
Unable to request cert for IPv6 address via HTTP challenge #2344

Closed
3 tasks done
eest opened this issue Nov 11, 2024 · 2 comments · Fixed by #2345

Comments

@eest

eest commented Nov 11, 2024

Welcome

  • Yes, I'm using a binary release within 2 latest releases.
  • Yes, I've searched similar issues on GitHub and didn't find any.
  • Yes, I've included all information below (version, config, etc).

What did you expect to see?

Trying to get a cert for an IPv6 address via step-ca ACME service like so:

./lego --email [email protected] -d '2001:db8::1' --accept-tos --server https://my-step-ca.example.com:9000/acme/acme/directory --http --http.port [2001:db8::1]:80 run

Was thinking this would yield me a cert valid for that IPv6 address.

What did you see instead?

2024/11/11 09:22:51 [INFO] [2001:db8::1] acme: Obtaining bundled SAN certificate
2024/11/11 09:22:51 [INFO] [2001:db8::1] AuthURL: https://my-step-ca.example.com:9000/acme/acme/authz/XYZ
2024/11/11 09:22:51 [INFO] [2001:db8::1] acme: Could not find solver for: tls-alpn-01
2024/11/11 09:22:51 [INFO] [2001:db8::1] acme: use http-01 solver
2024/11/11 09:22:51 [INFO] [2001:db8::1] acme: Trying to solve HTTP-01
2024/11/11 09:22:51 [WARN] Received request for domain [2001:db8::1] with method GET but the domain did not match any challenge. Please ensure you are passing the Host header properly.
2024/11/11 09:22:51 [INFO] Deactivating auth: https://my-step-ca.example.com:9000/acme/acme/authz/XYZ
2024/11/11 09:22:51 [INFO] Unable to deactivate the authorization: https://my-step-ca.example.com:9000/acme/acme/authz/XYZ
2024/11/11 09:22:51 Could not obtain certificates:
	error: one or more domains had a problem:
[2001:db8::1] acme: error: 0 :: urn:ietf:params:acme:error:rejectedIdentifier :: The server will not issue certificates for the identifier

If I modify my -d command to include brackets myself this fails like so instead (note double brackets):

2024/11/11 10:52:09 [INFO] [[2001:db8::1]] acme: Obtaining bundled SAN certificate
2024/11/11 10:52:09 Could not obtain certificates:
	acme: error: 400 :: POST :: https://my-step-ca.example.com:9000/acme/acme/new-order :: urn:ietf:params:acme:error:malformed :: The request message was malformed

The problem seems to be that the domain that is compared against is missing the brackets, []. I was able to work around this problem by hacking up challenge/http01/http_challenge_server.go doing this:

	domain = "[" + domain + "]"
	go s.serve(domain, token, keyAuth)

... so it appears that at some point lego might need to check if a domain parses as an IPv6 address and if it does it should include the brackets when creating the domain matcher.

How do you use lego?

Binary

Reproduction steps

  1. Request cert for IPv6 address.
  2. lego is unable to match the hostname of the challenge with the name it is trying to get a cert for.

Version of lego

lego version 98371c4695dd4e45d7458d8ba42272f6fa0c625d linux/amd64

Logs

See above

Go environment (if applicable)

No response
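The report above boils down to a host-matching question: the Host header of an HTTP-01 validation request for an IPv6 identifier arrives bracketed ("[2001:db8::1]", optionally with a port), while the identifier lego is comparing against is the bare address from -d. The following Go snippet is an added illustration of the normalisation the reporter suggests (detect an IPv6 literal and bracket it before matching); it is not lego's code and not the change made in #2345. Function names, the sample Host headers and the sample identifier are all constructed for this example.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// hostForIdentifier returns the form a client puts in the HTTP Host header
// when it connects to the given ACME identifier. Hostnames and IPv4 addresses
// are used verbatim; an IPv6 literal is wrapped in the brackets that URLs and
// Host headers require (RFC 3986, section 3.2.2). Hypothetical helper.
func hostForIdentifier(identifier string) string {
	if net.ParseIP(identifier) != nil && strings.Contains(identifier, ":") {
		return "[" + identifier + "]"
	}
	return identifier
}

// matchesChallenge reports whether the Host header of an incoming HTTP-01
// validation request refers to the identifier a challenge was issued for.
// It tolerates an explicit port ("example.com:8080", "[2001:db8::1]:80") and
// compares both sides in the same bracketed form. Hypothetical helper.
func matchesChallenge(hostHeader, identifier string) bool {
	host := hostHeader
	// SplitHostPort understands "[v6]:port"; without a port it returns an
	// error and the header is kept as received.
	if h, _, err := net.SplitHostPort(hostHeader); err == nil {
		// SplitHostPort strips the brackets, so restore the Host-header form.
		host = hostForIdentifier(h)
	}
	return strings.EqualFold(host, hostForIdentifier(identifier))
}

func main() {
	// Constructed sample Host headers, modelled on the warning in the issue.
	identifier := "2001:db8::1"
	for _, h := range []string{"[2001:db8::1]", "[2001:db8::1]:80", "example.com"} {
		fmt.Printf("Host %-18q matches %q: %v\n", h, identifier, matchesChallenge(h, identifier))
	}
}
```

Bracketing is applied on both sides of the comparison rather than only to the stored identifier, so a Host header that carries an explicit port (as with the --http.port form used in the report) still matches after the port is split off. An unbracketed IPv6 literal in a Host header is malformed and is deliberately not matched.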

@eest
Author

eest commented Nov 11, 2024

@ldez I got a notice via mail that you asked if I had tried adding brackets to -d. The question seems gone now, but since the issue labels still point to waiting for feedback I will respond: yes, I tried that; I mentioned that this will result in another error (as well as double brackets in the output). See the middle part of my report above.

@ldez
Member

ldez commented Nov 11, 2024

I deleted my message because the answer was inside your issue description; sorry, I misread it.
