Suggestion for: On-Demand Issuance Caused by Internet Scanning

hello all!

As announced in Blocking Some On-Demand Issuance Caused by Internet Scanning by @mcpherrinm, I think there might be a common scenario causing problems with the usual certification.

Example:

  • a domain for some third party, domain.foo, shall have a certificate
  • domain.foo is not configured properly in DNS; examples of this are: domain.foo is not theirs but the subdomains are; domain.foo is indeed another site; people just see www.domain.foo as a valid address and not domain.foo (way more common)
  • now certification happens for domain.foo and www.domain.foo, with the option to ignore certification when DNS is invalid

The usual procedure is that a new certificate is issued for domain.foo and www.domain.foo.
Should a third party use www.domain.foo as the domain, i.e. www. is the domain to issue a certificate for, then this now returns an error, as www. is prepended, which results in www.www.domain.foo.

With www.domain.foo being the only domain known to us and www. being added automatically, the certification fails.

Besides manually renaming the domain from www.domain.foo to domain.foo, one may consider the option to handle www.www. prefixes as valid requests, as this IMHO should not run into the recently introduced change.

Also, I may add that many providers add www. to any domain one submits for certification. This usually leads to exactly the same example with www.www. when a customer names www.domain.foo as their domain.
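As an added example (not code from this thread, from any provider, or from any CA), here is the name-handling step where the www.www. problem arises: the naive routine prepends "www." unconditionally, as the post describes; the corrected one derives the apex and www names from whatever the customer typed, so the same input never yields a stacked prefix. All hostnames are constructed.

```python
"""Build the SAN list an ACME order would be placed for, from a customer-supplied name.

Constructed example for illustration; not code from the thread or from Let's Encrypt.
"""


def naive_san_list(name: str) -> list[str]:
    """The behaviour the post describes: always prepend 'www.' to the name given."""
    return [name, "www." + name]


def san_list(name: str, add_www: bool = True) -> list[str]:
    """Return the names to request, never stacking 'www.' twice.

    Normalises case and a trailing dot, rejects empty labels, and treats a
    leading 'www' label as the www name of the apex that follows it.
    With add_www=False only the name as typed is returned, which is the safe
    choice when the customer may not control the apex at all.
    """
    host = name.strip().rstrip(".").lower()
    labels = host.split(".")
    if len(labels) < 2 or any(not label for label in labels):
        raise ValueError(f"not a valid hostname: {name!r}")
    if not add_www:
        return [host]
    if labels[0] == "www":
        apex = ".".join(labels[1:])  # customer typed the www name; apex is the rest
        www = host
    else:
        apex = host
        www = "www." + host
    return [apex, www]
```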

No free ACME-capable CA I'm aware of does this. It might even be considered a violation of the BRs to do so. If you request example.com, you get only example.com, not example.com + www.example.com.
