
255-octet domains are painful! / endless-work

Jun Watanabe

March 31, 2019

Transcript

  1. Definition: a domain name is at most 255 octets on the wire; each label (the string between dots) is at most 63 octets.

     workworkworkworkworkwork.workworkworkworkworkworkworkworkworkwork.workworkworkworkworkworkworkworkworkworkworkworkworkworkwork.workworkworkworkworkworkworkworkworkworkworkworkworkworkwork.workworkworkworkworkworkworkworkworkworkworkworkworkworkwork.work

     ↓ = 255 octets = 253 characters (dots included)
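The arithmetic behind "255 octets = 253 characters" is easy to get wrong, so here is an added example (not part of the deck) that computes the wire-format length of a name the way RFC 1035 counts it and checks the 63-octet label and 255-octet name limits. The sample name is rebuilt from the label lengths shown on the slide (24, 40, 60, 60, 60 characters plus the TLD "work"); the function names are this example's own.

```python
# Added example (not from the slides): compute the dotted-text and wire-format
# lengths of a DNS name and check the RFC 1035 limits the deck is about:
# 63 octets per label, 255 octets on the wire, hence 253 characters in text form.

def labels_of(name: str) -> list:
    """Split a dotted name into labels; a trailing dot (explicit root) is ignored."""
    return name.rstrip(".").split(".")

def wire_length(name: str) -> int:
    """Length of `name` as an uncompressed wire-format name: every label is
    preceded by a one-octet length, and the name ends with the zero-octet root label."""
    return sum(1 + len(label.encode("ascii")) for label in labels_of(name)) + 1

def check_name(name: str) -> list:
    """Return the RFC 1035 limit violations for `name` (an empty list means it fits)."""
    problems = []
    for label in labels_of(name):
        if label == "":
            problems.append("empty label")
        elif len(label) > 63:
            problems.append(f"label too long ({len(label)} > 63)")
    total = wire_length(name)
    if total > 255:
        problems.append(f"wire length {total} > 255")
    return problems

# Constructed sample: the deck's "endless work" name, rebuilt from its label
# lengths (24, 40, 60, 60, 60 characters plus the TLD "work").
ENDLESS_WORK = ".".join(
    ["work" * 6, "work" * 10, "work" * 15, "work" * 15, "work" * 15, "work"]
)

if __name__ == "__main__":
    print(f"{len(ENDLESS_WORK)} characters, {wire_length(ENDLESS_WORK)} octets on the wire")
    print("violations:", check_name(ENDLESS_WORK))            # [] : exactly at the limit
    print("one char more:", check_name("x" + ENDLESS_WORK))    # wire length 256 > 255
    print("64-char label:", check_name("x" * 64 + ".work"))     # label too long
```

The two extra octets over the 253 text characters are the length byte of the first label (every other label's length byte replaces a dot) and the terminating root label, which is why 253 is the practical ceiling for a name written in dotted form.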
  2. DNS

  3. vi nginx.conf
     ———-
     server {
         listen 80;
         server_name workworkworkworkworkwork.workworkworkworkworkworkworkworkworkwork.workworkworkworkworkworkworkworkworkworkworkworkworkworkwork.workworkworkworkworkworkworkworkworkworkworkworkworkworkwork.workworkworkworkworkworkworkworkworkworkworkworkworkworkwork.work;
     }
     ——————
     nginx -t
     nginx: [emerg] could not build server_names_hash, you should increase server_names_hash_bucket_size: 32
     nginx: configuration file /etc/nginx/nginx.conf test failed

     The server_name in nginx.conf is too long.
  4. DNS name too long

     # /usr/local/certbot/certbot-auto certonly --webroot -w /work.work -d workworkworkworkworkwork.workworkworkworkworkworkworkworkworkwork.workworkworkworkworkworkworkworkworkworkworkworkworkworkwork.workworkworkworkworkworkworkworkworkworkworkworkworkworkwork.workworkworkworkworkworkworkworkworkworkworkworkworkworkwork.work
     Saving debug log to /var/log/letsencrypt/letsencrypt.log
     Plugins selected: Authenticator webroot, Installer None
     Obtaining a new certificate
     An unexpected error occurred: The request message was malformed :: Error creating new authz :: DNS name too long
     Please see the logfiles in /var/log/letsencrypt for more details.
  5. Because the JSON metadata used internally takes up 25 characters

     letsencrypt/boulder.git/policy/pa.go@126

     // TODO(#3237): Right now our schema for the authz table only allows 255 characters
     // for identifiers, including JSON wrapping, which takes up 25 characters. For
     // now, we only allow identifiers up to 230 characters in length. When we are
     // able to do a migration to update this table, we can allow DNS names up to
     // 253 characters in length.
     maxLabelLength = 63
     maxDNSIdentifierLength = 230

     `identifier` varchar(255) NOT NULL,
     {"type":"dns","value":"example.com"}

     https://community.letsencrypt.org/t/i-want-use-max-255-octet-domain/51279
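To make the "25 characters of JSON wrapping" concrete, here is an added example (not boulder's code) that models the rule quoted above: the identifier is stored as compact JSON in a varchar(255) column, so 255 minus the fixed wrapping leaves 230 characters for the name. It also shows why the 253-character name is rejected while the wildcard form, which swaps the 24-character first label for "*", lands at exactly 230. The function names are this example's own, and the check is a simplified model of the quoted limits rather than a reimplementation of boulder's policy package.

```python
import json

# Added example (not boulder's code): model the limit quoted from policy/pa.go.
# The authz table stores the identifier as JSON in a varchar(255) column, and the
# fixed JSON wrapping {"type":"dns","value":""} costs 25 characters, so the DNS
# name itself may be at most 230 characters, not the 253 that DNS allows.

MAX_IDENTIFIER_COLUMN = 255   # `identifier` varchar(255) NOT NULL
MAX_LABEL_LENGTH = 63         # maxLabelLength in the quoted code

def stored_identifier(name: str) -> str:
    """The JSON document stored for a DNS identifier (compact separators, no spaces)."""
    return json.dumps({"type": "dns", "value": name}, separators=(",", ":"))

JSON_WRAPPING = len(stored_identifier(""))                         # 25
MAX_DNS_IDENTIFIER_LENGTH = MAX_IDENTIFIER_COLUMN - JSON_WRAPPING   # 230

def check_dns_identifier(name: str):
    """Return None if the name fits the quoted limits, otherwise the reason it is rejected."""
    for label in name.split("."):
        if len(label) > MAX_LABEL_LENGTH:
            return f"label too long ({len(label)} > {MAX_LABEL_LENGTH})"
    if len(name) > MAX_DNS_IDENTIFIER_LENGTH:
        return f"DNS name too long ({len(name)} > {MAX_DNS_IDENTIFIER_LENGTH})"
    return None

# Constructed samples: the deck's 253-character name, and the 230-character
# wildcard that replaces its 24-character first label with "*".
ENDLESS_WORK = ".".join(["work" * 6, "work" * 10, "work" * 15, "work" * 15, "work" * 15, "work"])
ENDLESS_WILDCARD = "*." + ".".join(["work" * 10, "work" * 15, "work" * 15, "work" * 15, "work"])

if __name__ == "__main__":
    print("wrapping:", JSON_WRAPPING, "-> max name length:", MAX_DNS_IDENTIFIER_LENGTH)
    print("full name:", check_dns_identifier(ENDLESS_WORK))
    print("wildcard :", check_dns_identifier(ENDLESS_WILDCARD),
          "| stored length", len(stored_identifier(ENDLESS_WILDCARD)))
```

The stored wildcard identifier comes to exactly 255 characters, which is the whole column; one more character in the name and the authz request fails with the same "DNS name too long" message shown on slide 4.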
  6. # openssl req -new -key key.pem -out key.csr
     Common Name (eg, fully qualified host name) []:workworkworkworkworkwork.workworkworkworkworkworkworkworkworkwork.workworkworkworkworkworkworkworkworkworkworkworkworkworkwork.workworkworkworkworkworkworkworkworkworkworkworkworkworkwork.workworkworkworkworkworkworkworkworkworkworkworkworkworkwork.work

     Issue the CSR with OpenSSL!
  7. CN was longer than 64 bytes

     ./certbot-auto certonly --manual -d *.workworkworkworkworkworkworkworkworkwork.workworkworkworkworkworkworkworkworkworkworkworkworkworkwork.workworkworkworkworkworkworkworkworkworkworkworkworkworkwork.workworkworkworkworkworkworkworkworkworkworkworkworkworkwork.work -m [email protected] --agree-tos --manual-public-ip --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

     An unexpected error occurred: The request message was malformed :: Error finalizing order :: issuing precertificate: CN was longer than 64 bytes
  8. Congratulations!

     ./certbot-auto certonly --manual -d workworkworkworkwork.work -d *.workworkworkworkworkworkworkworkworkwork.workworkworkworkworkworkworkworkworkworkworkworkworkworkwork.workworkworkworkworkworkworkworkworkworkworkworkworkworkwork.workworkworkworkworkworkworkworkworkworkworkworkworkworkwork.work -m [email protected] --agree-tos --manual-public-ip --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

     IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/workworkworkworkwork.work/fullchain.pem
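Slides 7 and 8 together show the fix: the first name becomes the certificate's Common Name, and X.509 caps the CN at 64 characters (ub-common-name in RFC 5280 Appendix A) while subjectAltName entries are not capped that way, so a short name goes first and the long wildcard is carried only as a SAN. The added example below (not certbot's, boulder's or the deck's code) applies that ordering rule and emits an OpenSSL `req` config that puts the chosen name in the DN and every requested name in subjectAltName. The helper names and the config file name `req.cnf` are this example's own.

```python
# Added example (not certbot's or boulder's code): the deck's fix in code form.
# ub-common-name in X.509 (RFC 5280 Appendix A) caps the CN at 64 characters and
# the CA enforces it, but subjectAltName entries are not subject to that cap. So
# pick a name that fits in 64 bytes as the CN and carry every long name as a SAN.

MAX_CN_BYTES = 64

def choose_common_name(names):
    """Return (cn, ordered_names): the first name that fits in the CN becomes the
    CN and is moved to the front, which is the order certbot's -d flags need."""
    for name in names:
        if len(name.encode("ascii")) <= MAX_CN_BYTES:
            return name, [name] + [n for n in names if n != name]
    raise ValueError("no requested name fits in a 64-byte Common Name; add a short one")

def openssl_req_config(names):
    """OpenSSL `req` config with the chosen CN in the DN and all names in subjectAltName."""
    cn, ordered = choose_common_name(names)
    san = ",".join("DNS:" + n for n in ordered)
    return "\n".join([
        "[req]",
        "prompt = no",
        "distinguished_name = dn",
        "req_extensions = v3_req",
        "",
        "[dn]",
        f"CN = {cn}",
        "",
        "[v3_req]",
        f"subjectAltName = {san}",
        "",
    ])

# Constructed samples: the deck's short name and its 230-character wildcard.
SHORT_NAME = "work" * 5 + ".work"
ENDLESS_WILDCARD = "*." + ".".join(["work" * 10, "work" * 15, "work" * 15, "work" * 15, "work"])

if __name__ == "__main__":
    # Wildcard alone: nothing fits in the CN, which is the slide 7 failure.
    try:
        choose_common_name([ENDLESS_WILDCARD])
    except ValueError as err:
        print("rejected:", err)
    # Short name added: it becomes the CN, the wildcard is a SAN only (slide 8).
    print(openssl_req_config([ENDLESS_WILDCARD, SHORT_NAME]))
```

Save the printed text as `req.cnf` and run `openssl req -new -key key.pem -config req.cnf -out key.csr` to get the same CN/SAN layout without the interactive Common Name prompt from slide 6; with certbot, the equivalent is simply listing the short name as the first `-d`, exactly as slide 8 does.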