summary refs log tree commit diff
diff options
context:
space:
mode:
authorreivilibre <oliverw@matrix.org>2022-06-16 12:43:21 +0100
committerGitHub <noreply@github.com>2022-06-16 12:43:21 +0100
commit90cadcd403a5652a3f789ccfa8b608c639c0cc6d (patch)
tree046d8adef30f584bc7c96fd903e447da0db2446b
parentImprove URL previews for sites with only Twitter card information. (#13056) (diff)
downloadsynapse-90cadcd403a5652a3f789ccfa8b608c639c0cc6d.tar.xz
Add a Subject Alternative Name to the certificate generated for Complement tests. (#13071)
-rw-r--r--changelog.d/13071.misc1
-rwxr-xr-xdocker/complement/conf/start_for_complement.sh22
2 files changed, 20 insertions, 3 deletions
diff --git a/changelog.d/13071.misc b/changelog.d/13071.misc
new file mode 100644
index 0000000000..a6e1e6b3a8
--- /dev/null
+++ b/changelog.d/13071.misc
@@ -0,0 +1 @@
+Add a Subject Alternative Name to the certificate generated for Complement tests.
\ No newline at end of file
diff --git a/docker/complement/conf/start_for_complement.sh b/docker/complement/conf/start_for_complement.sh
index 65da99b8da..773c7db22f 100755
--- a/docker/complement/conf/start_for_complement.sh
+++ b/docker/complement/conf/start_for_complement.sh
@@ -73,14 +73,30 @@ fi
 
 # Generate a TLS key, then generate a certificate by having Complement's CA sign it
 # Note that both the key and certificate are in PEM format (not DER).
+
+# First generate a configuration file to set up a Subject Alternative Name.
+cat > /conf/server.tls.conf <<EOF
+.include /etc/ssl/openssl.cnf
+
+[SAN]
+subjectAltName=DNS:${SERVER_NAME}
+EOF
+
+# Generate an RSA key
 openssl genrsa -out /conf/server.tls.key 2048
 
-openssl req -new -key /conf/server.tls.key -out /conf/server.tls.csr \
-  -subj "/CN=${SERVER_NAME}"
+# Generate a certificate signing request
+openssl req -new -config /conf/server.tls.conf -key /conf/server.tls.key -out /conf/server.tls.csr \
+  -subj "/CN=${SERVER_NAME}" -reqexts SAN
 
+# Make the Complement Certificate Authority sign and generate a certificate.
 openssl x509 -req -in /conf/server.tls.csr \
   -CA /complement/ca/ca.crt -CAkey /complement/ca/ca.key -set_serial 1 \
-  -out /conf/server.tls.crt
+  -out /conf/server.tls.crt -extfile /conf/server.tls.conf -extensions SAN
+
+# Assert that we have a Subject Alternative Name in the certificate.
+# (grep will exit with 1 here if there isn't a SAN in the certificate.)
+openssl x509 -in /conf/server.tls.crt -noout -text | grep DNS:
 
 export SYNAPSE_TLS_CERT=/conf/server.tls.crt
 export SYNAPSE_TLS_KEY=/conf/server.tls.key