SAN sort order?

Hello,

Does LE honor the order of domains given in an order’s CSR, or does it apply its own sort order? (Or is this aspect of its policy undefined?)

The current behavior appears to be a server-defined sort (e.g., I’m seeing *.example.com sorted before example.com, regardless of the order of the CSR’s SAN), but I’m curious if this is a reliable behavior.

Thank you!

2 Likes

One of the CSR normalizations that Boulder does is to lowercase, deduplicate and sort (in increasing order) the SANs.

I’d say that the behavior is not reliable, because afaik it is not required by ACME or BRs or anything like that. But in practice, I think that aspect has not changed since day 1.

2 Likes
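To make the normalization described above concrete, here is an added example (my own illustration, not Boulder's code or the poster's); the function names are assumptions, the key is a throwaway and the input names are constructed. It shows that a CSR built with Go's `crypto/x509` keeps the SANs in the order given, while the server-side normalization produces a different, order-independent list.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"sort"
	"strings"
)

// normalizeSANs reproduces the normalization described above (lowercase,
// deduplicate, sort ascending); an illustrative re-implementation, not Boulder's code.
func normalizeSANs(names []string) []string {
	seen, out := map[string]bool{}, []string{}
	for _, n := range names {
		n = strings.ToLower(n)
		if !seen[n] {
			seen[n] = true
			out = append(out, n)
		}
	}
	sort.Strings(out)
	return out
}

// csrDNSNames builds a CSR carrying the given DNS SANs in the given order (throwaway
// Ed25519 key) and returns the SANs parsed back from its DER encoding.
func csrDNSNames(names []string) ([]string, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{DNSNames: names}, key)
	if err != nil {
		return nil, err
	}
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	return csr.DNSNames, nil
}

func main() {
	req := []string{"Example.com", "*.example.com", "example.com"} // constructed input
	got, _ := csrDNSNames(req)
	fmt.Println(got, normalizeSANs(got)) // CSR keeps the order given; normalized: [*.example.com example.com]
}
```

Since only the normalized form is what the CA works with, a client comparing an issued certificate's SANs against what it requested should pass both lists through `normalizeSANs` and compare the results, rather than comparing positionally.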

Interesting … Boulder deduplicates? I thought it rejected dupes.

It will reject duplicates in the API itself, but you can submit a CSR at finalization time that contains duplicate SANs, and it won’t complain - it will just normalize them.

I did so in this post, but since the CAA re-checking bug and subsequent fixes, things might have changed.

1 Like

Even when creating the order object, Boulder accepts the same identifier multiple times.