Merge pull request #2488 from openziti/fix.order.of.enrollment.cert.l…

…ookup search for SANs in the cert closest to the http listener
openziti · Oct 17, 2024 · d3272dc · d3272dc
2 parents 46605be + 30cd086
commit d3272dc
Showing 1 changed file with 11 additions and 7 deletions.
diff --git a/controller/env/appenv.go b/controller/env/appenv.go
@@ -296,14 +296,9 @@ func (ae *AppEnv) getEnrollmentTlsCert() (*tls.Certificate, error) {
 		return nil, fmt.Errorf("could not parse edge.api.address for host and port during enrollment signer selection [%s]", ae.GetConfig().Edge.Api.Address)
 	}
 
-	tlsCert, err := ae.getCertForHostname(ae.GetConfig().Id.ServerCert(), host)
-
-	if err == nil {
-		return tlsCert, nil
-	} else {
-		hostnameErrors = append(hostnameErrors, err)
-	}
+	var tlsCert *tls.Certificate
 
+	//look at xweb instances and search
 	for _, serverConfig := range ae.GetHostController().GetXWebInstance().GetConfig().ServerConfigs {
 		clientApiFound := false
 		for _, curApi := range serverConfig.APIs {
@@ -326,6 +321,15 @@ func (ae *AppEnv) getEnrollmentTlsCert() (*tls.Certificate, error) {
 		}
 	}
 
+	//default to root
+	tlsCert, err = ae.getCertForHostname(ae.GetConfig().Id.ServerCert(), host)
+
+	if err == nil {
+		return tlsCert, nil
+	} else {
+		hostnameErrors = append(hostnameErrors, err)
+	}
+
 	pfxlog.Logger().WithField("hostnameErrors", hostnameErrors).Errorf("could not find a server certificate for the edge.api.address host [%s]", host)
 
 	return nil, fmt.Errorf("could not find a configured server certificate that matches hostname [%s] in root controller identity nor in xweb identities", host)