@mikegreen
Last active July 9, 2021 20:09
#!/usr/bin/env bash
# This should be run as root.
# Creates a self-signed certificate with the host's IP addresses as IP SANs,
# installs the certificate (never the private key) into the system CA store,
# and hands the key pair to Vault.
# Todo - see if we want to roll this into https://github.com/hashicorp/linux-packaging/blob/master/products/vault/scripts/postinst
set -eu

# Dump interfaces to a file to work with
# (ifconfig comes from net-tools; on hosts without it, `ip -o addr show` gives the same data)
ifconfig > ifconfig.txt

# Collect the addresses, excluding the IPv6 loopback for now.
# "inet" also matches the "inet6" lines; the address is the second field on both.
IPS=$(grep "inet" ifconfig.txt | grep -v "::1" | awk '{print $2}')
IP_COUNT=$(printf '%s\n' "$IPS" | wc -l)
echo "Found $IP_COUNT addresses"

# Put the IPs into the IP:1.1.1.1,IP:2.2.2.2 form openssl expects for subjectAltName
IP_LIST=$(printf '%s\n' "$IPS" | awk '{ out = out (NR > 1 ? "," : "") "IP:" $1 } END { print out }')
echo "$IP_LIST"
# >> IP:172.17.0.1,IP:192.168.1.230,IP:fe80::b699:baff:fe03:ebda,IP:127.0.0.1

# Generate the key and self-signed cert. openssl takes the SAN list straight
# from the variable; as long as the argument is quoted no intermediate
# openssl.sh script is needed.
openssl req -out tls.crt -new -keyout tls.key -newkey rsa:4096 -nodes -sha256 -x509 \
  -subj "/O=HashiCorp/CN=Vault" -days 1095 \
  -addext "subjectAltName = $IP_LIST"
chmod 600 tls.key

# Copy only the certificate to the system ca-certificates directory and update.
# The private key must not be copied there: that directory is world-readable
# and update-ca-certificates only processes .crt files anyway.
cp tls.crt /usr/local/share/ca-certificates/
update-ca-certificates

# Move cert and key to the Vault TLS folder, and set owner
mv tls.key tls.crt /opt/vault/tls/
chown -R vault:vault /opt/vault/tls/

# Display the cert (check the X509v3 Subject Alternative Name section)
openssl x509 -in /opt/vault/tls/tls.crt -text -noout

# Reload certs within Vault: on SIGHUP Vault re-reads its listener TLS files
killall -s SIGHUP vault
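The gist builds the SAN list by scraping ifconfig and verifies the result only by eyeballing `openssl x509 -text`. The script below is an added example, not part of mikegreen's gist: it derives the same `IP:...` list from `ip -o addr` output (iproute2, present where net-tools is not), generates the certificate with the gist's subject and lifetime, and then counts the IP SANs openssl actually wrote so the result can be checked mechanically. The `ip` output is a constructed sample embedded in the script so it runs offline; the function names (`san_from_ip_output`, `gen_self_signed`, `count_ip_sans`) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the gist: build the subjectAltName value from
# `ip -o addr` output, generate the cert, and check that the expected number
# of IP SANs actually landed in it.

# Constructed sample of `ip -o addr show` output, standing in for the real
# command so the script runs offline. On a live host use:
#   SANS=$(ip -o addr show | san_from_ip_output)
SAMPLE_IP_OUTPUT='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
1: lo    inet6 ::1/128 scope host \       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.230/24 brd 192.168.1.255 scope global dynamic eth0\       valid_lft 85906sec preferred_lft 85906sec
2: eth0    inet6 fe80::b699:baff:fe03:ebda/64 scope link \       valid_lft forever preferred_lft forever
3: docker0    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0\       valid_lft forever preferred_lft forever'

# san_from_ip_output: read `ip -o addr` lines on stdin and print the
# comma-separated "IP:addr" list openssl expects for subjectAltName.
# Field 3 is the family (inet/inet6), field 4 is "address/prefixlen".
# The IPv6 loopback is dropped (as in the gist); an address seen on more
# than one interface is emitted once.
san_from_ip_output() {
  awk '($3 == "inet" || $3 == "inet6") {
         split($4, a, "/"); addr = a[1]
         if (addr == "::1" || seen[addr]++) next
         out = out (out == "" ? "" : ",") "IP:" addr
       }
       END { print out }'
}

# gen_self_signed DIR SANLIST: write DIR/tls.key and DIR/tls.crt, a 3-year
# self-signed cert whose only identities are the IP SANs in SANLIST.
# openssl reads the SAN list straight from the quoted argument; no temp script.
gen_self_signed() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1095 \
    -subj "/O=HashiCorp/CN=Vault" -addext "subjectAltName = $2" \
    -keyout "$1/tls.key" -out "$1/tls.crt" 2>/dev/null
  chmod 600 "$1/tls.key"
}

# count_ip_sans CERT: number of "IP Address:" entries in the SAN extension.
# Counting rather than string-matching sidesteps OpenSSL-version differences
# in how IPv6 addresses are printed (expanded, upper-case in 1.1.x).
count_ip_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName | grep -o 'IP Address:' | wc -l | tr -d ' '
}

# Demo: build the SAN list from the sample, then (if openssl is installed)
# generate a cert into a temp dir and show the resulting extension.
sans=$(printf '%s\n' "$SAMPLE_IP_OUTPUT" | san_from_ip_output)
echo "subjectAltName = $sans"
if command -v openssl >/dev/null 2>&1; then
  workdir=$(mktemp -d)
  gen_self_signed "$workdir" "$sans"
  echo "$(count_ip_sans "$workdir/tls.crt") IP SANs in $workdir/tls.crt"
  openssl x509 -in "$workdir/tls.crt" -noout -ext subjectAltName
fi
```

Piping `ip -o addr show` into `san_from_ip_output` on a real host gives the value to pass to `-addext`; the link-local `fe80::` address is kept for parity with the gist, but clients cannot normally connect to it without a zone index, so it is harmless rather than useful in the SAN list.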