https://serverfault.com/questions/623880/how-do-i-specify-subjectaltname-in-the-openssl-cli
https://moxo.io/blog/2017/08/01/problem-missing-subjectaltname-while-makeing-self-signed-cert/
https://ningyu1.github.io/site/post/51-ssl-cert/
https://www.jianshu.com/p/ea5bc56211ee/
https://superuser.com/questions/1499401/ssl-cert-does-not-work-with-ip-address-for-san
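# Extension file handed to `openssl x509 -extfile openssl.conf -extensions v3_ext`
# when the leaf certificate is signed. [ alt_names ] lists every name/address the
# certificate is valid for; [ v3_ext ] is the extension set copied into the cert.
[ alt_names ]
# NOTE(review): a bare "*" is not a usable wildcard dNSName. Verifiers only accept
# a wildcard as the whole left-most label of a real domain (e.g. *.example.internal),
# so clients that connect by hostname will not match this entry. List the real
# host names here if name-based access is needed.
DNS.1 = *
# Loopback is pinned to IP.1 (an index the host loop never uses). It used to be
# written inside the loop with the same "IP.<n>" key as the last play host;
# OpenSSL keeps only the last value of a repeated key in a section, so the last
# host's address was silently missing from the SAN list.
IP.1 = 127.0.0.1
{# Play hosts occupy IP.2 .. IP.(N+1); the index formula is unchanged. #}
{% for host in ansible_play_hosts_all %}
{% if isuseipv6 is defined and isuseipv6|bool %}
{# First global-scope IPv6 address of `interface`; rendering fails if the host has none. #}
IP.{{loop.index+1}} = {{(hostvars[host]['ansible_'+interface]['ipv6'] | selectattr('scope', 'equalto', 'global') | list | first).address}}
{% else %}
{% if hostvars[host]['ansible_facts']['default_ipv4'] is defined %}
IP.{{loop.index+1}} = {{hostvars[host]['ansible_facts']['default_ipv4']['address']}}
{% else %}
IP.{{loop.index+1}} = {{hostvars[host]['ansible_default_ipv4']['address']}}
{% endif %}
{% endif %}
{% endfor %}
{# Virtual IPs follow the hosts at IP.(N+2) onwards, the same numbering as before. #}
{% set host_count = ansible_play_hosts_all | length %}
{% if global_vip_list != None and global_vip_list != '' %}
{% for item in global_vip_list.split(',') %}
IP.{{loop.index+host_count+1}}={{item}}
{% endfor %}
{% endif %}

[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
# Leaf certificate only: it must never be accepted as an issuer.
basicConstraints=CA:false
# digitalSignature is what (EC)DHE key exchange, TLS 1.3 and client-certificate
# authentication rely on; without it strict peers reject the certificate for
# those uses. dataEncipherment is not used by TLS and has been dropped.
keyUsage=digitalSignature,keyEncipherment
# NOTE(review): one key pair is authorised for both server and client roles, so
# a leak of the key affects both directions. Split into two certificates if the
# roles are held by different components.
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names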
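# Render the SAN/extension file on the control node. The template reads the
# addresses of every play host from hostvars, so facts for all hosts must be
# available when this runs.
- name: San openssl config
  delegate_to: localhost
  run_once: yes
  template:
    src: openssl.conf.j2
    dest: "{{event_dir}}/{{event_id}}/dassl/openssl.conf"

# Create a 2048-bit RSA key, a CSR, and a certificate signed by the CA whose
# cert/key pair is {{da_ssl_oid}}.crt / {{da_ssl_oid}}.key in the working directory.
# is_tls_cert_exists / is_tls_key_exists are registered outside this excerpt.
# NOTE(review): the CA private key sits in the same directory as the generated
# material; keep that directory readable only by the account running the play.
- name: Generate an client certificate
  when: "not is_tls_cert_exists.stat.exists or not is_tls_key_exists.stat.exists"
  become: no
  delegate_to: localhost
  run_once: yes
  shell:
    cmd: |
      # Abort on the first failing step; otherwise only the exit status of the
      # last command decides whether the task is reported as failed.
      set -e
      # Create the private key under a restrictive umask so it is never
      # group/world readable, whatever the caller's umask is.
      (umask 077 && openssl genrsa -out 127.0.0.1.key 2048)
      openssl req -new -key 127.0.0.1.key -out 127.0.0.1.csr -subj "/C=CN/ST=Beijing/L=Beijing/O=Qianxin/OU=Zion/CN=127.0.0.1"
      # NOTE(review): -days 36500 is a ~100-year lifetime, so a leaked key stays
      # usable until the CA itself is replaced; some client platforms also refuse
      # very long-lived leaf certificates. Prefer a short lifetime plus re-issue.
      # -sha256 pins the signature digest instead of relying on the OpenSSL default.
      openssl x509 -req -sha256 -days 36500 -CA {{da_ssl_oid}}.crt -CAkey {{da_ssl_oid}}.key -CAcreateserial -in 127.0.0.1.csr -out 127.0.0.1.crt \
        -extensions v3_ext -extfile openssl.conf
  args:
    chdir: "{{event_dir}}/{{event_id}}/dassl"

# Concatenate CA.crt and the signing CA certificate into one trust bundle.
# Only public certificates go into the bundle; no key material is copied.
- name: Generate an ca certificate
  when: "not is_tls_cert_exists.stat.exists or not is_tls_key_exists.stat.exists"
  delegate_to: localhost
  run_once: yes
  shell:
    cmd: |
      cat CA.crt {{da_ssl_oid}}.crt > QAX-ATS-CA.crt
  args:
    chdir: "{{event_dir}}/{{event_id}}/dassl"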