[BlueOnyx:25078] Re: Problem Lets Encrypt SSL Certificate Subdomain - fixed

Michael Stauber mstauber at blueonyx.it
Wed Sep 1 16:05:52 -05 2021


Hi Gerrit,

> I tried to create an SSL Certificate via Let's Encrypt using additional
> subdomains.
> Problem is: only the subdomain is transmitted in the request. The domain and
> TLD part is missing.

My apologies for the delay. I finally had a chance to debug this deeply
enough to find the root cause of the issue.

YUM Updates have been published for 5209R and 5210R which fix this issue.

Here is how the problem came about:

In the past the CCEd Object 'Subdomain' only had a 'hostname' field, as
it was directly tied into the Vsite. Recently it also inherited a
'domainname' field, which is usually set to the domainname of the Vsite
that it belongs to.

This was necessary, because sometimes the domain name of a subdomain is
NOT equal to the domain name of the Vsite, but to the FQDN of the Vsite
instead (long story). Like when the Vsite itself doesn't have a
'www'-hostname.

On the "SSL" / "Let's Encrypt" GUI page where you request the SSL
certificate we aggregate the FQDNs of Subdomains into the aliases that
we want to request an SSL certificate for. Provided you also request the
SSL certificate to be valid for all or certain Subdomains.

If a Subdomain was created BEFORE the CODB Schema change of the
'Subdomain' Object, then the 'domainname' field may be empty, because
previously (when the Subdomain was created) that field didn't exist.

Subsequently a Cert request would then attempt to acquire an SSL
certificate with validity for a Subdomain where the hostname part was
missing from the request.

In the updated base-ssl for 5209R and 5210R that GUI page now checks if
the 'Subdomain' Object in question has an empty 'domainname' field. If
so, it will be augmented with the hostname of the Vsite to form a
complete and working request.

-- 
With best regards

Michael Stauber
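
The fallback described in the message above, as an added sketch that is not part of the original post and is not BlueOnyx's base-ssl code. The function names, the dict layout and the choice of the Vsite's domain name as the fallback value are assumptions; the sample records are constructed. It also refuses any name that is not a complete FQDN before it reaches the certificate request.

```python
import re

# One DNS label: letters, digits, hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

def is_fqdn(name):
    """True if name has at least two valid labels and fits in 253 characters."""
    name = name.rstrip(".").lower()
    labels = name.split(".")
    return (len(name) <= 253 and len(labels) >= 2
            and all(_LABEL.fullmatch(label) for label in labels))

def subdomain_fqdn(sub, vsite_domain):
    """Join 'hostname' and 'domainname' of a Subdomain record.

    Records created before the schema change have an empty or absent
    'domainname'; in that case fall back to vsite_domain (assumption).
    """
    host = (sub.get("hostname") or "").strip().lower()
    domain = (sub.get("domainname") or "").strip().lower() or vsite_domain.lower()
    return f"{host}.{domain}"

def build_cert_names(vsite_fqdn, vsite_domain, subdomains):
    """Return (names, rejected): names to request and names that failed validation."""
    names, rejected = [vsite_fqdn.lower()], []
    for sub in subdomains:
        fqdn = subdomain_fqdn(sub, vsite_domain)
        if not is_fqdn(fqdn):
            rejected.append(fqdn)      # never send a partial name to the CA
        elif fqdn not in names:
            names.append(fqdn)
    return names, rejected

# Constructed sample data: one current record and two legacy ones.
SAMPLE_SUBDOMAINS = [
    {"hostname": "shop", "domainname": "example.com"},
    {"hostname": "blog", "domainname": ""},   # created before the schema change
    {"hostname": "mail"},                     # field absent entirely
]

if __name__ == "__main__":
    names, rejected = build_cert_names("www.example.com", "example.com",
                                       SAMPLE_SUBDOMAINS)
    print("request:", names)
    print("rejected:", rejected)
```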


