From 03e251391989ed2f9c56e790ddd1da6cce560cf4 Mon Sep 17 00:00:00 2001
From: AJ ONeal <coolaj86@gmail.com>
Date: Mon, 1 Apr 2019 23:11:56 -0600
Subject: [PATCH] updates for wildcards

---
 lib/core.js | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/lib/core.js b/lib/core.js
index beb81ce..fb0cbe7 100644
--- a/lib/core.js
+++ b/lib/core.js
@@ -223,17 +223,28 @@ module.exports.create = function (gl) {
         var challengeDefaults = gl['_challengeOpts_' + (args.challengeType || gl.challengeType)] || {};
         var copy = utils.merge(args, challengeDefaults || {});
         copy = utils.merge(copy, gl);
+        if (!copy.subject) { copy.subject = copy.domains[0]; }
+        if (!copy.domain) { copy.domain = copy.domains[0]; }
         args = utils.tplCopy(copy);
 
         if (!Array.isArray(args.domains)) {
           return PromiseA.reject(new Error('args.domains should be an array of domains'));
         }
-
+        //if (-1 === args.domains.indexOf(args.subject)) // TODO relax the constraint once acme-v2 handles subject?
+        if (args.subject !== args.domains[0]) {
+          console.warn("The certificate's subject (primary domain) should be first in the list of opts.domains");
+          console.warn('\topts.subject: (set by you approveDomains(), falling back to opts.domain) ' + args.subject);
+          console.warn('\topts.domain: (set by SNICallback()) ' + args.domain);
+          console.warn('\topts.domains: (set by you in approveDomains()) ' + args.domains.join(','));
+          console.warn("Updating your code will prevent weird, random, hard-to-repro bugs during renewals");
+          console.warn("(also this will be required in the next major version of greenlock)");
+          //return PromiseA.reject(new Error('certificate subject (primary domain) must be the first in opts.domains'));
+        }
         if (!(args.domains.length && args.domains.every(utils.isValidDomain))) {
           // NOTE: this library can't assume to handle the http loopback
           // (or dns-01 validation may be used)
           // so we do not check dns records or attempt a loopback here
-          err = new Error("invalid domain name(s): '" + args.domains + "'");
+          err = new Error("invalid domain name(s): '(" + args.subject + ') ' + args.domains.join(',') + "'");
           err.code = "INVALID_DOMAIN";
           return PromiseA.reject(err);
         }
@@ -326,6 +337,7 @@ module.exports.create = function (gl) {
 
               , accountKeypair: RSA.import(account.keypair)
               , domainKeypair: domainKeypair
+              , subject: args.subject // TODO handle this in acme-v2
               , domains: args.domains
               , challengeType: args.challengeType
               };
@@ -358,7 +370,7 @@ module.exports.create = function (gl) {
                 gl.challenges[args.challengeType].remove(copy, domain, key, done);
               };
 
-              log(args.debug, 'calling greenlock.acme.getCertificateAsync', certReq.domains);
+              log(args.debug, 'calling greenlock.acme.getCertificateAsync', certReq.subject, certReq.domains);
 
               // TODO acme-v2/nocompat
               return gl.acme.getCertificateAsync(certReq).then(utils.attachCertInfo);