x/crypto/acme/autocert: add support for ACME profiles and LetsEncrypt public ip certificates

[cthayer]

This PR adds support for automated management of ACME certificates for public ip addresses.

In July 2025, LetsEncrypt announced the first certificate for a public ip address (https://letsencrypt.org/2025/07/01/issuing-our-first-ip-address-certificate)
and their intention to support short lived certificates for public ip addresses.

In December 2025, LetsEncrypt announced general availability of certificates
for public ip addresses in production (https://community.letsencrypt.org/t/upcoming-changes-to-let-s-encrypt-certificates/243873).

These type of certificates are particularly helpful for infrastructure projects that
have a static public ip address but no domain name and need to create a secure
and trusted connection with external clients (like one of the projects that I'm working on).

In order for LetsEncrypt to issue a certificate for a public ip address, one of the
requirements is that the "shortlived" (https://letsencrypt.org/docs/profiles/#shortlived)
profile be used when ordering the certificate.

Profiles are a relatively new addition to the ACME protocol, but a Draft RFC (https://datatracker.ietf.org/doc/draft-aaron-acme-profiles/)
does exist. I did not research if any ACME providers other than LetsEncrypt support
this Draft RFC, but a) LetsEncrypt does, b) this package seems primarily intended to
work with LetsEncrypt, and c) supporting profiles via the Draft RFC does not impact
existing functionality for other ACME providers that don't support profiles.

In order to manage certificates for public ip addresses using this PR, you a) add the
"shortlived" profile when defining the "autocert.Manager", b) add a public ip address
to the manager's "HostPolicy", and c) wrap the manager's "tlsConf.GetCertificate"
function to set the "clientHello.ServerName" to the public ip address as most browsers/clients
do not set the SNI server name for a request to an ip address.

For example:

publicIp := "xxx.xxx.xxx.xxx"

manager := &autocert.Manager{
...
HostPolicy: autocert.HostWhiteList(publicIp),
Profile: "shortlived",
...
}

tlsConfig := &tls.Config{
...
NextProtos: manager.NextProtos,
GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
if hello.ServerName == "" {
// if SNI is not set, assume the request was made to the public ip address
hello.ServerName = publicIp
}
return manager.GetCertificate(hello)
},
...
}

This PR is currently in use in one of the infrastructure projects I'm working on and is successfully
managing short lived LetsEncrypt certificates for public ip addresses.

I would love to get feedback on the implementation and ultimately see this functionality get added
to the "x/crypto/acme" and "x/crypto/acme/autocert" packages as I'm sure I'm not the only one
whose projects would benefit from this feature.

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[cthayer]

CLA signed and check passed

[gopherbot]

This PR (HEAD: 8bdfc72) has been imported to Gerrit for code review.

Please visit Gerrit at https://go-review.googlesource.com/c/crypto/+/741240.

Important tips:

• Don't comment on this PR. All discussion takes place in Gerrit.
• You need a Gmail or other Google account to log in to Gerrit.
• To change your code in response to feedback:
  • Push a new commit to the branch used by your GitHub PR.
  • A new "patch set" will then appear in Gerrit.
  • Respond to each comment by marking as Done in Gerrit if implemented as suggested. You can alternatively write a reply.
  • Critical: you must click the blue Reply button near the top to publish your Gerrit responses.
  • Multiple commits in the PR will be squashed by GerritBot.
• The title and description of the GitHub PR are used to construct the final commit message.
  • Edit these as needed via the GitHub web interface (not via Gerrit or git).
  • You should word wrap the PR description at ~76 characters unless you need longer lines (e.g., for tables or URLs).
• See the Sending a change via GitHub and Reviews sections of the Contribution Guide as well as the FAQ for details.

[gopherbot]

Message from Gopher Robot:

Patch Set 1:

(1 comment)

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/741240.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Gopher Robot:

Patch Set 1:

Congratulations on opening your first change. Thank you for your contribution!

Next steps:
A maintainer will review your change and provide feedback. See
https://go.dev/doc/contribute#review for more info and tips to get your
patch through code review.

Most changes in the Go project go through a few rounds of revision. This can be
surprising to people new to the project. The careful, iterative review process
is our way of helping mentor contributors and ensuring that their contributions
have a lasting impact.

During May-July and Nov-Jan the Go project is in a code freeze, during which
little code gets reviewed or merged. If a reviewer responds with a comment like
R=go1.11 or adds a tag like "wait-release", it means that this CL will be
reviewed as part of the next development cycle. See https://go.dev/s/release
for more details.

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/741240.
After addressing review feedback, remember to publish your drafts!