Allow issuance of root certs no AIA when templating is enabled #21209
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When templating is enabled in
config/urls
, with a URL that includes the best-practice suggestion of{{issuer_id}}
, we fail to generate root CAs because there is no issuer ID yet. While this is true, the best practice is to include{{issuer_id}}
on the AIA info, but Root CAs need not specify AIA info; indeed, most public root CAs do not.Instead of erring, allow this issuance to silently succeed with no AIA information; if AIA information is necessary, it can be manually specified (e.g., using
enable_templating=false
or without{{issuer_id}}
, such as with a fixed, manually-specified name for this one root certificate).