tls: allow to add ip addresses as Subject Alternative Names when creating certificates (#5602)

2019-04-04 14:32:02 +02:00 · 2019-04-04 14:32:02 +02:00 · fe938e6e28
parent cb0b9665df
commit fe938e6e28
3 changed files with 29 additions and 18 deletions
--- a/command/tls/cert/create/tls_cert_create.go
+++ b/command/tls/cert/create/tls_cert_create.go
@ -21,19 +21,20 @@ func New(ui cli.Ui) *cmd {
 }

 type cmd struct {
-	UI       cli.Ui
-	flags    *flag.FlagSet
-	ca       string
-	key      string
-	server   bool
-	client   bool
-	cli      bool
-	dc       string
-	days     int
-	domain   string
-	help     string
-	dnsnames flags.AppendSliceValue
-	prefix   string
+	UI          cli.Ui
+	flags       *flag.FlagSet
+	ca          string
+	key         string
+	server      bool
+	client      bool
+	cli         bool
+	dc          string
+	days        int
+	domain      string
+	help        string
+	dnsnames    flags.AppendSliceValue
+	ipaddresses flags.AppendSliceValue
+	prefix      string
 }

 func (c *cmd) init() {
@ -47,7 +48,9 @@ func (c *cmd) init() {
 	c.flags.StringVar(&c.dc, "dc", "dc1", "Provide the datacenter. Matters only for -server certificates. Defaults to dc1.")
 	c.flags.StringVar(&c.domain, "domain", "consul", "Provide the domain. Matters only for -server certificates.")
 	c.flags.Var(&c.dnsnames, "additional-dnsname", "Provide an additional dnsname for Subject Alternative Names. "+
-		"127.0.0.1 and localhost are always included. This flag may be provided multiple times.")
+		"localhost is always included. This flag may be provided multiple times.")
+	c.flags.Var(&c.ipaddresses, "additional-ipaddress", "Provide an additional ipaddress for Subject Alternative Names. "+
+		"127.0.0.1 is always included. This flag may be provided multiple times.")
 	c.help = flags.Usage(help, c.flags)
 }

@ -86,16 +89,22 @@ func (c *cmd) Run(args []string) int {
 		}
 	}

+	for _, i := range c.ipaddresses {
+		if len(i) > 0 {
+			IPAddresses = append(IPAddresses, net.ParseIP(strings.TrimSpace(i)))
+		}
+	}
+
 	if c.server {
 		name = fmt.Sprintf("server.%s.%s", c.dc, c.domain)
 		DNSNames = append(DNSNames, []string{name, "localhost"}...)
-		IPAddresses = []net.IP{net.ParseIP("127.0.0.1")}
+		IPAddresses = append(IPAddresses, net.ParseIP("127.0.0.1"))
 		extKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
 		prefix = fmt.Sprintf("%s-server-%s", c.dc, c.domain)
 	} else if c.client {
 		name = fmt.Sprintf("client.%s.%s", c.dc, c.domain)
 		DNSNames = append(DNSNames, []string{name, "localhost"}...)
-		IPAddresses = []net.IP{net.ParseIP("127.0.0.1")}
+		IPAddresses = append(IPAddresses, net.ParseIP("127.0.0.1"))
 		extKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
 		prefix = fmt.Sprintf("%s-client-%s", c.dc, c.domain)
 	} else if c.cli {
--- a/website/source/docs/commands/tls/cert.html.md.erb
+++ b/website/source/docs/commands/tls/cert.html.md.erb
@ -51,6 +51,8 @@ Usage: `consul tls cert create [filename-prefix] [options]`

 - `-additional-dnsname=<string>` - Provide additional dnsname for Subject Alternative Names.

+- `-additional-ipaddress=<string>` - Provide additional ipaddress for Subject Alternative Names.
+
 - `-ca=<string>` - Provide path to the ca

 - `-cli` - Generate cli certificate
--- a/website/source/docs/guides/creating-certificates.html.md
+++ b/website/source/docs/guides/creating-certificates.html.md
@ -281,8 +281,8 @@ respond as expected.
 Using `localhost` and `127.0.0.1` as `Subject Alternative Names` in server
 and client certificates allows tools like `curl` to be able to communicate with
 Consul's HTTPS API when run on the same host. Other SANs may be added during
-server/client certificates creation with `-additional-dnsname` to allow remote
-HTTPS requests from other hosts.
+server/client certificates creation with `-additional-dnsname` or 
+`-additional-ipaddress`to allow remote HTTPS requests from other hosts.

 ## Configuring the Consul UI for HTTPS