extenginx: update self-signed key to use subjectAltName

Signed-off-by: Joel Savitz <[email protected]>
underground-software · Feb 21, 2025 · b3a63f9 · b3a63f9
1 parent c18a131
commit b3a63f9
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 10 deletions.
diff --git a/extenginx/Containerfile b/extenginx/Containerfile
@@ -5,30 +5,35 @@ RUN apk update && apk upgrade && apk add \
     openssl \
     ;
 
+
+ARG NGINX_HOSTNAME=localhost
+
 RUN mkdir /etc/ssl/nginx && \
 	cd /etc/ssl/nginx && \
 	openssl \
 		genpkey \
 		-genparam \
 		-algorithm DH \
 		-pkeyopt dh_paramgen_prime_len:2048 \
-		-out ssl-dhparams.pem \
+		-out ssl-dhparams.pem && \
+	 printf "[req]\n \
+distinguished_name=req\n \
+[ v3_ext ]\n \
+subjectAltName=DNS:${NGINX_HOSTNAME},IP:127.0.0.1\n" > openssl.cnf \
 	&& \
 	:
 
-ARG NGINX_HOSTNAME=localhost
-
 RUN cd /etc/ssl/nginx && \
-	openssl \
-		req \
-		-sha256 \
-		-newkey rsa:4096 \
+	openssl req \
 		-x509 \
+		-nodes \
 		-days 133337 \
-		-subj "/CN=${NGINX_HOSTNAME}" \
-		-noenc \
+		-newkey rsa:2048 \
 		-keyout privkey.pem \
 		-out fullchain.pem \
+		-subj "/CN=${NGINX_HOSTNAME}" \
+		-extensions v3_ext \
+		-config openssl.cnf \
 	&& \
 	:
 

diff --git a/test/general_test.py b/test/general_test.py
@@ -39,7 +39,7 @@ def _new_conn(self):
         """Create a new wrapped SSL connection over a Unix domain socket."""
         sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
         sock.connect(self.unix_socket_path)
-        return self.ssl_context.wrap_socket(sock, server_hostname="localhost")
+        return self.ssl_context.wrap_socket(sock, server_hostname="localhost.localdomain")
 
 
 class SSLUnixSocketConnectionPool(HTTPConnectionPool):