||||
"localhost is always included. This flag may be provided multiple times.")
|
||||
c.flags.Var(&c.ipaddresses, "additional-ipaddress", "Provide an additional ipaddress for Subject Alternative Names. "+
|
||||
"127.0.0.1 is always included. This flag may be provided multiple times.")
|
||||
c.help = flags.Usage(help, c.flags)
|
||||
}
|
||||
|
||||
|
@ -86,16 +89,22 @@ func (c *cmd) Run(args []string) int {
|
|||
}
|
||||
}
|
||||
|
||||
for _, i := range c.ipaddresses {
|
||||
if len(i) > 0 {
|
||||
IPAddresses = append(IPAddresses, net.ParseIP(strings.TrimSpace(i)))
|
||||
}
|
||||
}
|
||||
|
||||
if c.server {
|
||||
name = fmt.Sprintf("server.%s.%s", c.dc, c.domain)
|
||||
DNSNames = append(DNSNames, []string{name, "localhost"}...)
|
||||
IPAddresses = []net.IP{net.ParseIP("127.0.0.1")}
|
||||
IPAddresses = append(IPAddresses, net.ParseIP("127.0.0.1"))
|
||||
extKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
|
||||
prefix = fmt.Sprintf("%s-server-%s", c.dc, c.domain)
|
||||
} else if c.client {
|
||||
name = fmt.Sprintf("client.%s.%s", c.dc, c.domain)
|
||||
DNSNames = append(DNSNames, []string{name, "localhost"}...)
|
||||
IPAddresses = []net.IP{net.ParseIP("127.0.0.1")}
|
||||
IPAddresses = append(IPAddresses, net.ParseIP("127.0.0.1"))
|
||||
extKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
|
||||
prefix = fmt.Sprintf("%s-client-%s", c.dc, c.domain)
|
||||
} else if c.cli {
|
||||
|
|
|
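Review bot: In the `-additional-ipaddress` loop (hunk `@ -86,16 +89,22 @@`), `net.ParseIP` returns nil for an unparsable value, and that nil is appended to `IPAddresses` unchecked; the `len(i) > 0` guard runs before `TrimSpace`, so a whitespace-only value takes the same path. As far as I can tell the x509 marshalling does not reject a nil IP, so a typo in the flag silently yields a certificate with an empty iPAddress SAN instead of an error to the operator. The parse result should be checked and the command should fail with a message naming the bad value; the error reporting below assumes the command's existing UI error path (not visible in the hunk) — adjust to whatever Run uses above. Run's body starts and ends outside the hunk.
```go
for _, i := range c.ipaddresses {
	if len(i) > 0 {
		ip := net.ParseIP(strings.TrimSpace(i))
		if ip == nil {
			c.UI.Error(fmt.Sprintf("Invalid -additional-ipaddress %q", i))
			return 1
		}
		IPAddresses = append(IPAddresses, ip)
	}
}
// … unchanged: server/client/cli branches …
```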
@ -51,6 +51,8 @@ Usage: `consul tls cert create [filename-prefix] [options]`
|
|||
|
||||
- `-additional-dnsname=<string>` - Provide additional dnsname for Subject Alternative Names.
|
||||
|
||||
- `-additional-ipaddress=<string>` - Provide additional ipaddress for Subject Alternative Names.
|
||||
|
||||
- `-ca=<string>` - Provide path to the ca
|
||||
|
||||
- `-cli` - Generate cli certificate
|
||||
|
|
|
@ -281,8 +281,8 @@ respond as expected.
|
|||
Using `localhost` and `127.0.0.1` as `Subject Alternative Names` in server
|
||||
and client certificates allows tools like `curl` to be able to communicate with
|
||||
Consul's HTTPS API when run on the same host. Other SANs may be added during
|
||||
server/client certificates creation with `-additional-dnsname` to allow remote
|
||||
HTTPS requests from other hosts.
|
||||
server/client certificates creation with `-additional-dnsname` or
|
||||
`-additional-ipaddress`to allow remote HTTPS requests from other hosts.
|
||||
|
||||
## Configuring the Consul UI for HTTPS
|
||||
|
||||
|
|