SSL for very-long named domain


#1

Hello!
I want to order windcard SSL for my friend. His domain name is:
lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll.xyz
This is real, registered domain.
So, I tried out command:
/acme.sh/acme.sh --issue --force -d ‘*.lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll.xyz’ -d ‘lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll.xyz’  --dns --yes-I-know-dns-manual-mode-
enough-go-ahead-please --debug
But it failed:

[Срд Фев 20 15:37:59 MSK 2019] _createcsr
[Срд Фев 20 15:37:59 MSK 2019] Multi domain=‘DNS:*.lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll.xyz,DNS:lll
llllllllllllllllllllllllllllllllllllllllllllllllllllllllllll.xyz’
problems making Certificate Request
140344761886536:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:a_mbstr.c:154:maxsize=64
[Срд Фев 20 15:37:59 MSK 2019] Create CSR error.


#2

Is that name the only one of the certificate?

The common name of a certificate is limited to 63 char. To create a certificate for a domain longer than that, you need to create a certificate with at lieast two SAN names where the common name (usually the first SAN name) is less than 63 char.

In your case, it should looks like:

/acme.sh/acme.sh --issue --force -d small-other-domain-you-control.example.com -d ‘*.lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll.xyz’ -d ‘lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll.xyz’  --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please --debug

#3

For what it’s worth, the CA Buypass will issue certificates without a Common Name field. Then you wouldn’t have to use a second domain.

Some TLS clients may not accept such certificates, though.

I’m not certain if acme.sh will easily request a certificate without a Common Name. I think yes but I’m not sure.

On the other hand, Buypass’s production environment does not offer wildcard certificates yet. (They don’t allow you to use two domains, either! At least on their free certificates.)

For that matter, I’m uncertain Buypass actually allows super long domains. They could have a policy restriction.

https://www.buypass.com/ssl/products/acme

https://www.buypass.com/ssl/resources/acme-free-ssl

Edit: The thread tdelmas linked to is really good, especially jsha’s post laying out the situation, in general and from Let’s Encrypt’s perspective.


closed #4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.