avineshk09 changed the title from "CLI Step ca sign doesn't allow CSR having empty subject with valid sans using acme provisioner" to "Step ca sign doesn't allow CSR having empty subject with valid sans using acme provisioner" on Sep 23, 2024
The `step ca sign` command doesn't allow a CSR with an empty subject and valid SANs when using the ACME provisioner.

```
step ca sign acmet1.localstepca.com.csr acmet1.localstepca.com.crt --acme https://localstepca.com/acme/acme/directory
error creating new ACME order: The request message was malformed
```

```
step ca sign acmet1.localstepca.com.csr acmet1.localstepca.com.crt --provisioner acme
✔ What DNS names or IP addresses would you like to use? (e.g. internal.smallstep.com): acmet1.localstepca.com
✔ Provisioner: acme (ACME)
error creating new ACME order: The request message was malformed
```

DNS names validation failed at the step-ca ACME server:

```
WARN[58728] duration="746.54µs" duration-ns=746540 error="invalid DNS name: " fields.time="2024-09-23T11:43:40+05:30" method=POST name=ca nonce=TjBXeFBONFVheUs0TnlHN1I5WHhvbkc3N05PbWRleDE path=/acme/acme/new-order protocol=HTTP/1.1 referer= remote-address=127.0.0.1 request-id=42498344-ef1a-41e9-901c-2f47b389ee5b response="{"type":"urn:ietf:params:acme:error:malformed","detail":"The request message was malformed"}" size=93 status=400 user-agent="Smallstep CLI/0.27.2 (darwin/amd64)" user-id=
```

This is happening because the CLI is adding the empty subject to the DNS identifiers in the new-order ACME request here:
https://github.com/smallstep/cli/blob/cd6758c91df547d0039768c9413b94e96e55ff24/utils/cautils/acmeutils.go#L376C11-L382C4
Sample CSR to reproduce:
acmet1.localstepca.com.csr.txt
The fix would be to add the subject commonName from the CSR only if it is not empty.
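The fix proposed above, as an added Go example (not code from smallstep/cli or from the issue author): `naiveDNSNames` models the reported behaviour, and `orderDNSNames` includes the CSR's common name only when it is non-empty. The function names and the in-memory CSR are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// newCSR builds a constructed CSR in memory; cn may be empty, as in the report.
func newCSR(cn string, sans ...string) (*x509.CertificateRequest, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, DNSNames: sans}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

// naiveDNSNames (hypothetical) models the reported behaviour: CN always included.
func naiveDNSNames(csr *x509.CertificateRequest) []string {
	return append([]string{csr.Subject.CommonName}, csr.DNSNames...)
}

// orderDNSNames (hypothetical) keeps the CN only if non-empty and drops duplicates.
func orderDNSNames(csr *x509.CertificateRequest) []string {
	seen := map[string]bool{}
	var names []string
	for _, n := range append([]string{csr.Subject.CommonName}, csr.DNSNames...) {
		if n != "" && !seen[n] {
			seen[n] = true
			names = append(names, n)
		}
	}
	return names
}

func main() {
	csr, err := newCSR("", "acmet1.localstepca.com")
	if err != nil {
		panic(err)
	}
	fmt.Printf("naive=%q fixed=%q\n", naiveDNSNames(csr), orderDNSNames(csr))
}
```

The empty first entry in the naive list is the value that matches the server's `invalid DNS name: ` error in the log above.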