CommonName has been deprecated for almost a decade now (https://tools.ietf.org/html/rfc2818) and is basically optional, as the more useful SAN extension has taken its place.
I am encountering a problem trying to call `certificate.ObtainForCSR()` with a CSR with an empty CommonName field, because `ExtractDomainsCSR()` requires a CommonName, in violation of RFC.
As a result, I get log messages:
[INFO] [, test-1.lightcodelabs.com] acme: Obtaining bundled SAN certificate given a CSR
And subsequent errors:
acme: error: 400 :: POST :: https://acme-staging-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rejectedIdentifier :: Error creating new order :: Cannot issue for "": Domain name is empty, url:
If the linked line was changed to:
```go
var domains []string
if cert.Subject.CommonName != "" {
	domains = append(domains, cert.Subject.CommonName)
}
```
then I think we'd be good to go. 👌
https://github.com/containous/traefik/issues/4988
Until such a time as Let's Encrypt is able to issue certificates without the deprecated CN field (this is blocked on CA/B Forum wrangling, likely to be a long time out) ACME clients must take care to arrange the CSR such that a name less <64 bytes in length is used as the subject common name.
I know that the CN has been deprecated for a long time; your proposal seems good to me.
The change needs to be applied to `ExtractDomainsCSR` and `ExtractDomains`.
Cool, just making sure I provided some context in case it wasn't there already, but I guess there was. :)
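
The behaviour proposed in this thread, as an added example that is not lego's own code: the hypothetical helper `domainsFromCSR` includes the CommonName only when it is set, so a SAN-only CSR no longer yields an empty identifier. `buildCSR` is also hypothetical and only constructs sample input in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// domainsFromCSR is a hypothetical helper (not lego's ExtractDomainsCSR).
// It returns the CommonName only when set, then the SAN DNS names, deduplicated.
func domainsFromCSR(csr *x509.CertificateRequest) []string {
	var domains []string
	seen := map[string]bool{"": true} // the empty name counts as seen, so it is never added
	for _, name := range append([]string{csr.Subject.CommonName}, csr.DNSNames...) {
		if !seen[name] {
			seen[name] = true
			domains = append(domains, name)
		}
	}
	return domains
}

// buildCSR creates and re-parses a CSR with the given CN and SANs (constructed sample input).
func buildCSR(cn string, sans []string) (*x509.CertificateRequest, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, DNSNames: sans}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

func main() {
	// SAN-only CSR, matching the case reported above (empty CommonName).
	csr, err := buildCSR("", []string{"test-1.lightcodelabs.com"})
	if err != nil {
		panic(err)
	}
	fmt.Printf("%q\n", domainsFromCSR(csr))
}
```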