I may have found a small bug with how LE handles subjectAltNames

jvanasco · April 3, 2016, 8:04pm

I wrote a client based on reading multiple clients instead of docs. Because of that, I made a mistake – but that mistake works on the staging server (I haven’t used the full server yet).

The issue: according to specs shared on this forum when submitting a CSR for multiple domains, the “subject” should be domains[0] and the “subjectAlternativeNames” should be domains (and that the domain must appear in subjectAlternativeNames)

ie:
domains = [example.com, a.example.com, …]
subject = example.com
subjectAlternativeNames = example.com, a.example.com, …

My code was submitting an empty subject ("/’), yet still being signed.

The subject then appears as the serial number . in text view it appears as the serial without the colons:

Serial Number:
        fa:65:0e:03:50:b5:98:e2:37:3f:97:33:62:30:8d:ff:e6:80
Subject: serialNumber=fa650e0350b598e2373f973362308dffe680

Based on my understanding, should the acme signing authority reject the certificate because it does not have a domain in the subject?

cool110 · April 3, 2016, 9:15pm

No, using a CommonName in the Subject is actually considered deprecated behaviour, although most certs still include it anyway for various reasons.

sahsanu · April 3, 2016, 9:55pm

Hello @jvanasco,

As @cool110 said, this is not a bug. It's worth to take a look to this post Certificates with serialNumber in subject.

Cheers,
sahsanu

jvanasco · April 3, 2016, 10:46pm

Thanks for all this info!

Glad to know what I wrote was actually right!

system · May 3, 2016, 10:46pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.