smallstep/cli

step ca sign doesn't allow a CSR with an empty subject and valid SANs when using the ACME provisioner


The step ca sign command doesn't allow a CSR with an empty subject and valid SANs when using the ACME provisioner.

step ca sign acmet1.localstepca.com.csr acmet1.localstepca.com.crt --acme https://localstepca.com/acme/acme/directory
error creating new ACME order: The request message was malformed

step ca sign acmet1.localstepca.com.csr acmet1.localstepca.com.crt --provisioner acme
✔ What DNS names or IP addresses would you like to use? (e.g. internal.smallstep.com): acmet1.localstepca.com
✔ Provisioner: acme (ACME)
error creating new ACME order: The request message was malformed

DNS name validation fails on the step ca ACME server:

WARN[58728] duration="746.54µs" duration-ns=746540 error="invalid DNS name: " fields.time="2024-09-23T11:43:40+05:30" method=POST name=ca nonce=TjBXeFBONFVheUs0TnlHN1I5WHhvbkc3N05PbWRleDE path=/acme/acme/new-order protocol=HTTP/1.1 referer= remote-address=127.0.0.1 request-id=42498344-ef1a-41e9-901c-2f47b389ee5b response="{"type":"urn:ietf:params:acme:error:malformed","detail":"The request message was malformed"}" size=93 status=400 user-agent="Smallstep CLI/0.27.2 (darwin/amd64)" user-id=

This is happening because the CLI adds the empty subject to the DNS identifiers in the ACME new-order request here:
https://github.com/smallstep/cli/blob/cd6758c91df547d0039768c9413b94e96e55ff24/utils/cautils/acmeutils.go#L376C11-L382C4

Sample CSR to reproduce:
acmet1.localstepca.com.csr.txt

The fix would be to add the subject commonName from the CSR only if it is not empty.

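The fix proposed above (add the CN as a DNS identifier only when it is non-empty), as an added Go example that is not the smallstep code: the identifier builder and the server-side check are hypothetical stand-ins constructed to show why an empty CN produces the malformed-order error.

```go
package main

import (
	"fmt"
	"net"
)

// Identifier is one ACME new-order "identifiers" entry (RFC 8555 §7.4).
type Identifier struct {
	Type  string `json:"type"`
	Value string `json:"value"`
}

// newOrderIdentifiers builds the order identifiers from CSR fields. Hypothetical
// helper, not smallstep's code: the subject commonName is only added when it is
// non-empty, and values already present in the SANs are not repeated.
func newOrderIdentifiers(commonName string, dnsNames []string, ips []net.IP) []Identifier {
	seen := map[string]bool{}
	var ids []Identifier
	add := func(typ, value string) {
		if value == "" || seen[typ+":"+value] {
			return // skip the empty CN and duplicates
		}
		seen[typ+":"+value] = true
		ids = append(ids, Identifier{Type: typ, Value: value})
	}
	add("dns", commonName)
	for _, n := range dnsNames {
		add("dns", n)
	}
	for _, ip := range ips {
		add("ip", ip.String())
	}
	return ids
}
// validateIdentifiers is a constructed stand-in for the server-side check behind
// the reported `error="invalid DNS name: "`: one empty DNS value rejects the order.
func validateIdentifiers(ids []Identifier) error {
	for _, id := range ids {
		if id.Type == "dns" && id.Value == "" {
			return fmt.Errorf("invalid DNS name: %q", id.Value)
		}
	}
	return nil
}

func main() {
	ids := newOrderIdentifiers("", []string{"acmet1.localstepca.com"}, nil)
	fmt.Println(ids, validateIdentifiers(ids)) // [{dns acmet1.localstepca.com}] <nil>
}
```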