A 255-octet domain is painful! / endless-work



Jun Watanabe

March 31, 2019

Transcript

  Slide 36

    Definitions: the total length of a name is measured in octets, and a label string has a maximum length in octets.

    workworkworkworkworkwork.workworkworkworkworkworkworkworkworkwork.workworkworkworkworkworkworkworkworkworkworkworkworkworkwork.workworkworkworkworkworkworkworkworkworkworkworkworkworkwork.workworkworkworkworkworkworkworkworkworkworkworkworkworkwork.work

    ↓ = 255 octets = 253 characters (including dots)
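To make the "255 octets = 253 characters" arithmetic concrete, here is an added example (my code, not from the slides) that encodes a hostname the way RFC 1035 puts it on the wire: one length octet per label, the label bytes, then a terminating zero octet for the root. The 63-octet label limit is the maxLabelLength = 63 the deck quotes from Boulder's policy/pa.go; the 255-octet total is the one in the title. The name is rebuilt from the deck's "work" repeats, so the six labels are 24, 40, 60, 60, 60 and 4 characters long.

```python
# Added example, not from the slides: RFC 1035 wire encoding of a hostname
# and the two length limits that apply to it.

MAX_LABEL_OCTETS = 63   # per label (maxLabelLength = 63 in Boulder's pa.go)
MAX_NAME_OCTETS = 255   # whole encoded name, including length octets and root

# The 253-character name from the slides, rebuilt from its "work" repeats.
LONG_NAME = ".".join(
    ["work" * 6, "work" * 10, "work" * 15, "work" * 15, "work" * 15, "work"]
)


def to_wire(name: str) -> bytes:
    """Return the RFC 1035 wire form of a presentation-format name.

    Each label is prefixed by its length and the name ends with a zero
    octet.  Raises ValueError when a label or the whole name is too long.
    """
    labels = name.rstrip(".").encode("ascii").split(b".")
    wire = bytearray()
    for label in labels:
        if not label:
            raise ValueError("empty label in %r" % name)
        if len(label) > MAX_LABEL_OCTETS:
            raise ValueError(
                "label %r is %d octets, max %d" % (label, len(label), MAX_LABEL_OCTETS)
            )
        wire.append(len(label))   # length octet replaces the dot
        wire += label
    wire.append(0)                # root label
    if len(wire) > MAX_NAME_OCTETS:
        raise ValueError(
            "name is %d octets on the wire, max %d" % (len(wire), MAX_NAME_OCTETS)
        )
    return bytes(wire)


def wire_length(name: str) -> int:
    """Octets the name occupies on the wire (dots become length octets, plus root)."""
    return len(to_wire(name))


def check(name: str):
    """('ok', wire_octets) or ('error', reason) for a candidate name."""
    try:
        return ("ok", wire_length(name))
    except ValueError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    # 253 presentation characters: 5 dots become 6 length octets, plus the root.
    print(len(LONG_NAME), "characters ->", wire_length(LONG_NAME), "octets")
    print(check(LONG_NAME + "w"))          # one more character: 256 octets, rejected
    print(check("a" * 64 + ".work"))       # 64-octet label, rejected
```

With six labels the name needs six length octets where the presentation form has five dots, plus the root octet, which is exactly why 253 characters land on 255 octets; adding a single character to any label tips it over.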
  Slide 42: DNS

  Slide 49

    vi nginx.conf
    ----------
    server {
        listen 80;
        server_name workworkworkworkworkwork.workworkworkworkworkworkworkworkworkwork.workworkworkworkworkworkworkworkworkworkworkworkworkworkwork.workworkworkworkworkworkworkworkworkworkworkworkworkworkwork.workworkworkworkworkworkworkworkworkworkworkworkworkworkwork.work;
    }
    ----------
    nginx -t
    nginx: [emerg] could not build server_names_hash, you should increase server_names_hash_bucket_size: 32
    nginx: configuration file /etc/nginx/nginx.conf test failed

    nginx.conf: the server_name is too long
  Slide 54: DNS name too long

    # /usr/local/certbot/certbot-auto certonly --webroot -w /work.work -d workworkworkworkworkwork.workworkworkworkworkworkworkworkworkwork.workworkworkworkworkworkworkworkworkworkworkworkworkworkwork.workworkworkworkworkworkworkworkworkworkworkworkworkworkwork.workworkworkworkworkworkworkworkworkworkworkworkworkworkwork.work
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Obtaining a new certificate
    An unexpected error occurred: The request message was malformed :: Error creating new authz :: DNS name too long
    Please see the logfiles in /var/log/letsencrypt for more details.
  Slide 56

    Because the JSON metadata used internally consumes 25 characters.

    letsencrypt/boulder.git/policy/pa.go@126
        // TODO(#3237): Right now our schema for the authz table only allows 255 characters
        // for identifiers, including JSON wrapping, which takes up 25 characters. For
        // now, we only allow identifiers up to 230 characters in length. When we are
        // able to do a migration to update this table, we can allow DNS names up to
        // 253 characters in length.
        maxLabelLength = 63
        maxDNSIdentifierLength = 230

    `identifier` varchar(255) NOT NULL,
    {"type":"dns","value":"example.com"}

    https://community.letsencrypt.org/t/i-want-use-max-255-octet-domain/51279
  Slide 62

    # openssl req -new -key key.pem -out key.csr
    Common Name (eg, fully qualified host name) []:workworkworkworkworkwork.workworkworkworkworkworkworkworkworkwork.workworkworkworkworkworkworkworkworkworkworkworkworkworkwork.workworkworkworkworkworkworkworkworkworkworkworkworkworkwork.workworkworkworkworkworkworkworkworkworkworkworkworkworkwork.work

    Issue the CSR with OpenSSL!
  Slide 99: CN was longer than 64 bytes

    ./certbot-auto certonly --manual -d *.workworkworkworkworkworkworkworkworkwork.workworkworkworkworkworkworkworkworkworkworkworkworkworkwork.workworkworkworkworkworkworkworkworkworkworkworkworkworkwork.workworkworkworkworkworkworkworkworkworkworkworkworkworkwork.work -m jun@harine.jp --agree-tos --manual-public-ip --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
    An unexpected error occurred: The request message was malformed :: Error finalizing order :: issuing precertificate: CN was longer than 64 bytes
  Slide 104: Congratulations!

    ./certbot-auto certonly --manual -d workworkworkworkwork.work -d *.workworkworkworkworkworkworkworkworkwork.workworkworkworkworkworkworkworkworkworkworkworkworkworkwork.workworkworkworkworkworkworkworkworkworkworkworkworkworkwork.workworkworkworkworkworkworkworkworkworkworkworkworkworkwork.work -m jun@harine.jp --agree-tos --manual-public-ip --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/workworkworkworkwork.work/fullchain.pem
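The two certbot failures on the slides ("DNS name too long" for the 253-character name, "CN was longer than 64 bytes" for the 230-character wildcard) and the -d order that finally works all come down to three lengths. This added example (my code, not from the slides or from certbot) checks a request against them before certbot is run: Boulder's maxDNSIdentifierLength = 230 from the quoted pa.go, the 64-byte CN limit from the error message, and the behaviour the deck's fix relies on, namely that the first -d name becomes the certificate's CN. The short name workworkworkworkwork.work is the one the slides put first; whether it is registered is not something this code checks.

```python
# Added example, not from the slides: pre-flight length checks for a
# Let's Encrypt request, using the limits reported in the deck.

MAX_LE_IDENTIFIER = 230   # maxDNSIdentifierLength in Boulder's policy/pa.go
MAX_CN_BYTES = 64         # "CN was longer than 64 bytes"

# The deck's names, rebuilt from their "work" repeats.
LONG_NAME = ".".join(
    ["work" * 6, "work" * 10, "work" * 15, "work" * 15, "work" * 15, "work"]
)
WILDCARD = "*." + LONG_NAME.split(".", 1)[1]   # first label replaced by "*": 230 chars
SHORT_NAME = "work" * 5 + ".work"              # 25 chars, the CN used on slide 104


def plan_request(identifiers):
    """Return (ok, problems, certbot_args) for a list of -d names.

    Every name must fit Boulder's identifier limit; the first name becomes
    the CN and so must also fit in 64 bytes.
    """
    problems = []
    for ident in identifiers:
        if len(ident) > MAX_LE_IDENTIFIER:
            problems.append(
                "DNS name too long: %s (%d > %d)" % (ident, len(ident), MAX_LE_IDENTIFIER)
            )
    cn = identifiers[0]
    if len(cn.encode("ascii")) > MAX_CN_BYTES:
        problems.append(
            "CN was longer than %d bytes: %s (%d)" % (MAX_CN_BYTES, cn, len(cn))
        )
    args = []
    for ident in identifiers:
        args += ["-d", ident]
    return (not problems, problems, args)


def reorder_for_cn(identifiers):
    """Move the first name that fits the CN limit to the front, keep the rest in order.

    Returns the list unchanged when no name fits (a short name must then be added).
    """
    for i, ident in enumerate(identifiers):
        if len(ident.encode("ascii")) <= MAX_CN_BYTES:
            return [ident] + identifiers[:i] + identifiers[i + 1:]
    return list(identifiers)


if __name__ == "__main__":
    print(plan_request([LONG_NAME]))             # slide 54: 253 > 230
    print(plan_request([WILDCARD]))              # slide 99: CN would be 230 bytes
    print(plan_request([SHORT_NAME, WILDCARD]))  # slide 104: ok
    print(reorder_for_cn([WILDCARD, SHORT_NAME]))
```

Dropping the 24-character first label and its dot for "*." is what brings the name from 253 to exactly 230, the largest identifier Boulder accepts; the wildcard then covers every host under that label, and the short name in front keeps the CN within 64 bytes.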