x/crypto/acme/autocert: NewOrder request did not include a SAN short enough to fit in CN #53194
Labels
NeedsInvestigation
Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone
Comments
|
Here's a simple workaround I've implemented: https://github.com/golang/crypto/compare/master...anacrolix:shortsan?expand=1. |
seankhliao
added
the
NeedsInvestigation
|
cc @bradfitz @golang/security |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Using
golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e,autocert.Managerrequesting a domain with a length of 68 (including 5.if that's relevant) gives an error that I think originates from Let's encrypt:400 urn:ietf:params:acme:error:rejectedIdentifier: NewOrder request did not include a SAN short enough to fit in CN.It might be possible to work around by allowing a shorter domain name to be provided, or somehow providing an alternate value to Let's Encrypt for the CN. I found https://community.letsencrypt.org/t/a-certificate-for-a-63-character-domain/78870 and letsencrypt/boulder#2093 that discuss this.
I experimented with passing in a shorter domain name that was also pointing to the same server, but the autocert code appears set on handling a single domain at a time and I wasn't able to change the final error.
The text was updated successfully, but these errors were encountered: