From b3ae42215bfaf2c9b6905abedb802c001b4cfacd Mon Sep 17 00:00:00 2001
From: Echo <echo@moon-dragon.us>
Date: Mon, 18 May 2026 16:19:39 +0000
Subject: [PATCH] fix(ca): strip CIDR netmask from IP before adding to server
 cert SANs

---
 crates/pm-ca/src/ca.rs | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/crates/pm-ca/src/ca.rs b/crates/pm-ca/src/ca.rs
index 348d0e7..403e55a 100644
--- a/crates/pm-ca/src/ca.rs
+++ b/crates/pm-ca/src/ca.rs
@@ -351,7 +351,9 @@ impl CertAuthority {
         let mut sans = vec![SanType::DnsName(
             Ia5String::try_from(hostname.to_owned()).context("hostname is not valid IA5")?,
         )];
-        if let Ok(ip) = ip_address.parse::<IpAddr>() {
+        // Strip CIDR netmask (e.g. "192.168.3.36/32") before parsing
+        let ip_str = ip_address.split('/').next().unwrap_or(ip_address);
+        if let Ok(ip) = ip_str.parse::<IpAddr>() {
             sans.push(SanType::IpAddress(ip));
         } else {
             tracing::warn!(