In short, domains with '--' cannot be issued certs from LetsEncrypt because they are interpreted as R-LDH domains (RFC5890). See http://www.faqs.org/rfcs/rfc5890.html section 2.3.1.

LetsEncrypt recently changed their policy here: https://github.com/letsencrypt/boulder/pull/2976

A small change to hosting_alias_automatic_aliases() will stop replacing '-' with '--'.

I'm not sure of what the original desire was to replace '-' with '--'. This change would also change the aliases of sites when they are verified for users using this feature with no backwards compatibility.

I'll upload a patch later today.
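
Added example (not part of the issue, and not Aegir or Boulder code): a check of generated alias names against the label classes in RFC 5890 section 2.3.1, where a reserved (R-LDH) label has '--' in its third and fourth characters. automatic_alias() is a hypothetical stand-in for hosting_alias_automatic_aliases(), and the site names and base domain are constructed.

```python
import re

# LDH label per RFC 5890 section 2.3.1: ASCII letters, digits and hyphens,
# 1-63 octets, no hyphen at the start or the end.
_LDH = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def classify_label(label):
    """Return 'XN', 'R-LDH', 'NR-LDH' or 'INVALID' for one DNS label."""
    if not _LDH.fullmatch(label):
        return "INVALID"
    if label[2:4] == "--":  # hyphens in the third and fourth positions
        return "XN" if label[:2].lower() == "xn" else "R-LDH"
    return "NR-LDH"


def automatic_alias(site, base_domain, dash_substitute="--"):
    """Hypothetical alias builder (assumption, not the module's code):
    substitute each '-' in the site name, turn '.' into '-', and place
    the resulting label under base_domain."""
    label = site.replace("-", dash_substitute).replace(".", "-")
    return f"{label}.{base_domain}"


def reserved_labels(hostname):
    """Labels of hostname that are reserved (R-LDH) but are not XN-labels."""
    return [lab for lab in hostname.rstrip(".").split(".")
            if classify_label(lab) == "R-LDH"]


if __name__ == "__main__":
    # Constructed sample site names, not taken from the issue.
    sites = ("my-site.example.org", "shop-eu.example.org", "plain.example.org")
    for site in sites:
        for substitute in ("--", "-"):
            alias = automatic_alias(site, "aegir.example.net", substitute)
            print(f"{substitute!r:5} {alias:42} reserved={reserved_labels(alias)}")
```

Running it over a list of existing site names shows which automatic aliases produce a reserved label under each substitute before a certificate is requested for them.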

Comments

kienan created an issue. See original summary.

kienan

Status: Active » Needs review
Attached file: status new, size 674 bytes

helmo

Status: Needs review » Needs work

I've never really liked the looks of those double dashes, so +1 for this patch.

Breaking previous sites is a valid concern however. To be safe we'd have to make it configurable and let old installations default to the old behaviour.

memtkmcc

It was intended as a way to clearly identify the extra, special aliases, and not confuse them with other subdomains with single dashes. But it could be done with some extra keyword instead of a double dash, perhaps, if we are going to change this. Making it look like a "normal" subdomain is not only a change which breaks old aliases, but also adds some confusion, in my opinion.

memtkmcc

By the way, we should perhaps exclude these extra aliases from LE certs, by default? That way we don't need to worry about breaking LE certs auto-renewal.

kienan

Status: Needs work » Needs review
Attached file: status new, size 2.1 KB

Here's a patch which lets the behaviour and the dash replacement string be configured. Default behaviour is to replace dashes with '--'.

I find it's useful to have HTTPS on automatic aliases, but I could see that it'd be a good thing to have it be optional (but outside the scope of this ticket).

helmo

Attached file: status new, size 2.25 KB

Looks great... I only added a 'states' section to collapse the Dash substitute field when the checkbox is not selected. RTBC?

memtkmcc

Status: Needs review » Reviewed & tested by the community

Looks good to me. Thanks!

  • helmo committed ae0d892 on 7.x-3.x
    Issue #2915508 by kienan, helmo: Automatic hosting aliases for domains...
helmo

Status: Reviewed & tested by the community » Fixed

committed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.