feat: IPv6 support for standalone challenge config (#1267)

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

Author: 2 people

.github/workflows/test.yml

@@ -118,6 +118,9 @@ jobs:
           - test-name: debug_acmesh_log
             setup: 2containers
             pebble-config: pebble-config.json
+          - test-name: standalone_ipv6
+            setup: 2containers
+            pebble-config: pebble-config.json
     runs-on: ubuntu-latest
 
     steps:

app/functions.sh

@@ -135,10 +135,14 @@ function add_standalone_configuration {
         add_location_configuration "$domain"
     else
         # Else use the standalone configuration.
+        local listen_directives='    listen 80;'
+        if parse_true "${ENABLE_IPV6:-false}"; then
+            listen_directives+=$'\n    listen [::]:80;'
+        fi
         cat > "/etc/nginx/conf.d/standalone-cert-$domain.conf" << EOF
 server {
     server_name $domain;
-    listen 80;
+${listen_directives}
     access_log /var/log/nginx/access.log vhost;
     location ^~ /.well-known/acme-challenge/ {
         auth_basic off;

docs/Container-configuration.md

@@ -40,6 +40,8 @@ You can also create test certificates per container (see [Test certificates](./L
 
 * `ACME_HTTP_CHALLENGE_LOCATION` - Previously **acme-companion** automatically added the ACME HTTP challenge location to the nginx configuration through files generated in `/etc/nginx/vhost.d`. Recent versions of **nginx-proxy** (>= `1.6`) already include the required location configuration, which remove the need for **acme-companion** to attempt to dynamically add them. If you're running and older version of **nginx-proxy** (or **docker-gen** with an older version of the `nginx.tmpl` file), you can re-enable this behaviour by setting `ACME_HTTP_CHALLENGE_LOCATION` to `true`.
 
+* `ENABLE_IPV6` - Set it to `true` to make the **standalone** ACME HTTP challenge configuration (used for domains not served by **nginx-proxy**, e.g. `LETSENCRYPT_STANDALONE_CERTS`) also listen over IPv6 (`listen [::]:80;`) in addition to IPv4. This matches **nginx-proxy**'s [`ENABLE_IPV6`](https://github.com/nginx-proxy/nginx-proxy#ipv6-support) option, so set the same value on both containers. Leave it unset (or `false`) unless your host and its Docker networking actually support IPv6, otherwise nginx may fail to bind the IPv6 socket. Only the standalone challenge config is affected; challenges served through nginx-proxy already follow nginx-proxy's own IPv6 setting.
+
 * `RELOAD_NGINX_ONLY_ONCE` - The companion reload nginx configuration after every new or renewed certificate. Previously this was done only once per service loop, at the end of the loop (this was causing delayed availability of HTTPS enabled application when multiple new certificates where requested at once, see [issue #1147](https://github.com/nginx-proxy/acme-companion/issues/1147)). You can restore the previous behaviour if needed by setting the environment variable `RELOAD_NGINX_ONLY_ONCE` to `true`.
 
 * `DOCKER_CONTAINER_FILTERS` -  You can filter which containers are considered by acme-companion by using the `DOCKER_CONTAINER_FILTERS` environment variable (by default, acme-companion will consider all running containers). It takes a comma separated list of `key=value` pairs. For example, setting `DOCKER_CONTAINER_FILTERS` environment variable to `network=mynetwork` will cause acme-companion to consider only containers connected to the `mynetwork` network. See the [Docker CLI documentation](https://docs.docker.com/reference/cli/docker/container/ls/#filter) for details on available filters.

test/config.sh

@@ -10,6 +10,7 @@ globalTests+=(
 	certs_san
 	certs_single_domain
 	certs_standalone
+	standalone_ipv6
 	force_renew
 	acme_accounts
 	private_keys

test/tests/standalone_ipv6/expected-std-out.txt

@@ -0,0 +1,43 @@
+## ipv6-enabled
+server {
+    server_name ipv6.example.test;
+    listen 80;
+    listen [::]:80;
+    access_log /var/log/nginx/access.log vhost;
+    location ^~ /.well-known/acme-challenge/ {
+        auth_basic off;
+        auth_request off;
+        allow all;
+        root /usr/share/nginx/html;
+        try_files $uri =404;
+        break;
+    }
+}
+## ipv6-disabled
+server {
+    server_name plain.example.test;
+    listen 80;
+    access_log /var/log/nginx/access.log vhost;
+    location ^~ /.well-known/acme-challenge/ {
+        auth_basic off;
+        auth_request off;
+        allow all;
+        root /usr/share/nginx/html;
+        try_files $uri =404;
+        break;
+    }
+}
+## ipv6-unset
+server {
+    server_name unset.example.test;
+    listen 80;
+    access_log /var/log/nginx/access.log vhost;
+    location ^~ /.well-known/acme-challenge/ {
+        auth_basic off;
+        auth_request off;
+        allow all;
+        root /usr/share/nginx/html;
+        try_files $uri =404;
+        break;
+    }
+}

test/tests/standalone_ipv6/run.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+
+## Test that standalone challenge configs listen over IPv6 only when ENABLE_IPV6 is set. See #710.
+
+commands="$(cat <<'EOF'
+source /app/functions.sh
+mkdir -p /etc/nginx/conf.d
+printf 'server { server_name other.example.test; }\n' > /etc/nginx/conf.d/other.conf
+
+echo '## ipv6-enabled'
+( export ENABLE_IPV6=true; add_standalone_configuration 'ipv6.example.test' )
+cat /etc/nginx/conf.d/standalone-cert-ipv6.example.test.conf
+echo '## ipv6-disabled'
+( export ENABLE_IPV6=false; add_standalone_configuration 'plain.example.test' )
+cat /etc/nginx/conf.d/standalone-cert-plain.example.test.conf
+echo '## ipv6-unset'
+( unset ENABLE_IPV6; add_standalone_configuration 'unset.example.test' )
+cat /etc/nginx/conf.d/standalone-cert-unset.example.test.conf
+EOF
+)"
+
+docker run --rm "$1" bash -c "$commands" 2>&1