
[Bug]: Invalid ACME HTTP validation when using --acme-strict-fqdn #2027

Open
Expyron opened this issue Oct 10, 2024 · 2 comments
Labels: bug, needs triage (Waiting for discussion / prioritization by team)

Comments


Expyron commented Oct 10, 2024

Steps to Reproduce

  • Enable strict FQDN with the flag --acme-strict-fqdn
  • Use any ACME client to try to generate or renew a certificate through ACME

Your Environment

  • OS - Linux
  • step-ca Version - 0.27.4

Expected Behavior

The Host header sent by the step-ca server should contain exactly the domain requested by the ACME client.
This works properly when flag --acme-strict-fqdn is disabled.

Sample valid HTTP request:

GET /.well-known/acme-challenge/<token> HTTP/1.1
Host: www.example.com
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Actual Behavior

When --acme-strict-fqdn is enabled, the Host header sent by the step-ca server has a trailing dot (.).

This causes an issue for some of our ACME clients, especially behind Microsoft IIS, as IIS has a known limitation with trailing dots.
I do not know if other ACME clients or web servers are impacted as well.

It is also not compliant with the ACME specification, as the domain in the HTTP validation request must match exactly what is provided by the ACME client.

Sample invalid HTTP request:

GET /.well-known/acme-challenge/<token> HTTP/1.1
Host: www.example.com.
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Additional Context

While trailing dots are not a problem when making DNS requests, they are not very well specified in HTTP, and the behavior of web servers can vary wildly when receiving them: some transparently remove the trailing dot, some consider it as a different domain, and some reject requests completely.

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

@Expyron added the labels bug and needs triage (Waiting for discussion / prioritization by team) on Oct 10, 2024
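The report above boils down to two different name forms being conflated: the fully qualified form with a trailing dot, which is the right thing to hand to a DNS resolver, and the bare identifier the ACME client submitted, which is what belongs in the challenge URL and the Host header. The following Go program is an added example written for this page; it is not step-ca's code and does not reflect how step-ca implements --acme-strict-fqdn. It keeps the two forms apart when building (not sending) an HTTP-01 validation request, and it parses captured requests modelled on the two samples in the report to flag a Host header with a trailing dot. The sample requests and the token value are constructed placeholders.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"net/http"
	"strings"
)

// Constructed sample requests, modelled on the two samples in the report.
// The token value is a placeholder, not a real challenge token.
const sampleValidRequest = "GET /.well-known/acme-challenge/example-token HTTP/1.1\r\n" +
	"Host: www.example.com\r\n" +
	"User-Agent: Go-http-client/1.1\r\n" +
	"Accept-Encoding: gzip\r\n\r\n"

const sampleInvalidRequest = "GET /.well-known/acme-challenge/example-token HTTP/1.1\r\n" +
	"Host: www.example.com.\r\n" +
	"User-Agent: Go-http-client/1.1\r\n" +
	"Accept-Encoding: gzip\r\n\r\n"

// toFQDN returns name lowercased with exactly one trailing dot: the fully
// qualified form to hand to the resolver, so that a search list cannot
// silently expand a short name into a different zone.
func toFQDN(name string) string {
	return strings.TrimSuffix(strings.ToLower(name), ".") + "."
}

// toHostHeader returns the identifier as an ACME client submits it: lowercased
// and without a trailing dot. This form goes into the URL and the Host header.
func toHostHeader(name string) string {
	return strings.ToLower(strings.TrimSuffix(name, "."))
}

// newChallengeRequest builds, without sending, the HTTP-01 validation request
// for identifier and token. It returns the request and, separately, the FQDN
// to resolve, so only the bare identifier ever reaches the wire.
func newChallengeRequest(identifier, token string) (*http.Request, string, error) {
	host := toHostHeader(identifier)
	u := fmt.Sprintf("http://%s/.well-known/acme-challenge/%s", host, token)
	req, err := http.NewRequest(http.MethodGet, u, nil)
	if err != nil {
		return nil, "", err
	}
	req.Host = host // literal Host header value sent on the wire
	return req, toFQDN(identifier), nil
}

// hostnameOnly strips an optional :port from a Host header value.
func hostnameOnly(hostport string) string {
	if h, _, err := net.SplitHostPort(hostport); err == nil {
		return h
	}
	return hostport
}

// inspectRawRequest parses a captured validation request and reports its Host
// header and whether that header carries a trailing dot, which some web servers
// (the report names IIS) treat as a different or invalid host name.
func inspectRawRequest(raw string) (host string, trailingDot bool, err error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return "", false, err
	}
	host = req.Host
	return host, strings.HasSuffix(hostnameOnly(host), "."), nil
}

func main() {
	for _, raw := range []string{sampleValidRequest, sampleInvalidRequest} {
		host, trailing, err := inspectRawRequest(raw)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		fmt.Printf("Host: %q  trailing dot: %v\n", host, trailing)
	}
	req, fqdn, err := newChallengeRequest("www.example.com.", "example-token")
	if err != nil {
		fmt.Println("build error:", err)
		return
	}
	fmt.Printf("resolve %s, send Host: %s, GET %s\n", fqdn, req.Host, req.URL.Path)
}
```

The design point is that strictness about DNS (always resolving the dotted, fully qualified name) does not require changing what the HTTP layer sends: the resolver and the Host header consume different strings, and the identifier the client submitted is the only one the validation request should carry.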

tschibutti commented Oct 17, 2024

In version 0.27.1 there was no parameter to change the step-ca behaviour - there was always a trailing dot behind the hostname. We were not able to get the win-acme client with the SelfHosting plugin working.
With version 0.27.4, not enabling the parameter --acme-strict-fqdn, all is working fine.


768kb commented Oct 17, 2024

Good lecture about this trailing dot:
https://webmasters.stackexchange.com/questions/73989/how-should-websites-handle-hostname-with-trailing-dot#74099

I think it is by design that this dot comes if you enable --acme-strict-fqdn - let's see what the owner guys say.
