proxmox-mirrors/pve-common
1
0
Fork 0
mirror of https://git.proxmox.com/git/pve-common synced 2025-08-11 21:49:43 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

certs: generate_csr: allow to set CN explicit

Browse Source 
Else, when used with ACME, the SAN is always sorted so we always get
the Subject Alternative Name sorting alphabetically first, which
doesn't necessarily has to be the "primary" domain. While this is
rather cosmetically (all SANs are equal) it could still result it
flapping CN when SANs and thus possibly the order changes, e.g., in
our CDN mirror pool. It also doesn't costs anything to allow control
over this, so why not..

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
This commit is contained in:
Thomas Lamprecht 2020-01-13 17:25:10 +01:00
parent 055f076be5
commit 0e4d81adb8
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/PVE/Certificate.pm
View File

@ -336,6 +336,9 @@ sub generate_csr {
my $san = [ map { $_->{value} } grep { $_->{type} eq 'dns' } @$identifiers ];
die "DNS identifiers are required to generate a CSR.\n" if !scalar @$san;
# optional
my $common_name = delete($attr{common_name}) // $san->[0];
my $md = eval { Net::SSLeay::EVP_get_digestbyname($dig_alg) };
die "Invalid digest algorithm '$dig_alg'\n" if !$md;
@ -366,7 +369,7 @@ sub generate_csr {
}
};
$add_name_entry->('CN', @$san[0]);
$add_name_entry->('CN', $common_name);
for (qw(C ST L O OU)) {
if (defined(my $v = $attr{$_})) {
$add_name_entry->($_, $v);