Skip to content

PKI ACME error IP Address SANs #5550

New issue
New issue
Closed
#5771
Closed
PKI ACME error IP Address SANs#5550
#5771
@FelixKLG

Description

@FelixKLG
FelixKLG
opened on Feb 26, 2026

Describe the bug

The Infisical PKI ACME implementation doesn't support issuance of IP certificates.
Alt: This limitation isn't documented

To Reproduce

Steps to reproduce the behavior:

  1. Create Root CA in Infisical
  2. Create Certificate Policy (all all IP & DNS SANs)
  3. Create Certificate Profile (use ACME, use EAB, & skip validation)
  4. Copy EAB & Directory resources
  5. Run the following lego -d 127.0.0.1 -s https://eu.infisical.com/api/v1/cert-manager/acme/profiles/REPLACEME/directory -a -eab --kid REPLACEME --hmac REPLACEME --http run
  6. See Only DNS identifiers are supported urn:ietf:params:acme:error:unsupportedIdentifier :: Only DNS identifiers are supported

Expected behavior

ACME issuer to approve a new order containing IP addresses in the SAN.
This is rather critical for internal PKI usage.

Platform you are having the issue on:

Infisical Cloud + Linux Desktop

Additional context

You'll need to install the Lego ACME client to validate issue since certbot rejects IP addresses: https://go-acme.github.io/lego/

I believe this is the issue:

infisical/backend/src/ee/services/pki-acme/pki-acme-service.ts

Line 999 in c81cc13

throw new AcmeBadCSRError({ message: "Invalid CSR: Only DNS subject alternative names are supported" });

Not sure if this is an intended mechanic really, but seemed unintuitive for internal PKI.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions