acme-client(1): add support for let's encrypt iPAddress certificates
I would encourage additional ipv6 testing where possible. The original diff only had rudimentary v6 testing done (acquire/revoke), courtesy of one of the other developers who had an ipv6-accessible host and was gracious enough to try it out.
Regards
Lloyd
Stuart Henderson wrote:
> > Diff below merges this to -current. Works for me with a shortlived IP
> > address cert on letsencrypt staging, with a standard cert on letsencrypt
> > prod, and src/regress/usr.sbin/acme-client (using pebble) is still
> > happy.
>
>
> this is now live in prod on letsencrypt, but beware if testing, there
> is a bug.
>
> if you list IPv6 addresses, it hits "domain list changed, forcing
> renewal" on every renewal.
>
> this is because, when setting up found_altnames, it's doing a memcmp()
> between the expanded v6 address and the compressed one, i.e.
>
> memcmp("xxxx:xxxx:0001:0101:0000:0000:0000:0002", "xxxx:xxxx:1:101::2", 39)
>
> updated diff below uses inet_ntop, rather than hand-rolled functions,
> to generate strings from the addresses in an existing cert.
> I also dropped the "with cn" option and setting Subject in the CSR.
>
> (I think v6 addresses probably ought to be normalised to the inet_ntop
> form when read from the config file too - I haven't done that in this
> diff. Looks like letsencrypt won't issue a cert if you try to use the
> expanded form anyway).
>
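
The mismatch described in the quoted message, shown as an added example that is not part of the thread or of acme-client itself: both strings are parsed with inet_pton(3) and rewritten with inet_ntop(3) before comparison. The function names `ip_canonical` and `ip_same` are hypothetical, and the addresses are constructed from the 2001:db8::/32 documentation prefix.

```c
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Rewrite a textual IPv4/IPv6 address in inet_ntop(3) form.
 * Returns 0 on success, -1 if src is not an IP literal or dst is too small. */
int
ip_canonical(const char *src, char *dst, size_t dstlen)
{
	unsigned char buf[sizeof(struct in6_addr)];
	int af[] = { AF_INET, AF_INET6 };
	size_t i;

	for (i = 0; i < sizeof(af) / sizeof(af[0]); i++) {
		if (inet_pton(af[i], src, buf) != 1)
			continue;
		return inet_ntop(af[i], buf, dst, (socklen_t)dstlen) == NULL ? -1 : 0;
	}
	return -1;
}

/* Compare a configured address with one read back from a certificate.
 * Returns 1 if same address, 0 if different, -1 if either is not an IP. */
int
ip_same(const char *conf, const char *san)
{
	char a[INET6_ADDRSTRLEN], b[INET6_ADDRSTRLEN];

	if (ip_canonical(conf, a, sizeof(a)) == -1 ||
	    ip_canonical(san, b, sizeof(b)) == -1)
		return -1;
	return strcmp(a, b) == 0;
}

int
main(void)
{
	/* Constructed sample values: one address in expanded and compressed form. */
	const char *expanded = "2001:0db8:0001:0101:0000:0000:0000:0002";
	const char *compressed = "2001:db8:1:101::2";

	printf("raw strcmp equal: %d\n", strcmp(expanded, compressed) == 0);
	printf("normalised equal: %d\n", ip_same(expanded, compressed));
	return 0;
}
```

Comparing the raw text reports a difference for the same address, which is the condition that triggers a forced renewal; comparing the normalised forms does not.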