ca: allow the promotion of first domain/IP to CN in profile
This adds the ability to flag a profile to promote the first domain/IP to the common name. This was previously removed when promotion was deprecated, but is still allowed in the Let's Encrypt "classic" profile, so this helps mock this behavior (and also allows it to be mocked in CAs that still do the same).
PS: let me know if any additional tests are needed too (from what I saw, the profile functionality is not really tested so I didn't add anything in that regard).
Main rationale/motive for this PR: after I upgraded https://github.com/vancluever/terraform-provider-acme to test using the latest pebble, all of my existing tests broke, since they don't supply a profile. I'm also adding profile support, so having these additional options helps me emulate Let's Encrypt specifically a bit better.
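What the promotion flag changes in an issued certificate, as an added Go example (not Pebble's code and not part of this PR): `issue` and `promoteCN` are hypothetical names, the DNS-before-IP order is an assumption, and the identifiers are constructed test values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue self-signs a throwaway certificate for the given identifiers.
// promoteCN is a hypothetical stand-in for the per-profile flag.
func issue(dnsNames []string, ips []net.IP, promoteCN bool) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     dnsNames, // identifiers always go into the SAN extension
		IPAddresses:  ips,
	}
	// Without promotion the Subject stays empty (SAN-only certificate).
	if promoteCN && len(dnsNames) > 0 {
		tmpl.Subject = pkix.Name{CommonName: dnsNames[0]}
	} else if promoteCN && len(ips) > 0 {
		tmpl.Subject = pkix.Name{CommonName: ips[0].String()}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	for _, promote := range []bool{false, true} {
		c, err := issue([]string{"a.example.test", "b.example.test"}, nil, promote)
		if err != nil {
			panic(err)
		}
		fmt.Printf("promote=%v CN=%q SANs=%v\n", promote, c.Subject.CommonName, c.DNSNames)
	}
}
```

Go's `VerifyHostname` matches only against SANs, so both variants validate identically there; the difference matters to tests and clients that still read the CN.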
@aarongable I guess I can take that out and I'll just set up different instances on my side with different profiles (I already do that for EAB tests). I'll adjust and update when I have time tomorrow!
PS: Do you have details on this?
> even Let's Encrypt's current "just pick the default" behavior is in the process of changing.
Does this mean the classic profile is going away or will profile be required in the future?
We're in the process of launching IP-address certs, and if the new-order request contains an IP identifier, it will be defaulted to the shortlived profile rather than defaulted to the classic profile. So the defaulting logic is going to be more complex than just "pick the one marked as the default". Clients shouldn't assume that there's one default that applies across all requests, which is why Pebble chooses a profile at random.
@aarongable updates complete; let me know if you need anything else!
In https://github.com/letsencrypt/pebble/pull/491#issuecomment-2753241990 @aarongable wrote:
> Clients shouldn't assume that there's one default that applies across all requests, which is why Pebble chooses a profile at random.
I was surprised to read here that Pebble chooses a random profile. The sample configuration gave me a false impression that the profile named "default" would be used for clients which do not specify a profile.
https://github.com/letsencrypt/pebble/blob/39dbb64e14b8e3ef2ee8b6a2234f7b9a592da49e/test/config/pebble-config.json#L16-L25
https://github.com/letsencrypt/pebble/blob/39dbb64e14b8e3ef2ee8b6a2234f7b9a592da49e/cmd/pebble/main.go#L106-L114
Thanks for the merge y'all!