diff options
author | reivilibre <oliverw@matrix.org> | 2022-06-16 12:43:21 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-06-16 12:43:21 +0100 |
commit | 90cadcd403a5652a3f789ccfa8b608c639c0cc6d (patch) | |
tree | 046d8adef30f584bc7c96fd903e447da0db2446b /docker/complement/conf | |
parent | Improve URL previews for sites with only Twitter card information. (#13056) (diff) | |
download | synapse-90cadcd403a5652a3f789ccfa8b608c639c0cc6d.tar.xz |
Add a Subject Alternative Name to the certificate generated for Complement tests. (#13071)
Diffstat (limited to 'docker/complement/conf')
-rwxr-xr-x | docker/complement/conf/start_for_complement.sh | 22 |
1 files changed, 19 insertions, 3 deletions
diff --git a/docker/complement/conf/start_for_complement.sh b/docker/complement/conf/start_for_complement.sh index 65da99b8da..773c7db22f 100755 --- a/docker/complement/conf/start_for_complement.sh +++ b/docker/complement/conf/start_for_complement.sh @@ -73,14 +73,30 @@ fi # Generate a TLS key, then generate a certificate by having Complement's CA sign it # Note that both the key and certificate are in PEM format (not DER). + +# First generate a configuration file to set up a Subject Alternative Name. +cat > /conf/server.tls.conf <<EOF +.include /etc/ssl/openssl.cnf + +[SAN] +subjectAltName=DNS:${SERVER_NAME} +EOF + +# Generate an RSA key openssl genrsa -out /conf/server.tls.key 2048 -openssl req -new -key /conf/server.tls.key -out /conf/server.tls.csr \ - -subj "/CN=${SERVER_NAME}" +# Generate a certificate signing request +openssl req -new -config /conf/server.tls.conf -key /conf/server.tls.key -out /conf/server.tls.csr \ + -subj "/CN=${SERVER_NAME}" -reqexts SAN +# Make the Complement Certificate Authority sign and generate a certificate. openssl x509 -req -in /conf/server.tls.csr \ -CA /complement/ca/ca.crt -CAkey /complement/ca/ca.key -set_serial 1 \ - -out /conf/server.tls.crt + -out /conf/server.tls.crt -extfile /conf/server.tls.conf -extensions SAN + +# Assert that we have a Subject Alternative Name in the certificate. +# (grep will exit with 1 here if there isn't a SAN in the certificate.) +openssl x509 -in /conf/server.tls.crt -noout -text | grep DNS: export SYNAPSE_TLS_CERT=/conf/server.tls.crt export SYNAPSE_TLS_KEY=/conf/server.tls.key |