support ip cert: rfc https://tools.ietf.org/html/rfc8738

diff --git a/acme.sh b/acme.sh
index 9d57614361302c76b00746099d9423e72b31b71e..2ddad09ebe960312f170b9f7f4ca0fb927c1976c 100755 (executable)
--- a/acme.sh
+++ b/acme.sh
@@ -59,6 +59,9 @@ VTYPE_HTTP="http-01"
 VTYPE_DNS="dns-01"
 VTYPE_ALPN="tls-alpn-01"
 
+ID_TYPE_DNS="dns"
+ID_TYPE_IP="ip"
+
 LOCAL_ANY_ADDRESS="0.0.0.0"
 
 DEFAULT_RENEW=60
@@ -1222,19 +1225,26 @@ _createcsr() {
 
   if [ "$acmeValidationv1" ]; then
     domainlist="$(_idn "$domainlist")"
-    printf -- "\nsubjectAltName=DNS:$domainlist" >>"$csrconf"
+    _debug2 domainlist "$domainlist"
+    for dl in $(echo "$domainlist" | tr "," ' '); do
+      if [ "$alt" ]; then
+        alt="$alt,$(_getIdType "$dl" | _upper_case):$dl"
+      else
+        alt="$(_getIdType "$dl" | _upper_case):$dl"
+      fi
+    done
+    printf -- "\nsubjectAltName=$alt" >>"$csrconf"
   elif [ -z "$domainlist" ] || [ "$domainlist" = "$NO_VALUE" ]; then
     #single domain
     _info "Single domain" "$domain"
-    printf -- "\nsubjectAltName=DNS:$(_idn "$domain")" >>"$csrconf"
+    printf -- "\nsubjectAltName=$(_getIdType "$domain" | _upper_case):$(_idn "$domain")" >>"$csrconf"
   else
     domainlist="$(_idn "$domainlist")"
     _debug2 domainlist "$domainlist"
-    if _contains "$domainlist" ","; then
-      alt="DNS:$(_idn "$domain"),DNS:$(echo "$domainlist" | sed "s/,,/,/g" | sed "s/,/,DNS:/g")"
-    else
-      alt="DNS:$(_idn "$domain"),DNS:$domainlist"
-    fi
+    alt="$(_getIdType "$domain" | _upper_case):$domain"
+    for dl in $(echo "$domainlist" | tr "," ' '); do
+      alt="$alt,$(_getIdType "$dl" | _upper_case):$dl"
+    done
     #multi
     _info "Multi domain" "$alt"
     printf -- "\nsubjectAltName=$alt" >>"$csrconf"
@@ -4174,6 +4184,36 @@ _match_issuer() {
   _contains "$_rootissuer" "$_missuer"
 }
 
+#ip
+_isIPv4() {
+  for seg in $(echo "$1" | tr '.' ' '); do
+    if [ $seg -ge 0 ] 2>/dev/null && [ $seg -le 255 ] 2>/dev/null; then
+      continue
+    fi
+    return 1
+  done
+  return 0
+}
+
+#ip6
+_isIPv6() {
+  _contains "$1" ":"
+}
+
+#ip
+_isIP() {
+  _isIPv4 "$1" || _isIPv6 "$1"
+}
+
+#identifier
+_getIdType() {
+  if _isIP "$1"; then
+    echo "$ID_TYPE_IP";
+  else
+    echo "$ID_TYPE_DNS";
+  fi
+}
+
 #webroot, domain domainlist  keylength
 issue() {
   if [ -z "$2" ]; then
@@ -4330,7 +4370,7 @@ issue() {
   dvsep=','
   if [ -z "$vlist" ]; then
     #make new order request
-    _identifiers="{\"type\":\"dns\",\"value\":\"$(_idn "$_main_domain")\"}"
+    _identifiers="{\"type\":\"$(_getIdType "$_main_domain")\",\"value\":\"$(_idn "$_main_domain")\"}"
     _w_index=1
     while true; do
       d="$(echo "$_alt_domains," | cut -d , -f "$_w_index")"
@@ -4339,7 +4379,7 @@ issue() {
       if [ -z "$d" ]; then
         break
       fi
-      _identifiers="$_identifiers,{\"type\":\"dns\",\"value\":\"$(_idn "$d")\"}"
+      _identifiers="$_identifiers,{\"type\":\"$(_getIdType "$d")\",\"value\":\"$(_idn "$d")\"}"
     done
     _debug2 _identifiers "$_identifiers"
     if ! _send_signed_request "$ACME_NEW_ORDER" "{\"identifiers\": [$_identifiers]}"; then