fix: accept loopback addresses for DoH and add IP SANs to TLS cert

The DoH endpoint rejected requests with Host: 127.0.0.1/::1/localhost, and the generated TLS cert had no IP SANs — so browsers couldn't use https://127.0.0.1/dns-query even with the CA trusted. - is_doh_host now accepts 127.0.0.1, ::1, localhost (with optional port) - TLS cert includes 127.0.0.1 and ::1 IP SANs, plus bare TLD DNS SAN Closes #87
2026-04-12 17:56:39 +03:00
parent c074d728e9
commit 3665deb56b
2 changed files with 37 additions and 10 deletions
--- a/src/tls.rs
+++ b/src/tls.rs
@@ -186,6 +186,20 @@ fn generate_service_cert(
        }
    }

+    // Loopback IP SANs so browsers can reach DoH at https://127.0.0.1/dns-query
+    sans.push(SanType::IpAddress(std::net::IpAddr::V4(
+        std::net::Ipv4Addr::LOCALHOST,
+    )));
+    sans.push(SanType::IpAddress(std::net::IpAddr::V6(
+        std::net::Ipv6Addr::LOCALHOST,
+    )));
+
+    // Bare TLD (e.g. "numa") for DoH via https://numa/dns-query
+    match tld.to_string().try_into() {
+        Ok(ia5) => sans.push(SanType::DnsName(ia5)),
+        Err(e) => warn!("invalid SAN {}: {}", tld, e),
+    }
+
    if sans.is_empty() {
        return Err("no valid service names for TLS cert".into());
    }