Using golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e, autocert.Manager requesting a domain with a length of 68 (including 5 . if that's relevant) gives an error that I think originates from Let's Encrypt: 400 urn:ietf:params:acme:error:rejectedIdentifier: NewOrder request did not include a SAN short enough to fit in CN.

It might be possible to work around by allowing a shorter domain name to be provided, or somehow providing an alternate value to Let's Encrypt for the CN. I found https://community.letsencrypt.org/t/a-certificate-for-a-63-character-domain/78870 and https://github.com/letsencrypt/boulder/issues/2093 that discuss this.

I experimented with passing in a shorter domain name that was also pointing to the same server, but the autocert code appears set on handling a single domain at a time and I wasn't able to change the final error.
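
The CN constraint behind this error, as an added example that is not part of the original post and not autocert's code: a CSR lists every name as a SAN and uses for the CN the first name that fits the 64-byte commonName limit from RFC 5280. The names, `sampleNames`, `pickCN` and `buildCSR` are constructed for illustration, and whether a CA accepts the extra SAN or an empty CN is an assumption about its policy.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"strings"
)

// maxCN is the upper bound on commonName (ub-common-name in RFC 5280).
const maxCN = 64

// sampleNames returns constructed names: a 68-byte one with 5 dots, then a short one.
func sampleNames() []string {
	long := strings.Repeat("a", 14) + "." + strings.Repeat("b", 13) + "." +
		strings.Repeat("c", 13) + "." + strings.Repeat("d", 13) + ".example.com"
	return []string{long, "short.example.com"}
}

// pickCN returns the first name short enough for a CN, or "" if none fits.
func pickCN(names []string) string {
	for _, n := range names {
		if len(n) <= maxCN {
			return n
		}
	}
	return ""
}

// buildCSR (hypothetical helper) puts all names in the SAN list and pickCN's result in the CN.
func buildCSR(names []string) (*x509.CertificateRequest, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: pickCN(names)}, DNSNames: names}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der) // round-trip to show what a CA would parse
}

func main() {
	names := sampleNames()
	fmt.Printf("%d-byte name, CN would be %q\n", len(names[0]), pickCN(names))
}
```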

Comment From: anacrolix

Here's a simple workaround I've implemented: https://github.com/golang/crypto/compare/master...anacrolix:shortsan?expand=1.

Comment From: seankhliao

cc @bradfitz @golang/security

Comment From: seankhliao

I think this is no longer a problem https://community.letsencrypt.org/t/simplifying-issuance-for-very-long-domain-names/207924