| author | Paul Buetow <paul@buetow.org> | 2026-01-29 09:23:27 +0200 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2026-01-29 09:23:27 +0200 |
| commit | 1ce56549f1d5dc11022e827c365bf68719e6ffac (patch) | |
| tree | 11204d90bce7e6cf21e21e3ed8b91fd5f743e198 /frontends | |
| parent | a555c5040738a6ed100ca59dc01f7161a45705ab (diff) | |
Include ipv4/ipv6 subdomains as SANs in parent cert
Amp-Thread-ID: https://ampcode.com/threads/T-019c086d-c760-779d-b740-0f748094b62a
Co-authored-by: Amp <amp@ampcode.com>
Diffstat (limited to 'frontends')
| -rw-r--r-- | frontends/etc/acme-client.conf.tpl | 16 | ||||
| -rw-r--r-- | frontends/etc/relayd.conf.tpl | 5 |
2 files changed, 18 insertions, 3 deletions
diff --git a/frontends/etc/acme-client.conf.tpl b/frontends/etc/acme-client.conf.tpl
index 12dd9d4..473fae3 100644
--- a/frontends/etc/acme-client.conf.tpl
+++ b/frontends/etc/acme-client.conf.tpl
@@ -24,9 +24,21 @@ authority buypass-test {
 }
 <% for my $host (@$acme_hosts) {
- next if $host eq 'blowfish.buetow.org' or $host eq 'fishfinger.buetow.org'; -%>
+ next if $host eq 'blowfish.buetow.org' or $host eq 'fishfinger.buetow.org';
+ # Skip ipv4/ipv6 subdomains - they're included as SANs in parent cert
+ next if $host =~ /^(ipv4|ipv6)\./;
+-%>
+<% # Check if this host has ipv4/ipv6 subdomains that need to be included as SANs
+ my @alt_names = ("www.$host");
+ for my $sub_host (@$acme_hosts) {
+ if ($sub_host =~ /^(ipv4|ipv6)\.\Q$host\E$/) {
+ push @alt_names, $sub_host;
+ }
+ }
+ my $alt_names_str = join(' ', @alt_names);
+-%>
 domain <%= $host %> {
- alternative names { www.<%= $host %> }
+ alternative names { <%= $alt_names_str %> }
 domain key "/etc/ssl/private/<%= $host %>.key"
 domain full chain certificate "/etc/ssl/<%= $host %>.fullchain.pem"
 sign with letsencrypt
diff --git a/frontends/etc/relayd.conf.tpl b/frontends/etc/relayd.conf.tpl
index 88467bd..3a76edb 100644
--- a/frontends/etc/relayd.conf.tpl
+++ b/frontends/etc/relayd.conf.tpl
@@ -24,7 +24,10 @@ table <localhost> {
 http protocol "https" {
 <% for my $host (@$acme_hosts) {
 # Skip server hostnames - each server only has its own cert, handled by dedicated keypair below
- next if $host eq 'blowfish.buetow.org' or $host eq 'fishfinger.buetow.org'; -%>
+ next if $host eq 'blowfish.buetow.org' or $host eq 'fishfinger.buetow.org';
+ # Skip ipv4/ipv6 subdomains - they use the parent cert as SANs
+ next if $host =~ /^(ipv4|ipv6)\./;
+ -%>
 tls keypair <%= $host %>
 <% unless (grep { $_ eq $host } @$f3s_hosts) { -%>
 tls keypair standby.<%= $host %> |
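Review bot: The new `next if $host =~ /^(ipv4|ipv6)\./;` skip in acme-client.conf.tpl is unconditional, so an `ipv4.`/`ipv6.` entry in @$acme_hosts whose parent name is not also listed is silently dropped from the generated config and ends up with no certificate at all, because the SAN loop below only runs for the parent. Only skip when the parent is actually issued here, e.g. `next if $host =~ /^(?:ipv4|ipv6)\.(.+)\z/ and grep { $_ eq $1 } @$acme_hosts;` with the comment `# Skip ipv4/ipv6 subdomains only when their parent is issued here (they ride as SANs on it)`. In the same spirit, `\Q$host\E$` in the SAN match would be `\Q$host\E\z`, since `$` also matches before a trailing newline should the host list ever come from a file. Worth a line of documentation on the unchanged `domain key` line too: the parent's `/etc/ssl/private/<host>.key` now authenticates the ipv4/ipv6 names as well, so its blast radius is wider than before.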
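Review bot: Dropping the `tls keypair ipv4.<host>` / `tls keypair ipv6.<host>` lines from relayd.conf.tpl takes effect on the next relayd reload, but the parent certificate on disk only gains those SANs once acme-client re-issues it, and acme-client normally renews only near expiry unless forced, so there is presumably a window in which SNI for ipv4./ipv6. names matches no loaded keypair; the commit message should say that a forced re-issue of the parent certs must precede the relayd reload, or the skip should be gated on the parent cert already carrying the SANs. The skip is also unconditional and does not check that the parent is in @$acme_hosts; mirroring the acme-client template with `next if $host =~ /^(?:ipv4|ipv6)\.(.+)\z/ and grep { $_ eq $1 } @$acme_hosts;` keeps a standalone ipv4./ipv6. entry servable rather than silently unconfigured. Serving these names from the parent keypair relies on relayd/libtls selecting the keypair by SAN match against the client's SNI, which looks like the intent but is not visible in the hunk; confirm with `openssl s_client -servername ipv4.<host>` after the renewal. The enclosing `http protocol "https"` block starts before and continues past the hunk.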
