
ACME is not working with IPv6 in SAN #28480

Closed
M0NsTeRRR opened this issue Sep 23, 2024 · 2 comments
Labels: bug (Used to indicate a potential bug), reproduced (This issue has been reproduced by a Vault engineer), secret/pki

Comments

@M0NsTeRRR

M0NsTeRRR commented Sep 23, 2024

Describe the bug
The HTTP-01 challenge does not format the domain properly when it is set to an IPv6 address: the address must be enclosed in brackets.
https://github.com/hashicorp/vault/blob/main/builtin/logical/pki/acme_challenges.go#L126

The challenge fails with this error in lego:

[INFO] [2a0c:b641:2c0:110::21] acme: Trying to solve HTTP-01
2024/09/23 22:06:14 [INFO] Skipping deactivating of valid auth: https://vault.unicornafk.fr:8200/v1/pki/acme/authorization/2784580b-b852-4fce-8ed3-3ab805c816f9
2024/09/23 22:06:14 [INFO] Skipping deactivating of valid auth: https://vault.unicornafk.fr:8200/v1/pki/acme/authorization/55e91f06-fb6e-aec0-e303-7769a202817a
2024/09/23 22:06:14 [INFO] Deactivating auth: https://vault.unicornafk.fr:8200/v1/pki/acme/authorization/7c59f2a2-b0bf-7e70-0d77-e5a50af70a8c
2024/09/23 22:06:14 [INFO] Unable to deactivate the authorization: https://vault.unicornafk.fr:8200/v1/pki/acme/authorization/7c59f2a2-b0bf-7e70-0d77-e5a50af70a8c
2024/09/23 22:06:14 Could not obtain certificates:
    error: one or more domains had a problem:
[2a0c:b641:2c0:110::21] acme: error: 400 :: urn:ietf:params:acme:error:incorrectResponse :: Response received didn't match the challenge's requirements: error validating http-01 challenge 7c59f2a2-b0bf-7e70-0d77-e5a50af70a8c-http-01: http-01: failed to fetch path http://2a0c:b641:2c0:110::21/.well-known/acme-challenge/JJqdDgTEKYUUksBUhT9hWeo9eVkM: Get "http://2a0c:b641:2c0:110::21/.well-known/acme-challenge/JJqdDgTEKYUUksBUhT9hWeo9eVkM": dial tcp: lookup 2a0c:b641:2c0:110:: no such host; this may occur if the validation target was misconfigured: check that challenge responses are available at the required locations and retry.

To Reproduce
Steps to reproduce the behavior:

  1. Configure pki with ACME
  2. Try to get a certificate through vault ACME with lego (for example) with an IPv6 in the SAN.

Expected behavior
Vault should connect properly to my IPv6 webserver

Environment:

  • Vault Server Version (retrieve with vault status): 1.17.5
  • Vault CLI Version (retrieve with vault version):
  • Server Operating System/Architecture: Ubuntu 22.04 Server LTS
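The failure above comes from building the HTTP-01 URL by dropping the identifier straight into the authority, so an IPv6 literal's colons get read as a host:port split. The following is an added example (not Vault's or lego's code) that contrasts that construction with one that brackets IPv6 literals; the function names are hypothetical, and the address and token are the ones from the log above.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

const wellKnownPath = "/.well-known/acme-challenge/"

// buggyChallengeURL mirrors the shape of the failing request in the report:
// the identifier is concatenated without brackets, so for an IPv6 literal the
// last ":21" is taken as a port and the rest as a (bogus) hostname.
func buggyChallengeURL(identifier, token string) string {
	return fmt.Sprintf("http://%s%s%s", identifier, wellKnownPath, token)
}

// hostForURL returns the identifier in the form a URL authority requires:
// DNS names and IPv4 addresses unchanged, IPv6 literals in square brackets
// (RFC 3986 section 3.2.2).
func hostForURL(identifier string) string {
	if ip := net.ParseIP(identifier); ip != nil && ip.To4() == nil {
		return "[" + identifier + "]"
	}
	return identifier
}

// fixedChallengeURL builds the HTTP-01 URL through url.URL so the authority
// is assembled from an already-bracketed host rather than raw concatenation.
func fixedChallengeURL(identifier, token string) string {
	u := url.URL{Scheme: "http", Host: hostForURL(identifier), Path: wellKnownPath + token}
	return u.String()
}

// dialTarget is the check a validator should make before fetching: parse the
// URL and report the host it would actually resolve. For a correct URL this
// round-trips to the original identifier.
func dialTarget(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	return u.Hostname(), nil
}

func main() {
	id, token := "2a0c:b641:2c0:110::21", "JJqdDgTEKYUUksBUhT9hWeo9eVkM" // values from the report
	for _, raw := range []string{buggyChallengeURL(id, token), fixedChallengeURL(id, token)} {
		host, err := dialTarget(raw)
		fmt.Printf("%s\n  would resolve: %q err=%v\n", raw, host, err)
	}
}
```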
@heatherezell heatherezell added secret/pki bug Used to indicate a potential bug labels Sep 26, 2024
@stevendpclark stevendpclark added the reproduced This issue has been reproduced by a Vault engineer label Oct 8, 2024
@stevendpclark
Contributor

Hi @M0NsTeRRR, thanks for reporting the issue!

PR #28718 should address the issue and be included in the next round of Vault releases.

@M0NsTeRRR
Author

Thank you very much for the fix @stevendpclark :)
