ACMECert v3.7.0

- added support for IP address certificates
- added option to disable grouping of dns-01 challenges

Author: skoerfgen

README.md

@@ -1,4 +1,4 @@
-# ACMECert v3.6.0
+# ACMECert v3.7.0
 
 PHP client library for [Let's Encrypt](https://letsencrypt.org/) and other [ACME v2 - RFC 8555](https://tools.ietf.org/html/rfc8555) compatible Certificate Authorities.  
 
@@ -23,6 +23,7 @@ It is self contained and contains a set of functions allowing you to:
 - [parse certificates](#acmecertparsecertificate) / get the [remaining days](#acmecertgetremainingdays) or [percentage](#acmecertgetremainingpercent) a certificate is still valid
 - get/use [ACME Renewal Information](#acmecertgetari) (ARI)
 - get/use [ACME certificate profiles](#acmecertgetprofiles)
+- issue IP address certificates
 - and more..
 > see [Function Reference](#function-reference) for a full list
 
@@ -268,6 +269,7 @@ $handler=function($opts) use ($ac){
         // Stop ALPN Responder
         fclose($pipes[0]);
         fclose($pipes[1]);
+        proc_terminate($resource);
         proc_close($resource);
         shell_exec('/etc/init.d/apache2 start');
       };
@@ -733,22 +735,34 @@ public string ACMECert::getCertificateChain ( mixed $pem, array $domain_config,
 >> ```php
 >> array( 'notAfter' => '1970-01-01T01:22:17+01:00' )
 >> ```
->>
+>
 >> **`replaces`** (string)
 >>
 >> The ARI CertID uniquely identifying a previously-issued certificate which this order is intended to replace.
 >>
 >> Use: [getARI](#acmecertgetari) to get the ARI CertID for a certificate.
 >>
 >> Example: [Get/Use ACME Renewal Information](#getuse-acme-renewal-information)
->> 
+>
 >> **`profile`** (string)
 >>
 >> The name of the profile to use.
 >>
 >> Use: [getProfiles](#acmecertgetprofiles) to get a list of available profiles.
 >>
 >> Example: [ACME certificate profiles](#acme-certificate-profiles)
+>
+>> **`group`** (boolean / default: `TRUE`)
+>>
+>> When issuing certificates using the `dns-01` challenge for multiple domains that share the same `_acme-challenge` subdomain, such as:
+>> - example.com
+>> - *.example.com (wildcard)
+>>
+>> two distinct TXT records must be created under the same DNS name `_acme-challenge.example.com`
+>>
+>> By default, ACMECert groups these challenges together. This means all required TXT records for `_acme-challenge.example.com` are set simultaneously, and validation is triggered only after all records are in place. This approach prevents validation failures due to DNS caching delays.
+>>
+>> If set to `FALSE` challenges are handled independently. Each TXT record gets set and validated one at a time.
 
 
 

composer.json

@@ -1,6 +1,6 @@
 {
 	"name": "skoerfgen/acmecert",
-	"version": "3.6.0",
+	"version": "3.7.0",
 	"description": "PHP client library for Let's Encrypt and other ACME v2 - RFC 8555 compatible Certificate Authorities",
 	"license": "MIT",
 	"authors": [

src/ACMECert.php

@@ -205,7 +205,7 @@ public function getCertificateChain($pem,$domain_config,$callback,$settings=arra
 				$groups[
 					$domain_config[$domain]['challenge'].
 					'|'.
-					ltrim($domain,'*.')
+					(($settings['group'])?ltrim($domain,'*.'):$domain)
 				][$domain]=array($auth_url,$authorization);
 			}
 
@@ -335,7 +335,7 @@ public function generateCSR($domain_key_pem,$domains){
 		$fn=$this->tmp_ssl_cnf($domains);
 		$cn=reset($domains);
 		$dn=array();
-		if (strlen($cn)<=64){
+		if (!filter_var($cn,FILTER_VALIDATE_IP) && strlen($cn)<=64){
 			$dn['commonName']=$cn;
 		}
 		$csr=openssl_csr_new($dn,$domain_key,array(
@@ -536,10 +536,11 @@ private function parseSettings($opts){
 		// authz_reuse: backwards compatibility to ACMECert v3.1.2 or older
 		if (!is_array($opts)) $opts=array('authz_reuse'=>(bool)$opts);
 		if (!isset($opts['authz_reuse'])) $opts['authz_reuse']=true;
+		if (!isset($opts['group'])) $opts['group']=true;
 
 		$diff=array_diff_key(
 			$opts,
-			array_flip(array('authz_reuse','notAfter','notBefore','replaces','profile'))
+			array_flip(array('authz_reuse','notAfter','notBefore','replaces','profile','group'))
 		);
 
 		if (!empty($diff)){
@@ -561,7 +562,11 @@ private function makeOrder($domains,$opts){
 		$order=array(
 			'identifiers'=>array_map(
 				function($domain){
-					return array('type'=>'dns','value'=>$domain);
+					if (filter_var($domain,FILTER_VALIDATE_IP)){
+						return array('type'=>'ip','value'=>$domain);
+					}else{
+						return array('type'=>'dns','value'=>$domain);
+					}
 				},
 				$domains
 			)
@@ -681,7 +686,12 @@ private function tmp_ssl_cnf($domains=null,$extension=''){
 				'[SAN]'."\n".
 				'subjectAltName='.
 				implode(',',array_map(function($domain){
-					return 'DNS:'.$domain;
+					if (filter_var($domain,FILTER_VALIDATE_IP)){
+						return 'IP:'.$domain;
+					}else{
+						return 'DNS:'.$domain;
+					}
+
 				},$domains))."\n"
 			:
 				''

src/ACMEv2.php

@@ -308,7 +308,7 @@ protected function http_request($url,$data=null){
 		}
 
 		$method=$data===false?'HEAD':($data===null?'GET':'POST');
-		$user_agent='ACMECert v3.6.0 (+https://github.com/skoerfgen/ACMECert)';
+		$user_agent='ACMECert v3.7.0 (+https://github.com/skoerfgen/ACMECert)';
 		$header=($data===null||$data===false)?array():array('Content-Type: application/jose+json');
 		if ($this->ch) {
 			$headers=array();