Correct CN field certificate (!3) · Merge requests · Neutrinet / renew_cert

Tharyrok requested to merge fix/correct-cn-certificates into master Apr 13, 2020

For ispng to recognize the certificate as a renewal and not as a new client, the CN field of the certificate must match.

When the CN changes, ISPng can become crazy and not recognize the client. Instead, it will create a brand new IPv6-only client.

The idea is to retrieve the CN from ISPng for the first IPv4 client that we find.
If there isn't any IPv4 client, then we retrieve the CN from the first IPv6-only client.
Otherwise, we set the CN to the user's login.

This MR introduces some new arguments:

-f --force: Force the certificate renewal, even when it's not needed
-e --email: Set the certificate's email. This might be useful for debugging.
-n --common_name: Set the certificate's CN. With this argument, we can override the CN discovery described above, which might be useful for debugging.

A bug might still occur if the user has more than one IPv4 clients... A workaround would be to search a client with the current tun0 IP, but we don't really know if this case actually exists...

Edited Apr 25, 2020 by HgO

Correct CN field certificate

Merge request reports