在「L(O*62).ONG: Make your URL longer (looooooooooooooooooooooooooooooooooooooo...)」這邊看到的有趣東西,網站是「L(o*62).ong - Make your URL longer」,網站的主人還在搞事就被貼到 Hacker News 上,所以他就上來說明一下發生了什麼事情...
在 id=40543697 這邊提到網域名稱過長導致撞到 TLS certificate 中 commonName (CN) 欄位長度限制的問題:
The longest segment of a domain name is 63 characters. The maximum length of an HTTPS certificate commonName is 64 characters.
This caused Cloudflare, Vercel, and Netlify to be unable to use Let's Encrypt to sign HTTPS certificates (because they used the domain name as the commonName), but Zeabur can use Let's Encrypt to sign HTTPS certificates.
Finally, the Cloudflare certificate was switched to Google Trust Services LLC to successfully sign.
不過後面有人提到 commonName 在網頁用的 TLS certificate 已經 deprecated 很久了,而 Let's Encrypt 在 2023 年的時候已經支援 commonName 留空,改用 Subject Alternative Name,可以到 255 chars。
留言裡面所連結的 Let's Encrypt 公告上面也提到了類似的事情:「Simplifying Issuance for Very Long Domain Names」。
Additionally, the CN is limited to at most 64 characters, while SANs can be significantly longer. This means that the CN is not only redundant, but actively restrictive: a certificate which has a Common Name cannot contain only very long domain names, because none of them would fit in the CN. For these reasons, the BRs state that for Domain Validated certificates, the Common Name field is "not recommended".
所以看起來是各家系統還沒有跟著改 (因為 Let's Encrypt 先前需要 CN 有值),但如果是自己申請的應該是可以自己避開了 (生 csr 的時候就改用 SAN)?