Closed mcpherrinm closed 5 months ago
(ignore this, I've misread the issue)
A domain name is a list of labels. While each label is limited to 63 characters, a domain name can be longer.
The limitation on CN length is from RFC5280, appendix A.1: ub-common-name INTEGER ::= 64
Yep, that's where I had my mental disconnect. Thanks for pointing that out!
Welcome
What did you expect to see?
Lego creates CSRs by taking the first domain flag passed in and using it as the Common Name.
If that is longer than 64 bytes, Let's Encrypt (and potentially other CAs) reject the CSR as it is invalid.
If one of your names is shorter, you could ensure it is passed in first. But if all your names are too long, it always fails.
As a bigger ecosystem thing, the common name is going to start going away in more contexts, and it's likely that at some point in the future Let's Encrypt will start issuing certificates with no CN in the certificate if the CSR doesn't have one, or possibly even dropping CN support totally. There's no timeline for this, but I mention it as a direction this is likely to go in.
As a result, I would suggest the following changes:
The CN flag might not be required, so it's worth considering just omitting that.
What did you see instead?
How do you use lego?
Binary
Reproduction steps
works:
doesn't work:
Version of lego
Logs
Go environment (if applicable)
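Added example of the change suggested above, written in Go with only the standard library; it is not lego's own code. The CN is set to the first requested name that fits the 64-byte ub-common-name bound and omitted entirely when none fits, so every name is carried in the SAN extension. It goes one step beyond the issue by picking a shorter name automatically instead of requiring it to be passed first; chooseCommonName, buildCSR and the constructed domain names are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"strings"
)

// ubCommonName is the bound from RFC 5280, Appendix A.1
// (ub-common-name INTEGER ::= 64), checked in bytes as the issue describes.
const ubCommonName = 64

// chooseCommonName returns the first requested name within the bound, or ""
// when none fits, so the CSR carries the names only in the SAN extension.
func chooseCommonName(domains []string) string {
	for _, d := range domains {
		if len(d) <= ubCommonName {
			return d
		}
	}
	return ""
}

// buildCSR returns a DER-encoded CSR listing every domain as a SAN; the CN is
// set only when some requested name fits ubCommonName. Caller passes >= 1 name.
func buildCSR(domains []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: chooseCommonName(domains)},
		DNSNames: domains,
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

func main() {
	// Constructed input: one name longer than 64 bytes, the always-failing case.
	der, err := buildCSR([]string{strings.Repeat("a", 60) + ".example.test"})
	if err != nil {
		panic(err)
	}
	csr, _ := x509.ParseCertificateRequest(der)
	fmt.Printf("CN=%q SANs=%v\n", csr.Subject.CommonName, csr.DNSNames)
}
```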