feat: choose a network stack for challenges (#2832)

2026-03-14 22:45:48 +01:00 · 2026-01-30 18:15:53 +01:00 · 2026-01-30 18:15:53 +01:00 · 7be56482f9
commit 7be56482f9
parent 66932a641c
6 changed files with 58 additions and 11 deletions
--- a/challenge/network.go
+++ b/challenge/network.go
@ -3,16 +3,16 @@ package challenge
 type NetworkStack int

 const (
-	dualStack NetworkStack = iota
-	ipv4only
-	ipv6only
+	DualStack NetworkStack = iota
+	IPv4Only
+	IPv6Only
 )

 func (s NetworkStack) Network(proto string) string {
 	switch s {
-	case ipv4only:
+	case IPv4Only:
 		return proto + "4"
-	case ipv6only:
+	case IPv6Only:
 		return proto + "6"
 	default:
 		return proto
--- a/cmd/cmd_renew.go
+++ b/cmd/cmd_renew.go
@ -47,7 +47,7 @@ func createRenew() *cli.Command {
 				log.Fatal(fmt.Sprintf("--%s only works with --%s/-d, --%s/-c doesn't support this option.", flgForceCertDomains, flgDomains, flgCSR))
 			}

-			return ctx, nil
+			return ctx, validateNetworkStack(cmd)
 		},
 		Flags: createRenewFlags(),
 	}
--- a/cmd/cmd_run.go
+++ b/cmd/cmd_run.go
@ -31,7 +31,7 @@ func createRun() *cli.Command {
 				log.Fatal("Please specify --domains/-d (or --csr/-c if you already have a CSR)")
 			}

-			return ctx, nil
+			return ctx, validateNetworkStack(cmd)
 		},
 		Action: run,
 		Flags:  createRunFlags(),
@ -172,3 +172,11 @@ func newObtainForCSRRequest(cmd *cli.Command, csr *x509.CertificateRequest) cert
 		AlwaysDeactivateAuthorizations: cmd.Bool(flgAlwaysDeactivateAuthorizations),
 	}
 }
+
+func validateNetworkStack(cmd *cli.Command) error {
+	if cmd.Bool(flgIPv4Only) && cmd.Bool(flgIPv6Only) {
+		return fmt.Errorf("cannot specify both --%s and --%s", flgIPv4Only, flgIPv6Only)
+	}
+
+	return nil
+}
--- a/cmd/flags.go
+++ b/cmd/flags.go
@ -57,6 +57,12 @@ const (
 	flgUserAgent           = "user-agent"
 )

+// Flag names related to the network stack.
+const (
+	flgIPv4Only = "ipv4only"
+	flgIPv6Only = "ipv6only"
+)
+
 // Flag names related to HTTP-01 challenge.
 const (
 	flgHTTP              = "http"
@ -184,10 +190,26 @@ func CreateChallengesFlags() []cli.Flag {
 	flags = append(flags, CreateHTTPChallengeFlags()...)
 	flags = append(flags, CreateTLSChallengeFlags()...)
 	flags = append(flags, CreateDNSChallengeFlags()...)
+	flags = append(flags, CreateNetworkStackFlags()...)

 	return flags
 }

+func CreateNetworkStackFlags() []cli.Flag {
+	return []cli.Flag{
+		&cli.BoolFlag{
+			Name:    flgIPv4Only,
+			Aliases: []string{"4"},
+			Usage:   "Use IPv4 only.",
+		},
+		&cli.BoolFlag{
+			Name:    flgIPv6Only,
+			Aliases: []string{"6"},
+			Usage:   "Use IPv6 only.",
+		},
+	}
+}
+
 func CreateHTTPChallengeFlags() []cli.Flag {
 	return []cli.Flag{
 		&cli.BoolFlag{
--- a/cmd/setup_challenges.go
+++ b/cmd/setup_challenges.go
@ -103,8 +103,7 @@ func setupHTTPProvider(cmd *cli.Command) challenge.Provider {
 		}

 		srv := http01.NewProviderServerWithOptions(http01.Options{
-			// TODO(ldez): set network stack
-			Network: "tcp",
+			Network: getNetworkStack(cmd).Network("tcp"),
 			Address: net.JoinHostPort(host, port),
 		})

@ -116,8 +115,7 @@ func setupHTTPProvider(cmd *cli.Command) challenge.Provider {

 	case cmd.Bool(flgHTTP):
 		srv := http01.NewProviderServerWithOptions(http01.Options{
-			// TODO(ldez): set network stack
-			Network: "tcp",
+			Network: getNetworkStack(cmd).Network("tcp"),
 			Address: net.JoinHostPort("", ":80"),
 		})

@ -187,6 +185,8 @@ func setupDNS(cmd *cli.Command, client *lego.Client) error {
 		opts.Timeout = time.Duration(cmd.Int(flgDNSTimeout)) * time.Second
 	}

+	opts.NetworkStack = getNetworkStack(cmd)
+
 	dns01.SetDefaultClient(dns01.NewClient(opts))

 	err = client.Challenge.SetDNS01Provider(provider,
@ -224,3 +224,16 @@ func checkPropagationExclusiveOptions(cmd *cli.Command) error {
 func isSetBool(cmd *cli.Command, name string) bool {
 	return cmd.IsSet(name) && cmd.Bool(name)
 }
+
+func getNetworkStack(cmd *cli.Command) challenge.NetworkStack {
+	switch {
+	case cmd.Bool(flgIPv4Only):
+		return challenge.IPv4Only
+
+	case cmd.Bool(flgIPv6Only):
+		return challenge.IPv6Only
+
+	default:
+		return challenge.DualStack
+	}
+}
--- a/docs/data/zz_cli_help.toml
+++ b/docs/data/zz_cli_help.toml
@ -69,6 +69,8 @@ OPTIONS:
   --dns.propagation-wait duration                                By setting this flag, disables all the propagation checks of the TXT record and uses a wait duration instead. (default: 0s)
   --dns.resolvers string [ --dns.resolvers string ]              Set the resolvers to use for performing (recursive) CNAME resolving and apex domain determination. For DNS-01 challenge verification, the authoritative DNS server is queried directly. Supported: host:port. The default is to use the system resolvers, or Google's DNS resolvers if the system's cannot be determined.
   --dns-timeout int                                              Set the DNS timeout value to a specific value in seconds. Used only when performing authoritative name server queries. (default: 10)
+   --ipv4only, -4                                                 Use IPv4 only.
+   --ipv6only, -6                                                 Use IPv6 only.
   --csr string, -c string                                        Certificate signing request filename, if an external CSR is to be used.
   --no-bundle                                                    Do not create a certificate bundle by adding the issuers certificate to the new certificate.
   --must-staple                                                  Include the OCSP must staple TLS extension in the CSR and generated certificate. Only works if the CSR is generated by lego.
@ -129,6 +131,8 @@ OPTIONS:
   --dns.propagation-wait duration                                By setting this flag, disables all the propagation checks of the TXT record and uses a wait duration instead. (default: 0s)
   --dns.resolvers string [ --dns.resolvers string ]              Set the resolvers to use for performing (recursive) CNAME resolving and apex domain determination. For DNS-01 challenge verification, the authoritative DNS server is queried directly. Supported: host:port. The default is to use the system resolvers, or Google's DNS resolvers if the system's cannot be determined.
   --dns-timeout int                                              Set the DNS timeout value to a specific value in seconds. Used only when performing authoritative name server queries. (default: 10)
+   --ipv4only, -4                                                 Use IPv4 only.
+   --ipv6only, -6                                                 Use IPv6 only.
   --csr string, -c string                                        Certificate signing request filename, if an external CSR is to be used.
   --no-bundle                                                    Do not create a certificate bundle by adding the issuers certificate to the new certificate.
   --must-staple                                                  Include the OCSP must staple TLS extension in the CSR and generated certificate. Only works if the CSR is generated by lego.