Fix the invalid use of SAN in the CSR

[breard-r]

The current Certificate Signing Request (CSR) implementation include one
instance of the Subject Alternative Name (SAN) extension per domain name
after the Common Name (CN). This is forbidden by RFC 5280 which state,
in section 4.2, that "A certificate MUST NOT include more than one
instance of a particular extension".
This causes a bug when requesting a certificate for more than two domain
names since the ACME servers are likely to consider only the first SAN.
For instance, Let's Encrypt does that and, when requesting a
certificate for three or more domains, refuse to issue it and returns
"Order includes different number of names than CSR specifies" since it
can read only two domains in the CSR (one as the CN and one as the first
SAN).
Considering this issue, this commit changes the way acme-lib builds the
CSR. All domain names are now set up in one SAN. Please note that, since
the RFC 8555 (ACME protocol) does not differentiate domain names set in
the CN and domain names set in the SAN, this commit does not provide a
CN. This approach is simpler and does not affect the issuing process.
https://tools.ietf.org/html/rfc5280
https://tools.ietf.org/html/rfc8555

[lolgesten]

Good point! I just need to glance over that I don't use the CN somewhere else.

[breard-r]

I just need to glance over that I don't use the CN somewhere else.

It's quite unlikely: as far as i know, the CSR is built, sent to the ACME server and then discarded. After that, the server issue a certificate with the first SAN as the CN. I tested the patched version and it works just fine.
By the way, not setting a CN is the way most ACME client works (example: certbot).

[lolgesten]

Alright. Thank you so much!