kanidm: add hostname SAN to ACME certificate
Some checks failed
Run nix flake check / flake-check (push) Failing after 1s
Include both auth.home.2rjus.net (CNAME) and kanidm01.home.2rjus.net (A record) as SANs in the TLS certificate. This fixes Prometheus scraping, which connects via the hostname, not the CNAME.

Fixes: x509: certificate is valid for auth.home.2rjus.net, not kanidm01.home.2rjus.net

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
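A quick way to confirm which names a certificate is actually valid for, as an added example (it is not part of this commit or of the kanidm repository): the script builds two throwaway self-signed certificates, one carrying only the CNAME as a SAN and one carrying both names as the change intends, and reports which host names each one covers. The fixture certificates, the temporary file names and the helper names `make_fixture_cert`, `cert_san_list` and `cert_covers` are constructed for this example; the host names are the ones from the commit message.

```shell
#!/bin/sh
# Added example, not code from the original commit. Needs OpenSSL 1.1.1+ for
# -addext / -ext. Everything here is generated locally so it runs offline.
set -eu

WORK="$(mktemp -d)"

# Constructed fixture: a self-signed certificate with the CN used by the
# service and an arbitrary SAN list.
#   $1 = output PEM path, $2 = SAN extension value, e.g. "DNS:a.example,DNS:b.example"
make_fixture_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=auth.home.2rjus.net" \
        -addext "subjectAltName=$2" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Print the DNS SANs of a PEM certificate, one per line.
cert_san_list() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | tr ',' '\n' \
        | sed -n 's/.*DNS:[[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# Exit 0 if the certificate lists the given host name as a DNS SAN.
# This is an exact match only; Go's x509 verifier (the one that produced the
# error in the commit message) also accepts a wildcard in the leftmost label,
# which this check deliberately ignores.
cert_covers() {
    cert_san_list "$1" | grep -qx "$2"
}

# Stand-alone demo: the one-SAN certificate reproduces the mismatch quoted in
# the commit message, the two-SAN certificate does not.
make_fixture_cert "$WORK/before.pem" "DNS:auth.home.2rjus.net"
make_fixture_cert "$WORK/after.pem"  "DNS:auth.home.2rjus.net,DNS:kanidm01.home.2rjus.net"
for f in before after; do
    for name in auth.home.2rjus.net kanidm01.home.2rjus.net; do
        if cert_covers "$WORK/$f.pem" "$name"; then
            echo "$f: valid for $name"
        else
            echo "$f: NOT valid for $name (x509 hostname mismatch)"
        fi
    done
done
```

To run the same check against the certificate the host really serves after the deploy, fetch it with `openssl s_client -connect kanidm01.home.2rjus.net:443 -servername auth.home.2rjus.net </dev/null 2>/dev/null | openssl x509 > live.pem` and pass `live.pem` to `cert_covers` with each of the two names; the Prometheus target uses the A-record name, so that is the one whose absence produced the error in the commit message.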
@@ -39,9 +39,11 @@
users.users.kanidm.extraGroups = [ "acme" ];

# ACME certificate from internal CA
# Include both the CNAME (auth) and A record (kanidm01) for Prometheus scraping
security.acme.certs."auth.home.2rjus.net" = {
listenHTTP = ":80";
reloadServices = [ "kanidm" ];
extraDomainNames = [ "${config.networking.hostName}.home.2rjus.net" ];
};

# Vault secret for idm_admin password
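Review bot: the comment added above `security.acme.certs` names kanidm01 explicitly while the SAN on the `extraDomainNames` line is derived from `config.networking.hostName`, so the certificate only matches what the commit message promises as long as this host is actually named kanidm01; either write the literal `kanidm01.home.2rjus.net` the message describes, or reword the comment to say "the host's own FQDN" so the two cannot drift apart. Also worth a sentence in the commit: with `listenHTTP = ":80"` the HTTP-01 challenge is answered per name, so the A record and the CNAME must both resolve to this host for issuance to succeed, and if the CNAME is later pointed elsewhere the renewal of the whole certificate fails, not just the one SAN.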