SafeBrowsing error should include all failing SANs


The SafeBrowsing check only reports one listed SAN in a multi-SAN request, while it would be more helpful if it would report all of them. For example, on a request for a SAN cert with,, and with 1 and 3 listed on SafeBrowsing, the ACME v2 endpoint reports only one SAN as failing (which one is seemingly random):

 "error": {
  "type": "urn:ietf:params:acme:error:unauthorized",
  "detail": "\"\" was considered an unsafe domain by a third-party API",
  "status": 403
 }


Hi @silverwind

Thanks for the feature request. I agree that the way the V2 API groups identifiers into one order object but only delivers errors about the identifiers singularly during finalization is an unfortunate/frustrating experience. The problem is broader than just Google Safebrowsing; as one concrete example, a similar problem can happen with CAA rechecking.

The solution we would like to implement is to deliver a top-level problem that contains per-identifier failure information as sub-problems. The Boulder issue to follow for this is - You’ll note that it has been bumped out of our sprint a number of times. It’s something we’d love to get to but haven’t had much success scheduling yet. If a community member was interested in working on a PR we would be happy to support the effort.



Good to know that it’s something you’re aware of. I’m working around it now by querying the SafeBrowsing API after such an error is received and re-requesting with unsafe domain names removed, but this requires a Google API Key, which is not trivial to obtain.
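
Added example, not part of the thread and not Boulder's code: a client-side handler for the per-identifier sub-problem format described in the reply above (the `subproblems` array of RFC 8555 section 6.7.1), which drops every rejected name in one pass before re-requesting. The sample response and the example.com names are constructed; `failing_identifiers` and `retry_names` are hypothetical helper names.

```python
import json

# Constructed sample: an ACME problem document shaped per RFC 8555 section 6.7.1.
# The example.com names are placeholders, not values from the thread.
SAMPLE_PROBLEM = json.loads("""
{
  "type": "urn:ietf:params:acme:error:unauthorized",
  "detail": "Some identifiers were rejected",
  "status": 403,
  "subproblems": [
    {"type": "urn:ietf:params:acme:error:unauthorized",
     "detail": "considered an unsafe domain by a third-party API",
     "identifier": {"type": "dns", "value": "a.example.com"}},
    {"type": "urn:ietf:params:acme:error:caa",
     "detail": "CAA record prevents issuance",
     "identifier": {"type": "dns", "value": "c.example.com"}}
  ]
}
""")


def failing_identifiers(problem):
    """Map each failing DNS name to the (error type, detail) pairs reported for it."""
    failures = {}
    for sub in problem.get("subproblems", []):
        ident = sub.get("identifier") or {}
        if ident.get("type") != "dns" or not ident.get("value"):
            continue  # sub-problem not tied to a DNS identifier
        name = ident["value"].lower().rstrip(".")
        failures.setdefault(name, []).append((sub.get("type"), sub.get("detail")))
    return failures


def retry_names(requested, problem):
    """Return (names to re-request, failures). Without sub-problems the failing
    names are unknown, so nothing is dropped and the caller needs another check."""
    failures = failing_identifiers(problem)
    keep = [n for n in requested if n.lower().rstrip(".") not in failures]
    return keep, failures


if __name__ == "__main__":
    keep, failures = retry_names(
        ["a.example.com", "b.example.com", "c.example.com"], SAMPLE_PROBLEM)
    print("re-request:", keep)
    for name, errs in failures.items():
        print("rejected:", name, errs)
```

Because each sub-problem carries its own error type, the same loop covers both the SafeBrowsing and the CAA rechecking case mentioned in the reply, and no third-party API key is needed to learn which names to remove.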

