ClusterIssuer/Issuer failed for domain > 64 char. CSR doesn't contain a SAN short enough to fit in CN

[codedumper]

Describe the bug:
ClusterIssuer is unable to generate certificate due to Order error:
Failed to finalize Order: 400 urn:ietf:params:acme:error:badCSR: Error finalizing order :: issuing precertificate: CSR doesn't contain a SAN short enough to fit in CN

Expected behaviour:
Certificate generated.

Steps to reproduce the bug:
Use ClusterIssuer/Issuer to generate a Certificate for a FQDN longer than 64 chars with Acme (letsencrypt).

API Version:  acme.cert-manager.io/v1alpha3
Kind:         Order
....
Status:
  Failure Time:  2020-04-09T16:47:02Z
  Finalize URL:  https://acme-staging-v02.api.letsencrypt.org/acme/finalize/13088958/84103314
  Reason:        Failed to finalize Order: 400 urn:ietf:params:acme:error:badCSR: Error finalizing order :: issuing precertificate: CSR doesn't contain a SAN short enough to fit in CN
  State:         errored
  URL:           https://acme-staging-v02.api.letsencrypt.org/acme/order/13088958/84103314

Environment details::

• Kubernetes version (e.g. v1.10.2): 1.15.9-gke.24
• Cloud-provider/provisioner (e.g. GKE, kops AWS, etc): GKE
• cert-manager version (e.g. v0.4.0): 0.14.1
• Install method (e.g. helm or static manifests): helm

/kind bug

[meyskens]

I think this is an issue with Let's Encrypt rather than cert-manager as cert-manager does not set the CN in the CSR. Let's Encrypt does that on their side, which is where this error comes from.

[codedumper]

Yes, i just realized that.
I solved the limitation by using wildcard subdomain certificate.

Thanks @meyskens. I'm closing this one.

[varac]

For a LE discussion about this issue see certbot/certbot#1915.