
security/acme-client: unable to get ipv6 certificate #5228

@ElectronicViking

Description

Important notices
Before you add a new report, we ask you kindly to acknowledge the following:

[ y] I have read the contributing guidelines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
[ y] I have searched the existing issues, open and closed, and I'm convinced that mine is new.
[ y] The title contains the plugin to which this issue belongs

Describe the bug

Acme client is unable to obtain a certificate for an IPv6 address. Letsencrypt reports a connection timeout when using the http-01 and tls-alpn-01 challenge types.

To Reproduce
Steps to reproduce the behavior:

  1. Go to acme client, challenge types, create a tls or http challenge
  2. Uncheck IP Auto-Discovery, select the WAN interface, enter the WAN IP address (ipv6)
  3. Go to certificates, add the WAN ipv6 address to a new or existing certificate
  4. Select the tls or http challenge type.
  5. Save, and issue or reissue the certificate

Expected behavior
Expect the same behavior with an IPv6 address as we get with an IPv4 address: a successfully issued certificate, with the router's WAN IP address in the certificate's SAN field.

Relevant log files
2026-02-15T15:15:36-07:00 opnsense AcmeClient: validation for certificate failed: 2001:56a:aaaa:bbbb:cccc:dddd:eeee:ffff
2026-02-15T15:15:36-07:00 opnsense AcmeClient: domain validation failed (tlsalpn01)
2026-02-15T15:15:36-07:00 opnsense AcmeClient: AcmeClient: The shell command returned exit code '1': '/usr/local/sbin/acme.sh --issue --syslog 6 --log-level 1 --server 'letsencrypt_test' --alpn --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/6992416071cc65.00410618' --certpath '/var/etc/acme-client/certs/6992416071cc65.00410618/cert.pem' --keypath '/var/etc/acme-client/keys/6992416071cc65.00410618/private.key' --capath '/var/etc/acme-client/certs/6992416071cc65.00410618/chain.pem' --fullchainpath '/var/etc/acme-client/certs/6992416071cc65.00410618/fullchain.pem' --domain '2001:56a:aaaa:bbbb:cccc:dddd:eeee:ffff' --days '60' --force --cert-profile 'shortlived' --keylength 'ec-256' --tlsport '43581' --accountconf '/var/etc/acme-client/accounts/67b0ff51844b34.65852370_stg/account.conf''
2026-02-15T15:15:22-07:00 opnsense AcmeClient: using challenge type: tls
2026-02-15T15:15:22-07:00 opnsense AcmeClient: using IPv4 address: 50.99.xxx.yyy

Additional context
I have confirmed incoming requests on port 80 and 443 using tcpdump, as well as no response from the router. Based on the log, it appears that the acme client is not respecting the listen IP address from the challenge config and is using the WAN ipv4 address instead of the WAN ipv6 address. Not only is IP auto-detection not working, but manually setting it isn't either.

Environment
OPNsense 26.1.1-amd64
FreeBSD 14.3-RELEASE-p8
OpenSSL 3.0.19
os-acme-client 4.13
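The mismatch the reporter reads out of the log (an IPv6 identifier passed to acme.sh while the client logs an IPv4 listener address) can be checked mechanically. The following is an added example for triaging such logs, not code from the os-acme-client plugin or from acme.sh; it assumes only the message formats visible in the log excerpt above, and the sample lines are copied from that excerpt with the acme.sh command shortened to the arguments the check reads.

```python
import ipaddress
import re

# Constructed sample: the AcmeClient records from the report (newest first).
# The acme.sh command line is abbreviated to the --domain/--tlsport arguments.
LOG_LINES = [
    "AcmeClient: validation for certificate failed: 2001:56a:aaaa:bbbb:cccc:dddd:eeee:ffff",
    "AcmeClient: domain validation failed (tlsalpn01)",
    "AcmeClient: AcmeClient: The shell command returned exit code '1': "
    "'/usr/local/sbin/acme.sh --issue --alpn --domain '2001:56a:aaaa:bbbb:cccc:dddd:eeee:ffff' "
    "--tlsport '43581''",
    "AcmeClient: using challenge type: tls",
    "AcmeClient: using IPv4 address: 50.99.xxx.yyy",
]

DOMAIN_RE = re.compile(r"--domain '([^']+)'")
LISTEN_RE = re.compile(r"using IPv(4|6) address: (\S+)")


def ip_family(value):
    """Return 4 or 6 for an IP literal, None for a DNS name."""
    try:
        return ipaddress.ip_address(value).version
    except ValueError:
        return None


def requested_identifiers(lines):
    """Every --domain value the logged acme.sh invocation was asked to validate."""
    found = []
    for line in lines:
        found.extend(DOMAIN_RE.findall(line))
    return found


def listener_families(lines):
    """Address families the client said it would answer the challenge on."""
    return {int(m.group(1)) for line in lines for m in LISTEN_RE.finditer(line)}


def find_listener_mismatches(lines):
    """IP identifiers with no listener of the same address family in the log.

    The CA connects to the identifier itself, so a v6 identifier served only
    from a v4 listener cannot be reached and shows up as a connection timeout.
    """
    listening = listener_families(lines)
    return [
        ident
        for ident in requested_identifiers(lines)
        if ip_family(ident) is not None and ip_family(ident) not in listening
    ]
```

Run over the sample, the report's v6 identifier is returned as unreachable because only an IPv4 listener address was logged; a DNS-name identifier is ignored since it is not tied to one family.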
