Alright, I can confirm having a Subject CN does make a difference for iOS 9.3, and Safari does work with a cert having a Subject Common Name!
Here iOS 9 Safari works with a certificate generated after applying your patch:
With Subject CN: working
And it does not work with another certificate I generated after restoring the original crypto_util.py:
Without Subject CN: not working
Patching certbot that comes from the apt package manager on Debian
I'm on Debian, so the file I patched was /usr/lib/python3/dist-packages/acme, found using find / -name "crypto_util.py". There are two files with this name; go for the one under the acme folder. I had to edit the patch from @Osiris to reflect the different path, basically replaced acme/acme with just acme: add-cn-to-csr-v1.12.0.patch.txt (2.4 KB). Then:
cd /usr/lib/python3/dist-packages/acme
patch -b -p2 < ~/add-cn-to-csr-v1.12.0.patch.txt
I agree, the documentation is misleading and only adds to confusion.
While that's an easy way out, there are still people using iOS 9 who didn't upgrade for some reason. We still have visitors on our site who are on iOS 9 - not a lot, but non-zero. And on the scale of certbot, there could be many more. When Google launched their own CA, they said they specifically support a wide range of all kinds of devices, and by using their CA webmasters can benefit from that. (I can't find the exact link; here's the closest paraphrase I could find.)
Buypass is the only free ACME CA that ticks all three:
- offers more than just a few free certificates per account
- supports UTF8 domain names (IDN), unlike Google CA
- has the root cert valid from 2010 until 2040
The only thing that's missing is the Subject Common Name coming from Certbot. I think if we could pass a flag asking it to include a CN, that would be enough. I admit however, I do not realise the scale of the change required to implement that and have no idea about all possible consequences that may follow. On the other hand,
… simply because Let's Encrypt already does automatically include the CN anyway – just does it on the server side, this means it's generally safe to automatically include the CN?
Lastly, having been released in 2016, I think it's too early to consider iOS 9 that ancient and obsolete.