aljaz/aperture
1
1
Fork 0
mirror of https://github.com/lightninglabs/aperture.git synced 2025-12-17 00:54:20 +01:00
Code Issues Packages Projects Releases Wiki Activity

aperture: filter empty TLS SAN hostnames

Browse Source 
Go 1.25 tightened x509 validation and now rejects empty dNSName entries, causing
the default self-signed cert generation to fail when ServerName is left unset
(`x509: SAN dNSName is malformed`). Filter out empty host names before calling
cert.GenCertPair and reuse the same SAN list when renewing, allowing the default
config to keep working. Add a unit test that reproduces the failure.
This commit is contained in:
Boris Nagaev
2025-11-26 13:54:35 -03:00
parent fc00f171a8
commit e9515c1ddd
2 changed files with 28 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
aperture.go
View File

@@ -693,7 +693,15 @@ func getTLSConfig(serverName, baseDir string, autoCert bool) (
// exist).
tlsKeyFile := filepath.Join(apertureDir, defaultTLSKeyFilename)
tlsCertFile := filepath.Join(apertureDir, defaultTLSCertFilename)
tlsExtraDomains := []string{serverName}
// Go 1.25 tightened x509 SAN validation and now rejects empty dNSName
// entries (`x509: SAN dNSName is malformed`). When users rely on the
// default config (no server name), we still want to generate a usable
// self-signed cert, so we only append non-empty hostnames.
var tlsExtraDomains []string
if serverName != "" {
tlsExtraDomains = append(tlsExtraDomains, serverName)
}
if !fileExists(tlsCertFile) && !fileExists(tlsKeyFile) {
log.Infof("Generating TLS certificates...")
certBytes, keyBytes, err := cert.GenCertPair(
@@ -754,7 +762,7 @@ func getTLSConfig(serverName, baseDir string, autoCert bool) (
log.Infof("Renewing TLS certificates...")
certBytes, keyBytes, err := cert.GenCertPair(
selfSignedCertOrganization, nil, nil, false,
selfSignedCertOrganization, nil, tlsExtraDomains, false,
selfSignedCertValidity,
)
if err != nil {

18
aperture_test.go Normal file
View File

@@ -0,0 +1,18 @@
package aperture
import (
"testing"
"github.com/stretchr/testify/require"
)
// TestGetTLSConfigAllowsEmptyServerName ensures that generating a default
// self-signed TLS cert without a server name succeeds. This used to work
// before Go 1.25 tightened SAN validation, so we rely on Aperture handling it.
func TestGetTLSConfigAllowsEmptyServerName(t *testing.T) {
t.Parallel()
cfg, err := getTLSConfig("", t.TempDir(), false)
require.NoError(t, err)
require.NotNil(t, cfg)
}