Mixing HTTP headers Content-Type and Accept

I recently finished development of a Java-based ACME server and found one obvious bug (even in the latest version) and one controversial “feature”.
The bug is located in certbot/acme/acme/client.py at line 497:
content_type = DER_CONTENT_TYPE # TODO: make it a param
The problem is that Content-Type is bound to the request and should be ‘application/jose+json’, not ‘application/pkix-cert’ as defined at line 45 in the same file.
I understand that Boulder may ignore Content-Type, but a correct server implementation should obey the value in this attribute. The Accept header tells what the client accepts as a response, and the server can ignore it (per the ACME spec).
The controversial feature is the decision to drop the CN from the CSR subject. Even though (in theory) everything but the signature is optional in a CSR, and Chrome and other browsers ignore the CN, use of the CN is a security feature in enterprise environments. Since having a CN in the CSR Subject attribute doesn’t harm anything but widens possible acceptance of ACME in enterprises, I really don’t see the problem with having it back, something like:
csr.get_subject().CN = domains[0] (after the line 179 in certbot/acme/acme/crypto_util.py)

Just my five cents :slight_smile:

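As an added example (not code from the thread or from certbot), a minimal server-side check in Python showing why the mix-up matters: RFC 8555 section 6.2 requires application/jose+json as the Content-Type of every ACME POST and a 415 "malformed" rejection otherwise, while Accept only advises the server about the response format. The sample header dicts and the supported-type sets are constructed for illustration.

```python
"""Server-side check of the Content-Type / Accept mix-up from the thread.
RFC 8555 s.6.2 requires Content-Type: application/jose+json on every ACME
POST and a 415 + "malformed" problem otherwise; Accept is only advisory.
The header dicts below are constructed samples, not captured traffic."""
JOSE_JSON = "application/jose+json"
MALFORMED = "urn:ietf:params:acme:error:malformed"

def header(headers, name):
    """Case-insensitive header lookup; '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""

def media_type(value):
    """Bare, lower-cased media type: 'Text/HTML; q=0.9' -> 'text/html'."""
    return (value or "").split(";", 1)[0].strip().lower()

def check_acme_post(headers):
    """Enforce the request media type. Returns (status, problem_or_None)."""
    ctype = media_type(header(headers, "Content-Type"))
    if ctype != JOSE_JSON:
        problem = {"type": MALFORMED,
                   "detail": "Content-Type must be %s, got %r" % (JOSE_JSON, ctype)}
        return 415, problem
    return 200, None

def choose_response_type(headers, supported, default):
    """Pick the response format from Accept; unsupported values are ignored."""
    for offered in header(headers, "Accept").split(","):
        mt = media_type(offered)
        if mt in supported:
            return mt
    return default

# Request as sent by the client code quoted in the post: the DER type meant
# for Accept also ends up in Content-Type, so a strict server rejects it.
BUGGY_POST = {"Content-Type": "application/pkix-cert",
              "Accept": "application/pkix-cert"}
# Same request with the JOSE body type; DER is still requested for the reply.
FIXED_POST = {"Content-Type": "application/jose+json",
              "Accept": "application/pkix-cert"}

if __name__ == "__main__":
    for name, req in (("buggy", BUGGY_POST), ("fixed", FIXED_POST)):
        print(name, check_acme_post(req),
              choose_response_type(req, {"application/pkix-cert"},
                                   "application/pem-certificate-chain"))
```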

Hi @vproot,

I think this feedback would be better as an issue on the Certbot repository: https://github.com/certbot/certbot/issues

It’s more likely to be seen by the developers responsible over there.


Thank you @cpu, I’ll do it.

