feat: add option to disable common name in CSR (#2570)

2026-03-14 22:45:48 +01:00 · 2025-07-08 17:23:31 +02:00 · 2025-07-08 17:23:31 +02:00 · 40baed291c
commit 40baed291c
parent d9bba80a19
5 changed files with 19 additions and 2 deletions
--- a/certificate/certificates.go
+++ b/certificate/certificates.go
@ -125,6 +125,7 @@ type CertifierOptions struct {
 	KeyType             certcrypto.KeyType
 	Timeout             time.Duration
 	OverallRequestLimit int
+	DisableCommonName   bool
 }

 // Certifier A service to obtain/renew/revoke certificates.
@ -301,7 +302,7 @@ func (c *Certifier) getForOrder(domains []string, order acme.ExtendedOrder, requ
 	}

 	commonName := ""
-	if len(domains[0]) <= 64 {
+	if len(domains[0]) <= 64 && !c.options.DisableCommonName {
 		commonName = domains[0]
 	}

--- a/cmd/flags.go
+++ b/cmd/flags.go
@ -16,6 +16,7 @@ const (
 	flgServer                   = "server"
 	flgAcceptTOS                = "accept-tos"
 	flgEmail                    = "email"
+	flgDisableCommonName        = "disable-cn"
 	flgCSR                      = "csr"
 	flgEAB                      = "eab"
 	flgKID                      = "kid"
@ -88,6 +89,11 @@ func CreateFlags(defaultPath string) []cli.Flag {
 			EnvVars: []string{envEmail},
 			Usage:   "Email used for registration and recovery contact.",
 		},
+		&cli.StringFlag{
+			Name:    flgDisableCommonName,
+			EnvVars: []string{flgDisableCommonName},
+			Usage:   "Disable the use of the common name in the CSR.",
+		},
 		&cli.StringFlag{
 			Name:    flgCSR,
 			Aliases: []string{"c"},
--- a/cmd/setup.go
+++ b/cmd/setup.go
@ -50,6 +50,7 @@ func newClient(ctx *cli.Context, acc registration.User, keyType certcrypto.KeyTy
 		KeyType:             keyType,
 		Timeout:             time.Duration(ctx.Int(flgCertTimeout)) * time.Second,
 		OverallRequestLimit: ctx.Int(flgOverallRequestLimit),
+		DisableCommonName:   ctx.Bool(flgDisableCommonName),
 	}
 	config.UserAgent = getUserAgent(ctx)

--- a/lego/client.go
+++ b/lego/client.go
@ -53,7 +53,15 @@ func NewClient(config *Config) (*Client, error) {
 	solversManager := resolver.NewSolversManager(core)

 	prober := resolver.NewProber(solversManager)
-	certifier := certificate.NewCertifier(core, prober, certificate.CertifierOptions{KeyType: config.Certificate.KeyType, Timeout: config.Certificate.Timeout, OverallRequestLimit: config.Certificate.OverallRequestLimit})
+
+	options := certificate.CertifierOptions{
+		KeyType:             config.Certificate.KeyType,
+		Timeout:             config.Certificate.Timeout,
+		OverallRequestLimit: config.Certificate.OverallRequestLimit,
+		DisableCommonName:   config.Certificate.DisableCommonName,
+	}
+
+	certifier := certificate.NewCertifier(core, prober, options)

 	return &Client{
 		Certificate:  certifier,
--- a/lego/client_config.go
+++ b/lego/client_config.go
@ -64,6 +64,7 @@ type CertificateConfig struct {
 	KeyType             certcrypto.KeyType
 	Timeout             time.Duration
 	OverallRequestLimit int
+	DisableCommonName   bool
 }

 // createDefaultHTTPClient Creates an HTTP client with a reasonable timeout value