Allow IP-based subject alt names

... even when no other subject alt names provided

Previously, a non-voting job in barbican's gate would fail with something like

X509 V3 routines:X509V3_parse_list:invalid null name:v3_utl.c:319:
X509 V3 routines:DO_EXT_NCONF:invalid extension string:v3_conf.c:140:name=subjectAltName,section=DNS:pykmip-server,,IP:198.72.124.103
X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:95:name=subjectAltName, value=DNS:pykmip-server,,IP:198.72.124.103

because we'd have an invalid empty string.

Change-Id: I5459b8976539924cd6cc6c1e681b6753a76b804c

Tim Burke authored on 2018/12/01 07:40:12
Showing 1 changed files
@@ -252,7 +252,11 @@ function make_cert {
252 252
 
253 253
     if [ "$common_name" != "$SERVICE_HOST" ]; then
254 254
         if is_ipv4_address "$SERVICE_HOST" ; then
255
-            alt_names="$alt_names,IP:$SERVICE_HOST"
255
+            if [[ -z "$alt_names" ]]; then
256
+                alt_names="IP:$SERVICE_HOST"
257
+            else
258
+                alt_names="$alt_names,IP:$SERVICE_HOST"
259
+            fi
256 260
         fi
257 261
     fi
258 262
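Review bot: The new if/else around the alt_names assignment repeats the IP:$SERVICE_HOST literal in both branches, so the two can drift apart later. A single assignment using parameter expansion, alt_names="${alt_names:+$alt_names,}IP:$SERVICE_HOST", yields the same value for both the empty and the non-empty case. A short comment above it noting that an empty entry in the list makes OpenSSL reject the subjectAltName value (the "invalid null name" error quoted in the commit message) would make the reason for the special case clear to the next reader.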