Fix ACME HTTP-01 challenge for IPv6 literal addresses

Replace certmagic with a fork that strips brackets from bare IPv6 addresses in the HTTP Host header, fixing HTTP-01 challenge matching for IPv6 literal address certificates. Fixes https://github.com/SagerNet/sing-box/issues/3964
Add ACME profile support for IP address certificates
2026-04-13 20:28:32 +10:00 · 2026-03-29 14:48:08 +08:00 · 2026-03-29 14:48:08 +08:00 · 2026-03-29 14:28:29 +08:00
9 changed files with 55 additions and 4 deletions
--- a/.fpm_systemd
+++ b/.fpm_systemd
@@ -4,6 +4,7 @@
 --license GPL-3.0-or-later
 --description "The universal proxy platform."
 --url "https://sing-box.sagernet.org/"
+--vendor SagerNet
 --maintainer "nekohasekai <contact-git@sekai.icu>"
 --deb-field "Bug: https://github.com/SagerNet/sing-box/issues"
 --no-deb-generate-changes
--- a/common/tls/acme.go
+++ b/common/tls/acme.go
@@ -69,10 +69,21 @@ func startACME(ctx context.Context, logger logger.Logger, options option.Inbound
 		Storage:           storage,
 		Logger:            zapLogger,
 	}
+	profile := options.Profile
+	if profile == "" && acmeServer == certmagic.LetsEncryptProductionCA {
+		for _, domain := range options.Domain {
+			if certmagic.SubjectIsIP(domain) {
+				profile = "shortlived"
+				break
+			}
+		}
+	}
+
 	acmeConfig := certmagic.ACMEIssuer{
 		CA:                      acmeServer,
 		Email:                   options.Email,
 		Agreed:                  true,
+		Profile:                 profile,
 		DisableHTTPChallenge:    options.DisableHTTPChallenge,
 		DisableTLSALPNChallenge: options.DisableTLSALPNChallenge,
 		AltHTTPPort:             int(options.AlternativeHTTPPort),
--- a/docs/configuration/shared/certificate-provider/acme.md
+++ b/docs/configuration/shared/certificate-provider/acme.md
@@ -6,6 +6,7 @@ icon: material/new-box

    :material-plus: [account_key](#account_key)  
    :material-plus: [key_type](#key_type)  
+    :material-plus: [profile](#profile)  
    :material-plus: [detour](#detour)

 # ACME
@@ -37,6 +38,7 @@ icon: material/new-box
  },
  "dns01_challenge": {},
  "key_type": "",
+  "profile": "",
  "detour": ""
 }
 ```
@@ -141,6 +143,16 @@ The private key type to generate for new certificates.
 | `rsa2048`  | RSA     |
 | `rsa4096`  | RSA     |

+#### profile
+
+!!! question "Since sing-box 1.14.0"
+
+The ACME profile name to use for certificate orders.
+
+See [ACME Profiles](https://datatracker.ietf.org/doc/draft-aaron-acme-profiles/) for details.
+
+When using Let's Encrypt with IP address identifiers, the `shortlived` profile is automatically selected if not set.
+
 #### detour

 !!! question "Since sing-box 1.14.0"
--- a/docs/configuration/shared/certificate-provider/acme.zh.md
+++ b/docs/configuration/shared/certificate-provider/acme.zh.md
@@ -6,6 +6,7 @@ icon: material/new-box

    :material-plus: [account_key](#account_key)  
    :material-plus: [key_type](#key_type)  
+    :material-plus: [profile](#profile)  
    :material-plus: [detour](#detour)

 # ACME
@@ -37,6 +38,7 @@ icon: material/new-box
  },
  "dns01_challenge": {},
  "key_type": "",
+  "profile": "",
  "detour": ""
 }
 ```
@@ -136,6 +138,16 @@ ACME DNS01 质询字段。如果配置，将禁用其他质询方法。
 | `rsa2048` | RSA     |
 | `rsa4096` | RSA     |

+#### profile
+
+!!! question "自 sing-box 1.14.0 起"
+
+用于证书订单的 ACME 配置文件名称。
+
+参阅 [ACME Profiles](https://datatracker.ietf.org/doc/draft-aaron-acme-profiles/)。
+
+当使用 Let's Encrypt 且包含 IP 地址标识符时，如果未设置，将自动选择 `shortlived` 配置文件。
+
 #### detour

 !!! question "自 sing-box 1.14.0 起"
--- a/go.mod
+++ b/go.mod
@@ -6,6 +6,7 @@ require (
 	github.com/anthropics/anthropic-sdk-go v1.26.0
 	github.com/anytls/sing-anytls v0.0.11
 	github.com/caddyserver/certmagic v0.25.2
+	github.com/caddyserver/zerossl v0.1.5
 	github.com/coder/websocket v1.8.14
 	github.com/cretz/bine v0.2.0
 	github.com/database64128/tfo-go/v2 v2.3.2
@@ -19,6 +20,7 @@ require (
 	github.com/libdns/acmedns v0.5.0
 	github.com/libdns/alidns v1.0.6
 	github.com/libdns/cloudflare v0.2.2
+	github.com/libdns/libdns v1.1.1
 	github.com/logrusorgru/aurora v2.0.3+incompatible
 	github.com/mdlayher/netlink v1.9.0
 	github.com/metacubex/utls v1.8.4
@@ -69,7 +71,6 @@ require (
 	github.com/akutz/memconn v0.1.0 // indirect
 	github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa // indirect
 	github.com/andybalholm/brotli v1.1.0 // indirect
-	github.com/caddyserver/zerossl v0.1.5 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/coreos/go-iptables v0.7.1-0.20240112124308-65c67c9f46e6 // indirect
 	github.com/database64128/netx-go v0.1.1 // indirect
@@ -96,7 +97,6 @@ require (
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
-	github.com/libdns/libdns v1.1.1 // indirect
 	github.com/mdlayher/socket v0.5.1 // indirect
 	github.com/mitchellh/go-ps v1.0.0 // indirect
 	github.com/pierrec/lz4/v4 v4.1.21 // indirect
@@ -166,3 +166,5 @@ require (
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	lukechampine.com/blake3 v1.3.0 // indirect
 )
+
+replace github.com/caddyserver/certmagic v0.25.2 => github.com/sagernet/certmagic v0.0.0-20260328164746-42c454dfd829
--- a/go.sum
+++ b/go.sum
@@ -14,8 +14,6 @@ github.com/anthropics/anthropic-sdk-go v1.26.0 h1:oUTzFaUpAevfuELAP1sjL6CQJ9HHAf
 github.com/anthropics/anthropic-sdk-go v1.26.0/go.mod h1:qUKmaW+uuPB64iy1l+4kOSvaLqPXnHTTBKH6RVZ7q5Q=
 github.com/anytls/sing-anytls v0.0.11 h1:w8e9Uj1oP3m4zxkyZDewPk0EcQbvVxb7Nn+rapEx4fc=
 github.com/anytls/sing-anytls v0.0.11/go.mod h1:7rjN6IukwysmdusYsrV51Fgu1uW6vsrdd6ctjnEAln8=
-github.com/caddyserver/certmagic v0.25.2 h1:D7xcS7ggX/WEY54x0czj7ioTkmDWKIgxtIi2OcQclUc=
-github.com/caddyserver/certmagic v0.25.2/go.mod h1:llW/CvsNmza8S6hmsuggsZeiX+uS27dkqY27wDIuBWg=
 github.com/caddyserver/zerossl v0.1.5 h1:dkvOjBAEEtY6LIGAHei7sw2UgqSD6TrWweXpV7lvEvE=
 github.com/caddyserver/zerossl v0.1.5/go.mod h1:CxA0acn7oEGO6//4rtrRjYgEoa4MFw/XofZnrYwGqG4=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
@@ -160,6 +158,8 @@ github.com/sagernet/asc-go v0.0.0-20241217030726-d563060fe4e1 h1:qi+ijeREa0yfAaO
 github.com/sagernet/asc-go v0.0.0-20241217030726-d563060fe4e1/go.mod h1:JULDuzTMn2gyZFcjpTVZP4/UuwAdbHJ0bum2RdjXojU=
 github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a h1:+NkI2670SQpQWvkkD2QgdTuzQG263YZ+2emfpeyGqW0=
 github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a/go.mod h1:63s7jpZqcDAIpj8oI/1v4Izok+npJOHACFCU6+huCkM=
+github.com/sagernet/certmagic v0.0.0-20260328164746-42c454dfd829 h1:qrQmXUTAhGfPNvjZlE9F1Y3mrBCoqaK/kz8v4VJSMkI=
+github.com/sagernet/certmagic v0.0.0-20260328164746-42c454dfd829/go.mod h1:llW/CvsNmza8S6hmsuggsZeiX+uS27dkqY27wDIuBWg=
 github.com/sagernet/cors v1.2.1 h1:Cv5Z8y9YSD6Gm+qSpNrL3LO4lD3eQVvbFYJSG7JCMHQ=
 github.com/sagernet/cors v1.2.1/go.mod h1:O64VyOjjhrkLmQIjF4KGRrJO/5dVXFdpEmCW/eISRAI=
 github.com/sagernet/cronet-go v0.0.0-20260309100020-c128886ff3fc h1:YK7PwJT0irRAEui9ASdXSxcE2BOVQipWMF/A1Ogt+7c=
--- a/option/acme.go
+++ b/option/acme.go
@@ -24,6 +24,7 @@ type ACMECertificateProviderOptions struct {
 	ExternalAccount         *ACMEExternalAccountOptions        `json:"external_account,omitempty"`
 	DNS01Challenge          *ACMEProviderDNS01ChallengeOptions `json:"dns01_challenge,omitempty"`
 	KeyType                 ACMEKeyType                        `json:"key_type,omitempty"`
+	Profile                 string                             `json:"profile,omitempty"`
 	Detour                  string                             `json:"detour,omitempty"`
 }

--- a/option/tls_acme.go
+++ b/option/tls_acme.go
@@ -20,6 +20,7 @@ type InboundACMEOptions struct {
 	AlternativeTLSPort      uint16                      `json:"alternative_tls_port,omitempty"`
 	ExternalAccount         *ACMEExternalAccountOptions `json:"external_account,omitempty"`
 	DNS01Challenge          *ACMEDNS01ChallengeOptions  `json:"dns01_challenge,omitempty"`
+	Profile                 string                      `json:"profile,omitempty"`
 }

 type ACMEExternalAccountOptions struct {
--- a/service/acme/service.go
+++ b/service/acme/service.go
@@ -114,11 +114,22 @@ func NewCertificateProvider(ctx context.Context, logger log.ContextLogger, tag s
 		config.KeySource = certmagic.StandardKeyGenerator{KeyType: keyType}
 	}

+	profile := options.Profile
+	if profile == "" && acmeServer == certmagic.LetsEncryptProductionCA {
+		for _, domain := range options.Domain {
+			if certmagic.SubjectIsIP(domain) {
+				profile = "shortlived"
+				break
+			}
+		}
+	}
+
 	acmeIssuer := certmagic.ACMEIssuer{
 		CA:                      acmeServer,
 		Email:                   options.Email,
 		AccountKeyPEM:           options.AccountKey,
 		Agreed:                  true,
+		Profile:                 profile,
 		DisableHTTPChallenge:    options.DisableHTTPChallenge,
 		DisableTLSALPNChallenge: options.DisableTLSALPNChallenge,
 		AltHTTPPort:             int(options.AlternativeHTTPPort),