internal/tlscheck/tlscheck.go

@@ -27,6 +27,12 @@ var ErrUnexpectedConnType = errors.New(
 	"unexpected connection type",
 )
 
+// ErrNoPeerCertificates indicates the TLS connection had no peer
+// certificates.
+var ErrNoPeerCertificates = errors.New(
+	"no peer certificates",
+)
+
 // CertificateInfo holds information about a TLS certificate.
 type CertificateInfo struct {
 	CommonName              string
@@ -144,7 +150,7 @@ func (c *Checker) CheckCertificate(
 		)
 	}
 
-	return c.extractCertInfo(tlsConn), nil
+	return c.extractCertInfo(tlsConn)
 }
 
 func (c *Checker) buildTLSConfig(
@@ -165,16 +171,20 @@ func (c *Checker) buildTLSConfig(
 
 func (c *Checker) extractCertInfo(
 	conn *tls.Conn,
-) *CertificateInfo {
+) (*CertificateInfo, error) {
 	state := conn.ConnectionState()
 	if len(state.PeerCertificates) == 0 {
-		return &CertificateInfo{}
+		return nil, ErrNoPeerCertificates
 	}
 
 	cert := state.PeerCertificates[0]
 
-	sans := make([]string, len(cert.DNSNames))
-	copy(sans, cert.DNSNames)
+	sans := make([]string, 0, len(cert.DNSNames)+len(cert.IPAddresses))
+	sans = append(sans, cert.DNSNames...)
+
+	for _, ip := range cert.IPAddresses {
+		sans = append(sans, ip.String())
+	}
 
 	return &CertificateInfo{
 		CommonName:              cert.Subject.CommonName,
@@ -182,5 +192,5 @@ func (c *Checker) extractCertInfo(
 		NotAfter:                cert.NotAfter,
 		SubjectAlternativeNames: sans,
 		SerialNumber:            cert.SerialNumber.String(),
-	}
+	}, nil
 }