New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
investigate certificates that cablint complains about #1439
Comments
I think the certlint code that leads to the CN too long warning is: https://github.com/awslabs/certlint/blob/master/lib/certlint/namelint.rb#L55 |
There are 2 error messages given over 4 certs. 3 are for "DNSName is not FQDN" which seems to be wrong. It seems that certlint just doesn't handle '-' at the end of a part of a domain. I think that's a bug on its part, but maybe someone else knows better than me. I'm asking pzb where he got the 64 from. |
People are citing RFC 5280 in support of the 64 number, but I know we had a discussion about that RFC being about CRLs and overridden by other RFCs that either cited bigger numbers or left it undefined. |
Folks have pointed out that 5280 seems to be the not-obsoleted RFC involved. So now we need to decided what to do about these certs when they come up for renewal. |
Yeah, looks like we're wrong to allow the '-' at the end. RFC 952: "The last character must not be a minus sign or period." Made a ticket: #1440 |
So, in summary, we have to fix both errors. Given how the ACME API works, the most reasonable fix for the CN length one is to just not emit CNs at all. The second easiest fix is to select a CN from the given domains that fits in the CN and not emit a CN if no domain given can fit into 64 bits. The other is just us writing some code to check for that case and maybe making a ticket for Go's Followup: do these bugs deserve the audit-compliance label? I'm not so sure. |
Remove the DNS name from the CN; and place it in the SAN. Also see Issue 40 for background reading on the rules governing DNS names and where they should be located.
As far as I know, neither the CA/B Baseline Requirements nor the IETF PKIX profile place a length limit on the field. If cablint is broke, then file a bug report against it. They need to fix their defective software. |
Done. |
There are some certs here that cablint thinks have issues:
https://crt.sh/?caid=7395&opt=cablint
The issues are things like:
ERROR: DNSName is not FQDN 3
WARNING: CN is too long 1
The text was updated successfully, but these errors were encountered: