author | Erich Eckner <git@eckner.net> | 2020-03-12 11:35:55 +0100 |
---|---|---|
committer | Erich Eckner <git@eckner.net> | 2020-03-12 11:36:20 +0100 |
commit | f54344c044c60d6510efaee3fa1fd3e7e2bed825 (patch) | |
tree | 6e3d6fbdfc6bda9dba28d71bcfc568082e5eec35 | |
parent | 3618806fe36159b877a77ced032f1620fe653a03 (diff) | |
download | simple-pki-f54344c044c60d6510efaee3fa1fd3e7e2bed825.tar.xz |
sign-request: check *all* addresses of a given san - one working address is sufficient
-rwxr-xr-x | sign-request.in | 26 |
1 files changed, 22 insertions, 4 deletions
diff --git a/sign-request.in b/sign-request.in
index 331815f..191bbea 100755
--- a/sign-request.in
+++ b/sign-request.in
@@ -87,13 +87,31 @@ while read -r csr; do
 ok_sans=$(
 printf '%s\n' "${cn}" "${sans}" \
 | while read -r san; do
- if ! curl --connect-timeout 10 -Ss --insecure "${csr%%://*}"'://'"${san}/${csr#*//*/}" \
- | diff -q - "${csr_local}"; then
+ resolved=false
+ for address in $(
+ dig +short "${san}" A \
+ | grep -x '\([0-9]\+\.\)\{3\}[0-9]\+'
+ dig +short "${san}" AAAA \
+ | grep -x '[0-9a-f:]\+' \
+ | sed 's/^.*$/[\0]/'
+ ); do
+ if curl -Ss \
+ --resolve "${san}:80:${address}" \
+ --resolve "${san}:443:${address}" \
+ --connect-timeout 10 \
+ --insecure \
+ "${csr%%://*}"'://'"${san}/${csr#*//*/}" \
+ | diff -q - "${csr_local}"; then
+ resolved=true
+ break
+ fi
+ done
+ if ${resolved}; then
+ printf '%s\n' "${san}"
+ else
 >&2 printf 'invalid san "%s" - skipping\n' "${san}"
 rm "${csr_local}"
- break
 fi
- printf '%s\n' "${san}"
 done
 )
 if [ ! -f "${csr_local}" ]; then
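Review bot: Dropping the `break` from the failure branch while keeping `rm "${csr_local}"` means that once one SAN has no working address, every later SAN is still piped into `diff -q - "${csr_local}"` against a file that no longer exists and `rm` is attempted again, so each one emits a misleading `invalid san` line plus an rm error; restoring the early exit, `rm "${csr_local}"` followed by `break`, keeps the per-SAN "one working address is sufficient" change without that fallout (the `if [ ! -f "${csr_local}" ]` after the loop appears to be the reject signal, so the result is the same either way). The new `dig +short "${san}" A` / `AAAA` calls and the `--resolve "${san}:80:${address}"` strings take `${san}` straight from the request being signed, and a value beginning with `-` or containing `@` would be parsed by dig as an option or server name rather than a query name, so a hostname-syntax check before `resolved=false`, e.g. `case "${san}" in ''|-*|*[!A-Za-z0-9.-]*) >&2 printf 'invalid san "%s" - skipping\n' "${san}"; continue ;; esac`, is worth adding (adjust the class if wildcard names are accepted here). `if ${resolved}; then` executes the variable as a command and only works because it is always `true` or `false`; `if [ "${resolved}" = true ]; then` states the intent, and `sed 's/^.*$/[&]/'` avoids the GNU-only `\0` replacement. The enclosing `while read -r csr` loop starts and ends outside the hunk.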