Vault 1.8.1 PKI backend stopped accepting email as CN

[bitfehler]

Describe the bug
Hi there! We have a PKI backend where devs can issue themselves certificates. For every dev, the common name is enforced to be the email address. The setup has worked up to (including) Vault 1.7.3. See below for all the details. It stopped working in Vault 1.8.1 (see below for error message).

I could not find anything in the release notes related to this.

To Reproduce
Steps to reproduce the behavior:

PKI role configuration:

$ vault read pki-vpn-eng-2020/roles/a9c56069-8de5-4284-b8c5-322ac89608d0
Key                                   Value
---                                   -----
allow_any_name                        false
allow_bare_domains                    true
allow_glob_domains                    false
allow_ip_sans                         false
allow_localhost                       false
allow_subdomains                      false
allow_token_displayname               false
allowed_domains                       [[email protected]]
allowed_domains_template              false
allowed_other_sans                    []
allowed_serial_numbers                []
allowed_uri_sans                      []
basic_constraints_valid_for_non_ca    false
client_flag                           true
code_signing_flag                     false
country                               []
email_protection_flag                 false
enforce_hostnames                     false
ext_key_usage                         [ClientAuth]
ext_key_usage_oids                    []
generate_lease                        false
key_bits                              2048
key_type                              rsa
key_usage                             [DigitalSignature KeyAgreement KeyEncipherment]
locality                              []
max_ttl                               171h
no_store                              false
not_before_duration                   0s
organization                          [Example]
ou                                    [Engineering]
policy_identifiers                    []
postal_code                           []
province                              []
require_cn                            true
server_flag                           false
street_address                        []
ttl                                   171h
use_csr_common_name                   true
use_csr_sans                          true

Trying to issue cert:

$ vault write  "pki-vpn-eng-2020/issue/a9c56069-8de5-4284-b8c5-322ac89608d0" "[email protected]"
Error writing data to pki-vpn-eng-2020/issue/a9c56069-8de5-4284-b8c5-322ac89608d0: Error making API request.

URL: PUT https://vault.example.net/v1/pki-vpn-eng-2020/issue/a9c56069-8de5-4284-b8c5-322ac89608d0
Code: 400. Errors:

* common name [email protected] not allowed by this role

Expected behavior
A certificate should have been issued (worked with same config in Vault 1.73).
Note specifically that the role has enforce_hostnames set to false.

Environment:

• Vault Server Version 1.7.3
• Vault CLI Version 1.7.3
• Server Operating System/Architecture: Linux amd64 (client and server)

[bitfehler]

Oops, I am very sorry, this is most likely a duplicate of #12336 - I was just confused by its title.