Shortlived IPv6 certificates

I support a Delphi component library that issues ACME certificates, and I am testing issuing IPv4 and IPv6 address certificates and accessing them using OpenSSL.

OpenSSL reports the SANs of one of my Let's Encrypt certificates as:

X509v3 Subject Alternative Name: critical
IP Address:217.146.102.153, IP Address:2A00:1940:2:2:0:0:0:153

The issue is how the IPv6 address can be verified against the expected host name, which is usually abbreviated, i.e. 2a00:1940:2:2::153.

I understand the RFCs say X509 certificates should have non-abbreviated IPv6 addresses, no leading zeros removed and no ::. I don't know if the OpenSSL representation is wrong, also the capital letters, or if it is merely showing what the certificate encoded.

OpenSSL is consistent with Digicert certificates; this is from a Quad9 certificate:
IP Address:2620:FE:0:0:0:0:FE:15.

So not sure if this is a certificate issue problem or OpenSSL?

Angus


The IP address in a certificate is encoded as the full bytes of the address, not as a string.

So if you have a string like "2a00:1940:2:2::153", you need to expand that into the 16-byte binary representation.

You should not do a string comparison. Usually, your TLS library should do this for you.

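An added example, not code from the thread or from any library mentioned in it, using only Python's standard library: it takes the OpenSSL SAN line Angus quoted, normalises both the OpenSSL display form and the abbreviated host string to the same 16 packed bytes (which is what the certificate actually stores, as the DER iPAddress GeneralName shown here), and demonstrates why a string comparison gives a false mismatch.

```python
import ipaddress
import re

# SAN line as printed by "openssl x509 -text", copied from the certificate in the question.
OPENSSL_SAN_LINE = "IP Address:217.146.102.153, IP Address:2A00:1940:2:2:0:0:0:153"


def san_ips_from_openssl(line):
    """Parse every 'IP Address:' entry of an OpenSSL SAN line into ipaddress objects."""
    return [ipaddress.ip_address(m) for m in re.findall(r"IP Address:([0-9A-Fa-f.:]+)", line)]


def encode_ip_general_name(addr):
    """DER of a GeneralName iPAddress: context tag [7] primitive (0x87), length, then the
    raw 4 (IPv4) or 16 (IPv6) address bytes. No text form is stored in the certificate."""
    packed = addr.packed
    return bytes([0x87, len(packed)]) + packed


def decode_ip_general_name(der):
    """Inverse of encode_ip_general_name; rejects anything that is not a 4- or 16-byte iPAddress."""
    if len(der) < 2 or der[0] != 0x87 or der[1] != len(der) - 2 or der[1] not in (4, 16):
        raise ValueError("not an iPAddress GeneralName")
    return ipaddress.ip_address(der[2:])


def naive_string_match(expected_host, san_line):
    """The comparison that goes wrong: OpenSSL's expanded, upper-case display form never
    equals the abbreviated form an operator types, even for the same address."""
    return any(expected_host == str(san) for san in re.findall(r"IP Address:([0-9A-Fa-f.:]+)", san_line))


def ip_matches_san(expected_host, san_line):
    """Match the way a TLS library should: compare the packed bytes, never display strings."""
    try:
        expected = ipaddress.ip_address(expected_host)
    except ValueError:
        return False  # a DNS name, not an IP literal; dNSName matching is a separate path
    return any(expected.packed == san.packed for san in san_ips_from_openssl(san_line))
```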

So it's an OpenSSL issue, the handshake gives an X509_V_ERR_HOSTNAME_MISMATCH error, so I do a second comparison with the abbreviated versions. Or am I supposed to set the host to the strange certificate format?

BTW, I'm using staging server certificates on my public server, is it possible for my live account to issue shortlived for testing? My component is already handling GTS seven day certificates.

Angus

There’s another thread on this forum where you can request access for production certificates on the short lived profile.

I don’t know the OpenSSL API off the top of my head so I’m not going to be too much further help in using it.


Thanks, I guess the rarity of IP certificates makes testing harder, GTS does not issue them via ACME yet.

Angus

I think GTS does issue them via ACME, but you have to ask them to enable it and have a "valid business need" (I don't know what that means, or even how you ask them.)


@magsys keep in mind you can use the Let's Encrypt staging API to test both shortlived and IP certificates. [Edit: sorry, missed that you were already using that]


The GTS order fails with "Could not issue 217.146.102.157; IP addresses are not supported.".

I searched everywhere on GTS for a way to request developer access, but there are no free text email forms for certificate problems and did not find any support forums.

But GTS ACME does work very well with variable certificate lifetimes, so one of my live servers has been ordering four certificates every three days for a few months.

Next project will be supporting both LE and GTS at the same time, as a fail safe for when shortlived becomes mandatory.

Angus


I think you'd probably want to talk to your Google Cloud Account Manager. I don't really know for sure, but that's generally how you get special access to stuff from the cloud companies.
