OrderDuplicator fails on default request due to API issue about digicert HOT 9 CLOSED

@ronaldtse It has been verified in #145 .

from digicert.

Thanks @kwkwan .

Perhaps @clintwilson could confirm if this is an API problem? Thanks!

from digicert.

@ronaldtse: Any update on this one?

from digicert.

ping @ronaldtse

from digicert.

Apologies for missing this one!
The issue ( or feature! ;) here is that the EV SSL (and Standard SSL and Wildcard) products have a "plus" feature (hence the old name still in the API product_name_id). The Plus feature will automatically add a second dNSName value to any of the above products when the first provided dNSName value is either 1) a base domain (e.g. example.com) or 2) the "www" subdomain of a base domain (e.g. www.example.com). The added dNSName that's added will be whichever of the above two isn't the first provided name (e.g. if www.example.com is provided, we add example.com; if example.com is provided, we add www.example.com).
The product itself is configured to only allow a single name be provided; if both of the dNSName values are submitted, the system interprets that as trying to order a cert with multiple SANs and rejects it.
This behavior is a little more intuitive in the UI, but where the API accepts/expects an array, it's a bit misleading.
This is further complicated by the fact that the other two "plus" products don't have this issue. Wildcard certs do accept multiple SANs on Duplicates, as long as the SANs are subdomains to the wildcard name and Standard SSL don't allow Duplicates; so this is only behavior encountered with the EV SSL product.

I don't have a way to turn off the "plus" feature, unfortunately. A potential, though non-ideal fix, would be to implement the logic noted above, i.e. if the product being duplicated is EV SSL, only use the first value in the dns_names array when creating the Duplicate.

from digicert.

Thank you @clintwilson for the detailed explanation (and @abunashir 's ping) !

I agree that the most appropriate fix is to implement this "exception" logic in this gem. @abunashir could you help implement this check? Thanks!

from digicert.

Thanks a lot, @clintwilson, @ronaldtse: I just created a PR to resolve this issue, could you please have a look and let me know if there is anything else we should consider?

cc: @kwkwan

from digicert.

@kwkwan could you help verify? Thanks!

from digicert.

Thanks @kwkwan !

from digicert.