@@ -990,23 +990,26 @@ func (cfg *Config) generateCSR(privateKey crypto.PrivateKey, sans []string, useC
990990 csrTemplate := new (x509.CertificateRequest )
991991
992992 for _ , name := range sans {
993+ // identifiers should be converted to punycode before going into the CSR
994+ // (convert IDNs to ASCII according to RFC 5280 section 7)
995+ normalizedName , err := idna .ToASCII (name )
996+ if err != nil {
997+ return nil , fmt .Errorf ("converting identifier '%s' to ASCII: %v" , name , err )
998+ }
999+
9931000 // TODO: This is a temporary hack to support ZeroSSL API...
994- if useCN && csrTemplate .Subject .CommonName == "" && len (name ) <= 64 {
995- csrTemplate .Subject .CommonName = name
1001+ if useCN && csrTemplate .Subject .CommonName == "" && len (normalizedName ) <= 64 {
1002+ csrTemplate .Subject .CommonName = normalizedName
9961003 continue
9971004 }
998- if ip := net .ParseIP (name ); ip != nil {
1005+
1006+ if ip := net .ParseIP (normalizedName ); ip != nil {
9991007 csrTemplate .IPAddresses = append (csrTemplate .IPAddresses , ip )
1000- } else if strings .Contains (name , "@" ) {
1001- csrTemplate .EmailAddresses = append (csrTemplate .EmailAddresses , name )
1002- } else if u , err := url .Parse (name ); err == nil && strings .Contains (name , "/" ) {
1008+ } else if strings .Contains (normalizedName , "@" ) {
1009+ csrTemplate .EmailAddresses = append (csrTemplate .EmailAddresses , normalizedName )
1010+ } else if u , err := url .Parse (normalizedName ); err == nil && strings .Contains (normalizedName , "/" ) {
10031011 csrTemplate .URIs = append (csrTemplate .URIs , u )
10041012 } else {
1005- // convert IDNs to ASCII according to RFC 5280 section 7
1006- normalizedName , err := idna .ToASCII (name )
1007- if err != nil {
1008- return nil , fmt .Errorf ("converting identifier '%s' to ASCII: %v" , name , err )
1009- }
10101013 csrTemplate .DNSNames = append (csrTemplate .DNSNames , normalizedName )
10111014 }
10121015 }
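Review bot: The idna.ToASCII call now runs at the top of the loop, before the email/URI classification, so a mailbox or URI SAN containing non-ASCII characters is punycoded label-by-label on the whole string (the `user@host` or `https://host` label), which is not the host-only conversion the RFC 5280 comment describes; the previous placement inside the DNS-only else branch avoided this. ASCII-only input passes through unchanged, so the regression is limited to IDN emails and URIs, and whether the idna profile in use rejects such labels instead of encoding them I cannot confirm from here. The suggested shape below classifies first and normalizes only hostnames (which also covers the CN hack, since that candidate is the same value); names that contain "/" but fail url.Parse still fall through to DNSNames as before, so they are treated as hosts here. While touching the error on the following line, `fmt.Errorf("converting identifier %q to ASCII: %w", name, err)` keeps the cause inspectable with errors.Is/As and quotes the raw input safely.
```go
for _, name := range sans {
	// Only hostnames need IDNA conversion (RFC 5280 section 7); IPs, mailboxes and
	// URIs must not be punycoded as a whole label.
	normalizedName := name
	if net.ParseIP(name) == nil && !strings.Contains(name, "@") && !strings.Contains(name, "/") {
		var err error
		normalizedName, err = idna.ToASCII(name)
		if err != nil {
			return nil, fmt.Errorf("converting identifier %q to ASCII: %w", name, err)
		}
	}
	// … unchanged: CN hack and IP/email/URI/DNS classification using normalizedName …
}
```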
@@ -1015,6 +1018,16 @@ func (cfg *Config) generateCSR(privateKey crypto.PrivateKey, sans []string, useC
10151018 csrTemplate .ExtraExtensions = append (csrTemplate .ExtraExtensions , mustStapleExtension )
10161019 }
10171020
1021+ // IP addresses aren't printed here because I'm too lazy to marshal them as strings, but
1022+ // we at least print the incoming SANs so it should be obvious what became IPs
1023+ cfg .Logger .Debug ("created CSR" ,
1024+ zap .Strings ("identifiers" , sans ),
1025+ zap .Strings ("san_dns_names" , csrTemplate .DNSNames ),
1026+ zap .Strings ("san_emails" , csrTemplate .EmailAddresses ),
1027+ zap .String ("common_name" , csrTemplate .Subject .CommonName ),
1028+ zap .Int ("extra_extensions" , len (csrTemplate .ExtraExtensions )),
1029+ )
1030+
10181031 csrDER , err := x509 .CreateCertificateRequest (rand .Reader , csrTemplate , privateKey )
10191032 if err != nil {
10201033 return nil , err