Conversation

@cpu cpu (Collaborator) commented Mar 27, 2025

While Let's Encrypt has announced upcoming support for issuing certificates for IP address subjects, it isn't available yet.

Fortunately, Pebble does support this, so we can implement the feature now and have it ready for Let's Encrypt's staging and production environments.

See RFC 8738.

Previously we only set the pebble-challtestsrv to bind its challenge
interfaces to the IPv6 loopback. We want both IPv4 and IPv6 so we can
issue for both.
Comment on lines +647 to +649
/// This is only relevant for DNS identifiers and must be false for other
/// types of identifiers (e.g. IP addresses).
@cpu cpu (Collaborator, Author) Mar 27, 2025

This comes from a combination of RFC 8555 7.1.4 where it says (emphasis mine):

This field MUST be present and true for authorizations created as a result of a newOrder request containing a DNS identifier with a value that was a wildcard domain name. For other authorizations, it MUST be absent.

and a verified erratum that further clarified it could be absent, or explicitly set false.

@djc djc (Owner) commented Mar 27, 2025

One random thought: should we proactively try and enforce not using DNS-01 for IP identifiers somewhere or is it sufficient to let the CA return a problem if it's attempted? RFC 8738 forbids it, and LE only plans to offer support for HTTP-01 and TLS-ALPN-01.

Typically the server decides what types of challenge are available for a given authorization, right? So I don't think there's anything for us to do here...

@cpu cpu (Collaborator, Author) commented Mar 27, 2025

Typically the server decides what types of challenge are available for a given authorization, right?

Oh yeah, you're totally right 💡 Ok!
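As an added example (not code from this pull request or from the crate), the two points raised in this thread in standalone Rust using only `std`: the RFC 8555 7.1.4 rule for the `wildcard` flag (present and true only for a wildcard DNS name, absent or explicitly false otherwise, per the verified erratum), and the RFC 8738 rule that DNS-01 never applies to an `ip` identifier, together with what the validator expects to see from the client for HTTP-01 (the address literal in the Host header, RFC 8738 section 5) and TLS-ALPN-01 (the in-addr.arpa / ip6.arpa reverse name as SNI, RFC 8738 section 6). The types `Identifier`, `Authorization`, `ChallengeType`, `AuthzError` and the helper functions are hypothetical names chosen for this example, not the crate's API; the sample values are constructed.

```rust
use std::net::IpAddr;

/// ACME identifier types discussed in the thread: RFC 8555 `dns` and RFC 8738 `ip`.
/// (Hypothetical type for this example, not the crate's own.)
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Identifier {
    Dns(String),
    Ip(IpAddr),
}

impl Identifier {
    /// Classify a newOrder identifier value: anything that parses as an IPv4 or
    /// IPv6 address is an `ip` identifier, everything else is a DNS name.
    pub fn from_value(value: &str) -> Identifier {
        match value.parse::<IpAddr>() {
            Ok(addr) => Identifier::Ip(addr),
            Err(_) => Identifier::Dns(value.to_owned()),
        }
    }

    /// Only DNS names can be wildcards; an `ip` identifier never is.
    pub fn is_wildcard(&self) -> bool {
        matches!(self, Identifier::Dns(name) if name.starts_with("*."))
    }
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum ChallengeType {
    Http01,
    Dns01,
    TlsAlpn01,
}

/// The parts of an RFC 8555 7.1.4 authorization object the checks below need.
#[derive(Debug)]
pub struct Authorization {
    pub identifier: Identifier,
    /// The `wildcard` field: MUST be present and true for a wildcard DNS name;
    /// otherwise absent or, per the verified erratum, explicitly false.
    pub wildcard: Option<bool>,
    pub challenges: Vec<ChallengeType>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum AuthzError {
    /// `wildcard` disagrees with the identifier (e.g. true on an IP identifier).
    WildcardFlagMismatch,
    /// RFC 8738 forbids DNS-01 for IP identifiers; a server offering it is broken.
    Dns01OfferedForIp,
}

/// Sanity-check an authorization the CA returned before picking a challenge.
pub fn check_authorization(authz: &Authorization) -> Result<(), AuthzError> {
    if authz.wildcard.unwrap_or(false) != authz.identifier.is_wildcard() {
        return Err(AuthzError::WildcardFlagMismatch);
    }
    if matches!(authz.identifier, Identifier::Ip(_))
        && authz.challenges.contains(&ChallengeType::Dns01)
    {
        return Err(AuthzError::Dns01OfferedForIp);
    }
    Ok(())
}

/// Reverse-mapping name of an address: `in-addr.arpa` for IPv4, nibble-reversed
/// `ip6.arpa` for IPv6. RFC 8738 section 6 uses this as the SNI for TLS-ALPN-01.
pub fn reverse_name(addr: IpAddr) -> String {
    match addr {
        IpAddr::V4(v4) => {
            let o = v4.octets();
            format!("{}.{}.{}.{}.in-addr.arpa", o[3], o[2], o[1], o[0])
        }
        IpAddr::V6(v6) => {
            let mut nibbles = Vec::with_capacity(32);
            for byte in v6.octets().iter().rev() {
                nibbles.push(format!("{:x}", byte & 0x0f)); // low nibble first
                nibbles.push(format!("{:x}", byte >> 4));
            }
            format!("{}.ip6.arpa", nibbles.join("."))
        }
    }
}

/// What the validator expects from the client for `challenge` on `id`, or None
/// when the pair is not usable. IP identifiers: the address literal in the
/// HTTP-01 Host header (IPv6 bracketed, as RFC 7230 host syntax requires) and
/// the reverse name as TLS-ALPN-01 SNI; DNS-01 is never usable for an IP.
pub fn validation_name(id: &Identifier, challenge: ChallengeType) -> Option<String> {
    match (id, challenge) {
        (Identifier::Ip(IpAddr::V6(v6)), ChallengeType::Http01) => Some(format!("[{v6}]")),
        (Identifier::Ip(addr), ChallengeType::Http01) => Some(addr.to_string()),
        (Identifier::Ip(addr), ChallengeType::TlsAlpn01) => Some(reverse_name(*addr)),
        (Identifier::Ip(_), ChallengeType::Dns01) => None,
        // A wildcard name cannot be dereferenced to one host, so this helper only
        // offers it DNS-01 (the only method Let's Encrypt uses for wildcards).
        (Identifier::Dns(name), ChallengeType::Http01 | ChallengeType::TlsAlpn01) => {
            if id.is_wildcard() { None } else { Some(name.clone()) }
        }
        // RFC 8555 8.4: TXT record at _acme-challenge.<name>, with a leading "*." dropped.
        (Identifier::Dns(name), ChallengeType::Dns01) => {
            Some(format!("_acme-challenge.{}", name.trim_start_matches("*.")))
        }
    }
}

fn main() {
    // Constructed sample identifiers, one per kind the thread talks about.
    for value in ["192.0.2.1", "2001:db8::1", "*.example.com"] {
        let id = Identifier::from_value(value);
        for ch in [ChallengeType::Http01, ChallengeType::TlsAlpn01, ChallengeType::Dns01] {
            println!("{value} {ch:?} -> {:?}", validation_name(&id, ch));
        }
    }
}
```

`check_authorization` is the client-side sanity check djc asks about: it does not try to pick challenges for the server, it only rejects an authorization whose `wildcard` flag or offered challenge list contradicts the RFCs, and otherwise defers to whatever challenge types the CA listed.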

@cpu cpu force-pushed the cpu-ip-idents-ci branch from f116611 to ac91d9d on March 27, 2025 19:00
cpu added 2 commits March 27, 2025 15:54
This commit implements support for RFC 8738, the Automated Certificate
Management Environment (ACME) IP Identifier Validation Extension.
Adds an IPv4 and IPv6 address to the HTTP-01 issuance test.
@cpu cpu force-pushed the cpu-ip-idents-ci branch from ac91d9d to 32ef3e7 on March 27, 2025 19:54
@djc djc merged commit 4573529 into djc:main Mar 27, 2025
9 checks passed
@cpu cpu deleted the cpu-ip-idents-ci branch March 27, 2025 20:23
@djc djc mentioned this pull request Jul 9, 2025