
Step ca sign doesn't allow CSR having empty subject with valid sans using acme provisioner

Open avineshk09 opened this issue 1 year ago • 0 comments

The `step ca sign` command doesn't allow a CSR with an empty subject and valid SANs when using the ACME provisioner.

```
step ca sign acmet1.localstepca.com.csr acmet1.localstepca.com.crt --acme https://localstepca.com/acme/acme/directory
error creating new ACME order: The request message was malformed
```

```
step ca sign acmet1.localstepca.com.csr acmet1.localstepca.com.crt --provisioner acme
✔ What DNS names or IP addresses would you like to use? (e.g. internal.smallstep.com): acmet1.localstepca.com
✔ Provisioner: acme (ACME)
error creating new ACME order: The request message was malformed
```

DNS name validation failed at the step-ca ACME server:

```
WARN[58728] duration="746.54µs" duration-ns=746540 error="invalid DNS name: " fields.time="2024-09-23T11:43:40+05:30" method=POST name=ca nonce=TjBXeFBONFVheUs0TnlHN1I5WHhvbkc3N05PbWRleDE path=/acme/acme/new-order protocol=HTTP/1.1 referer= remote-address=127.0.0.1 request-id=42498344-ef1a-41e9-901c-2f47b389ee5b response="{"type":"urn:ietf:params:acme:error:malformed","detail":"The request message was malformed"}" size=93 status=400 user-agent="Smallstep CLI/0.27.2 (darwin/amd64)" user-id=
```

This is happening because the CLI adds the empty subject to the DNS identifiers in the ACME new-order request here: https://github.com/smallstep/cli/blob/cd6758c91df547d0039768c9413b94e96e55ff24/utils/cautils/acmeutils.go#L376C11-L382C4

Sample CSR to reproduce: acmet1.localstepca.com.csr.txt

The fix would be to add the subject commonName from the CSR only if it is not empty.


avineshk09 · Sep 23 '24 07:09
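As an added example (not the smallstep CLI's own code), a Go version of the fix the issue proposes: the ACME new-order identifiers are derived from the CSR, and the subject commonName is included only when it is non-empty, so an empty-subject CSR with valid SANs yields no empty `dns` identifier. `Identifier`, `OrderIdentifiers` and `NewCSR` are assumed names, and the CSR is constructed in-process rather than being the one attached to the issue.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
)

// Identifier mirrors the ACME order identifier object (RFC 8555, section 7.4).
type Identifier struct {
	Type  string `json:"type"`
	Value string `json:"value"`
}

// OrderIdentifiers derives new-order "dns" identifiers from a CSR. The subject
// commonName is added only when it is non-empty, so an empty-subject CSR with
// valid SANs no longer yields the empty identifier the CA rejects as malformed.
func OrderIdentifiers(csr *x509.CertificateRequest) []Identifier {
	seen := map[string]bool{}
	var ids []Identifier
	add := func(val string) {
		if val == "" || seen[val] { // skip empty and duplicate names
			return
		}
		seen[val] = true
		ids = append(ids, Identifier{Type: "dns", Value: val})
	}
	add(csr.Subject.CommonName)
	for _, d := range csr.DNSNames {
		add(d)
	}
	return ids
}

// NewCSR builds a constructed sample CSR signed with a fresh P-256 key
// (not the CSR attached to the issue).
func NewCSR(cn string, dns []string) (*x509.CertificateRequest, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, DNSNames: dns}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}
```

Calling `OrderIdentifiers` on a CSR with an empty subject and the SAN `acmet1.localstepca.com` returns a single `dns` identifier for that name; a CSR whose commonName repeats a SAN is deduplicated rather than sent twice.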