Fix subjectAltName for self-signed certificates #1128

Merged

Conversation

swalkinshaw (Member)
Ref: #1117

In some cases the `subjectAltName` for self-signed SSL certificates was
invalid due to `DNS:` being both prepended *and* appended to each domain
when it should only be a prefix.

This tweaks `regex_replace` to anchor at the start of the string only.

Before:

```
subjectAltName = DNS:example.testDNS:,DNS:www.example.testDNS:
```

After:

```
subjectAltName = DNS:example.test,DNS:www.example.test
```
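The mechanism behind the doubled `DNS:`, as an added example (not code from the Trellis pull request). Ansible's `regex_replace` filter is a thin wrapper over Python's `re.sub`, so the Jinja chain `hosts | map('regex_replace', pattern, 'DNS:\1') | join(',')` is modelled with `re.sub` directly. The pre-fix pattern `(.*)` is an assumption: the page shows only the before/after output, and `(.*)` is the simplest pattern that reproduces it. What is certain is the Python side: from 3.7 on, `re.sub` also substitutes an empty match that sits right after a non-empty one, so an unanchored pattern fires a second time at the end of each host; anchoring with `^` removes that second match. The block also includes a small checker for the generated `subjectAltName` value, since a host such as `example.testDNS:` is not a valid DNS name and will never match a browser's hostname check.

```python
"""Reproduce and fix the doubled "DNS:" in a self-signed cert subjectAltName.

Added example, not the project's own code. Ansible's regex_replace filter
wraps re.sub, so the template's map('regex_replace', ...) | join(',') chain
is modelled with re.sub here. BROKEN_PATTERN is an assumption about the
pre-fix template; the PR only shows the resulting output.
"""
import re
import sys

# Constructed sample input, matching the hosts shown in the PR description.
HOSTS = ["example.test", "www.example.test"]

# Assumed "before" pattern: unanchored, so on Python 3.7+ the empty string at
# the end of each host is matched too and gets its own "DNS:" substitution.
BROKEN_PATTERN = r"(.*)"
# "After": anchored at the start of the string, so there is exactly one match.
FIXED_PATTERN = r"^(.*)"
REPLACEMENT = r"DNS:\1"

GOOD_SAN = "DNS:example.test,DNS:www.example.test"
BAD_SAN = "DNS:example.testDNS:,DNS:www.example.testDNS:"


def build_san(hosts, pattern, replacement=REPLACEMENT):
    """Mimic `hosts | map('regex_replace', pattern, replacement) | join(',')`."""
    return ",".join(re.sub(pattern, replacement, host) for host in hosts)


def empty_match_after_nonempty_substituted():
    """Python 3.7 changed re.sub: an empty match adjacent to a previous
    non-empty match is now substituted as well. Python 2.7 and 3.6 skip it,
    which is why the bug tracked the Python version, not the Ansible version."""
    return sys.version_info >= (3, 7)


# One dNSName entry: "DNS:" followed by a hostname made of letter/digit/hyphen
# labels (an optional leading "*" label allows wildcard certificates).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_SAN_ENTRY = re.compile(r"^DNS:((?:\*|%s)(?:\.%s)*)$" % (_LABEL, _LABEL))


def san_dns_names(san_value):
    """Parse `subjectAltName = DNS:a,DNS:b` (prefix optional) into its DNS
    names. Raises ValueError on an entry that is not a valid dNSName, such as
    the "example.testDNS:" produced by the unanchored pattern."""
    value = san_value.split("=", 1)[1] if san_value.startswith("subjectAltName") else san_value
    names = []
    for entry in value.strip().split(","):
        match = _SAN_ENTRY.match(entry.strip())
        if not match:
            raise ValueError("invalid subjectAltName entry: %r" % entry)
        names.append(match.group(1))
    return names


def san_is_valid(san_value):
    """True when every entry in the subjectAltName value is a well-formed dNSName."""
    try:
        san_dns_names(san_value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for label, pattern in (("broken", BROKEN_PATTERN), ("fixed", FIXED_PATTERN)):
        san = build_san(HOSTS, pattern)
        print("%s: subjectAltName = %s  (valid: %s)" % (label, san, san_is_valid(san)))
```

On a provisioned box the same check can be made against the real certificate with `openssl x509 -in <cert> -noout -text` and reading the `X509v3 Subject Alternative Name` line; each entry should be `DNS:<host>` and nothing more.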
swalkinshaw (Member, Author)

@robrecord want to try this out?

tangrufus added a commit to tangrufus/trellis that referenced this pull request Dec 12, 2019
```bash
ansible-playbook test.yml
```

A `.cnf` file should be generated under the `test` directory.

tangrufus (Collaborator)

tangrufus commented Dec 12, 2019

How do you reproduce the extraneous `DNS:`?

This is my setup: tangrufus@07e3caf

```
➜ ansible --version
ansible 2.7.14
  config file = /Users/rufus/Desktop/trellis/ansible.cfg
  configured module search path = [u'/Users/rufus/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python2.7/site-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 2.7.17 (default, Oct 24 2019, 12:57:38) [GCC 4.2.1 Compatible Apple LLVM 11.0.0 (clang-1100.0.33.8)]

➜ ansible --version
ansible 2.8.7
  config file = /Users/rufus/Desktop/trellis/ansible.cfg
  configured module search path = [u'/Users/rufus/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python2.7/site-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 2.7.17 (default, Oct 24 2019, 12:57:38) [GCC 4.2.1 Compatible Apple LLVM 11.0.0 (clang-1100.0.33.8)]
```

tangrufus (Collaborator)

Please ignore me.

I can reproduce the issue using python 3 and this pull request fixes it.

swalkinshaw (Member, Author)

Ah glad to know it was the Python version that mattered and thanks for testing 🎉

As long as this still works as it should in Python 2 as well...

tangrufus (Collaborator)

This patch also works on Python 2 + Ansible v2.7 & v2.8 👏

@swalkinshaw swalkinshaw merged commit 73cbfb9 into master Dec 12, 2019
@swalkinshaw swalkinshaw deleted the fix-self-signed-ssl-certificate-subject-alternate-names branch December 12, 2019 17:48
robrecord (Contributor)

robrecord commented Feb 4, 2020

I am just now upgrading an old Trellis install with the `DNS:` problem, and after doing all the things, I can confirm your fix works for me. Python 3.7.6, Ansible v2.8.8

Things I did, not sure if all necessary:

- upgrade Trellis
- remove old SSL certs inside Vagrant (`vagrant ssh` & `sudo rm -r /etc/nginx/ssl`)
- removed old cert from the Keychain app
- re-provisioned Vagrant (`SKIP_GALAXY=true ANSIBLE_TAGS=wordpress vagrant reload --provision`)
- re-trust the certificate (`vagrant trellis-cert trust`)
- restarted browser

Thanks @swalkinshaw & @tangrufus , somehow I didn't see this PR at the time.
It was driving me crazy; I'm so pleased there is a fix!
