ACME: assume "mailto:" scheme by default for contact URLs.

bavshin-f5 · bavshin-f5 · commit 27111ff182cd · 2025-07-28T17:38:58.000-07:00
The only contact URL scheme required in RFC8555 is mailto:. While other
schemes are allowed and can be accepted by an ACME server, most of the
clients ignore that.

The "contact" directive parser is updated to prepend mailto: to any URLs
without a scheme. This can be resolved unambiguously, as ':' is not
allowed in the email address unquoted, and quotes are forbidden in the
URL scheme.
diff --git a/README.md b/README.md
@@ -54,7 +54,7 @@ resolver 127.0.0.1:53;
 
 acme_issuer example {
     uri         https://acme.example.com/directory;
-    contact     mailto:admin@example.test;
+    contact     admin@example.test;
     state_path  /var/lib/nginx/acme-example;
     accept_terms_of_service;
 }
@@ -134,7 +134,8 @@ restart unless [](#state_path) is configured.
 **Context:** acme_issuer
 
 An array of URLs that the ACME server can use to contact the client for issues
-related to this account.
+related to this account. The `mailto:` scheme will be assumed unless specified
+explicitly.
 
 Can be specified multiple times.
 
diff --git a/src/conf.rs b/src/conf.rs
@@ -317,6 +317,24 @@ extern "C" fn cmd_issuer_add_contact(
     _cmd: *mut ngx_command_t,
     conf: *mut c_void,
 ) -> *mut c_char {
+    const MAILTO: &[u8] = b"mailto:";
+
+    fn has_scheme(val: &[u8]) -> bool {
+        // scheme      = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
+        if !val[0].is_ascii_alphabetic() {
+            return false;
+        }
+
+        for c in val {
+            if c.is_ascii_alphanumeric() || matches!(c, b'+' | b'-' | b'.') {
+                continue;
+            }
+            return *c == b':';
+        }
+
+        false
+    }
+
     let cf = unsafe { cf.as_mut().expect("cf") };
     let issuer = unsafe { conf.cast::<Issuer>().as_mut().expect("issuer conf") };
 
@@ -327,11 +345,25 @@ extern "C" fn cmd_issuer_add_contact(
     // NGX_CONF_TAKE1 ensures that args contains 2 elements
     let args = cf.args();
 
-    if core::str::from_utf8(args[1].as_bytes()).is_err() {
-        return c"contains invalid UTF-8 sequence".as_ptr().cast_mut();
+    if args[1].is_empty() || core::str::from_utf8(args[1].as_bytes()).is_err() {
+        return c"invalid value".as_ptr().cast_mut();
     };
 
-    issuer.contacts.push(args[1]);
+    if has_scheme(args[1].as_ref()) {
+        issuer.contacts.push(args[1]);
+    } else {
+        let mut value = ngx_str_t::empty();
+        value.len = MAILTO.len() + args[1].len;
+        value.data = cf.pool().alloc_unaligned(value.len).cast();
+        if value.data.is_null() {
+            return NGX_CONF_ERROR;
+        }
+
+        value.as_bytes_mut()[..MAILTO.len()].copy_from_slice(MAILTO);
+        value.as_bytes_mut()[MAILTO.len()..].copy_from_slice(args[1].as_ref());
+
+        issuer.contacts.push(value);
+    }
 
     NGX_CONF_OK
 }
diff --git a/t/acme_conf_issuer.t b/t/acme_conf_issuer.t
@@ -67,7 +67,7 @@ acme_shared_zone zone=ngx_acme_shared:1M;
 acme_issuer example {
     uri https://localhost:%%PORT_9000%%/dir;
     account_key ecdsa:256;
-    contact mailto:admin@example.test;
+    contact admin@example.test;
     resolver 127.0.0.1:%%PORT_8980_UDP%%;
     resolver_timeout 5s;
     ssl_verify off;
