Closed kwkwan closed 6 years ago
Thanks @kwkwan.
Perhaps @clintwilson could confirm if this is an API problem? Thanks!
@ronaldtse: Any update on this one?
ping @ronaldtse
Apologies for missing this one! The issue (or feature! ;) here is that the EV SSL (and Standard SSL and Wildcard) products have a "plus" feature (hence the old name still in the API product_name_id). The Plus feature will automatically add a second dNSName value to any of the above products when the first provided dNSName value is either 1) a base domain (e.g. example.com) or 2) the "www" subdomain of a base domain (e.g. www.example.com). The dNSName that's added will be whichever of the above two isn't the first provided name (e.g. if www.example.com is provided, we add example.com; if example.com is provided, we add www.example.com). The product itself is configured to only allow a single name to be provided; if both of the dNSName values are submitted, the system interprets that as trying to order a cert with multiple SANs and rejects it. This behavior is a little more intuitive in the UI, but where the API accepts/expects an array, it's a bit misleading. This is further complicated by the fact that the other two "plus" products don't have this issue. Wildcard certs do accept multiple SANs on Duplicates, as long as the SANs are subdomains of the wildcard name, and Standard SSL doesn't allow Duplicates; so this behavior is only encountered with the EV SSL product.
I don't have a way to turn off the "plus" feature, unfortunately. A potential, though non-ideal fix, would be to implement the logic noted above, i.e. if the product being duplicated is EV SSL, only use the first value in the dns_names array when creating the Duplicate.
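The per-product rules described in the comment above, written out as an added Ruby example; it is not part of the thread and not the gem's or DigiCert's code. The product symbols, method names, the two-label definition of a base domain and the refusal to silently drop an unrelated name are all assumptions made for illustration.

```ruby
# Added illustration: product symbols and method names are hypothetical,
# not identifiers from the DigiCert API or from the gem.

# Name the "plus" feature adds for a base domain or its "www" subdomain;
# nil otherwise. Assumption: a base domain is a two-label name (real
# registrable-domain detection needs the Public Suffix List).
def plus_counterpart(name)
  labels = name.downcase.split(".")
  return labels.drop(1).join(".") if labels.length == 3 && labels.first == "www"
  return "www.#{name.downcase}" if labels.length == 2
  nil
end

# dns_names to submit when requesting a Duplicate of an existing order.
def duplicate_dns_names(product, dns_names)
  names = dns_names.map(&:downcase).uniq
  raise ArgumentError, "dns_names is empty" if names.empty?

  case product
  when :ev_ssl
    # Submit one name only; the API adds the counterpart itself. Added
    # safeguard (assumption): refuse to drop a name that will not come back.
    lost = names.drop(1) - [plus_counterpart(names.first)]
    raise ArgumentError, "would drop SANs: #{lost.join(', ')}" unless lost.empty?
    names.first(1)
  when :wildcard
    # Multiple SANs are accepted if they are subdomains of the wildcard name.
    wildcard = names.find { |n| n.start_with?("*.") }
    raise ArgumentError, "no wildcard name given" unless wildcard
    suffix = wildcard.delete_prefix("*") # "*.example.com" -> ".example.com"
    bad = names.reject { |n| n == wildcard || n.end_with?(suffix) }
    raise ArgumentError, "not under #{wildcard}: #{bad.join(', ')}" unless bad.empty?
    names
  when :standard_ssl
    raise ArgumentError, "Standard SSL does not allow Duplicates"
  else
    raise ArgumentError, "unknown product #{product.inspect}"
  end
end

# SANs expected on the issued certificate for the submitted names.
def expected_sans(submitted)
  (submitted + [plus_counterpart(submitted.first)]).compact.uniq
end
```

Comparing `expected_sans` of the submitted list against the SANs on the returned certificate shows whether the duplicate still covers every name the original order did.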
Thank you @clintwilson for the detailed explanation (and @abunashir's ping)!
I agree that the most appropriate fix is to implement this "exception" logic in this gem. @abunashir could you help implement this check? Thanks!
Thanks a lot, @clintwilson, @ronaldtse: I just created a PR to resolve this issue, could you please have a look and let me know if there is anything else we should consider?
cc: @kwkwan
@kwkwan could you help verify? Thanks!
@ronaldtse It has been verified in #145.
Thanks @kwkwan!
This fails with error:
But if we only use the first hostname in dns_names, it works:
I believe the problem is an EV SSL certificate should not have two dns_names when returned:
@ronaldtse @abunashir can you confirm this is a Digicert API issue?