I may have found a small bug with how LE handles subjectAltNames


#1

I wrote a client based on reading multiple clients instead of docs. Because of that, I made a mistake – but that mistake works on the staging server (I haven’t used the full server yet).

The issue: according to specs shared on this forum, when submitting a CSR for multiple domains, the “subject” should be domains[0] and the “subjectAlternativeNames” should be domains (and that the domain must appear in subjectAlternativeNames).

i.e.:
domains = [example.com, a.example.com, …]
subject = example.com
subjectAlternativeNames = example.com, a.example.com, …

My code was submitting an empty subject ("/"), yet still being signed.

The subject then appears as the serial number. In text view it appears as the serial without the colons:

Serial Number:
        fa:65:0e:03:50:b5:98:e2:37:3f:97:33:62:30:8d:ff:e6:80
Subject: serialNumber=fa650e0350b598e2373f973362308dffe680

Based on my understanding, should the ACME signing authority reject the certificate because it does not have a domain in the subject?


#2

No, using a CommonName in the Subject is actually considered deprecated behaviour, although most certs still include it anyway for various reasons.


#3

Hello @jvanasco,

As @cool110 said, this is not a bug. It’s worth taking a look at this post: Certificates with serialNumber in subject.

Cheers,
sahsanu
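
The two CSR shapes discussed in this thread, as an added example that is not part of any forum post: one with CN=domains[0] plus subjectAltName, one with an empty subject and subjectAltName only. It assumes the third-party Python `cryptography` package; the function names and the sample domains are constructed for illustration.

```python
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def build_csr(domains, key, with_common_name):
    """Build a CSR listing every domain in subjectAltName.

    with_common_name=True  -> subject is CN=domains[0]
    with_common_name=False -> subject is empty ("/"), as in the first post
    """
    attrs = []
    if with_common_name:
        attrs.append(x509.NameAttribute(NameOID.COMMON_NAME, domains[0]))
    san = x509.SubjectAlternativeName([x509.DNSName(d) for d in domains])
    return (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name(attrs))
        .add_extension(san, critical=False)
        .sign(key, hashes.SHA256())
    )


def inspect_csr(der):
    """Parse a DER CSR and return (signature_ok, common_names, san_dns_names)."""
    csr = x509.load_der_x509_csr(der)
    cns = [a.value for a in csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
    try:
        ext = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        sans = ext.value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        sans = []
    return csr.is_signature_valid, cns, sans


def demo():
    domains = ["example.com", "a.example.com"]  # constructed sample names
    key = ec.generate_private_key(ec.SECP256R1())
    results = {}
    for label, with_cn in (("cn+san", True), ("empty-subject", False)):
        der = build_csr(domains, key, with_cn).public_bytes(serialization.Encoding.DER)
        results[label] = inspect_csr(der)
    return results


if __name__ == "__main__":
    for label, (ok, cns, sans) in demo().items():
        print(f"{label}: signature_ok={ok} CN={cns} SAN={sans}")
```

Both requests carry the same DNS names in subjectAltName; only the subject differs.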


#4

Thanks for all this info!

Glad to know what I wrote was actually right!

