Skip to content

Commit

Permalink
Support host names in TLS certificates (#948)
Browse files Browse the repository at this point in the history
This commit updates TLS certificate generator to detect if IP address or
host name was used as host value. If host name is detected field `DNSNames`
of x509 SAN extenstion is used instead of `IPAddresses`.

* https://en.wikipedia.org/wiki/Subject_Alternative_Name
* https://tools.ietf.org/html/rfc5280#section-4.2.1.6

This contributes towards fixing #337.

Co-authored-by: SIGSEGV <gnu.crazier@gmail.com>
  • Loading branch information
fln and lucklove authored Dec 1, 2020
1 parent 214441a commit 5296e8f
Showing 1 changed file with 8 additions and 2 deletions.
10 changes: 8 additions & 2 deletions pkg/cluster/task/tls.go
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ package task
import (
"encoding/pem"
"fmt"
"net"
"path/filepath"

"github.com/pingcap/errors"
Expand All @@ -38,8 +39,13 @@ func (c *TLSCert) Execute(ctx *Context) error {
if err != nil {
return err
}
// we don't support hostname yet, only iplist is used
csr, err := privKey.CSR(c.inst.Role(), c.inst.ComponentName(), []string{}, []string{c.inst.GetHost()})

hosts := []string{c.inst.GetHost()}
ips := []string{}
if net.ParseIP(c.inst.GetHost()) != nil {
hosts, ips = ips, hosts
}
csr, err := privKey.CSR(c.inst.Role(), c.inst.ComponentName(), hosts, ips)
if err != nil {
return err
}
Expand Down

0 comments on commit 5296e8f

Please sign in to comment.