I tried again but could not find.
In /etc/ssl/openssl.cnf the directives for SAN are all commented:
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
There is no section alt_names…
But the host certificates generated have a SAN with IPs, some of them removed ages ago, and no longer existing in the DNS area:
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Alternative Name:
DNS:zzzzz.domain.tld, IP Address:192.168.yyy.2, IP Address:192.168.xxx.1, IP Address:192.168.xxx.2, IP Address:192.168.xxx.4, IP...
Did somebody find where and how it does that ? Of course it works, but this is messy.
Thanks, Best regards.