
[Bug]: hostname only policy #2318

@keros

Description

Steps to Reproduce

In our internal LAN we use our own internal domain (ourdomain.internal).
Because it is annoying to always type the FQDN, we use the DNS search suffix feature.

This allows us to connect to our servers via the FQDN and the shorter hostname:

curl "https://srv01.ourdomain.internal/index.html"
curl "https://srv01/index.html"

I tried to set up a policy on our step-ca server so that certificates can only be issued for our FQDN (*.ourdomain.internal) or the hostname (*):

...
                "policy": {
                        "x509": {
                                "allow": {
                                        "dns": ["*", "*.ourdomain.internal"]
                                },
                                "allowWildcardNames": true
                        }
                }
...

Your Environment

  • OS -
  • step-ca Version - 0.28.3-1
  • step-cli Version - 0.28.6-1

Expected Behavior

The policy should allow this.

Actual Behavior

The config currently leads to this error.

cannot parse permitted domain constraint "*": domain constraint "*" can not be converted to ASCII: idna: disallowed rune U+002A

Additional Context

No response
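The intended meaning of the allow list in the report, as an added illustration that is not step-ca's code: `*` is taken to mean any single-label hostname and `*.ourdomain.internal` exactly one label under the domain (both assumptions). It also shows that the reported IDNA error comes from converting the literal `*`, and that stripping the wildcard label before conversion lets the remaining suffix still be validated.

```python
# Added illustration, not step-ca's implementation. Evaluates requested DNS
# SANs against the allow list from the issue. Assumptions: "*" means "any
# single-label hostname" and "*.<suffix>" means "exactly one label under
# <suffix>"; non-wildcard entries must match exactly.
import re

ALLOW_DNS = ["*", "*.ourdomain.internal"]  # the policy from the issue

# One DNS label: letters, digits, hyphens, no leading/trailing hyphen, <= 63 chars
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"


def normalize_constraint(pattern: str) -> tuple[bool, str]:
    """Split a policy entry into (is_wildcard, ascii_suffix).

    The reported error arises when the literal '*' is handed to an IDNA
    converter (it is not a valid label). Stripping the wildcard label first
    and converting only the suffix avoids that while still rejecting bad
    labels in the suffix (the idna codec raises UnicodeError on those).
    """
    wildcard = pattern == "*" or pattern.startswith("*.")
    suffix = "" if pattern == "*" else (pattern[2:] if wildcard else pattern)
    if suffix:
        suffix = suffix.encode("idna").decode("ascii")  # punycode as needed
    return wildcard, suffix.lower()


def san_allowed(name: str, allow: list[str] = ALLOW_DNS) -> bool:
    """Return True if the requested DNS SAN matches some allow-list entry."""
    name = name.lower().rstrip(".")  # case-insensitive, ignore trailing dot
    for pattern in allow:
        wildcard, suffix = normalize_constraint(pattern)
        if not wildcard:
            if name == suffix:
                return True
        elif suffix == "":
            # bare "*": a single-label hostname such as "srv01"
            if re.fullmatch(LABEL, name):
                return True
        elif re.fullmatch(LABEL + re.escape("." + suffix), name):
            # "*.suffix": exactly one label directly under the suffix
            return True
    return False
```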

Metadata

Labels

bug, needs triage (Waiting for discussion / prioritization by team)
