Certbot 2.11.0 Release

2.11.0 was just released! Here's the changelog:

Changed

  • In anticipation of backwards incompatible changes, certbot-dns-cloudflare now
    requires less than version 2.20 of Cloudflare's python library.

Fixed

  • Fixed a bug in Certbot where a CSR's SANs did not always follow the order of
    the domain names that the user requested interactively. In some cases, the
    resulting cert's common name might seem picked up randomly from the SANs
    when it should be the first item the user had in mind.

More details about these changes can be found on our GitHub repo.

3 Likes

For some reason I thought LE sorted the SANs alphabetically for the cert and therefore one shouldn't rely upon the order in the CSR. :thinking:

I could be wrong.

3 Likes

While Let's Encrypt might do that (I don't know and didn't check :slight_smile: ) there are other ACME CAs that depend on the order. I had a similar bug report for the Ansible acme_certificate module recently; I stored the names in a set (which has a 'random' order) and thus sent them in a different order when creating the ACME order than they were in the CSR. Since the CA the reporter used was using the names from the order and not the submitted CSR, it resulted in certificates issued that caused problems due to having the wrong common name.

2 Likes

Let’s Encrypt promotes the first eligible domain from the CSR to the CN, unless a CN is provided in the CSR. The names are eventually sorted to produce the SANs in the certificate. There was an unintentional change in 2023 that used the sorted list instead but that was quickly reverted.

(Eligible: has to be short enough to fit in a CN)

5 Likes
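To make the rule in the reply above concrete, here is an added example (not Certbot, Boulder or Ansible code) that models it: CN taken from the CSR if present, otherwise the first requested name that fits, SANs sorted, plus the order-preserving dedup and the order-vs-CSR check that the set-ordering bug mentioned earlier would fail. The 64-character CN limit is assumed from the X.509 ub-common-name bound.

```python
# Added example modelling the CN/SAN selection described in this thread.
# Assumption: "short enough to fit in a CN" means the X.509 ub-common-name
# limit of 64 characters.
MAX_CN_LENGTH = 64


def dedupe_preserving_order(names):
    """Drop duplicate names while keeping the order the user requested.

    A set() also deduplicates but discards order; that is the failure mode
    described for the Ansible acme_certificate module in this thread.
    """
    return list(dict.fromkeys(names))


def choose_common_name(names, csr_cn=None):
    """Return the CN: the CSR's own CN if it has one, otherwise the first
    requested name that is short enough to be a CN, or None if none fit."""
    if csr_cn is not None:
        return csr_cn
    for name in names:
        if len(name) <= MAX_CN_LENGTH:
            return name
    return None


def build_issuance_view(requested, csr_cn=None):
    """Simulate what the issued certificate carries: CN chosen from the
    request order, SANs sorted (as the thread says Let's Encrypt does)."""
    ordered = dedupe_preserving_order(requested)
    return {"common_name": choose_common_name(ordered, csr_cn),
            "sans": sorted(ordered)}


def order_matches_csr(acme_order_names, csr_names):
    """True when the identifiers sent in the ACME order are in exactly the
    same order as the names in the CSR; a CA that takes names from the order
    rather than the CSR would otherwise pick a different CN."""
    return list(acme_order_names) == list(csr_names)


if __name__ == "__main__":
    # Constructed sample: the user typed www first and expects it as the CN.
    requested = ["www.example.com", "example.com", "api.example.com",
                 "www.example.com"]
    print(build_issuance_view(requested))
    # {'common_name': 'www.example.com',
    #  'sans': ['api.example.com', 'example.com', 'www.example.com']}
```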
