Fix the invalid use of SAN in the CSR #3
Merged
The current Certificate Signing Request (CSR) implementation includes one
instance of the Subject Alternative Name (SAN) extension per domain name
after the Common Name (CN). This is forbidden by RFC 5280, which states,
in section 4.2, that "A certificate MUST NOT include more than one
instance of a particular extension".
This causes a bug when requesting a certificate for more than two domain
names since the ACME servers are likely to consider only the first SAN.
For instance, Let's Encrypt does that and, when requesting a
certificate for three or more domains, refuses to issue it and returns
"Order includes different number of names than CSR specifies" since it
can read only two domains in the CSR (one as the CN and one as the first
SAN).
Considering this issue, this commit changes the way acme-lib builds the
CSR. All domain names are now set up in one SAN. Please note that, since
RFC 8555 (ACME protocol) does not differentiate domain names set in
the CN from domain names set in the SAN, this commit does not provide a
CN. This approach is simpler and does not affect the issuing process.
https://tools.ietf.org/html/rfc5280
https://tools.ietf.org/html/rfc8555
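The two CSR layouts the commit message contrasts, as an added example that is not acme-lib's code and not the ACME server's: a small pure-Python DER encoder builds the CSR's extension list either with one SAN extension per domain (the pre-fix layout) or with a single SAN extension carrying every dNSName (the fixed layout), and a matching decoder applies the RFC 5280 section 4.2 rule (no extension OID may appear twice) and models a server that honours only the first SAN it finds. The domain names are constructed sample input; only the Extensions SEQUENCE is modelled, not the surrounding CSR (subject, public key, signature), and the "first SAN only" reader is a model of the behaviour the commit message describes, not Let's Encrypt's actual parser.

```python
# Added example: minimal DER encoding/decoding of the SAN extension list
# (Extensions ::= SEQUENCE OF Extension, RFC 5280 4.1 / 4.2.1.6), not acme-lib code.

OID_SAN = "2.5.29.17"  # id-ce-subjectAltName
TAG_SEQUENCE, TAG_OID, TAG_OCTET_STRING, TAG_BOOLEAN = 0x30, 0x06, 0x04, 0x01
TAG_DNS_NAME = 0x82  # GeneralName dNSName is [2] IMPLICIT IA5String

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:  # base-128, high bit set on all but the last octet
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(TAG_OID, bytes(out))

def san_extension(domains):
    """One Extension holding every domain as a dNSName; critical is DEFAULT FALSE so omitted."""
    general_names = b"".join(der(TAG_DNS_NAME, d.encode("ascii")) for d in domains)
    san_value = der(TAG_SEQUENCE, general_names)
    return der(TAG_SEQUENCE, der_oid(OID_SAN) + der(TAG_OCTET_STRING, san_value))

def extensions_one_san_per_domain(domains):
    """Pre-fix layout: a separate SAN extension for each domain (violates RFC 5280 4.2)."""
    return der(TAG_SEQUENCE, b"".join(san_extension([d]) for d in domains))

def extensions_single_san(domains):
    """Fixed layout: a single SAN extension listing all domains."""
    return der(TAG_SEQUENCE, san_extension(domains))

def read_tlv(buf, pos):
    """Return (tag, body, position after the element) for the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_extensions(ext_der):
    """Yield (extnID, extnValue bytes) for each Extension, skipping an explicit critical flag."""
    _, body, _ = read_tlv(ext_der, 0)
    result, pos = [], 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        _, oid_body, p = read_tlv(ext, 0)
        tag, value, p = read_tlv(ext, p)
        if tag == TAG_BOOLEAN:  # critical was encoded explicitly; the value follows it
            tag, value, p = read_tlv(ext, p)
        result.append((decode_oid(oid_body), value))
    return result

def san_dns_names(extn_value):
    _, names, _ = read_tlv(extn_value, 0)
    out, pos = [], 0
    while pos < len(names):
        tag, body, pos = read_tlv(names, pos)
        if tag == TAG_DNS_NAME:
            out.append(body.decode("ascii"))
    return out

def duplicate_extensions(ext_der):
    """RFC 5280 4.2 check: OIDs that appear more than once in the extension list."""
    oids = [oid for oid, _ in parse_extensions(ext_der)]
    return sorted({o for o in oids if oids.count(o) > 1})

def names_seen_by_first_san_only(ext_der):
    """Model of a server that reads only the first SAN extension (the failure the commit describes)."""
    for oid, value in parse_extensions(ext_der):
        if oid == OID_SAN:
            return san_dns_names(value)
    return []

if __name__ == "__main__":
    domains = ["example.org", "www.example.org", "mail.example.org"]  # constructed sample input
    for label, ext in (("one SAN per domain", extensions_one_san_per_domain(domains)),
                       ("single SAN", extensions_single_san(domains))):
        print(label, "duplicates:", duplicate_extensions(ext),
              "names seen:", names_seen_by_first_san_only(ext))
```

With three domains the pre-fix layout yields three SAN extensions, so the duplicate check flags 2.5.29.17 and a first-SAN-only reader sees a single name; the fixed layout yields one extension from which all three names are read, which is exactly the count mismatch the commit message attributes to the "Order includes different number of names than CSR specifies" rejection.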