riboseinc / digicert

Ruby bindings for the Digicert Services API
https://www.digicert.com/services/v2/documentation
MIT License

OrderDuplicator fails on default request due to API issue #135

Closed kwkwan closed 6 years ago

kwkwan commented 6 years ago
# This order has product_name_id: "ssl_ev_plus"
order = Digicert::Order.find(order_id)
order.dns_names # => ["www.myhost.com", "myhost.com"] # <=== this is the problem
duplicate_request = order.duplicate

This fails with error:

Digicert::Errors::RequestError: A request to Digicert API failed:
[{"code":"invalid_dns_name_on_duplicate","message":"Invalid DNS name on duplicate request. The DNS names must match what was on the original order."}]

But if we only use the first hostname in dns_names, it works:

duplicate_request = order.duplicate(
  dns_names: ["www.myhost.com"]
)

I believe the problem is an EV SSL certificate should not have two dns_names when returned:

order.dns_names # => ["www.myhost.com", "myhost.com"] # <=== this is the problem

@ronaldtse @abunashir can you confirm this is a Digicert API issue?

ronaldtse commented 6 years ago

Thanks @kwkwan .

Perhaps @clintwilson could confirm if this is an API problem? Thanks!

abunashir commented 6 years ago

@ronaldtse: Any update on this one?

abunashir commented 6 years ago

ping @ronaldtse

clintwilson commented 6 years ago

Apologies for missing this one! The issue (or feature! ;) here is that the EV SSL (and Standard SSL and Wildcard) products have a "plus" feature (hence the old name still in the API product_name_id). The Plus feature will automatically add a second dNSName value to any of the above products when the first provided dNSName value is either 1) a base domain (e.g. example.com) or 2) the "www" subdomain of a base domain (e.g. www.example.com). The dNSName that's added will be whichever of the above two isn't the first provided name (e.g. if www.example.com is provided, we add example.com; if example.com is provided, we add www.example.com). The product itself is configured to only allow a single name to be provided; if both of the dNSName values are submitted, the system interprets that as trying to order a cert with multiple SANs and rejects it. This behavior is a little more intuitive in the UI, but where the API accepts/expects an array, it's a bit misleading. This is further complicated by the fact that the other two "plus" products don't have this issue. Wildcard certs do accept multiple SANs on Duplicates, as long as the SANs are subdomains of the wildcard name, and Standard SSL doesn't allow Duplicates; so this is only behavior encountered with the EV SSL product.

I don't have a way to turn off the "plus" feature, unfortunately. A potential, though non-ideal fix, would be to implement the logic noted above, i.e. if the product being duplicated is EV SSL, only use the first value in the dns_names array when creating the Duplicate.

ronaldtse commented 6 years ago

Thank you @clintwilson for the detailed explanation (and @abunashir's ping)!

I agree that the most appropriate fix is to implement this "exception" logic in this gem. @abunashir could you help implement this check? Thanks!

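The "plus" behaviour clintwilson describes, and the client-side exception ronaldtse agrees to implement, as an added example in Ruby. This is not the gem's code or the PR that closed the issue; it models the behaviour described in the thread only. Assumptions: a "base domain" is treated as exactly two labels (no public-suffix list), the only product_name_id checked is "ssl_ev_plus" as quoted in the report, and simulate_duplicate_check is a hypothetical stand-in for the server-side validation, not the real DigiCert API.

```ruby
# Added example, not part of the riboseinc/digicert gem.
# Models the EV "plus" auto-added dNSName and the fix of sending only the
# first dns_names entry when duplicating an EV SSL order.

EV_PLUS_PRODUCT = "ssl_ev_plus".freeze # product_name_id quoted in the issue

# Sibling name the "plus" feature adds: example.com <-> www.example.com.
# ASSUMPTION: a base domain is exactly two labels; no public-suffix list here.
# Returns nil when the name is neither a base domain nor its www form.
def plus_sibling(name)
  labels = name.downcase.split(".")
  if labels.length == 2
    "www.#{name}"
  elsif labels.length == 3 && labels.first == "www"
    labels.drop(1).join(".")
  end
end

# What order.dns_names comes back as for an EV Plus order placed with one
# name: the submitted name followed by the auto-added sibling (if any).
def expand_plus_names(product_name_id, submitted)
  return submitted.dup unless product_name_id == EV_PLUS_PRODUCT

  sibling = plus_sibling(submitted.first)
  sibling ? [submitted.first, sibling] : submitted.dup
end

# Client-side exception proposed in the thread: for EV SSL, submit only the
# first value of order.dns_names on duplicate; other products pass through.
def dns_names_for_duplicate(product_name_id, dns_names)
  raise ArgumentError, "dns_names must not be empty" if dns_names.empty?

  product_name_id == EV_PLUS_PRODUCT ? dns_names.first(1) : dns_names.dup
end

# Hypothetical stand-in for the server-side check (not the real API).
# EV Plus accepts a single name that must appear on the original order;
# submitting both names of the pair is read as a multi-SAN order and
# rejected. Returns the API-style error array, or nil when accepted.
# Other products are passed through unchecked here.
def simulate_duplicate_check(product_name_id, original_names, requested_names)
  return nil unless product_name_id == EV_PLUS_PRODUCT

  accepted = requested_names.length == 1 &&
             original_names.include?(requested_names.first)
  return nil if accepted

  [{ "code" => "invalid_dns_name_on_duplicate",
     "message" => "Invalid DNS name on duplicate request. " \
                  "The DNS names must match what was on the original order." }]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample matching the report: order placed for www.myhost.com.
  original = expand_plus_names(EV_PLUS_PRODUCT, ["www.myhost.com"])
  puts "order.dns_names => #{original.inspect}"

  naive = simulate_duplicate_check(EV_PLUS_PRODUCT, original, original)
  puts "duplicate with both names => #{naive.inspect}"

  fixed = dns_names_for_duplicate(EV_PLUS_PRODUCT, original)
  puts "duplicate with #{fixed.inspect} => " \
       "#{simulate_duplicate_check(EV_PLUS_PRODUCT, original, fixed).inspect}"
end
```

The pass-through branch in dns_names_for_duplicate preserves the wildcard case clintwilson mentions (multiple SANs under the wildcard name are accepted), so the exception is confined to the one product that exhibits the rejection.
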
abunashir commented 6 years ago

Thanks a lot, @clintwilson, @ronaldtse: I just created a PR to resolve this issue, could you please have a look and let me know if there is anything else we should consider?

cc: @kwkwan

ronaldtse commented 6 years ago

@kwkwan could you help verify? Thanks!

kwkwan commented 6 years ago

@ronaldtse It has been verified in #145.

ronaldtse commented 6 years ago

Thanks @kwkwan !