From 047afbc09628f928810fd8ae6a3fee96acaaddad Mon Sep 17 00:00:00 2001
From: Xifeng Zou <90731+zouxifeng@users.noreply.github.com>
Date: Mon, 23 Oct 2023 16:23:34 +0800
Subject: [PATCH 1/2] add subjectAltName field into self signed certificate

Current install script only fills CN field with PUBLIC_HOST value. When trying to access api and provide the self signed certificate to verify server certificate, the request will fail with SSL: CERTIFICATE_VERIFY_FAILED error. To prevent this error, the install script should add "subjectAltName = IP.1:${PUBLIC_HOST}" when generating self signed certificate.

```python
import requests
requests.get('https://${API_PREFIX}/access-keys',verify='shadowbox-selfsigned.crt')
```
---
 src/server_manager/install_scripts/install_server.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/server_manager/install_scripts/install_server.sh b/src/server_manager/install_scripts/install_server.sh
index e2c125c62..9ff3dea72 100755
--- a/src/server_manager/install_scripts/install_server.sh
+++ b/src/server_manager/install_scripts/install_server.sh
@@ -265,6 +265,7 @@ function generate_certificate() {
 declare -a openssl_req_flags=(
 -x509 -nodes -days 36500 -newkey rsa:4096
 -subj "/CN=${PUBLIC_HOSTNAME}"
+ -addext "subjectAltName = IP.1:${PUBLIC_HOSTNAME}"
 -keyout "${SB_PRIVATE_KEY_FILE}" -out "${SB_CERTIFICATE_FILE}"
 )
 openssl req "${openssl_req_flags[@]}" >&2

From eb766ebdac40e0df262158f8d7c9b5ce52e92259 Mon Sep 17 00:00:00 2001
From: Xifeng Zou <90731+zouxifeng@users.noreply.github.com>
Date: Wed, 25 Oct 2023 12:25:50 +0800
Subject: [PATCH 2/2] add hostname into the self signed certificate use IP or DNS in SAN field

Use a regex to test whether input hostname is an IP address. If it's an IP address, use "IP" prefix. Otherwise, use "DNS".
---
 src/server_manager/install_scripts/install_server.sh | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
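Review bot: The `-addext` option on the added line is only understood by OpenSSL 1.1.1 and newer, so on a host whose `openssl` predates it the whole `openssl req` call fails and no certificate is written; the second patch's hunk keeps the same flag, so the point applies there too. If the script does not already check the installed OpenSSL version (not visible in this hunk), a guard before the call such as `openssl req -help 2>&1 | grep -q -- '-addext' || { printf 'openssl 1.1.1 or newer is required\n' >&2; exit 1; }` turns a confusing OpenSSL usage error into a clear install failure, or the SAN can be supplied through a temporary `-config` file for older releases. The hard-coded `IP.1:` prefix would yield an invalid SAN for a DNS-name PUBLIC_HOSTNAME, but the second patch already reworks that line. generate_certificate starts before this hunk.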
diff --git a/src/server_manager/install_scripts/install_server.sh b/src/server_manager/install_scripts/install_server.sh
index 9ff3dea72..747131f09 100755
--- a/src/server_manager/install_scripts/install_server.sh
+++ b/src/server_manager/install_scripts/install_server.sh
@@ -262,12 +262,20 @@ function generate_certificate() {
 local -r CERTIFICATE_NAME="${STATE_DIR}/shadowbox-selfsigned"
 readonly SB_CERTIFICATE_FILE="${CERTIFICATE_NAME}.crt"
 readonly SB_PRIVATE_KEY_FILE="${CERTIFICATE_NAME}.key"
+ local SAN_FIELD_PREFIX=""
+ if [[ ${PUBLIC_HOSTNAME} =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
+ SAN_FIELD_PREFIX="IP"
+ else
+ SAN_FIELD_PREFIX="DNS"
+ fi
+
 declare -a openssl_req_flags=(
 -x509 -nodes -days 36500 -newkey rsa:4096
 -subj "/CN=${PUBLIC_HOSTNAME}"
- -addext "subjectAltName = IP.1:${PUBLIC_HOSTNAME}"
+ -addext "subjectAltName=${SAN_FIELD_PREFIX}:${PUBLIC_HOSTNAME}"
 -keyout "${SB_PRIVATE_KEY_FILE}" -out "${SB_CERTIFICATE_FILE}"
 )
+
 openssl req "${openssl_req_flags[@]}" >&2
 }
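Review bot: The regex on the added `if` line recognises only IPv4 dotted quads, so an IPv6 PUBLIC_HOSTNAME (constructed example: `2001:db8::1`) falls through to the `else` branch and is emitted as `DNS:2001:db8::1`, which is not a valid DNS name and will not satisfy a client that verifies the server's IP against the SAN. Since a DNS name can never contain a colon, widening the test to `if [[ ${PUBLIC_HOSTNAME} =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ || ${PUBLIC_HOSTNAME} == *:* ]]; then` covers both address families without a full IPv6 grammar. As a point of style, `local SAN_FIELD_PREFIX=""` plus the `else` branch collapses to `local SAN_FIELD_PREFIX="DNS"` with the `if` only overriding to `IP`. Whether PUBLIC_HOSTNAME is validated before it reaches this function is not visible here; if it is not, a value containing `,` would add further SAN entries through `-addext`, so it is worth confirming at the call site. generate_certificate's start lies before this hunk.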