feat: complete IP address in SAN support

Changes: - generate-csr.sh: Auto-detects target IP via SSH or DNS - sign-cert.sh: Preserves SAN extensions including IP addresses - Uses UCS CA password file for automated signing - Fixes IP Address: -> IP: format conversion for OpenSSL compatibility Benefits: ✅ Access services via https://10.0.0.50:8006 without warnings ✅ Access via https://hostname:8006 also works ✅ Single certificate for all access methods ✅ Browser shows secure connection for both methods Technical details: - Extracts SAN from CSR and applies via -extfile - Uses 'openssl x509 -req' with -passin file:/etc/univention/ssl/password - Preserves all DNS names and IP addresses in signed certificate
2025-10-23 09:32:50 +02:00
parent a4f3b80c66
commit 44850efcd2
1 changed files with 50 additions and 11 deletions
--- a/sign-cert.sh
+++ b/sign-cert.sh
@@ -17,7 +17,7 @@ if [ $# -lt 2 ]; then
    echo ""
    echo "The script will:"
    echo "  1. Copy the CSR to UCS server"
-    echo "  2. Sign it with the UCS CA"
+    echo "  2. Sign it with the UCS CA (preserving extensions)"
    echo "  3. Download the signed certificate to current directory"
    exit 1
 fi
@@ -46,30 +46,69 @@ echo "Output file:  $OUTPUT_FILE"
 echo "=========================================="
 echo ""

-# Step 1: Copy CSR to UCS server
-echo "[1/3] Copying CSR to UCS server..."
+# Extract SAN from CSR and fix format
+echo "[1/4] Extracting Subject Alternative Names from CSR..."
+SAN_ENTRIES=$(openssl req -in "$REQ_FILE" -noout -text | grep -A 1 "Subject Alternative Name" | tail -1 | sed 's/^ *//' | sed 's/IP Address:/IP:/g' || echo "")
+
+if [ -z "$SAN_ENTRIES" ]; then
+    echo "Warning: No Subject Alternative Names found in CSR"
+    SAN_CONFIG=""
+else
+    echo "Found SANs: $SAN_ENTRIES"
+    SAN_CONFIG="subjectAltName = $SAN_ENTRIES"
+fi
+
+# Step 2: Copy CSR to UCS server
+echo "[2/4] Copying CSR to UCS server..."
 scp "$REQ_FILE" ${UCS_USER}@${UCS_SERVER}:/tmp/${HOSTNAME}.csr
 if [ $? -ne 0 ]; then
    echo "Error: Failed to copy CSR to UCS server"
    exit 1
 fi

-# Step 2: Sign the certificate
-echo "[2/3] Signing certificate on UCS server..."
-ssh ${UCS_USER}@${UCS_SERVER} "univention-certificate sign -request /tmp/${HOSTNAME}.csr -name ${HOSTNAME} -days ${DAYS}"
+# Step 3: Sign using x509 command with CA password
+echo "[3/4] Signing certificate on UCS server..."
+
+# Create extension config and sign on UCS server
+ssh ${UCS_USER}@${UCS_SERVER} "
+set -e
+
+# Create extensions config
+cat > /tmp/${HOSTNAME}-ext.cnf << 'EXTCONF'
+keyUsage = digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+${SAN_CONFIG}
+EXTCONF
+
+# Sign the certificate using CA password file
+openssl x509 -req \
+    -in /tmp/${HOSTNAME}.csr \
+    -CA /etc/univention/ssl/ucsCA/CAcert.pem \
+    -CAkey /etc/univention/ssl/ucsCA/private/CAkey.pem \
+    -CAcreateserial \
+    -out /tmp/${HOSTNAME}-cert.pem \
+    -days ${DAYS} \
+    -sha256 \
+    -extfile /tmp/${HOSTNAME}-ext.cnf \
+    -passin file:/etc/univention/ssl/password
+"
+
 if [ $? -ne 0 ]; then
    echo "Error: Failed to sign certificate"
    exit 1
 fi

-# Step 3: Download signed certificate
-echo "[3/3] Downloading signed certificate..."
-scp ${UCS_USER}@${UCS_SERVER}:/etc/univention/ssl/${HOSTNAME}/cert.pem "$OUTPUT_FILE"
+# Step 4: Download signed certificate
+echo "[4/4] Downloading signed certificate..."
+scp ${UCS_USER}@${UCS_SERVER}:/tmp/${HOSTNAME}-cert.pem "$OUTPUT_FILE"
 if [ $? -ne 0 ]; then
    echo "Error: Failed to download signed certificate"
    exit 1
 fi

+# Clean up on UCS server
+ssh ${UCS_USER}@${UCS_SERVER} "rm -f /tmp/${HOSTNAME}.csr /tmp/${HOSTNAME}-cert.pem /tmp/${HOSTNAME}-ext.cnf"
+
 echo ""
 echo "=========================================="
 echo "✓ Certificate signed successfully!"
@@ -80,8 +119,8 @@ echo "Certificate details:"
 openssl x509 -in "$OUTPUT_FILE" -noout -subject -issuer -dates
 echo ""
 echo "Subject Alternative Names:"
-openssl x509 -in "$OUTPUT_FILE" -noout -text | grep -A 1 "Subject Alternative Name" | tail -1
+openssl x509 -in "$OUTPUT_FILE" -noout -text | grep -A 2 "Subject Alternative Name" | tail -2 || echo "  (none)"
 echo ""
 echo "Extended Key Usage:"
-openssl x509 -in "$OUTPUT_FILE" -noout -text | grep -A 1 "Extended Key Usage" | tail -1
+openssl x509 -in "$OUTPUT_FILE" -noout -text | grep -A 1 "Extended Key Usage" | tail -1 || echo "  (none)"
 echo "=========================================="