Scope IPv6 literal handling to challenge lookups

nekohasekai · nekohasekai · commit 2ba2129be3e1 · 2026-04-21T16:59:11.000+08:00
diff --git a/certificates.go b/certificates.go
@@ -651,9 +651,6 @@ func isInternalIP(addr string) bool {
 func hostOnly(hostport string) string {
 	host, _, err := net.SplitHostPort(hostport)
 	if err != nil {
-		if len(hostport) > 2 && hostport[0] == '[' && hostport[len(hostport)-1] == ']' {
-			return hostport[1 : len(hostport)-1]
-		}
 		return hostport // OK; probably had no port to begin with
 	}
 	return host
diff --git a/httphandlers.go b/httphandlers.go
@@ -64,6 +64,16 @@ func (am *ACMEIssuer) HandleHTTPChallenge(w http.ResponseWriter, r *http.Request
 	return am.distributedHTTPChallengeSolver(w, r)
 }
 
+func challengeIdentifierHost(hostport string) string {
+	host := hostOnly(hostport)
+	if inner, ok := strings.CutPrefix(host, "["); ok {
+		if inner, ok := strings.CutSuffix(inner, "]"); ok {
+			return inner
+		}
+	}
+	return host
+}
+
 // distributedHTTPChallengeSolver checks to see if this challenge
 // request was initiated by this or another instance which uses the
 // same storage as am does, and attempts to complete the challenge for
@@ -72,7 +82,7 @@ func (am *ACMEIssuer) distributedHTTPChallengeSolver(w http.ResponseWriter, r *h
 	if am == nil {
 		return false
 	}
-	host := hostOnly(r.Host)
+	host := challengeIdentifierHost(r.Host)
 	chalInfo, distributed, err := am.config.getACMEChallengeInfo(r.Context(), host, !am.DisableDistributedSolvers)
 	if err != nil {
 		if am.DisableDistributedSolvers {
@@ -178,7 +188,7 @@ func allBase64URL(s string) bool {
 func solveHTTPChallenge(logger *zap.Logger, w http.ResponseWriter, r *http.Request, challenge acme.Challenge, distributed bool) bool {
 	challengeReqPath := challenge.HTTP01ResourcePath()
 	if r.URL.Path == challengeReqPath &&
-		strings.EqualFold(hostOnly(r.Host), challenge.Identifier.Value) && // mitigate DNS rebinding attacks
+		strings.EqualFold(challengeIdentifierHost(r.Host), challenge.Identifier.Value) && // mitigate DNS rebinding attacks
 		r.Method == http.MethodGet {
 		w.Header().Add("Content-Type", "text/plain")
 		w.Write([]byte(challenge.KeyAuthorization))
@@ -249,7 +259,7 @@ func (iss *ZeroSSLIssuer) distributedHTTPValidationAnswer(w http.ResponseWriter,
 	if logger == nil {
 		logger = zap.NewNop()
 	}
-	host := hostOnly(r.Host)
+	host := challengeIdentifierHost(r.Host)
 	valInfo, distributed, err := iss.getDistributedValidationInfo(r.Context(), host)
 	if err != nil {
 		logger.Warn("looking up info for HTTP validation",
