From 18b3fd681ef80d75de04dce86c3054ca9526c4b4 Mon Sep 17 00:00:00 2001
From: Aleksei Bavshin
Date: Thu, 18 Dec 2025 23:17:24 -0800
Subject: [PATCH] ACME: remove Subject Common Name from CSR.

Baseline Requirements discouraged the use of Subject commonName in Subscriber Certificates since v1.0 (2011). Certbot has been omitting the attribute from CSRs since v0.14.0 (2017). There are valid reasons for this, including redundancy (subjectAltName is required, and Subject commonName MUST match one of the subjectAltName entries) and a 64 byte length limit. However, some _very_ old HTTP clients and some not-so-old clients for other protocols (email) take exception to certificates without commonName. Let's Encrypt now decided to aggressively encourage ACME clients to stop setting commonName as a part of their IP identifier support rollout with the following error: urn:ietf:params:acme:error:badCSR: Error finalizing order :: CSR contains IP address in Common Name We already attempt to pick a DNS name for CN, but that is not possible if the list of identifiers has only IP addresses. Let's just stop doing that and always send an empty Subject.
---
 src/acme.rs | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/src/acme.rs b/src/acme.rs
index c55517f..1c0e44f 100644
--- a/src/acme.rs
+++ b/src/acme.rs
@@ -631,9 +631,7 @@ pub fn make_certificate_request(
 ) -> Result {
 let mut req = X509Req::builder()?;
- let mut x509_name = x509::X509NameBuilder::new()?;
- x509_name.append_entry_by_text("CN", identifiers[0].value())?;
- let x509_name = x509_name.build();
+ let x509_name = x509::X509NameBuilder::new()?.build();
 req.set_subject_name(&x509_name)?;
 let mut extensions = openssl::stack::Stack::new()?;
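Review bot: The new `let x509_name = x509::X509NameBuilder::new()?.build();` line deliberately produces an empty Subject, but nothing in the code says why, so a future maintainer seeing a client complain about a missing CN is likely to reintroduce the attribute; the rationale currently lives only in the commit message. I would put it next to that line: `// Intentionally empty Subject: the CA/B Forum Baseline Requirements discourage a subject CN and` / `// Let's Encrypt rejects CSRs with an IP address in CN; identifiers go in subjectAltName only.` The rustdoc of make_certificate_request should also state that identifiers are carried solely in the subjectAltName extension. Removing `identifiers[0]` also removes the panic on an empty identifier list, so unless the rest of the function already rejects an empty list, an explicit check returning an error before the extensions are built would keep an empty (SAN-less) CSR from being sent. make_certificate_request starts before and continues after this hunk.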