From 0218018cee90ae5e450b6bf8b12a3622abc09056 Mon Sep 17 00:00:00 2001
From: Oleksandr Kovalchuk
Date: Thu, 14 May 2020 13:23:42 +0300
Subject: [PATCH] Generate Subject if `forceCN` and Subject is empty

When `forceCN` is set in provisioner configuration and Subject.CommonName is empty, set Subject.CommonName to the first SAN from the CSR to follow the letsencrypt's boulder behavior. This is done in order to support system which require certificate's Subject field to be non-empty. N.B. certbot does not send Subject in its certificate request and relies on similar behavior of letsencrypt. Closes https://github.com/smallstep/certificates/issues/259
---
 acme/order.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/acme/order.go b/acme/order.go
index 27e030e9..ba0f3104 100644
--- a/acme/order.go
+++ b/acme/order.go
@@ -262,6 +262,13 @@ func (o *order) finalize(db nosql.DB, csr *x509.CertificateRequest, auth SignAut
 if csr.Subject.CommonName != "" {
 csr.DNSNames = append(csr.DNSNames, csr.Subject.CommonName)
 }
+
+ // Generate Subject CommonName for supporting `conservative` systems
+ // which does not accept certificates with empty subject
+ if csr.Subject.CommonName == "" && p.(*provisioner.ACME).ForceCN {
+ csr.Subject.CommonName = csr.DNSNames[0]
+ }
+
 csr.DNSNames = uniqueLowerNames(csr.DNSNames)
 orderNames := make([]string, len(o.Identifiers))
 for i, n := range o.Identifiers {
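Review bot: `csr.DNSNames[0]` in the added block is indexed without a length check, so a CSR that carries neither a CommonName nor any DNS SAN would panic with an index-out-of-range inside finalize; the CSR appears to be client-supplied, so the input should be treated as untrusted. Guard the branch, e.g. `if csr.Subject.CommonName == "" && len(csr.DNSNames) > 0 && p.(*provisioner.ACME).ForceCN {`, and let the existing name comparison further down reject the empty case. The single-value assertion `p.(*provisioner.ACME)` also panics if `p` holds any other provisioner type; `p` is assigned outside the hunk, so either confirm that invariant or use the two-value form `acmeProv, ok := p.(*provisioner.ACME)`. The name is copied before `uniqueLowerNames` runs, so the CommonName keeps the client's casing while the SANs are lowercased. finalize's body starts and ends outside the hunk.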