Don't create CSRs with a Common Name that is longer than 64 bytes #2049

Closed
3 tasks done
mcpherrinm opened this issue Nov 8, 2023 · 3 comments · Fixed by #2054
Comments

@mcpherrinm
Contributor

mcpherrinm commented Nov 8, 2023

Welcome

  • Yes, I'm using a binary release within 2 latest releases.
  • Yes, I've searched similar issues on GitHub and didn't find any.
  • Yes, I've included all information below (version, config, etc).

What did you expect to see?

Lego creates CSRs by taking the first domain flag passed in and using it as the Common Name.

If that is longer than 64 bytes, Let's Encrypt (and potentially other CAs) reject the CSR as it is invalid.

If one of your names is shorter, you could ensure it is passed in first. But if all your names are too long, it always fails.

As a bigger ecosystem thing, the common name is going to start going away in more contexts, and it's likely that at some point in the future Let's Encrypt will start issuing certificates with no CN in the certificate if the CSR doesn't have one, or possibly even dropping CN support totally. There's no timeline for this, but I mention it as a direction this is likely to go in.

As a result, I would suggest the following changes:

  1. Don't put a CN in CSRs by default
  2. Add a flag to include a CSR if a user has some need for that.

The CN flag might not be required, so it's worth considering just omitting that.

What did you see instead?

urn:ietf:params:acme:error:badCSR :: Error finalizing order :: CN was longer than 64 bytes

How do you use lego?

Binary

Reproduction steps

works:

./lego -a --dns manual -d test.example.ca -d thisisthesongthatneverendsyesitgoesonandonmyfriends.somepeoplestartedsingingitnotknowingwhatitwas.andtheyllcontinuesingingitforeverjustbecause.example.ca run

doesn't work:

./lego -a --dns manual -d thisisthesongthatneverendsyesitgoesonandonmyfriends.somepeoplestartedsingingitnotknowingwhatitwas.andtheyllcontinuesingingitforeverjustbecause.example.ca -d test.example.ca run

Version of lego

d51b5e408bff268bd3386c39a765be40e996c9b1 (current head)

Logs

2023/11/08 14:49:15 Could not obtain certificates:
        error: one or more domains had a problem:
thisisthesongthatneverendsyesitgoesonandonmyfriends.somepeoplestartedsingingitnotknowingwhatitwas.andtheyllcontinuesingingitforeverjustbecause.example.ca: acme: error: 400 :: POST :: https://acme-staging-v02.api.letsencrypt.org/acme/finalize/104658544/12129366254 :: urn:ietf:params:acme:error:badCSR :: Error finalizing order :: CN was longer than 64 bytes

Go environment (if applicable)

go version go1.20.1 linux/amd64
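The behaviour described in the issue, as an added example that is not lego's code and not from the issue author: build a CSR where every domain goes into the subjectAltName extension and the Common Name is only set when the caller asks for it and it fits the RFC 5280 limit of 64 bytes, and replay the CA-side check that produced the badCSR error. The helper names (BuildCSR, SelectCN, CheckCSR, MaxCNBytes) and the constructed domain list are assumptions for illustration, not lego's API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"log"
)

// MaxCNBytes is the RFC 5280 upper bound on the commonName attribute
// (ub-common-name = 64). The issue shows Let's Encrypt enforcing it on the CSR.
const MaxCNBytes = 64

// SelectCN decides what Common Name to put in the CSR (hypothetical helper).
// With includeCN=false the CN is omitted entirely, which is the default the
// issue proposes. With includeCN=true the first domain is used, but only if
// it fits in 64 bytes; otherwise an error is returned instead of a CSR the
// CA will reject. Go's len() counts bytes, which matches the CA's check.
func SelectCN(domains []string, includeCN bool) (string, error) {
	if len(domains) == 0 {
		return "", errors.New("no domains given")
	}
	if !includeCN {
		return "", nil
	}
	cn := domains[0]
	if len(cn) > MaxCNBytes {
		return "", fmt.Errorf("common name %q is %d bytes, limit is %d", cn, len(cn), MaxCNBytes)
	}
	return cn, nil
}

// BuildCSR produces a DER-encoded CSR with all domains as SAN DNS names and
// the given CN (empty string means no subject CN). It deliberately does not
// validate cn, so it can also produce the over-long CSR the issue describes.
func BuildCSR(domains []string, cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		DNSNames: append([]string(nil), domains...),
	}
	if cn != "" {
		tmpl.Subject = pkix.Name{CommonName: cn}
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// CheckCSR replays the CA-side validation: parse, verify the self-signature,
// then reject a CN longer than 64 bytes. It returns the CN (empty when the
// subject has none) and the SAN DNS names so the caller can inspect them.
func CheckCSR(der []byte) (cn string, dnsNames []string, err error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return "", nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return "", nil, err
	}
	if len(csr.Subject.CommonName) > MaxCNBytes {
		return "", nil, errors.New("CN was longer than 64 bytes")
	}
	return csr.Subject.CommonName, csr.DNSNames, nil
}

func main() {
	// Constructed input mirroring the issue's reproduction: a first name
	// well over 64 bytes, followed by a short one.
	long := "thisisthesongthatneverendsyesitgoesonandonmyfriends.somepeoplestartedsingingitnotknowingwhatitwas.example.ca"
	domains := []string{long, "test.example.ca"}

	// What happens today: CN = first domain, and the CA rejects it.
	bad, err := BuildCSR(domains, long)
	if err != nil {
		log.Fatal(err)
	}
	_, _, err = CheckCSR(bad)
	fmt.Println("CN from first domain:", err)

	// Proposed default: no CN at all, every name in the SAN extension.
	cn, _ := SelectCN(domains, false)
	good, err := BuildCSR(domains, cn)
	if err != nil {
		log.Fatal(err)
	}
	cn, sans, err := CheckCSR(good)
	fmt.Printf("no CN: cn=%q sans=%v err=%v\n", cn, sans, err)
}
```

Omitting the subject CN is valid for the CSR itself: x509.CreateCertificateRequest emits an empty subject sequence, and ParseCertificateRequest and CheckSignature accept it, so the only thing that changes is that the CA's CN length check has nothing to reject.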