From: Lloyd
Subject: Re: acme-client(1): add support for let's encrypt iPAddress certificates
To: Stuart Henderson
Cc: Peter Hessler, "tech@openbsd.org"
Date: Wed, 17 Dec 2025 17:13:26 +0000

I would encourage additional ipv6 testing where possible. The original diff only had rudimentary v6 testing done (acquire/revoke), courtesy of one of the other developers who had an ipv6-accessible host and was gracious enough to try it out.

Regards
Lloyd

Stuart Henderson wrote:
> > Diff below merges this to -current. Works for me with a shortlived IP
> > address cert on letsencrypt staging, with a standard cert on letsencrypt
> > prod, and src/regress/usr.sbin/acme-client (using pebble) is still
> > happy.
>
> this is now live in prod on letsencrypt, but beware if testing, there
> is a bug.
>
> if you list IPv6 addresses, it hits "domain list changed, forcing
> renewal" on every renewal.
>
> this is because, when setting up found_altnames, it's doing a memcmp()
> between the expanded v6 address and the compressed one, i.e.
>
> memcmp("xxxx:xxxx:0001:0101:0000:0000:0000:0002", "xxxx:xxxx:1:101::2", 39
>
> updated diff below uses inet_ntop, rather than hand-rolled functions,
> to generate strings from the addresses in an existing cert.
> I also dropped the "with cn" option and setting Subject in the CSR.
>
> (I think v6 addresses probably ought to be normalised to the inet_ntop
> form when read from the config file too - I haven't done that in this
> diff. Looks like letsencrypt won't issue a cert if you try to use the
> expanded form anyway).
>
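An added illustration of the comparison problem described in the quoted message; this is not code from acme-client or from the thread. It uses a constructed address pair from the 2001:db8::/32 documentation prefix (the thread's real addresses are redacted) and shows that a byte-wise text comparison reports a difference between the expanded and compressed spellings, while normalising both through inet_pton(3)/inet_ntop(3) makes them compare equal.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Normalise an IPv6 address string to the inet_ntop(3) spelling.
 * Returns 1 on success, 0 if the input does not parse as IPv6. */
int ipv6_canonical(const char *in, char *out, size_t outlen)
{
    struct in6_addr a;
    if (inet_pton(AF_INET6, in, &a) != 1)
        return 0;
    return inet_ntop(AF_INET6, &a, out, outlen) != NULL;
}

/* 1 if the canonical form of `in` is exactly `expected`. */
int canonical_matches(const char *in, const char *expected)
{
    char buf[INET6_ADDRSTRLEN];
    return ipv6_canonical(in, buf, sizeof(buf)) && strcmp(buf, expected) == 0;
}

/* Compare two IPv6 strings by their 128-bit value, not their spelling.
 * Any well-formed spelling of the same address compares equal. */
int ipv6_equal(const char *x, const char *y)
{
    struct in6_addr a, b;
    if (inet_pton(AF_INET6, x, &a) != 1 || inet_pton(AF_INET6, y, &b) != 1)
        return 0;
    return memcmp(&a, &b, sizeof(a)) == 0;
}

/* The text-only comparison the thread describes: same address, two
 * spellings, and the byte comparison still reports "changed". */
int text_differs(const char *x, const char *y)
{
    return strcmp(x, y) != 0;
}

int main(void)
{
    /* Constructed sample addresses (documentation prefix), not the
     * redacted ones from the thread. */
    const char *expanded = "2001:0db8:0001:0101:0000:0000:0000:0002";
    const char *compressed = "2001:db8:1:101::2";
    char canon[INET6_ADDRSTRLEN];

    printf("text comparison reports change: %d\n", text_differs(expanded, compressed));
    printf("binary comparison reports equal: %d\n", ipv6_equal(expanded, compressed));
    if (ipv6_canonical(expanded, canon, sizeof(canon)))
        printf("canonical form of expanded input: %s\n", canon);
    return 0;
}
```

Applying the same normalisation to addresses read from the config file, as the message suggests, would let the cert-vs-config comparison use one spelling on both sides.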