diff options
| -rw-r--r-- | changelog.d/13071.misc | 1 | ||||
| -rwxr-xr-x | docker/complement/conf/start_for_complement.sh | 22 |
2 files changed, 20 insertions, 3 deletions
diff --git a/changelog.d/13071.misc b/changelog.d/13071.misc new file mode 100644 index 0000000000..a6e1e6b3a8 --- /dev/null +++ b/changelog.d/13071.misc @@ -0,0 +1 @@ +Add a Subject Alternative Name to the certificate generated for Complement tests. \ No newline at end of file diff --git a/docker/complement/conf/start_for_complement.sh b/docker/complement/conf/start_for_complement.sh index 65da99b8da..773c7db22f 100755 --- a/docker/complement/conf/start_for_complement.sh +++ b/docker/complement/conf/start_for_complement.sh @@ -73,14 +73,30 @@ fi # Generate a TLS key, then generate a certificate by having Complement's CA sign it # Note that both the key and certificate are in PEM format (not DER). + +# First generate a configuration file to set up a Subject Alternative Name. +cat > /conf/server.tls.conf <<EOF +.include /etc/ssl/openssl.cnf + +[SAN] +subjectAltName=DNS:${SERVER_NAME} +EOF + +# Generate an RSA key openssl genrsa -out /conf/server.tls.key 2048 -openssl req -new -key /conf/server.tls.key -out /conf/server.tls.csr \ - -subj "/CN=${SERVER_NAME}" +# Generate a certificate signing request +openssl req -new -config /conf/server.tls.conf -key /conf/server.tls.key -out /conf/server.tls.csr \ + -subj "/CN=${SERVER_NAME}" -reqexts SAN +# Make the Complement Certificate Authority sign and generate a certificate. openssl x509 -req -in /conf/server.tls.csr \ -CA /complement/ca/ca.crt -CAkey /complement/ca/ca.key -set_serial 1 \ - -out /conf/server.tls.crt + -out /conf/server.tls.crt -extfile /conf/server.tls.conf -extensions SAN + +# Assert that we have a Subject Alternative Name in the certificate. +# (grep will exit with 1 here if there isn't a SAN in the certificate.) +openssl x509 -in /conf/server.tls.crt -noout -text | grep DNS: export SYNAPSE_TLS_CERT=/conf/server.tls.crt export SYNAPSE_TLS_KEY=/conf/server.tls.key |