qa/tasks/openssl_keys.py: add subjectAltName to certificates

Get rid of this annoying teuthology log message which appears many many times: .../urllib3/connection.py:395: SubjectAltNameWarning: Certificate for <some_host> has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/urllib3/urllib3/issues/497 for details.) I'm also adding the ip address, which also allows https://IPaddress/ This is part of the standard and works with most clients, but python ignores this. C'est la vie. Fixes: https://tracker.ceph.com/issues/48177 Signed-off-by: Marcus Watts <mwatts@redhat.com>
2025-01-19 17:41:39 +00:00 · 2020-11-05 20:52:30 -05:00 · 2020-11-05 20:52:30 -05:00 · 1c18808b07
commit 1c18808b07
parent 871404a709
1 changed files with 27 additions and 9 deletions
--- a/qa/tasks/openssl_keys.py
+++ b/qa/tasks/openssl_keys.py
@ -108,11 +108,21 @@ class OpenSSLKeys(Task):

        cert.remote.run(args=['mkdir', '-p', self.cadir])

-        cert.key = '{}/{}.key'.format(self.cadir, cert.name)
-        cert.certificate = '{}/{}.crt'.format(self.cadir, cert.name)
+        cert.key = f'{self.cadir}/{cert.name}.key'
+        cert.certificate = f'{self.cadir}/{cert.name}.crt'
+
+        san_ext = []
+        add_san_default = False
+        cn = config.get('cn', '')
+        if cn == '':
+            cn = cert.remote.hostname
+            add_san_default = True
+        if config.get('add-san', add_san_default):
+            ext = f'{self.cadir}/{cert.name}.ext'
+            san_ext = ['-extfile', ext]

        # provide the common name in -subj to avoid the openssl command prompts
-        subject = '/CN={}'.format(config.get('cn', cert.remote.hostname))
+        subject = f'/CN={cn}'

        # if a ca certificate is provided, use it to sign the new certificate
        ca = config.get('ca', None)
@ -120,25 +130,33 @@ class OpenSSLKeys(Task):
            # the ca certificate must have been created by a prior ssl task
            ca_cert = self.ctx.ssl_certificates.get(ca, None)
            if not ca_cert:
-                raise ConfigError('ssl: ca {} not found for certificate {}'
-                        .format(ca, cert.name))
+                raise ConfigError(f'ssl: ca {ca} not found for certificate {cert.name}')
+
+            csr = f'{self.cadir}/{cert.name}.csr'
+            srl = f'{self.cadir}/{ca_cert.name}.srl'
+            remove_files = ['rm', csr, srl]

            # these commands are run on the ca certificate's client because
            # they need access to its private key and cert

            # generate a private key and signing request
-            csr = '{}/{}.csr'.format(self.cadir, cert.name)
            ca_cert.remote.run(args=['openssl', 'req', '-nodes',
                '-newkey', cert.key_type, '-keyout', cert.key,
                '-out', csr, '-subj', subject])

+            if san_ext:
+                remove_files.append(ext)
+                ca_cert.remote.write_file(path=ext,
+                    data='subjectAltName = DNS:{},IP:{}'.format(
+                        cn,
+                        config.get('ip', cert.remote.ip_address)))
+
            # create the signed certificate
            ca_cert.remote.run(args=['openssl', 'x509', '-req', '-in', csr,
                '-CA', ca_cert.certificate, '-CAkey', ca_cert.key, '-CAcreateserial',
-                '-out', cert.certificate, '-days', '365', '-sha256'])
+                '-out', cert.certificate, '-days', '365', '-sha256'] + san_ext)

-            srl = '{}/{}.srl'.format(self.cadir, ca_cert.name)
-            ca_cert.remote.run(args=['rm', csr, srl]) # clean up the signing request and serial
+            ca_cert.remote.run(args=remove_files) # clean up the signing request and serial

            # verify the new certificate against its ca cert
            ca_cert.remote.run(args=['openssl', 'verify',