Closed gbit-is closed 6 months ago
Thank you for raising a PR. Although I merged it, I will do some refactoring to avoid code duplication across the different handlers.
Reviewing the code, I came across the following issue and would be interested in your feedback on how a2c should behave in such a situation:
Currently the handler reads the allowed_domainlist parameter and expects a list of allowed domains/regex. In case the parameter is something other than a list, parsing fails and the allowed_domainlist parameter will be left empty, which would disable the domain list check completely. That means that any FQDN can be sent as part of a CSR and would pass the handler, which might not be in your interest.
I am wondering if this is the right behavior or if we should rather change the implementation in a way that the domain_check always fails.
Any thoughts?
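The fail-open behaviour described above, side by side with a fail-closed alternative, as an added Python example that is not acme2certifier's own code; the JSON-list config format, the regex-by-`^`-prefix convention and all sample values are assumptions of this example:

```python
import json
import re

# Constructed samples; the JSON-list config format is an assumption of this example.
CFG_OK = r'["example.com", "*.lab.example.net", "^srv[0-9]+\\.example\\.org$"]'
CFG_WRONG_TYPE = '"example.com"'   # a bare string where a list is expected

def parse_fail_open(raw):
    # Behaviour described in the thread: parse trouble yields [], which later disables the check.
    try:
        value = json.loads(raw) if raw else []
    except ValueError:
        return []
    return value if isinstance(value, list) else []

def parse_fail_closed(raw):
    # Hardened variant: None means "not configured"; anything else must be a JSON list of strings.
    if raw is None:
        return None
    value = json.loads(raw)  # ValueError propagates on broken JSON
    if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
        raise ValueError("allowed_domainlist must be a JSON list of strings")
    return value

def fqdn_allowed(fqdn, patterns):
    # Entry forms in this example: exact name, "*.suffix" wildcard, or a regex starting with "^".
    fqdn = fqdn.lower().rstrip(".")
    for pat in patterns:
        if pat.startswith("^") and re.fullmatch(pat, fqdn):
            return True
        if pat.startswith("*.") and fqdn.endswith(pat[1:].lower()):
            return True
        if fqdn == pat.lower():
            return True
    return False

def csr_allowed(sans, raw_cfg, fail_closed):
    # Every SAN must match; the branches differ only in how a malformed list is treated.
    if fail_closed:
        try:
            patterns = parse_fail_closed(raw_cfg)
        except ValueError:
            return False   # unusable list: reject the CSR
        if patterns is None:
            return True    # list deliberately not configured
    else:
        patterns = parse_fail_open(raw_cfg)
        if not patterns:
            return True    # empty list silently disables the check
    return all(fqdn_allowed(name, patterns) for name in sans)
```

With the wrongly typed value, the fail-open branch accepts any SAN while the fail-closed branch rejects every CSR until the configuration is repaired.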
I added the allowed_domainlist functionality from acme_ca_handler.py to mscert_srv.py to add the option to restrict to allowed domains for Microsoft cert server usage.
https://github.com/grindsa/acme2certifier/issues/160