The current DOMAIN option is a bit too restrictive, as it only allows registering one Subject Alt Name on the self-signed TLS certificate, and it must be a DNS domain. When c-lightning-REST is hosted on a machine without an associated domain these certificates cannot be used to validate the responses.
The new IP configuration option allows setting a static IP as Subject Alt Name. Its default value is 127.0.0.1, which is backwards compatible.
Additionally, I've tweaked both options to allow multiple comma-separated values, as the openssl tool also supports multiple SANs.
Examples
openssl x509 -in certs/certificate.pem -text -noout has been used to decode these certificates.
master branch, default DOMAIN:
...
X509v3 Subject Alternative Name:
DNS:localhost
Multi SAN PR, default DOMAIN and IP:
...
X509v3 Subject Alternative Name:
DNS:localhost, IP Address:127.0.0.1
Multi SAN PR, custom DOMAIN and IP:
DOMAIN: localhost,example.com,ln.example.com
IP: 127.0.0.1,1.2.3.4
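An added example, not code from this PR or from c-lightning-REST: it turns comma-separated DOMAIN and IP values like the ones above into SAN entries, rejects anything that is not a plain hostname or IP literal, and uses Node's `tls.checkServerIdentity` to show which hosts a client would accept for a given SAN list. The helper names and the validation rules are assumptions made for illustration.

```javascript
// Added example; helper names are hypothetical, not c-lightning-REST code.
const net = require('net');
const tls = require('tls');

// Conservative hostname check: dot-separated letter/digit/hyphen labels, no wildcards.
const HOSTNAME_RE = /^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/i;

function splitList(value) {
  return String(value).split(',').map((s) => s.trim()).filter(Boolean);
}

// Parse comma-separated DOMAIN and IP values. Entries that are not a plain
// hostname or IP literal are rejected, so a config value cannot smuggle
// extra fields into whatever consumes the SAN string.
function buildSanEntries(domain = 'localhost', ip = '127.0.0.1') {
  const dns = splitList(domain);
  const ips = splitList(ip);
  for (const d of dns) {
    if (net.isIP(d) !== 0 || !HOSTNAME_RE.test(d)) throw new Error(`invalid DOMAIN entry: ${d}`);
  }
  for (const i of ips) {
    if (net.isIP(i) === 0) throw new Error(`invalid IP entry: ${i}`);
  }
  return { dns, ips };
}

// Value syntax of openssl's subjectAltName extension.
function toOpensslSan({ dns, ips }) {
  return [...dns.map((d) => `DNS:${d}`), ...ips.map((i) => `IP:${i}`)].join(',');
}

// Syntax Node reports for a peer certificate (same as the decoded output above).
function toPeerCertSan({ dns, ips }) {
  return [...dns.map((d) => `DNS:${d}`), ...ips.map((i) => `IP Address:${i}`)].join(', ');
}

// True when a TLS client connecting to `host` would accept a certificate
// carrying exactly these SAN entries.
function clientAccepts(host, entries) {
  const cert = { subject: {}, subjectaltname: toPeerCertSan(entries) };
  return tls.checkServerIdentity(host, cert) === undefined;
}
```

With only `DNS:localhost` in the certificate, `clientAccepts('1.2.3.4', ...)` is false, which is the case the IP option addresses.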