Avoid sending LetsEncrypt requests for domains that are too long

What does this MR do and why?

This MR fixes issue #394984 (closed) (Acme::Client::Error::RejectedIdentifier: NewOrder request did not include a SAN short enough to fit in CN)

In this MR we set a limit of 64 characters, which is currently the standard for Let's Encrypt (https://community.letsencrypt.org/t/the-server-will-not-issue-certificates-for-the-identifier-neworder-request-did-not-include-a-san-short-enough-to-fit-in-cn/156353). We also check the byte size of the specified domain to see if it is larger than 64 characters and log an error message if this is the case.

Screenshots or screen recordings

No visual changes.

How to set up and validate locally

You can't set up a local test environment for issue #394984 (closed) due to the content of this comment: #394984 (comment 1670322416)

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
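
An added example, not code from this MR or from GitLab, of the pre-flight check the description outlines: measure each domain in bytes against the 64 limit, log the ones that are too long, and keep them out of the order. The method names, the logger wiring and the sample domains are assumptions constructed for illustration.

```ruby
require 'logger'

# Hypothetical names throughout; this is not GitLab's implementation.
MAX_CN_BYTES = 64 # limit stated in the MR description

# Strip whitespace and a trailing root dot, and lowercase, so the same
# name written two ways is measured and de-duplicated once.
def normalize_domain(domain)
  domain.to_s.strip.downcase.chomp('.')
end

# bytesize, not length: a multi-byte character counts once in length
# but takes several bytes, so length can under-report the size.
def fits_in_cn?(domain)
  normalize_domain(domain).bytesize <= MAX_CN_BYTES
end

# Split domains into those worth sending in an order and those skipped.
# Skipped names are logged with #inspect so control characters in a
# user-supplied domain cannot break up the log line.
def partition_for_order(domains, logger: Logger.new($stderr))
  names = domains.map { |d| normalize_domain(d) }.reject(&:empty?).uniq
  orderable, skipped = names.partition { |d| fits_in_cn?(d) }
  skipped.each do |d|
    logger.error("Skipping Let's Encrypt order for #{d.inspect}: " \
                 "#{d.bytesize} bytes > #{MAX_CN_BYTES}")
  end
  { orderable: orderable, skipped: skipped }
end

# Constructed sample input.
SAMPLE_DOMAINS = [
  'pages.example.com',
  'Pages.Example.COM.',        # same name, different spelling
  "#{'a' * 52}.example.com",   # exactly 64 bytes: allowed
  "#{'a' * 60}.example.com",   # 72 bytes: too long
  "#{'ü' * 30}.example.com"    # 42 characters but 72 bytes: too long
].freeze

if __FILE__ == $PROGRAM_NAME
  result = partition_for_order(SAMPLE_DOMAINS)
  puts "orderable: #{result[:orderable].size}, skipped: #{result[:skipped].size}"
end
```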