Short names are used instead of FQDNs for subjAltNames in certificates

Bug #1816494 reported by Dmitrii Shcherbakov
This bug affects 1 person
Affects                          Status   Importance   Assigned to   Milestone
Etcd Charm                       New      Undecided    Unassigned
Kubernetes API Load Balancer     New      Undecided    Unassigned
Kubernetes Control Plane Charm   New      Undecided    Unassigned
Kubernetes Worker Charm          New      Undecided    Unassigned

Bug Description

For a given unit a short name returned from gethostname will be requested as a SAN (subjAltName) when a cert is requested from a CA (Vault, easyrsa).

Instead getnameinfo((ingress-address, 0), 0) needs to be used to get FQDNs on a per-space basis.

>>> socket.getnameinfo(('192.0.2.13', 0), 0)
('hostname-for-a-per-space-ingress-address.example.com', '0')

Example from a generated cert:

            X509v3 Subject Alternative Name:
                DNS:192.0.2.17, DNS:pretty-turkey, IP Address:192.0.2.17

While the FQDN is pretty-turkey.maas.example

Code: https://github.com/juju-solutions/layer-etcd/blob/19eb3a1/reactive/etcd.py#L114
    sans.add(socket.gethostname())

If Name Constraints (https://tools.ietf.org/html/rfc5280#section-4.2.1.10) are used in an (intermediate) CA certificate Vault will only be able to issue certificates restricted by those constraints (e.g. for subdomains or a certain domain only). Therefore, the intermediate CA will not be able to issue certs for short names requested by different units (etcd, kubernetes-master etc.).

With self-signed CA certificates similar constraints may apply.
https://github.com/openstack/charm-vault/blob/stable/18.11/src/actions/actions.py#L97-L102
        allow_any_name=action_config['allow-any-name'],
        allowed_domains=action_config['allowed-domains'],
        allow_bare_domains=action_config['allow-bare-domains'],
        allow_subdomains=action_config['allow-subdomains'],
        allow_glob_domains=action_config['allow-glob-domains'],
        enforce_hostnames=action_config['enforce-hostnames'],

getnameinfo is a proper way to retrieve an FQDN, provided that the DNS setup is correct for a given node.

Also:
http://man7.org/linux/man-pages/man3/gethostbyname.3.html
"The gethostbyname*(), gethostbyaddr*(), herror(), and hstrerror() functions are obsolete."

getnameinfo RFC and manpage:
https://tools.ietf.org/html/rfc3493#section-6.2
http://man7.org/linux/man-pages/man3/getnameinfo.3.html

Tags: cpe-onsite
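Added example, not code from the etcd charm or from charm-vault: it builds the SAN set from per-space ingress addresses via getnameinfo, as the report proposes, and checks a candidate SAN against an approximation of the Vault PKI role options quoted above. The injectable resolver parameter, sample_resolver, SAMPLE_PTR and allowed_by_role are constructed for illustration and are not real charm or Vault APIs.

```python
import socket
from typing import Callable, Dict, Iterable, Set, Tuple

# Resolver has the signature of socket.getnameinfo: (sockaddr, flags) -> (host, service).
# It is injectable so the SAN-building logic can be exercised without live reverse DNS.
Resolver = Callable[[Tuple[str, int], int], Tuple[str, str]]

# Constructed sample PTR data standing in for the node's DNS (RFC 5737 test addresses).
SAMPLE_PTR: Dict[str, str] = {
    "192.0.2.13": "etcd-0.internal.example.com",
    "192.0.2.17": "etcd-0.maas.example",
}

def sample_resolver(sockaddr: Tuple[str, int], flags: int) -> Tuple[str, str]:
    """Offline stand-in for socket.getnameinfo backed by SAMPLE_PTR."""
    if sockaddr[0] not in SAMPLE_PTR:
        raise socket.gaierror("no PTR record (constructed sample)")
    return SAMPLE_PTR[sockaddr[0]], "0"

def fqdn_for_address(address: str, resolver: Resolver = socket.getnameinfo) -> str:
    """Reverse-resolve one ingress address to its FQDN, as the report proposes.
    NI_NAMEREQD turns a missing PTR record into an error instead of silently
    returning the numeric address (the 'DNS:192.0.2.17' SAN quoted above)."""
    try:
        host, _service = resolver((address, 0), socket.NI_NAMEREQD)
    except socket.gaierror as exc:
        raise RuntimeError(f"no reverse DNS for ingress address {address}") from exc
    return host

def build_sans(addresses: Iterable[str], resolver: Resolver = socket.getnameinfo) -> Set[str]:
    """One FQDN per network space (one per ingress address), deduplicated."""
    return {fqdn_for_address(addr, resolver) for addr in addresses}

def allowed_by_role(name: str, allowed_domains: Iterable[str],
                    allow_subdomains: bool, allow_bare_domains: bool) -> bool:
    """Approximation of the Vault PKI role options quoted above (allowed-domains,
    allow-subdomains, allow-bare-domains): would the role accept this SAN?
    A dot-less short name such as 'pretty-turkey' never matches a domain."""
    name = name.rstrip(".").lower()
    for domain in allowed_domains:
        domain = domain.rstrip(".").lower()
        if allow_bare_domains and name == domain:
            return True
        if allow_subdomains and name.endswith("." + domain):
            return True
    return False
```

With the real socket.getnameinfo as resolver, build_sans returns one FQDN per ingress address on a node whose reverse DNS is set up, and raises on any address that lacks a PTR record.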
