From 3bc852e539b624f78819d14620eb73c4fc41fd31 Mon Sep 17 00:00:00 2001
From: Peter Gerber
Date: Wed, 25 Feb 2026 15:10:24 +0000
Subject: [PATCH] security/acme-client: include all IPs on interface, including any IPv6 address

Note that this will still not include virtual IPs but only the main IPs.
---
 .../AcmeClient/LeValidation/HttpOpnsense.php | 13 +++++--------
 .../AcmeClient/LeValidation/TlsalpnAcme.php | 13 +++++--------
 2 files changed, 10 insertions(+), 16 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php
index 3db1dae60..9216823ca 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php
@@ -79,14 +79,11 @@ class HttpOpnsense extends Base implements LeValidationInterface
 $backend = new \OPNsense\Core\Backend();
 $interface = (string)$this->config->http_opn_interface;
 $response = json_decode($backend->configdpRun('interface address', [$interface]));
- // XXX Returns both IPv4 and IPv6 now. While "[0]" and
- // "[1]" should remain in this order it would make sense
- // to ensure "family" matches "inet" or "inet6" and/or
- // pull both addresses for missing IPv6 support depending
- // on how this should work.
- if (!empty($response->$interface[0]->address)) {
- $iplist[] = $response->$interface[0]->address;
- }
+ foreach ($response->$interface as $if) {
+ if (!empty($if->address)) {
+ $iplist[] = $if->address;
+ }
+ }
 }
 
 // Generate rules for all IP addresses
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php
index fb9d4794d..dacae5f9b 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php
@@ -80,14 +80,11 @@ class TlsalpnAcme extends Base implements LeValidationInterface
 $backend = new \OPNsense\Core\Backend();
 $interface = (string)$this->config->tlsalpn_acme_interface;
 $response = json_decode($backend->configdpRun('interface address', [$interface]));
- // XXX Returns both IPv4 and IPv6 now. While "[0]" and
- // "[1]" should remain in this order it would make sense
- // to ensure "family" matches "inet" or "inet6" and/or
- // pull both addresses for missing IPv6 support depending
- // on how this should work.
- if (!empty($response->$interface[0]->address)) {
- $iplist[] = $response->$interface[0]->address;
- }
+ foreach ($response->$interface as $if) {
+ if (!empty($if->address)) {
+ $iplist[] = $if->address;
+ }
+ }
 }
 
 // Generate rules for all IP addresses
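Review bot: The new `foreach ($response->$interface as $if)` loses the null tolerance of the removed `!empty(...)` check: if `json_decode()` returns null or the response has no entry for the interface, PHP 8 warns on both the property read and the foreach argument. Writing it as `foreach ($response->$interface ?? [] as $if) {` keeps the old silent skip; the identical loop in the HttpOpnsense.php hunk needs the same guard. The loop also accepts every entry regardless of address family or scope, which the removed XXX comment had suggested checking. If the backend reports IPv6 link-local addresses, they would now reach the rule generation that follows, so it is worth confirming those rules are meant to cover them. The enclosing method starts and ends outside the hunk.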