Support IP-SAN certificates #83

Merged
sorah merged 5 commits into sorah:master from hanazuki:ip-san
Mar 20, 2026

Conversation

@hanazuki hanazuki (Contributor) commented Mar 18, 2026

  • acmesmith order/add-san/autorenew commands gain support for IP-SANs.
  • subject_name_cidr is introduced. Because an IP address has multiple string representations, prefix matching as a string won't work.
  • Integration tests with pebble.

Limitation: acmesmith order must have a DNS identifier as the first SAN. acmesmith uses the first SAN as CN when generating a CSR, but CN cannot be an IP address.

acme-client gained support for IP-SAN certificates at 2.0.29.
Certificate#ip_sans returns all iPAddress entries in subjectAltName.
acmesmith order/autorenew/add-san commands can now handle IP addresses
in subject alternative name.
@hanazuki hanazuki marked this pull request as ready for review March 19, 2026 19:53
@sorah sorah merged commit e72511a into sorah:master Mar 20, 2026
6 checks passed
@hanazuki hanazuki deleted the ip-san branch March 21, 2026 07:03
hanazuki added a commit to hanazuki/acmesmith that referenced this pull request Apr 6, 2026
RFC 8738 requires IPv6 identifiers to follow the textual form defined
in RFC 5952 §4 (lowercase hex, compressed). The raw input string was
previously sent as-is to the CA.

This causes renewal to fail when a certificate was previously issued with
an IPv6 SAN: OpenSSL renders IPv6 addresses with uppercase hex digits, so
when acmesmith reads the existing certificate's SANs to build the renewal
order, the uppercase form is passed through unchanged and rejected by the
CA as a malformed identifier.

Fixup: sorah#83
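The two points raised above, that an IP address has several string spellings (so prefix matching on the string fails, hence subject_name_cidr) and that RFC 8738 wants IPv6 identifiers in the RFC 5952 form while OpenSSL hands back uppercase hex, can both be demonstrated with Ruby's standard IPAddr. The following is an added example written for this page; it is not acmesmith's or acme-client's code, and the function names, the sample SAN list and the CIDR rule are constructed for illustration.

```ruby
require 'ipaddr'

# Canonical textual form of an IP identifier as RFC 8738 expects it:
# IPv4 dotted-quad, IPv6 per RFC 5952 (lowercase hex, leading zeros
# dropped, longest run of zero groups compressed to "::").
# IPAddr#to_s already produces exactly that form.
def canonical_ip(str)
  IPAddr.new(str).to_s
end

# True if +str+ parses as an IP literal; DNS names must be left untouched.
# IPAddr::InvalidAddressError is a subclass of ArgumentError.
def ip_literal?(str)
  IPAddr.new(str)
  true
rescue ArgumentError
  false
end

# Split a certificate's SAN strings into DNS names and canonicalised IPs,
# the step a renewal would take before building an ACME order.
def classify_sans(sans)
  dns, ips = sans.partition { |s| !ip_literal?(s) }
  [dns, ips.map { |s| canonical_ip(s) }]
end

# A subject_name_cidr-style rule: the SAN matches if it lies inside any of
# the given CIDR ranges, regardless of how the address string was spelled.
def matches_cidr?(san, cidrs)
  return false unless ip_literal?(san)

  addr = IPAddr.new(san)
  cidrs.any? { |c| IPAddr.new(c).include?(addr) }
end

# Plain string-prefix matching, kept only to show why it is not usable
# for IP addresses.
def matches_prefix?(san, prefixes)
  prefixes.any? { |p| san.start_with?(p) }
end

# The CN limitation from the PR: the first SAN becomes the CSR's CN, and
# a CN cannot be an IP address, so the first SAN must be a DNS name.
def first_san_usable_as_cn?(sans)
  !sans.empty? && !ip_literal?(sans.first)
end

# Constructed sample (hypothetical SANs read back from an issued cert).
# The IPv6 entry is in the uppercase, uncompressed style OpenSSL renders.
SANS_FROM_CERT = ['example.test', '2001:DB8:0:0:0:0:0:1', '192.0.2.10'].freeze

if $PROGRAM_NAME == __FILE__
  dns, ips = classify_sans(SANS_FROM_CERT)
  puts "DNS: #{dns.inspect}"
  puts "IPs (canonical): #{ips.inspect}"
  puts "prefix match on '2001:db8::': #{matches_prefix?(SANS_FROM_CERT[1], ['2001:db8::'])}"
  puts "CIDR match on 2001:db8::/32:  #{matches_cidr?(SANS_FROM_CERT[1], ['2001:db8::/32'])}"
  puts "first SAN usable as CN: #{first_san_usable_as_cn?(SANS_FROM_CERT)}"
end
```

Running the file prints the canonical `2001:db8::1` for the uppercase input, shows the string-prefix rule missing it while the CIDR rule matches, and confirms the DNS-first SAN ordering the PR requires.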