certs: generate_csr: allow to set CN explicit

Else, when used with ACME, the SAN is always sorted so we always get
the Subject Alternative Name sorting alphabetically first, which
doesn't necessarily has to be the "primary" domain. While this is
rather cosmetically (all SANs are equal) it could still result it
flapping CN when SANs and thus possibly the order changes, e.g., in
our CDN mirror pool. It also doesn't costs anything to allow control
over this, so why not..

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>

diff --git a/src/PVE/Certificate.pm b/src/PVE/Certificate.pm
index 2421f3f1574368b26b0df28486826d763faffe99..5bc9848f15bbe7cf13eb05b16272358267bfba49 100644 (file)
--- a/src/PVE/Certificate.pm
+++ b/src/PVE/Certificate.pm
@@ -336,6 +336,9 @@ sub generate_csr {
     my $san = [ map { $_->{value} } grep { $_->{type} eq 'dns' } @$identifiers ];
     die "DNS identifiers are required to generate a CSR.\n" if !scalar @$san;
 
     my $san = [ map { $_->{value} } grep { $_->{type} eq 'dns' } @$identifiers ];
     die "DNS identifiers are required to generate a CSR.\n" if !scalar @$san;
 

+    # optional
+    my $common_name = delete($attr{common_name}) // $san->[0];
+

     my $md = eval { Net::SSLeay::EVP_get_digestbyname($dig_alg) };
     die "Invalid digest algorithm '$dig_alg'\n" if !$md;
 
     my $md = eval { Net::SSLeay::EVP_get_digestbyname($dig_alg) };
     die "Invalid digest algorithm '$dig_alg'\n" if !$md;
 


@@ -366,7 +369,7 @@ sub generate_csr {
        }
     };
 
        }
     };
 

-    $add_name_entry->('CN', @$san[0]);
+    $add_name_entry->('CN', $common_name);

     for (qw(C ST L O OU)) {
         if (defined(my $v = $attr{$_})) {
            $add_name_entry->($_, $v);
     for (qw(C ST L O OU)) {
         if (defined(my $v = $attr{$_})) {
            $add_name_entry->($_, $v);