From 80bb9a843fe5af2eafd1d94d989b03ec12f26b13 Mon Sep 17 00:00:00 2001
From: Matthew Holt
Date: Wed, 4 Sep 2024 15:23:55 -0600
Subject: [PATCH] Debug log when creating CSR

---
 config.go | 35 ++++++++++++++++++++++++-----------
 1 file changed, 24 insertions(+), 11 deletions(-)

diff --git a/config.go b/config.go
index 4910fac3..a7771848 100644
--- a/config.go
+++ b/config.go
@@ -990,23 +990,26 @@ func (cfg *Config) generateCSR(privateKey crypto.PrivateKey, sans []string, useC
 	csrTemplate := new(x509.CertificateRequest)
 
 	for _, name := range sans {
+		// identifiers should be converted to punycode before going into the CSR
+		// (convert IDNs to ASCII according to RFC 5280 section 7)
+		normalizedName, err := idna.ToASCII(name)
+		if err != nil {
+			return nil, fmt.Errorf("converting identifier '%s' to ASCII: %v", name, err)
+		}
+
 		// TODO: This is a temporary hack to support ZeroSSL API...
-		if useCN && csrTemplate.Subject.CommonName == "" && len(name) <= 64 {
-			csrTemplate.Subject.CommonName = name
+		if useCN && csrTemplate.Subject.CommonName == "" && len(normalizedName) <= 64 {
+			csrTemplate.Subject.CommonName = normalizedName
 			continue
 		}
-		if ip := net.ParseIP(name); ip != nil {
+
+		if ip := net.ParseIP(normalizedName); ip != nil {
 			csrTemplate.IPAddresses = append(csrTemplate.IPAddresses, ip)
-		} else if strings.Contains(name, "@") {
-			csrTemplate.EmailAddresses = append(csrTemplate.EmailAddresses, name)
-		} else if u, err := url.Parse(name); err == nil && strings.Contains(name, "/") {
+		} else if strings.Contains(normalizedName, "@") {
+			csrTemplate.EmailAddresses = append(csrTemplate.EmailAddresses, normalizedName)
+		} else if u, err := url.Parse(normalizedName); err == nil && strings.Contains(normalizedName, "/") {
 			csrTemplate.URIs = append(csrTemplate.URIs, u)
 		} else {
-			// convert IDNs to ASCII according to RFC 5280 section 7
-			normalizedName, err := idna.ToASCII(name)
-			if err != nil {
-				return nil, fmt.Errorf("converting identifier '%s' to ASCII: %v", name, err)
-			}
 			csrTemplate.DNSNames = append(csrTemplate.DNSNames, normalizedName)
 		}
 	}
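Review bot: Hoisting `idna.ToASCII(name)` ahead of the type dispatch now runs punycode over whole email and URI identifiers, not just DNS names; as far as I can tell from x/net/idna's Punycode profile, ToASCII splits on "." and encodes any label containing non-ASCII, so an IDN email such as `user@例え.jp` or a URI such as `https://例え.jp/x` would come out as an `xn--…` string that is no longer a valid address or URL, whereas the pre-patch code passed those through untouched (ASCII-only inputs are unaffected, since they pass through unchanged). Keeping the conversion on the normalized name for the CN check is sensible because the A-label is what actually lands in the CN, but the conversion should be skipped for the IP, email and URI branches, and a URI's host would need `u.Host` converted on its own (minding a port), which neither the old nor the new code does. While the line is being moved, `%v` on the wrapped error could become `%w` so callers can `errors.As` into the idna error. The enclosing `generateCSR` continues outside the hunk.
```go
	for _, name := range sans {
		normalizedName := name
		// only bare DNS names are subject to IDNA here; an email's local part and a
		// URI's scheme/path must not be punycoded (the URI host would need separate handling)
		if net.ParseIP(name) == nil && !strings.Contains(name, "@") && !strings.Contains(name, "/") {
			var err error
			if normalizedName, err = idna.ToASCII(name); err != nil {
				return nil, fmt.Errorf("converting identifier '%s' to ASCII: %w", name, err)
			}
		}
		// … unchanged: ZeroSSL CN hack, IP / email / URI / DNS dispatch on normalizedName …
```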
@@ -1015,6 +1018,16 @@ func (cfg *Config) generateCSR(privateKey crypto.PrivateKey, sans []string, useC
 		csrTemplate.ExtraExtensions = append(csrTemplate.ExtraExtensions, mustStapleExtension)
 	}
 
+	// IP addresses aren't printed here because I'm too lazy to marshal them as strings, but
+	// we at least print the incoming SANs so it should be obvious what became IPs
+	cfg.Logger.Debug("created CSR",
+		zap.Strings("identifiers", sans),
+		zap.Strings("san_dns_names", csrTemplate.DNSNames),
+		zap.Strings("san_emails", csrTemplate.EmailAddresses),
+		zap.String("common_name", csrTemplate.Subject.CommonName),
+		zap.Int("extra_extensions", len(csrTemplate.ExtraExtensions)),
+	)
+
 	csrDER, err := x509.CreateCertificateRequest(rand.Reader, csrTemplate, privateKey)
 	if err != nil {
 		return nil, err
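Review bot: The new debug entry omits the IP and URI SANs, which are exactly the two buckets whose classification a reader would want to confirm, and the comment on the first added line explains the gap as laziness rather than documenting it; both `net.IP` and `*url.URL` implement `fmt.Stringer`, so if the vendored zap is new enough to have the generic `zap.Stringers` (added around v1.23), two fields cover them without any hand marshalling: `zap.Stringers("san_ips", csrTemplate.IPAddresses),` and `zap.Stringers("san_uris", csrTemplate.URIs),`, with the comment replaced by `// log the final SAN buckets so a misclassified identifier is visible without decoding the CSR`. Note also that the message says "created CSR" but is emitted before `x509.CreateCertificateRequest` runs, so a failure on the next line will be preceded by a log claiming success; either word it as "creating CSR" or move the call after the error check. The values logged are the same public identifiers that go into the CSR, so nothing secret is exposed at debug level. The enclosing `generateCSR` continues outside the hunk.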