From e5c704de6903f6f7936e296a888e8d2b737fed75 Mon Sep 17 00:00:00 2001
From: Joseph Doherty
Date: Mon, 1 Jun 2026 07:52:48 -0400
Subject: [PATCH] feat(gateway): add machine FQDN to self-signed cert SANs

Best-effort resolve the host FQDN via Dns.GetHostEntry and add it as a DNS SAN when it differs (OrdinalIgnoreCase) from the short machine name and "localhost". SocketException / ArgumentException are caught and silently skipped so cert generation remains robust when DNS is absent.
---
 .../Tls/SelfSignedCertificateProvider.cs | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/src/ZB.MOM.WW.MxGateway.Server/Security/Tls/SelfSignedCertificateProvider.cs b/src/ZB.MOM.WW.MxGateway.Server/Security/Tls/SelfSignedCertificateProvider.cs
index 9fa8640..17b33cb 100644
--- a/src/ZB.MOM.WW.MxGateway.Server/Security/Tls/SelfSignedCertificateProvider.cs
+++ b/src/ZB.MOM.WW.MxGateway.Server/Security/Tls/SelfSignedCertificateProvider.cs
@@ -1,4 +1,5 @@
 using System.Net;
+using System.Net.Sockets;
 using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
 using Microsoft.Extensions.Logging;
@@ -55,6 +56,21 @@ public sealed class SelfSignedCertificateProvider
 san.AddDnsName(machine);
 }
 
+ // Best-effort: add the machine FQDN when it differs from the short name and "localhost".
+ // GetHostEntry may fail if DNS is unavailable; skip silently in that case.
+ try
+ {
+ string fqdn = Dns.GetHostEntry(machine).HostName;
+ if (!string.IsNullOrWhiteSpace(fqdn)
+ && !fqdn.Equals("localhost", StringComparison.OrdinalIgnoreCase)
+ && !fqdn.Equals(machine, StringComparison.OrdinalIgnoreCase))
+ {
+ san.AddDnsName(fqdn);
+ }
+ }
+ catch (SocketException) { /* DNS not resolvable — FQDN SAN is optional */ }
+ catch (ArgumentException) { /* invalid host name — skip */ }
+
 foreach (string extra in _options.AdditionalDnsNames)
 {
 if (!string.IsNullOrWhiteSpace(extra))
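Review bot: The value written into the certificate at `san.AddDnsName(fqdn)` is `Dns.GetHostEntry(machine).HostName`, i.e. a name supplied by the resolver (and, for the canonical name, typically by a reverse lookup), so a misconfigured or spoofed DNS answer can place an arbitrary string in the SAN; the only checks before adding it are non-empty and the two equality tests. A syntactic guard in the same `if` would bound that, e.g. `&& Uri.CheckHostName(fqdn) == UriHostNameType.Dns)`, and the FQDN should also be compared against `_options.AdditionalDnsNames` so the same name is not emitted twice. The two `catch` blocks swallow the failure with no trace even though `Microsoft.Extensions.Logging` is already imported; a Debug-level log of the exception and of the name actually added would make it visible which names ended up in the certificate, which matters when operators later need to explain a TLS name mismatch. `Dns.GetHostEntry` is also a synchronous call with no timeout, so on a host with an unreachable resolver this can presumably stall certificate generation for the resolver's retry period — worth a comment on the `try` line if the provider runs at startup. The enclosing method starts and ends outside the hunk.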