tls: Normalization IPv6 addresses in r.Host for ACME challenge

[u5surf]

Fixes: #7399

go https host IPv6 addresses written in r.Host has brackets, it has caused mismatch in ACME challenge, because it verified without bracket IPv6 addresses.

Assistance Disclosure

• Claude generated the code, but I read, verified, understand all of their written code.

[steadytao]

I think there may still be one gap here in the actual HTTP-challenge serving path.

This normalises r.Host for getAutomationPolicyForName() and certmagic.GetACMEChallenge() but both solver calls still receive the original request with the raw bracketed host:

• acmeIssuer.GetACMEIssuer().issuer.HandleHTTPChallenge(w, r)
• certmagic.SolveHTTPChallenge(t.logger, w, r, challenge.Challenge)

In CertMagic, the final HTTP-challenge check still compares hostOnly(r.Host) against the identifier. For a bracketed IPv6 host without a port, hostOnly(r.Host) seems to stay bracketed so it looks like the lookup can now succeed while the actual challenge response may still fail the host match.

So I’m not sure this fully fixes the remaining #7399 path yet. It seems like the request passed into the solver may need the same host normalisation too, unless that normalisation belongs in CertMagic instead.

[mohammed90]

Please disclose the use of LLM appropriately. That part of the PR template seems to be malformed.

[u5surf]

@steadytao Hello, Are you saying we need to fix the CertMagic side as well?

[steadytao]

Not necessarily CertMagic itself but I do think there is still one more place that needs the same normalisation.

Right now this PR normalizes r.Host for:

• getAutomationPolicyForName()
• certmagic.GetACMEChallenge()

But the actual solver calls still receive the original request with the raw bracketed host:

• acmeIssuer.GetACMEIssuer().issuer.HandleHTTPChallenge(w, r)
• certmagic.SolveHTTPChallenge(t.logger, w, r, challenge.Challenge)

So my concern is that the lookup can now succeed but the final HTTP-challenge serving step may still fail because those paths still read r.Host.

That could be fixed either here in Caddy by passing a cloned request with the normalised host into the solver path or in CertMagic by normalising there more centrally. I just don’t think the current PR fully closes the loop yet.

[steadytao]

LGTM.

The test coverage could be expanded a bit further with a more integration-style case but otherwise this looks good to me.

[mholt]

Thanks for the PR.

What if we just fix the normalization in CertMagic rather than cloning the request to hack around it?

[u5surf]

@mholt Thanks reviewing. That's suggestive. I opened the new PR in certmagic. Please take a look this.

caddyserver/certmagic#376