Diffstat (limited to 'sign-request.in')
-rwxr-xr-x | sign-request.in | 26 |
1 files changed, 22 insertions, 4 deletions
diff --git a/sign-request.in b/sign-request.in
index 331815f..191bbea 100755
--- a/sign-request.in
+++ b/sign-request.in
@@ -87,13 +87,31 @@ while read -r csr; do
 ok_sans=$(
 printf '%s\n' "${cn}" "${sans}" \
 | while read -r san; do
- if ! curl --connect-timeout 10 -Ss --insecure "${csr%%://*}"'://'"${san}/${csr#*//*/}" \
- | diff -q - "${csr_local}"; then
+ resolved=false
+ for address in $(
+ dig +short "${san}" A \
+ | grep -x '\([0-9]\+\.\)\{3\}[0-9]\+'
+ dig +short "${san}" AAAA \
+ | grep -x '[0-9a-f:]\+' \
+ | sed 's/^.*$/[\0]/'
+ ); do
+ if curl -Ss \
+ --resolve "${san}:80:${address}" \
+ --resolve "${san}:443:${address}" \
+ --connect-timeout 10 \
+ --insecure \
+ "${csr%%://*}"'://'"${san}/${csr#*//*/}" \
+ | diff -q - "${csr_local}"; then
+ resolved=true
+ break
+ fi
+ done
+ if ${resolved}; then
+ printf '%s\n' "${san}"
+ else
 >&2 printf 'invalid san "%s" - skipping\n' "${san}"
 rm "${csr_local}"
- break
 fi
- printf '%s\n' "${san}"
 done
 )
 if [ ! -f "${csr_local}" ]; then |
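Review bot: `${san}` reaches `dig +short "${san}" A` and the AAAA query with no visible check, and it appears to come from the submitted CSR, so a value starting with `@`, `+` or `-` would be read by dig as a server or an option rather than a name; unless it is validated earlier outside the hunk, reject anything empty or containing characters outside `[A-Za-z0-9.-]` before the `for address` loop and route it to the `invalid san` branch. Separately, dropping `break` from the failure branch means the `while read -r san` loop keeps going after `rm "${csr_local}"`: every later SAN is still resolved and fetched, `diff -q` then compares against a missing file, and each one is logged as invalid along with a second `rm` error. Keeping `break` after the `rm`, or at least using `rm -f "${csr_local}"`, avoids the misleading log lines and the extra outbound requests. The `\0` in `sed 's/^.*$/[\0]/'` is a GNU extension; `sed 's/.*/[&]/'` is the portable form. The enclosing `while read -r csr` loop begins and ends outside the hunk.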