From 85c4ec56541c59fabdffda19961bd95faf4a0b7b Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Mon, 29 Mar 2021 14:29:42 -0400
Subject: [PATCH] Skip fqdn in cert generation

There are scenarios where getqfdn can induce a hang. The certificate having FQDN isn't that useful anyway, since confluent never uses it and external use of it may need more carefully crafted certificate to have a good chance of matching it anyway. Also, the chances a user would import our cert as a CA to something like a browser are low.

---
 confluent_server/confluent/certutil.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/confluent_server/confluent/certutil.py b/confluent_server/confluent/certutil.py
index b5b8af20..373680aa 100644
--- a/confluent_server/confluent/certutil.py
+++ b/confluent_server/confluent/certutil.py
@@ -72,7 +72,7 @@ def create_certificate(keyout=None, certout=None):
     if not keyout:
         raise Exception('Unable to locate TLS certificate path automatically')
     shortname = socket.gethostname().split('.')[0]
-    longname = socket.getfqdn()
+    longname = shortname # socket.getfqdn()
     subprocess.check_call(
         ['openssl', 'ecparam', '-name', 'secp384r1', '-genkey', '-out', keyout])
@@ -81,7 +81,7 @@ def create_certificate(keyout=None, certout=None):
     # there exists non-compliant clients that fail with them as IP
     san.extend(['DNS:{0}'.format(x) for x in get_ip_addresses()])
     san.append('DNS:{0}'.format(shortname))
-    san.append('DNS:{0}'.format(longname))
+    #san.append('DNS:{0}'.format(longname))
     san = ','.join(san)
     sslcfg = get_openssl_conf_location()
     tmpconfig = tempfile.mktemp()
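Review bot: `longname = shortname # socket.getfqdn()` leaves `longname` as an alias that nothing on the new side uses (its only consumer, the SAN append in the second hunk, is now commented out), and the trailing `# socket.getfqdn()` is commented-out code rather than a reason. Drop the assignment and keep the rationale as a why-comment beside `shortname`, e.g. `# socket.getfqdn() is deliberately not called: its reverse-DNS lookup can hang indefinitely`, so the call is not quietly reintroduced later. Since the certificate now only ever names the short hostname, that consequence belongs in the create_certificate docstring: a client that verifies this certificate against the host's FQDN will see a name mismatch. create_certificate begins and continues outside this hunk.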
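Review bot: `#san.append('DNS:{0}'.format(longname))` is commented-out code; delete the line and replace it with a comment that records why the FQDN SAN is omitted, e.g. `# No FQDN SAN on purpose: socket.getfqdn() can hang on reverse DNS and confluent never matches on it`. The remaining SANs are the IP addresses encoded as DNS entries plus the short name, so anyone pointing a verifying client at this host by FQDN should expect a hostname-verification failure, and that is worth saying near the `san` construction. Not introduced by this commit but visible in context, `tmpconfig = tempfile.mktemp()` on the last line is the race-prone API; `tempfile.mkstemp()` or `NamedTemporaryFile` would close the predictable-name window for whatever is presumably written to that path next, as a follow-up. create_certificate continues past the end of this hunk.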