Comments (3)
Hi @Coleman0701. I agree that this section is a bit difficult to mentally parse partially because it assumes some additional knowledge about the potential contents of CSRs and the nature of ACME being a protocol that will likely be expanded upon in the future. It's also trying to account for the legacy nature of the CN field in CSRs.
How I interpret this is also based on how it seems to be implemented in the well known public ACME servers.
- The newOrder endpoint is sent a set of 1 or more "identifiers". Currently in the vast majority of cases, these are DNS names. However, there are also ACME extensions that allow for IP addresses and it's likely there will be future extensions that support additional types of identifiers.
- For DNS identifiers specifically, that same set of identifiers must exist in the CSR that is sent during finalization and those identifiers can reside in a CN field, SAN field, or both. (I could be wrong, but I don't think CSRs actually support having more than one CN in the Subject).
- (Implied by the MUST wording) Any identifiers found in the CSR that were not contained in the set from newOrder should be considered an error and rejected.
Where this gets hazy (as your examples show) is how the ACME server interprets what qualifies as an identifier or not in the CN field.
- Example 1 has a `google.org` CN that was not sent with newOrder, which seems like an error.
- Example 2 has a `Ryan Bolger` CN that could not be confused with a DNS FQDN and could probably be ignored.
- Example 3 has multiple CN values, but I'm not sure this is actually possible to create. Even if it is, the `Google` single-word CN could still potentially be interpreted as an FQDN (think of TLDs like com, net, and org), in which case it would be an error.
- Example 4 would definitely get rejected because the explicit DNS SAN `google.test.com` was not included with the newOrder identifiers.

I'd be curious how Boulder or Pebble (Let's Encrypt's ACME server implementations) actually respond to these examples.
from posh-acme.
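The identifier-set rule described in the comment above, as an added example that is not part of the original thread or of Posh-ACME: a Go program (Go because Boulder and Pebble are written in it, and its standard library can both build and parse CSRs with no extra dependencies) that reproduces the four example CSRs as constructed inputs and checks each against a constructed newOrder identifier set of `www.google.com`. The names used, the choice of `www.google.com` as the order identifier, and the syntax heuristic deciding which CN values count as DNS identifiers are all assumptions made for the demo; how a real ACME server makes that last decision is exactly the hazy point the comment raises.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"sort"
	"strings"
)

// oidCommonName is X.520 id-at-commonName (2.5.4.3), the Subject CN attribute.
var oidCommonName = asn1.ObjectIdentifier{2, 5, 4, 3}
// CSRCheck records how a finalization CSR compares with the order's identifiers.
type CSRCheck struct {
	Missing []string // order identifiers the CSR does not request
	Extra   []string // DNS identifiers in the CSR that the order never authorised
	Ignored []string // CN values that cannot be a DNS name and are skipped
}

func (c CSRCheck) OK() bool { return len(c.Missing) == 0 && len(c.Extra) == 0 }
// looksLikeDNSName is an assumed, conservative LDH-label check (optional leading "*."):
// "Ryan Bolger" fails it, while a bare label such as "Google" passes.
func looksLikeDNSName(s string) bool {
	notLDH := func(r rune) bool { return !(r >= 'a' && r <= 'z' || r >= 'A' && r <= 'Z' || r >= '0' && r <= '9' || r == '-') }
	for _, l := range strings.Split(strings.TrimPrefix(s, "*."), ".") {
		if l == "" || len(l) > 63 || l[0] == '-' || l[len(l)-1] == '-' || strings.IndexFunc(l, notLDH) >= 0 {
			return false
		}
	}
	return len(s) <= 253
}
func setMinus(a, b map[string]bool) (out []string) {
	for k := range a {
		if !b[k] {
			out = append(out, k)
		}
	}
	sort.Strings(out)
	return out
}
// CheckCSRIdentifiers applies the rule from the comment: every order identifier must appear
// in the CSR (SAN dNSName or DNS-shaped CN) and the CSR must not name any DNS identifier the
// order did not contain. Names are compared case-insensitively.
func CheckCSRIdentifiers(csr *x509.CertificateRequest, orderDNS []string) CSRCheck {
	var res CSRCheck
	inOrder, inCSR := map[string]bool{}, map[string]bool{}
	for _, d := range orderDNS {
		inOrder[strings.ToLower(d)] = true
	}
	for _, d := range csr.DNSNames {
		inCSR[strings.ToLower(d)] = true
	}
	// Walk every Subject attribute: csr.Subject.CommonName keeps only the last CN.
	for _, atv := range csr.Subject.Names {
		if cn, ok := atv.Value.(string); ok && atv.Type.Equal(oidCommonName) {
			if looksLikeDNSName(cn) {
				inCSR[strings.ToLower(cn)] = true
			} else {
				res.Ignored = append(res.Ignored, cn)
			}
		}
	}
	res.Missing, res.Extra = setMinus(inOrder, inCSR), setMinus(inCSR, inOrder)
	return res
}
// buildCSR makes a throwaway CSR; each cns entry becomes its own CN attribute in the Subject.
func buildCSR(cns, sans []string) (*x509.CertificateRequest, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	var subj pkix.Name
	for _, cn := range cns {
		subj.ExtraNames = append(subj.ExtraNames, pkix.AttributeTypeAndValue{Type: oidCommonName, Value: cn})
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: subj, DNSNames: sans}, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

func main() {
	order := []string{"www.google.com"} // constructed: the identifiers sent to newOrder
	for _, c := range []struct{ cns, sans []string }{
		{[]string{"google.org"}, order},                        // example 1: CN the order lacks
		{[]string{"Ryan Bolger"}, order},                       // example 2: CN is not an FQDN
		{[]string{"Google", "www.google.com"}, order},          // example 3: two CN attributes
		{order, []string{"www.google.com", "google.test.com"}}, // example 4: unauthorised SAN
	} {
		csr, err := buildCSR(c.cns, c.sans)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%+v\n", CheckCSRIdentifiers(csr, order))
	}
}
```

Two things worth noticing when running it: example 3 shows that a Subject with two CN attributes is perfectly representable in X.501 (a Name is a sequence of RDNs, and nothing forbids repeating the attribute type), so a checker has to look at every CN, not just the one most libraries surface as "the" common name; and the whole decision for example 2 rests on the `looksLikeDNSName` heuristic, which is the part a real CA policy has to pin down.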
If you'd like more opinions from knowledgeable folks, I'd bring up the topic on the LE Community Forums.
You could also debate that the CSR is largely included "because it should be" as a throwback to the conventional way of ordering certificates. As most of it is discarded by ACME CAs (for domain-validated certs), it could have been omitted from the ACME process altogether. I believe the reason things are ignored/discarded is because the process itself cannot validate them (but they could have been validated prior using some offline process and linked to ACME via EAB). As far as I'm aware, CN has long been deprecated for domain-validated certs and only the SAN list is considered authoritative.