Comments (3)
Hi @Coleman0701. I agree that this section is a bit difficult to mentally parse partially because it assumes some additional knowledge about the potential contents of CSRs and the nature of ACME being a protocol that will likely be expanded upon in the future. It's also trying to account for the legacy nature of the CN field in CSRs.
How I interpret this is also based on how it seems to be implemented in the well known public ACME servers.
The newOrder endpoint is sent a set of 1 or more "identifiers". Currently, in the vast majority of cases, these are DNS names. However, there are also ACME extensions that allow for IP addresses, and it's likely there will be future extensions that support additional types of identifiers.

For DNS identifiers specifically, that same set of identifiers must exist in the CSR that is sent during finalization, and those identifiers can reside in a CN field, SAN field, or both. (I could be wrong, but I don't think CSRs actually support having more than one CN in the Subject.)

(Implied by the MUST wording) Any identifiers found in the CSR that were not contained in the set from newOrder should be considered an error and rejected.

Where this gets hazy (as your examples show) is how the ACME server interprets what qualifies as an identifier or not in the CN field.

- Example 1 has a `google.org` CN that was not sent with newOrder, which seems like an error.
- Example 2 has a `Ryan Bolger` CN that could not be confused with a DNS FQDN and could probably be ignored.
- Example 3 has multiple CN values, but I'm not sure this is actually possible to create. Even if it is, the `Google` single-word CN could still potentially be interpreted as an FQDN (think of TLDs like com, net, and org), in which case it would be an error.
- Example 4 would definitely get rejected because the explicit DNS SAN `google.test.com` was not included with the newOrder identifiers.
I'd be curious how Boulder or Pebble (Let's Encrypt's ACME server implementations) actually respond to these examples.
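One way to implement the finalize-time check the comment above describes, as an added example that is not Posh-ACME's code and not how any particular ACME server (Boulder, Pebble or otherwise) is known to behave: a Python sketch that takes the newOrder identifiers and the CN/SAN contents of a CSR, treats SAN entries as authoritative, counts a CN only when it is syntactically a DNS name, and rejects both extra and missing identifiers. The CSR is modelled as plain lists rather than a parsed PKCS#10 so it runs with the standard library only; the order identifiers `google.com` / `www.google.com` and the four CSRs are constructed here to exercise the cases listed above.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Hostname syntax: labels of letters, digits and hyphens joined by dots, with an
# optional leading "*." for wildcards. A single label such as "google" matches
# too, which is exactly why a bare-word CN is ambiguous (com, net and org are
# valid DNS names on their own).
_DNS_RE = re.compile(
    r"^(\*\.)?"
    r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$"
)


@dataclass
class Csr:
    """Constructed stand-in for the fields a server extracts from a PKCS#10 CSR."""
    common_names: list = field(default_factory=list)  # every CN in the Subject
    san_dns: list = field(default_factory=list)       # dNSName SAN entries
    san_ip: list = field(default_factory=list)        # iPAddress SAN entries


def looks_like_dns_name(value):
    """True if the string is syntactically a DNS name (after trimming/lowercasing)."""
    return bool(_DNS_RE.match(value.strip().lower()))


def normalize(ident_type, value):
    """Canonical form so that case and IP text variants compare equal."""
    if ident_type == "ip":
        return ("ip", str(ipaddress.ip_address(value)))
    return ("dns", value.strip().lower())


def csr_identifiers(csr):
    """Set of ('dns'|'ip', value) identifiers the CSR is asking for.

    SAN entries are authoritative. A CN is counted only when it parses as a DNS
    name; a CN like 'Ryan Bolger' is ignored rather than treated as an error.
    """
    ids = {normalize("dns", n) for n in csr.san_dns}
    ids |= {normalize("ip", a) for a in csr.san_ip}
    ids |= {normalize("dns", cn) for cn in csr.common_names if looks_like_dns_name(cn)}
    return ids


def check_finalize(order_identifiers, csr):
    """Finalize-time check: the CSR must name exactly the newOrder identifiers.

    Returns (accepted, reason). Extra identifiers are rejected because the order
    never authorized them; missing ones are rejected because the CSR would then
    request a different certificate than the one that was ordered.
    """
    wanted = {normalize(t, v) for t, v in order_identifiers}
    found = csr_identifiers(csr)
    extra = found - wanted
    missing = wanted - found
    if extra:
        return False, "CSR contains identifiers not in the order: " + ", ".join(
            sorted(f"{t}:{v}" for t, v in extra))
    if missing:
        return False, "CSR is missing identifiers from the order: " + ", ".join(
            sorted(f"{t}:{v}" for t, v in missing))
    return True, "identifiers match the order"


# Constructed order: newOrder asked for two DNS identifiers.
ORDER = [("dns", "google.com"), ("dns", "www.google.com")]

# Constructed CSRs mirroring the four cases from the discussion.
EXAMPLES = {
    "example1": Csr(common_names=["google.org"],
                    san_dns=["google.com", "www.google.com"]),
    "example2": Csr(common_names=["Ryan Bolger"],
                    san_dns=["google.com", "www.google.com"]),
    "example3": Csr(common_names=["google.com", "Google"],
                    san_dns=["google.com", "www.google.com"]),
    "example4": Csr(common_names=["google.com"],
                    san_dns=["google.com", "www.google.com", "google.test.com"]),
}


def run_examples():
    """Evaluate every constructed CSR against ORDER; returns name -> (accepted, reason)."""
    return {name: check_finalize(ORDER, csr) for name, csr in EXAMPLES.items()}


if __name__ == "__main__":
    for name, (accepted, reason) in run_examples().items():
        print(f"{name}: {'accept' if accepted else 'reject'} ({reason})")
```

With these inputs, example 2 is the only one accepted; examples 1 and 3 fail on the CN (`google.org` and the bare `google` both parse as DNS names and are not in the order), and example 4 fails on the extra SAN. Whether a non-DNS CN is silently ignored or rejected outright is a policy choice the sketch makes explicitly in `csr_identifiers`; a stricter server could refuse any CN it cannot map to an identifier.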
If you'd like more opinions from knowledgeable folks, I'd bring up the topic on the LE Community Forums.
You could also debate that the CSR is largely included "because it should be" as a throwback to the conventional way of ordering certificates. As most of it is discarded by ACME CAs (for domain validated certs) it could have been omitted from the ACME process altogether. I believe the reason things are ignored/discarded is because the process itself cannot validate them (but they could have been validated prior using some offline process and linked to ACME via EAB). As far as I'm aware CN has long been deprecated for domain validated certs and only the SAN list is considered authoritative.