From ae77b05bf0c6cd21fca8550de53aaf2d5035387a Mon Sep 17 00:00:00 2001
From: Kasumi Hanazuki
Date: Mon, 6 Apr 2026 09:05:20 +0000
Subject: [PATCH] ordering_service: normalize ip identifiers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

RFC 8738 requires IPv6 identifiers to follow the textual form defined in RFC 5952 ยง4 (lowercase hex, compressed). The raw input string was previously sent as-is to the CA. This causes renewal to fail when a certificate was previously issued with an IPv6 SAN: OpenSSL renders IPv6 addresses with uppercase hex digits, so when acmesmith reads the existing certificate's SANs to build the renewal order, the uppercase form is passed through unchanged and rejected by the CA as a malformed identifier.
Fixup: https://github.com/sorah/acmesmith/pull/83
---
 lib/acmesmith/ordering_service.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/acmesmith/ordering_service.rb b/lib/acmesmith/ordering_service.rb
index 0f975d0..e0ce2f2 100644
--- a/lib/acmesmith/ordering_service.rb
+++ b/lib/acmesmith/ordering_service.rb
@@ -141,8 +141,8 @@ def acme_identifier(name)
 end
 
 begin
- IPAddr.new(name) # Test if it parses
- { type: 'ip', value: name }
+ addr = IPAddr.new(name)
+ { type: 'ip', value: addr.to_s } # IPAddr#to_s normalizes IPv6 address to RFC 5952 form as required by RFC 8738 \S 3
 rescue IPAddr::InvalidAddressError
 { type: 'dns', value: name }
 end
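Review bot: Sending `addr.to_s` instead of `name` means anything `IPAddr.new` tolerates is now silently rewritten into a different, valid-looking identifier rather than being rejected by the CA. In particular, `IPAddr.new` accepts a prefix length or netmask and masks the address, so an input like `192.0.2.10/24` would be ordered as `192.0.2.0`. Because this value decides which address the certificate is requested for, the `begin` block should refuse non-host input before building the identifier, for example `raise ArgumentError, "IP identifier must be a single host address: #{name}" unless addr.prefix == (addr.ipv4? ? 32 : 128)` (the exception type is a suggestion, so pick whatever the callers already handle). `acme_identifier` starts above this hunk and may continue below it, so an earlier guard outside the visible lines may already cover this.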