[Bug]: Invalid ACME HTTP validation when using --acme-strict-fqdn #2027
Description
Steps to Reproduce
- Enable strict FQDN with the flag
--acme-strict-fqdn - Use any ACME client to try to generate or renew a certificate through ACME
Your Environment
- OS - Linux
step-caVersion - 0.27.4
Expected Behavior
The Host header sent by the step-ca server should contain exactly the domain requested by the ACME client.
This works properly when flag --acme-strict-fqdn is disabled.
Sample valid HTTP request:
GET /.well-known/acme-challenge/<token> HTTP/1.1
Host: www.example.com
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip
Actual Behavior
When --acme-strict-fqdn is enabled, the Host header sent by the step-ca server has a trailing dot (.).
This causes an issue for some of our ACME clients, especially behind Microsoft IIS, as IIS has a known limitation with trailing dots.
I do not know if other ACME clients or web servers are impacted as well.
It is also not compliant with the ACME specification, as the domain in the HTTP validation request must match exactly what is provided by the ACME client.
Sample invalid HTTP request:
GET /.well-known/acme-challenge/<token> HTTP/1.1
Host: www.example.com.
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip
Additional Context
While trailing dots are not a problem when making DNS requests, they are not very well specified in HTTP, and the behavior of web servers can vary wildly when receiving them: some transparently remove the trailing dot, some consider it as a different domain, and some reject requests completely.
Contributing
Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).