ACME v2 - Wildcard Requests and SANs?

Quick question to anybody who knows such things:

Should the Subject Alternative Names of the CSR include the wildcard domain (e.g. *.test.com)? Currently CN=*.test.com is enough for the order to finalize, but including *.test.com in the SAN list results in an error from the API (CSR contains domains not in Order).

The CSR should contain the same names as there are DNS identifiers in the order.

Technically it does contain the DNS identifier because the wildcard domain is included as subject name. Maybe the SAN list should include test.com if the subject name is *.test.com (but SAN list should not contain *.test.com?)

Going by a v2 implementation I know is working, including *.test.com as both the Subject (CN=) and a SAN DNS Name should work:

https://github.com/eggsampler/acme/blob/master/example/certbot.go#L172-L178

The spec says:

"The CSR MUST indicate the exact same set of requested identifiers as the initial new-order request, either in the commonName portion of the requested subject name, or in an extensionRequest attribute [RFC2985] requesting a subjectAltName extension."

So if your new-order was

"identifiers": [{"type":"dns","value":"*.test.com"}]

then a CSR that includes *.test.com as both the subject and subjAltName should work just fine.

Can you show an order and CSR pair that is failing, as well as any error message?


Thanks, found the problem!

I was adding the DNS identifiers that we get back from the authorization into the SAN list. It turns out they get stripped of the *. prefix, so I was actually just adding test.com instead of *.test.com (which caused the error). What confused me was that it worked fine when I left the SAN list blank and just set the subject name.
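The two points made in this thread, the "exact same set of identifiers" rule quoted from the spec and the fact that the authorization object hands back a wildcard identifier with its "*." prefix stripped (and a "wildcard": true flag, per RFC 8555 sections 7.1.3 and 7.1.4), can both be checked on the client before calling finalize. The following is an added example written for this page; it is not code from the thread nor from eggsampler/acme. The type names, function names and the constructed order/authorization values are assumptions made for illustration. It builds a CSR with Go's standard library, extracts the name set from CN plus SAN the way a server reads it, and compares it against the order's DNS identifiers, reproducing the mismatch from the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Identifier mirrors an ACME identifier object, e.g. {"type":"dns","value":"*.test.com"}.
// (Type and field names are this example's own, not a library API.)
type Identifier struct {
	Type  string
	Value string
}

// Authorization keeps the two fields of an RFC 8555 authorization object that
// matter here: for a wildcard order the server returns the identifier value
// without the "*." prefix and sets "wildcard": true.
type Authorization struct {
	Identifier Identifier
	Wildcard   bool
}

// OrderIdentifierFromAuthz rebuilds the name the order was placed for,
// re-adding the "*." the server stripped from the authorization identifier.
func OrderIdentifierFromAuthz(a Authorization) string {
	v := strings.ToLower(a.Identifier.Value)
	if a.Wildcard && !strings.HasPrefix(v, "*.") {
		return "*." + v
	}
	return v
}

// NewKey generates a P-256 key to sign the CSR with.
func NewKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// BuildCSR returns a DER-encoded CSR with names[0] as the CN and every name,
// the first one included, as a subjectAltName dNSName.
func BuildCSR(key *ecdsa.PrivateKey, names []string) ([]byte, error) {
	if len(names) == 0 {
		return nil, errors.New("at least one name is required")
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: names[0]},
		DNSNames: names,
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// CSRNames returns the deduplicated, lower-cased set of names a CSR requests:
// the CN plus every SAN dNSName, as the quoted spec text describes.
func CSRNames(der []byte) ([]string, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("bad CSR signature: %w", err)
	}
	set := map[string]struct{}{}
	if cn := strings.ToLower(csr.Subject.CommonName); cn != "" {
		set[cn] = struct{}{}
	}
	for _, n := range csr.DNSNames {
		set[strings.ToLower(n)] = struct{}{}
	}
	names := make([]string, 0, len(set))
	for n := range set {
		names = append(names, n)
	}
	sort.Strings(names)
	return names, nil
}

// MatchesOrder applies the "exact same set of identifiers" rule locally.
// extra lists CSR names the order never covered (the thread's "CSR contains
// domains not in Order"); missing lists order names the CSR lacks.
func MatchesOrder(der []byte, order []Identifier) (bool, []string, []string, error) {
	names, err := CSRNames(der)
	if err != nil {
		return false, nil, nil, err
	}
	want := map[string]bool{}
	for _, id := range order {
		if id.Type == "dns" {
			want[strings.ToLower(id.Value)] = true
		}
	}
	have := map[string]bool{}
	var extra, missing []string
	for _, n := range names {
		have[n] = true
		if !want[n] {
			extra = append(extra, n)
		}
	}
	for n := range want {
		if !have[n] {
			missing = append(missing, n)
		}
	}
	sort.Strings(extra)
	sort.Strings(missing)
	return len(extra) == 0 && len(missing) == 0, extra, missing, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed order and authorization, shaped like the thread's example.
	order := []Identifier{{Type: "dns", Value: "*.test.com"}}
	authz := Authorization{Identifier: Identifier{Type: "dns", Value: "test.com"}, Wildcard: true}

	good, _ := BuildCSR(key, []string{"*.test.com"})
	ok, extra, missing, _ := MatchesOrder(good, order)
	fmt.Println("wildcard in CN and SAN:", ok, extra, missing)

	// The bug from the thread: the stripped authz value lands in the SAN list.
	bad, _ := BuildCSR(key, []string{"*.test.com", authz.Identifier.Value})
	ok, extra, missing, _ = MatchesOrder(bad, order)
	fmt.Println("stripped authz value in SAN:", ok, extra, missing)
	fmt.Println("name rebuilt from authz:", OrderIdentifierFromAuthz(authz))
}
```

Note that BuildCSR always places the CN in the SAN list as well, which is the shape the working eggsampler/acme example in the thread uses; a CSR with CN=*.test.com and no SAN extension also passes MatchesOrder, which is why the poster's SAN-less CSR finalized fine.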
