mirror of
https://github.com/go-acme/lego.git
synced 2025-01-03 15:23:32 +02:00
feat: support simplified issuance for very long domain names at Let's Encrypt (#2054)
Co-authored-by: Fernandez Ludovic <ldez@users.noreply.github.com>
This commit is contained in:
Martin Weindel
GitHub
parent
ad6e38e7db
commit
d263a28c64
@ -216,6 +216,26 @@ func ParsePEMCertificate(cert []byte) (*x509.Certificate, error) {
|
|||||||
return x509.ParseCertificate(pemBlock.Bytes)
|
return x509.ParseCertificate(pemBlock.Bytes)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func GetCertificateMainDomain(cert *x509.Certificate) (string, error) {
|
||||||
|
return getMainDomain(cert.Subject, cert.DNSNames)
|
||||||
|
}
|
||||||
|
|
||||||
|
func GetCSRMainDomain(cert *x509.CertificateRequest) (string, error) {
|
||||||
|
return getMainDomain(cert.Subject, cert.DNSNames)
|
||||||
|
}
|
||||||
|
|
||||||
|
func getMainDomain(subject pkix.Name, dnsNames []string) (string, error) {
|
||||||
|
if subject.CommonName == "" && len(dnsNames) == 0 {
|
||||||
|
return "", errors.New("missing domain")
|
||||||
|
}
|
||||||
|
|
||||||
|
if subject.CommonName != "" {
|
||||||
|
return subject.CommonName, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
return dnsNames[0], nil
|
||||||
|
}
|
||||||
|
|
||||||
func ExtractDomains(cert *x509.Certificate) []string {
|
func ExtractDomains(cert *x509.Certificate) []string {
|
||||||
var domains []string
|
var domains []string
|
||||||
if cert.Subject.CommonName != "" {
|
if cert.Subject.CommonName != "" {
|
||||||
|
|||||||
@ -243,8 +243,10 @@ func (c *Certifier) getForOrder(domains []string, order acme.ExtendedOrder, bund
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Determine certificate name(s) based on the authorization resources
|
commonName := ""
|
||||||
commonName := domains[0]
|
if len(domains[0]) <= 64 {
|
||||||
|
commonName = domains[0]
|
||||||
|
}
|
||||||
|
|
||||||
// RFC8555 Section 7.4 "Applying for Certificate Issuance"
|
// RFC8555 Section 7.4 "Applying for Certificate Issuance"
|
||||||
// https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
|
// https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
|
||||||
@ -252,7 +254,12 @@ func (c *Certifier) getForOrder(domains []string, order acme.ExtendedOrder, bund
|
|||||||
// Clients SHOULD NOT make any assumptions about the sort order of
|
// Clients SHOULD NOT make any assumptions about the sort order of
|
||||||
// "identifiers" or "authorizations" elements in the returned order
|
// "identifiers" or "authorizations" elements in the returned order
|
||||||
// object.
|
// object.
|
||||||
san := []string{commonName}
|
|
||||||
|
var san []string
|
||||||
|
if commonName != "" {
|
||||||
|
san = append(san, commonName)
|
||||||
|
}
|
||||||
|
|
||||||
for _, auth := range order.Identifiers {
|
for _, auth := range order.Identifiers {
|
||||||
if auth.Value != commonName {
|
if auth.Value != commonName {
|
||||||
san = append(san, auth.Value)
|
san = append(san, auth.Value)
|
||||||
@ -274,9 +281,8 @@ func (c *Certifier) getForCSR(domains []string, order acme.ExtendedOrder, bundle
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
commonName := domains[0]
|
|
||||||
certRes := &Resource{
|
certRes := &Resource{
|
||||||
Domain: commonName,
|
Domain: domains[0],
|
||||||
CertURL: respOrder.Certificate,
|
CertURL: respOrder.Certificate,
|
||||||
PrivateKey: privateKeyPem,
|
PrivateKey: privateKeyPem,
|
||||||
}
|
}
|
||||||
@ -598,8 +604,13 @@ func (c *Certifier) Get(url string, bundle bool) (*Resource, error) {
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
domain, err := certcrypto.GetCertificateMainDomain(x509Certs[0])
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
return &Resource{
|
return &Resource{
|
||||||
Domain: x509Certs[0].Subject.CommonName,
|
Domain: domain,
|
||||||
Certificate: cert,
|
Certificate: cert,
|
||||||
IssuerCertificate: issuer,
|
IssuerCertificate: issuer,
|
||||||
CertURL: url,
|
CertURL: url,
|
||||||
|
|||||||
@ -84,10 +84,15 @@ func listCertificates(ctx *cli.Context) error {
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
name, err := certcrypto.GetCertificateMainDomain(pCert)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
if names {
|
if names {
|
||||||
fmt.Println(pCert.Subject.CommonName)
|
fmt.Println(name)
|
||||||
} else {
|
} else {
|
||||||
fmt.Println(" Certificate Name:", pCert.Subject.CommonName)
|
fmt.Println(" Certificate Name:", name)
|
||||||
fmt.Println(" Domains:", strings.Join(pCert.DNSNames, ", "))
|
fmt.Println(" Domains:", strings.Join(pCert.DNSNames, ", "))
|
||||||
fmt.Println(" Expiry Date:", pCert.NotAfter)
|
fmt.Println(" Expiry Date:", pCert.NotAfter)
|
||||||
fmt.Println(" Certificate Path:", filename)
|
fmt.Println(" Certificate Path:", filename)
|
||||||
|
|||||||
@ -228,7 +228,10 @@ func renewForCSR(ctx *cli.Context, client *lego.Client, certsStorage *Certificat
|
|||||||
log.Fatal(err)
|
log.Fatal(err)
|
||||||
}
|
}
|
||||||
|
|
||||||
domain := csr.Subject.CommonName
|
domain, err := certcrypto.GetCSRMainDomain(csr)
|
||||||
|
if err != nil {
|
||||||
|
log.Fatalf("Error: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
// load the cert resource from files.
|
// load the cert resource from files.
|
||||||
// We store the certificate, private key and metadata in different files
|
// We store the certificate, private key and metadata in different files
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user