SafeBrowsing error should include all failing SANs


#1

The SafeBrowsing check only reports one listed SAN in a multi-SAN request, while it would be more helpful if it would report all of them. For example, on a request for a SAN cert with example1.com, example2.com, example3.com and with 1 and 3 listed on SafeBrowsing, the ACME v2 endpoint reports only one SAN as failing (which one is seemingly random):

    "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "\"example1.com\" was considered an unsafe domain by a third-party API",
        "status": 403
    }

#2

Hi @silverwind

Thanks for the feature request. I agree that the way the V2 API groups identifiers into one order object but only delivers errors about the identifiers singularly during finalization is an unfortunate/frustrating experience. The problem is broader than just Google Safebrowsing; as one concrete example, a similar problem can happen with CAA rechecking.

The solution we would like to implement is to deliver a top-level problem that contains per-identifier failure information as sub-problems. The Boulder issue to follow for this is https://github.com/letsencrypt/boulder/issues/3247 - You’ll note that it has been bumped out of our sprint a number of times. It’s something we’d love to get to but haven’t had much success scheduling yet. If a community member was interested in working on a PR we would be happy to support the effort.

Thanks!


#3

Good to know that it’s something you’re aware of. I’m working around it now by querying the SafeBrowsing API after such an error is received and re-requesting with the unsafe domain names removed, but this requires a Google API Key, which is not trivial to obtain.
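Added example, not code from the thread or from Boulder: a client-side helper that pulls every failing identifier out of an ACME problem document. It handles the per-identifier "subproblems" array that RFC 8555 section 6.7.1 defines (the shape the Boulder issue above asks for) and falls back to the single quoted name in "detail" for the error shown in #1, which is why the workaround in #3 needs one round-trip per unsafe name. Both problem documents are constructed samples.

```python
import re

# Constructed sample: a problem document with RFC 8555 6.7.1 "subproblems",
# one entry per identifier the CA rejected (assumed future Boulder output).
PROBLEM_WITH_SUBPROBLEMS = {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "Some identifiers were considered unsafe by a third-party API",
    "status": 403,
    "subproblems": [
        {"type": "urn:ietf:params:acme:error:unauthorized",
         "detail": '"example1.com" was considered an unsafe domain by a third-party API',
         "identifier": {"type": "dns", "value": "example1.com"}},
        {"type": "urn:ietf:params:acme:error:unauthorized",
         "detail": '"example3.com" was considered an unsafe domain by a third-party API',
         "identifier": {"type": "dns", "value": "example3.com"}},
    ],
}

# Constructed sample: the single-identifier error the thread complains about.
PROBLEM_SINGLE = {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": '"example1.com" was considered an unsafe domain by a third-party API',
    "status": 403,
}

# Fallback parser for the current message format; only one name is ever present.
QUOTED_NAME = re.compile(r'"([^"]+)" was considered an unsafe domain')


def failing_identifiers(problem):
    """Return the set of DNS names the problem document blames."""
    subproblems = problem.get("subproblems") or []
    names = {
        sub["identifier"]["value"]
        for sub in subproblems
        if sub.get("identifier", {}).get("type") == "dns"
    }
    if names:
        return names
    match = QUOTED_NAME.search(problem.get("detail", ""))
    return {match.group(1)} if match else set()


def remaining_identifiers(requested, problem):
    """Names to keep for a retry, in request order, after dropping blamed ones.

    Refuses to act on an error that names an identifier outside the order,
    since that would mean the response does not belong to this request.
    """
    bad = failing_identifiers(problem)
    unknown = bad - set(requested)
    if unknown:
        raise ValueError(f"error names identifiers not in the order: {sorted(unknown)}")
    return [name for name in requested if name not in bad]
```

With subproblems one retry reaches the issuable set; with the single-name error the client only learns about example1.com and must guess or query SafeBrowsing itself for the rest.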


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.