authorErich Eckner <git@eckner.net>2020-03-12 11:35:55 +0100
committerErich Eckner <git@eckner.net>2020-03-12 11:36:20 +0100
commitf54344c044c60d6510efaee3fa1fd3e7e2bed825 (patch)
tree6e3d6fbdfc6bda9dba28d71bcfc568082e5eec35
parent3618806fe36159b877a77ced032f1620fe653a03 (diff)
downloadsimple-pki-f54344c044c60d6510efaee3fa1fd3e7e2bed825.tar.xz
sign-request: check *all* addresses of a given san - one working address is sufficient
-rwxr-xr-xsign-request.in26
1 files changed, 22 insertions, 4 deletions
diff --git a/sign-request.in b/sign-request.in
index 331815f..191bbea 100755
--- a/sign-request.in
+++ b/sign-request.in
@@ -87,13 +87,31 @@ while read -r csr; do
ok_sans=$(
printf '%s\n' "${cn}" "${sans}" \
| while read -r san; do
- if ! curl --connect-timeout 10 -Ss --insecure "${csr%%://*}"'://'"${san}/${csr#*//*/}" \
- | diff -q - "${csr_local}"; then
+ resolved=false
+ for address in $(
+ dig +short "${san}" A \
+ | grep -x '\([0-9]\+\.\)\{3\}[0-9]\+'
+ dig +short "${san}" AAAA \
+ | grep -x '[0-9a-f:]\+' \
+ | sed 's/^.*$/[\0]/'
+ ); do
+ if curl -Ss \
+ --resolve "${san}:80:${address}" \
+ --resolve "${san}:443:${address}" \
+ --connect-timeout 10 \
+ --insecure \
+ "${csr%%://*}"'://'"${san}/${csr#*//*/}" \
+ | diff -q - "${csr_local}"; then
+ resolved=true
+ break
+ fi
+ done
+ if ${resolved}; then
+ printf '%s\n' "${san}"
+ else
>&2 printf 'invalid san "%s" - skipping\n' "${san}"
rm "${csr_local}"
- break
fi
- printf '%s\n' "${san}"
done
)
if [ ! -f "${csr_local}" ]; then
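Review bot: With the `break` dropped from the failure branch (old line 49), a CSR whose second SAN also fails now runs `rm "${csr_local}"` against a file the first failure already deleted, so rm reports an error and returns non-zero; if the surrounding script runs under `set -e`, that could end the while loop early inside the `ok_sans` subshell. Make the removal idempotent, `rm -f -- "${csr_local}"`, or guard it with `[ -f "${csr_local}" ] && rm -- "${csr_local}"`. Separately, the new curl invocation only bounds the connect phase with `--connect-timeout 10`; an address that accepts the connection and then stalls can hold the check for that SAN indefinitely, so an overall `--max-time` (for example `--max-time 30`) keeps one unresponsive address from blocking the remaining addresses and SANs. The enclosing `while read -r csr` loop starts before and ends after this hunk.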