qa/tasks/openssl_keys.py: add subjectAltName to certificates

Get rid of this annoying teuthology log message which appears many many times: .../urllib3/connection.py:395: SubjectAltNameWarning: Certificate for <some_host> has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See urllib3/urllib3#497 for details.) I'm also adding the ip address, which also allows https://IPaddress/ This is part of the standard and works with most clients, but python ignores this. C'est la vie. Fixes: https://tracker.ceph.com/issues/48177 Signed-off-by: Marcus Watts <mwatts@redhat.com>
mdw-at-linuxbox · Nov 22, 2020 · a116ac4 · a116ac4
1 parent 2d58306
commit a116ac4
Showing 1 changed file with 27 additions and 9 deletions.
diff --git a/qa/tasks/openssl_keys.py b/qa/tasks/openssl_keys.py
@@ -108,37 +108,55 @@ def create_cert(self, name, config):
 
         cert.remote.run(args=['mkdir', '-p', self.cadir])
 
-        cert.key = '{}/{}.key'.format(self.cadir, cert.name)
-        cert.certificate = '{}/{}.crt'.format(self.cadir, cert.name)
+        cert.key = f'{self.cadir}/{cert.name}.key'
+        cert.certificate = f'{self.cadir}/{cert.name}.crt'
+
+        san_ext = []
+        add_san_default = False
+        cn = config.get('cn', '')
+        if cn == '':
+            cn = cert.remote.hostname
+            add_san_default = True
+        if config.get('add-san', add_san_default):
+            ext = f'{self.cadir}/{cert.name}.ext'
+            san_ext = ['-extfile', ext]
 
         # provide the common name in -subj to avoid the openssl command prompts
-        subject = '/CN={}'.format(config.get('cn', cert.remote.hostname))
+        subject = f'/CN={cn}'
 
         # if a ca certificate is provided, use it to sign the new certificate
         ca = config.get('ca', None)
         if ca:
             # the ca certificate must have been created by a prior ssl task
             ca_cert = self.ctx.ssl_certificates.get(ca, None)
             if not ca_cert:
-                raise ConfigError('ssl: ca {} not found for certificate {}'
-                        .format(ca, cert.name))
+                raise ConfigError(f'ssl: ca {ca} not found for certificate {cert.name}')
+
+            csr = f'{self.cadir}/{cert.name}.csr'
+            srl = f'{self.cadir}/{ca_cert.name}.srl'
+            remove_files = ['rm', csr, srl]
 
             # these commands are run on the ca certificate's client because
             # they need access to its private key and cert
 
             # generate a private key and signing request
-            csr = '{}/{}.csr'.format(self.cadir, cert.name)
             ca_cert.remote.run(args=['openssl', 'req', '-nodes',
                 '-newkey', cert.key_type, '-keyout', cert.key,
                 '-out', csr, '-subj', subject])
 
+            if san_ext:
+                remove_files.append(ext)
+                ca_cert.remote.write_file(path=ext,
+                    data='subjectAltName = DNS:{},IP:{}'.format(
+                        cn,
+                        config.get('ip', cert.remote.ip_address)))
+
             # create the signed certificate
             ca_cert.remote.run(args=['openssl', 'x509', '-req', '-in', csr,
                 '-CA', ca_cert.certificate, '-CAkey', ca_cert.key, '-CAcreateserial',
-                '-out', cert.certificate, '-days', '365', '-sha256'])
+                '-out', cert.certificate, '-days', '365', '-sha256'] + san_ext)
 
-            srl = '{}/{}.srl'.format(self.cadir, ca_cert.name)
-            ca_cert.remote.run(args=['rm', csr, srl]) # clean up the signing request and serial
+            ca_cert.remote.run(args=remove_files) # clean up the signing request and serial
 
             # verify the new certificate against its ca cert
             ca_cert.remote.run(args=['openssl', 'verify',