(Note: This post is also cross-posted on the Let’s Encrypt blog)

As announced earlier this year, Let’s Encrypt now issues IP address and six-day certificates to the general public. The Certbot team here at the Electronic Frontier Foundation has been working on two improvements to support these features: the --preferred-profile flag released last year in Certbot 4.0, and the --ip-address flag, new in Certbot 5.3. With these improvements together, you can now use Certbot to get those IP address certificates!

If you want to try getting an IP address certificate using Certbot, install version 5.4 or higher (for webroot support with IP addresses), and run this command:

    sudo certbot certonly --staging \
      --preferred-profile shortlived \
      --webroot \
      --webroot-path <filesystem path to webserver root> \
      --ip-address <your ip address>

Two things of note:

- This will request a non-trusted certificate from the Let’s Encrypt staging server. Once you’ve got things working the way you want, run without the --staging flag to get a publicly trusted certificate.
- This requests a certificate with Let’s Encrypt’s “shortlived” profile, which will be good for 6 days. This is a Let’s Encrypt requirement for IP address certificates.
As of right now, Certbot only supports getting IP address certificates, not yet installing them in your web server. There’s work to come on that front. In the meantime, edit your webserver configuration to load the newly issued certificate from[…]
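Before pointing a web server at the new certificate, it is worth confirming that it lists your IP address as a subject alternative name and has the short validity of the shortlived profile. The script below is an added example, not part of the original post or of Certbot; the function names and the 7-day default threshold are assumptions, and it needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example: post-issuance checks for an IP address certificate.
# Needs the openssl CLI (1.1.1 or newer for -addext in the sample helper).

# check_ip_cert CERT_PEM IP [MAX_DAYS]
#   0  IP matches the certificate, cert unexpired, expires within MAX_DAYS
#   1  IP does not match the certificate
#   2  certificate has already expired
#   3  more than MAX_DAYS of validity left (not a short-lived certificate)
check_ip_cert() {
    cert=$1 ip=$2 max_days=${3:-7}
    # -checkip compares against iPAddress SAN entries and normalises IPv6.
    openssl x509 -in "$cert" -noout -checkip "$ip" 2>/dev/null |
        grep -q 'does match certificate' || return 1
    # -checkend N exits 0 only if the cert is still valid N seconds from now.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || return 2
    if openssl x509 -in "$cert" -noout \
        -checkend $((max_days * 86400)) >/dev/null 2>&1; then
        return 3
    fi
    return 0
}

# make_sample_cert OUT_PEM IP DAYS: constructed self-signed test input
# (192.0.2.0/24 is a documentation range); it stands in for a staging cert.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null \
        -out "$1" -days "$3" -subj "/CN=constructed-sample" \
        -addext "subjectAltName=IP:$2" 2>/dev/null
}

# Command-line use: sh check_ip_cert.sh <cert.pem> <ip> [max_days]
if [ "$#" -ge 2 ]; then
    check_ip_cert "$@"
    exit $?
fi
```

A return code of 3 on a production certificate means the request did not use the shortlived profile.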
IMO we should get away from using IP addresses for identification entirely.
Use IPv6 and DNS for addressing everything.

I wholeheartedly disagree. DNS needs servers running, which can go down or have their configuration break; this makes it less reliable for certain use cases where reliability is of the essence.
For example, I’m a maintainer of a server virtualization platform, where communication between hosts is done using IP only because DNS is simply not reliable enough. This means having to use IPs as subjects.



