I wrote a Boulder patch for IP SANs.

It works well enough to sign a cert with an IP address, but currently the rate limit is broken.
Tested with a modified certbot (certbot/certbot#8029) for IPv4 addresses, and with IPv6 up to just before the actual signing.
The PA and CFSSL block signing certificates for reserved IP addresses, and since I don't have IPv6 internet connectivity, I couldn't test an actual IPv6 cert:

P.S. What kind of IP should be used for integration testing that isn't a reserved IP address and is free to use in a test context? This sounds self-contradictory.


I think it makes sense to just steal a public range, route it inside the docker-compose setup and use it for testing. Boulder already steals the public .wtf gTLD for testing purposes, so there is no big new sin being committed. A similar approach could probably be used for testing for IPv6 integration tests.

IP address SANs are the first item on the public roadmap (https://letsencrypt.org/upcoming-features/); it might be worth asking one of the Boulder developers for their thoughts on accepting a contribution like this.

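One shape the reserved-range refusal discussed in this thread can take, written as an added Go example that is not Boulder's or CFSSL's own code: the block list is an assumed selection of RFC 6890 special-purpose ranges, and the `testAllow` parameter is an invented hook for carving out one "borrowed" range in an integration environment, as suggested above, without weakening the production policy.

```go
package main

import (
	"fmt"
	"net"
)

// Constructed list of special-purpose blocks (RFC 6890 style) that an issuer
// should refuse as IP SANs. Assumption: this is illustrative, not the list
// any real CA uses. IPv4-mapped addresses are covered by net.IP.To4 below.
var reservedCIDRs = []string{
	"0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
	"172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
	"198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
	"::/128", "::1/128", "64:ff9b::/96", "100::/64", "2001::/23", "2001:db8::/32",
	"2002::/16", "fc00::/7", "fe80::/10", "ff00::/8",
}

var reservedNets []*net.IPNet

func init() {
	for _, c := range reservedCIDRs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err) // the list is static, so a bad entry is a programming error
		}
		reservedNets = append(reservedNets, n)
	}
}

// IsReservedIP reports whether ip falls inside any block in reservedNets.
func IsReservedIP(ip net.IP) bool {
	for _, n := range reservedNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// CheckIPSAN validates one IP SAN candidate. testAllow (assumed hook) lets a
// test deployment accept a single borrowed range; pass nil in production.
func CheckIPSAN(s string, testAllow *net.IPNet) error {
	ip := net.ParseIP(s)
	if ip == nil {
		return fmt.Errorf("%q is not an IP address", s)
	}
	if testAllow != nil && testAllow.Contains(ip) {
		return nil
	}
	if IsReservedIP(ip) {
		return fmt.Errorf("%s is in a reserved range, refusing to issue", ip)
	}
	return nil
}
```

The list deliberately omits `::ffff:0:0/96`: `net.IPNet.Contains` folds IPv4-mapped addresses to four bytes, so that entry would match every IPv4 address and reject all of them.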