In January, Let's Encrypt announced that it would officially issue certificates for IP addresses this year, and on July 1 it issued the first IP certificate. IP certificates are currently available for requests in the staging environment, but the ACME client has to support the new draft ACME Profiles specification.
lego already supports the profile feature, but when it builds the order it writes the IP address into the CN field of the CSR, and the CN field is explicitly unsupported by the shortlived and tlsserver profiles (which also means that future certificates may no longer carry a CN field at all). The error looks like this:
➜ ~ ./lego --server https://acme-staging-v02.api.letsencrypt.org/directory \
--accept-tos \
--email [email protected] \
--http \
--domains 47.79.x.x \
--path ./certs \
run \
--profile shortlived
2025/07/04 20:00:43 [INFO] [47.79.x.x] acme: Obtaining bundled SAN certificate
2025/07/04 20:00:44 [INFO] [47.79.x.x] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz/xxxx
2025/07/04 20:00:44 [INFO] [47.79.x.x] acme: Could not find solver for: tls-alpn-01
2025/07/04 20:00:44 [INFO] [47.79.x.x] acme: use http-01 solver
2025/07/04 20:00:44 [INFO] [47.79.x.x] acme: Trying to solve HTTP-01
2025/07/04 20:00:44 [INFO] [47.79.x.x] Served key authentication
2025/07/04 20:00:44 [INFO] [47.79.x.x] Served key authentication
2025/07/04 20:00:44 [INFO] [47.79.x.x] Served key authentication
2025/07/04 20:00:44 [INFO] [47.79.x.x] Served key authentication
2025/07/04 20:00:44 [INFO] [47.79.x.x] Served key authentication
2025/07/04 20:00:48 [INFO] [47.79.x.x] The server validated our request
2025/07/04 20:00:48 [INFO] [47.79.x.x] acme: Validations succeeded; requesting certificates
2025/07/04 20:00:48 Could not obtain certificates:
error: one or more domains had a problem:
47.79.x.x: acme: error: 400 :: POST :: https://acme-staging-v02.api.letsencrypt.org/acme/finalize/xxx :: urn:ietf:params:acme:error:badCSR :: Error finalizing order :: CSR contains IP address in Common Name
So for now the workaround is to generate a CSR by hand that contains no CN field and carries the IP address only as a subjectAltName, and hand that CSR to lego:
openssl ecparam -name secp384r1 -genkey -noout -out ec384.key
openssl req -new -key ec384.key -out ec384.csr -subj "/CN=" -addext "subjectAltName = IP:47.79.x.x"
Then request the certificate through lego, passing the CSR with -c:
➜ ~ ./lego --server https://acme-staging-v02.api.letsencrypt.org/directory \
--accept-tos \
--email [email protected] \
--http \
-c ec384.csr \
--path ./certs \
run \
--profile shortlived
2025/07/04 20:40:55 [INFO] [47.79.x.x] acme: Obtaining bundled SAN certificate given a CSR
2025/07/04 20:40:55 [INFO] [47.79.x.x] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz/xxx
2025/07/04 20:40:55 [INFO] [47.79.x.x] acme: authorization already valid; skipping challenge
2025/07/04 20:40:55 [INFO] [47.79.x.x] acme: Validations succeeded; requesting certificates
2025/07/04 20:40:56 [INFO] Wait for certificate [timeout: 30s, interval: 500ms]
2025/07/04 20:40:57 [INFO] [47.79.x.x] Server responded with a certificate.