dns-certify: allow [`raw] Domain_name.t in signing requests

The previous restriction for [`host] Domain_name.t disallows to request
wildcard certificates. In a X509 sisning request and certificate, the
subjectAlternativeName (of typ DNS) is a string list (since General_name.t
is used for NameConstraints (allowing leading dot, IP addresses, IP/netmask)).

app/ocertify.ml

@@ -151,7 +151,7 @@ let hostname =
 
 let more_hostnames =
   let doc = "Additional hostnames to be included in the certificate as SubjectAlternativeName extension" in
-  Arg.(value & opt_all Dns_cli.name_c [] & info ["additional"] ~doc ~docv:"HOSTNAME")
+  Arg.(value & opt_all Dns_cli.domain_name_c [] & info ["additional"] ~doc ~docv:"HOSTNAME")
 
 let csr =
   let doc = "certificate signing request filename (defaults to hostname.req)" in

certify/dns_certify.mli

@@ -1,7 +1,7 @@
 open Dns
 
 val signing_request : [`host] Domain_name.t ->
-  ?more_hostnames:([`host] Domain_name.t list) ->
+  ?more_hostnames:([`raw] Domain_name.t list) ->
   X509.Private_key.t -> X509.Signing_request.t
 (** [signing_request name ~more_hostnames key] creates a X509 signing request
     where [name] will be the common name in its subject, and if [more_hostnames]

mirage/certify/dns_certify_mirage.mli

@@ -3,7 +3,7 @@ module Make (R : Mirage_random.S) (P : Mirage_clock.PCLOCK) (T : Mirage_time.S)
 
   val retrieve_certificate :
     S.t -> dns_key:string -> hostname:[ `host ] Domain_name.t ->
-    ?additional_hostnames:[ `host ] Domain_name.t list -> ?key_seed:string ->
+    ?additional_hostnames:[ `raw ] Domain_name.t list -> ?key_seed:string ->
     S.TCPV4.ipaddr -> int -> (Tls.Config.own_cert, [ `Msg of string ]) result Lwt.t
   (** [retrieve_certificate stack ~dns_key ~hostname ~key_seed server_ip port]
      generates a RSA private key (using the [key_seed]), a certificate