From 4cdb4c2090ce2547a2e7920ae2d049644507936a Mon Sep 17 00:00:00 2001
From: Evgeny Khramtsov
Date: Fri, 20 Sep 2019 13:03:25 +0300
Subject: [PATCH] Don't auto request certificate for localhost and IP-like domains
---
 src/ejabberd_acme.erl | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/ejabberd_acme.erl b/src/ejabberd_acme.erl
index bedf7b792..b9e7ce10e 100644
--- a/src/ejabberd_acme.erl
+++ b/src/ejabberd_acme.erl
@@ -565,7 +565,8 @@ request_on_start() ->
 _ ->
 case lists:filter(
 fun(Host) ->
- not have_cert_for_domain(Host)
+ not (have_cert_for_domain(Host)
+ orelse is_ip_or_localhost(Host))
 end, all_domains()) of
 [] -> false;
 Hosts ->
@@ -591,6 +592,15 @@ well_known() ->
 have_cert_for_domain(Host) ->
 ejabberd_pkix:get_certfile_no_default(Host) /= error.

+-spec is_ip_or_localhost(binary()) -> boolean().
+is_ip_or_localhost(Host) ->
+ Parts = binary:split(Host, <<".">>),
+ TLD = binary_to_list(lists:last(Parts)),
+ case inet:parse_address(TLD) of
+ {ok, _} -> true;
+ _ -> TLD == "localhost"
+ end.
+
 -spec have_acme_listener() -> boolean().
 have_acme_listener() ->
 lists:any(
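Review bot: In the new `is_ip_or_localhost/1`, `binary:split(Host, <<".">>)` is called without `[global]`, so it splits only at the first dot and `TLD` holds everything after the first label, not the last label. A host such as `a.b.localhost` yields `b.localhost`, fails both tests, and still passes the filter in `request_on_start/0` (first hunk), so an internal name is submitted to the ACME CA at start-up. Dotted-quad hosts appear to be caught only because `inet:parse_address/1` accepts the three-part remainder as a short-form address. I would change the line to `Parts = binary:split(Host, <<".">>, [global]),` and add a comment such as `%% Last label only: "localhost" or a numeric label means the name is not publicly resolvable`. A small test over `localhost`, `a.b.localhost`, an IPv4 literal and an IPv6 literal should confirm that the lenient parser still accepts a bare numeric last label.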