Skip to content

Add ACME profile support for IP address certificates#3958

Open
nekohasekai wants to merge 9 commits intotestingfrom
fix-acme-http-tls-challenge
Open

Add ACME profile support for IP address certificates#3958
nekohasekai wants to merge 9 commits intotestingfrom
fix-acme-http-tls-challenge

Conversation

@nekohasekai
Copy link
Copy Markdown
Member

@nekohasekai nekohasekai commented Mar 26, 2026

Summary

  • Auto-select shortlived ACME profile for Let's Encrypt when domain list contains IP addresses, fixing rejectedIdentifier errors
  • Expose profile option for manual override (custom CA servers)
  • Applied to both new certificate provider path and deprecated inline ACME path

Test plan

  • Configure ACME with an IP address identifier against Let's Encrypt and verify the order succeeds
  • Configure ACME with domain-only identifiers and verify no profile is set (default behavior unchanged)
  • Configure ACME with explicit profile field and verify it takes precedence over auto-detection

@nekohasekai
Fix ACME HTTP-01 challenge for IPv6 literal addresses
4143800 
Replace certmagic with a fork that strips brackets from bare IPv6
addresses in the HTTP Host header, fixing HTTP-01 challenge matching
for IPv6 literal address certificates.

Fixes #3964
@nekohasekai nekohasekai force-pushed the fix-acme-http-tls-challenge branch from 6342fb3 to 4143800 Compare March 28, 2026 16:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@nekohasekai