Is FallbackServerName still experimental? #278
Comments
Been a while, but IIRC, even without setting FallbackServerName or using the linked workaround, CertMagic should still at least be able to serve up IP certificates in response to a handshake without a ServerName.
Do you mean, that you can't tell the server to manage a certificate for an IP address, because you don't know the IP address? If you don't know the domain names (or IPs, whatever the SANs are) before starting the server, you need On-Demand TLS (or you have to reload the config once you do know the server name / IP). Most of CertMagic and TLS handshake stuff is the same whether it's IP or DNS, it's just the nuances of getting an IP certificate are more tricky than that of DNS names.
Ah it was a silly error on my part, I was inadvertently setting the I don't need to use Problem solved!
As a side note if you're interested - I wasn't aware of this at the time, I only came across it yesterday. I have been calling
Glad you figured it out then 👍
What is your question?
Is FallbackServerName still experimental?
certmagic/config.go
Lines 76 to 81 in c61a4fe
Include any other information or discussion.
I want to serve a domain cert despite visiting via an IP address, like in this issue.
A proposed solution in that thread overrides the `ServerName` for known IP addresses and that works great, but in my case the IP(s) are unknown.
Simply removing the IP check from the proposed solution and unconditionally overriding the `ServerName` would cause `TLS-ALPN` challenges to fail.
What have you already tried?
I have 2 (seemingly) working solutions
- Set `FallbackServerName`, it seems to work well for my use case, but it's listed as experimental.
- Override `ServerName` only where `SupportedProtos` does not include `acme-tls/1`
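An added example, not part of the original issue or of CertMagic's own code: a sketch of the second approach above using only Go's `crypto/tls`, overriding `ServerName` on every handshake that does not offer `acme-tls/1`. The names `overrideServerName`, `nameSeenByResolver` and `getCertFunc`, the sample host names, and the stub resolver are hypothetical, and the ClientHello values are constructed.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// ALPN protocol ID reserved for the TLS-ALPN-01 challenge (RFC 8737).
const acmeTLSALPN = "acme-tls/1"

type getCertFunc func(*tls.ClientHelloInfo) (*tls.Certificate, error)

// isACMEChallenge reports whether the client offered acme-tls/1 in ALPN.
func isACMEChallenge(hello *tls.ClientHelloInfo) bool {
	for _, p := range hello.SupportedProtos {
		if p == acmeTLSALPN {
			return true
		}
	}
	return false
}

// overrideServerName (hypothetical helper) rewrites ServerName before calling
// next, except on challenge handshakes, which keep the name being validated.
func overrideServerName(defaultName string, next getCertFunc) getCertFunc {
	return func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
		if !isACMEChallenge(hello) {
			hello.ServerName = defaultName
		}
		return next(hello)
	}
}

// nameSeenByResolver builds a constructed ClientHello and returns the
// ServerName that reaches the wrapped certificate resolver (a stub here).
func nameSeenByResolver(defaultName, sni string, protos []string) string {
	var seen string
	stub := func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
		seen = h.ServerName
		return &tls.Certificate{}, nil
	}
	overrideServerName(defaultName, stub)(&tls.ClientHelloInfo{ServerName: sni, SupportedProtos: protos})
	return seen
}

func main() {
	fmt.Println(nameSeenByResolver("example.com", "", []string{"h2", "http/1.1"}))
	fmt.Println(nameSeenByResolver("example.com", "other.example.net", []string{acmeTLSALPN}))
}
```

In a real server the stub would be replaced by the existing certificate resolver assigned to `tls.Config.GetCertificate`; because this variant rewrites every non-challenge handshake, it only suits a listener that serves a single name.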