Matching certificate by IP address about certmagic HOT 8 CLOSED

I am asking to serve domain.com certificate for the associated IP address X.X.X.X.

@vmihailenco Assuming you're integrating certmagic using its TLSConfig, you should be able to do this by overriding TLSConfig.GetCertificate.

Something like (untested):

tlsCfg := certm.TLSConfig()
getCrt := tlsCfg.GetCertificate
tlsCfg.GetCertificate = func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	if hello.ServerName=="x.x.x.x" {
		hello.ServerName = "domain.com"
	}
	return getCrt(hello)
}

from certmagic.

Also the comment

	// CertSelection chooses one of the certificates
	// with which the ClientHello will be completed;
	// if not set, DefaultCertificateSelector will
	// be used
	CertSelection CertificateSelector

is not quite right. DefaultCertificateSelector is only used as default when getAllMatchingCerts returns at least one certificate. If there are no matches DefaultCertificateSelector is not used. That is how I read the code at https://github.com/caddyserver/certmagic/blob/master/handshake.go#L189-L193

from certmagic.

Hi, thanks for the issue!

hello.ServerName contains IP address

That is an invalid use of ServerName:

the only server names supported are DNS hostnames

— RFC 6066

(Accordingly, most clients like Firefox leave ServerName empty when accessing a site by IP address.)

So what this means:

if SNI is empty, prefer matching IP address

is that the server's (local) IP address will be the fallback matching attempt if there's no ServerName to match on.

DefaultCertificateSelector is only used as default when getAllMatchingCerts returns at least one certificate. If there are no matches DefaultCertificateSelector is not used. That is how I read the code at https://github.com/caddyserver/certmagic/blob/master/handshake.go#L189-L193

That's correct; by default, CertMagic will not select a certificate that does not match the server name (or IP address), because that would be an invalid match and the client should reject it. I can update the godoc.

from certmagic.

Thanks for the answer! I trust you that certmagic is following the spec, but is there anything I can do to better handle such invalid requests?

It looks like setting certmagic.Default.CertSelection = certmagic.DefaultCertificateSelector does the trick since I no longer see those errors. Hard to tell whether that improves the situation or not but I feel better without the errors in the log.

is that the server's (local) IP address will be the fallback matching attempt if there's no ServerName to match on.

This makes sense and I guess it means that there should be some way to register a certificate for an IP address?

As an idea certmagic could automatically register certificate for domain's IP address, .e.g.

certmagic.Register("domain.com", someCert)
addrs := net.LookupHost("domain.com")
for _, addr := range addrs {
  certmagic.Register(addr, someCert)
}

I am not asking to add this to certmagic, but perhaps I can do something like that in user space? I've tried searching through the code but could not find anything...

from certmagic.

CertMagic is already capable of managing certificates for IP addresses: just pass in an IP address instead of (or in addition to) a domain name. Of course, good luck finding a CA that's willing to issue a certificate for your IP address (that's a very rare edge case, typically). But it's common with internal infrastructures when you use your own internal ACME CA.

from certmagic.

I am asking to serve domain.com certificate for the associated IP address X.X.X.X.

from certmagic.

@DisposaBoy thanks - that seems to be exactly what I need.

from certmagic.

That's clever @DisposaBoy -- I never even considered that. Thanks!

from certmagic.