Additional Reasons for Issuing Certificates to IP Addresses

I have noticed several discussions over the past three years about whether it is necessary, feasible, or appropriate to issue SSL certificates for IP addresses. In fact, I have a similar need. Therefore, I would like to provide some additional reasons that have not been fully discussed yet.

As far as I know, currently only ZeroSSL can issue free certificates for IP addresses, but each issuance is only for three months, and each account can only issue three times, which is quite inconvenient. Of course, it is acceptable, and this is the method I am currently using.

In general, this is a rare demand because using domain names is usually cheap and convenient. Therefore, I fully understand the delay in related plans.

However, in mainland China, there are very strict regulations on the management of websites/domains. Any domain name resolved to a server in mainland China must be registered and approved by the relevant government authorities, otherwise the resolution will be blocked. This registration process is very cumbersome, requiring written identification materials, guarantees, expected website plans, etc., and individuals are not allowed to set up some common websites (such as blogs) without written permission (which is almost impossible to obtain). Cloud service providers and regulatory authorities also conduct regular checks on the content of registered domain names to ensure it complies with the initially approved content, so you cannot easily change the website content.

Of course, this also means that you cannot easily change domain names, and some domain suffixes (such as some free or cheap suffixes) are not included in the list of registrable domain suffixes published by the government. This increases the cost of obtaining domain names.

Other alternatives that do not use domain names (such as DDNS) are also subject to the same degree of regulation.

By the end of 2023, there were nearly 1.3 billion internet users in China. I believe many of these 1.3 billion people, who try to set up small websites/services on cloud servers to provide convenience for themselves, their families, and friends, are troubled by the difficulty of obtaining domain names. However, they still need SSL certificates for HTTPS secure communication. After all, in 2024, using HTTP communication is indeed too unsafe.

In summary, I believe this is a long-ignored situation/need that has not been mentioned here. Therefore, I am posting this in the hope that someone will see it and bring about some discussion.

Of course, this is a demand caused by strict regulations from the internet authorities of specific countries, and no one is obligated to pay for their mistakes. I am not asking you to introduce features for such special needs or to increase the workload, possibly bringing additional risks to public services. But it does cause inconvenience for many people, and many internet activities are forced to be exposed to risks. I just hope that the next time you consider whether to implement this feature, you take into account what I have mentioned here.

1 Like

slowly building

6 Likes

Thanks. This is very exciting. I didn't notice this before. I just saw a related post in the community from January this year, but it has been closed and can't be replied to, so I decided to start a new one.

4 Likes

Exciting to see that this is being worked on.

Has it been decided what the maximum duration of IP certificates will be?

1 Like

10/7 days, because it's planned to only allow IP SANs on short-lifetime ones.

3 Likes

Likely something slightly less than 7 days, maybe 150 or 160 hours.

We aren’t launching IP certs until after short-lived certs, which we aren’t launching until at least we horizontally shard our database and add support for certificate profiles, both of which are big multi-month projects.

So there’s a number of blockers to resolve, and thus no timeline commitment yet.

5 Likes

If I trust the GitHub issue about certificate profiles, it is almost done except for the webpage documentation and actually having a non-default profile: not sure what to write in a Ford catalog when the only thing sold is the black Ford T.

2 Likes

Google Trust Services might be able to issue certificates to IP addresses, according to their FAQ.

2 Likes

Yep, technical support for multi-profile issuance is basically complete. We're not talking about it publicly until after June 6, to avoid adding any confusion to the changes happening on that date. Support for profile selection will require client-side changes, so there will be outreach to describe how clients can implement it, and encouragement for website operators to update their clients.

Support for short-lived certs requires a couple pieces beyond that, largely around ensuring our infrastructure can support the increased issuance volume, and perhaps implementation of an allow-list to ensure that issuance volume doesn't grow too quickly.

Then support for IP Address certs requires quite a bit more work, to ensure we are fully compliant when conducting validation of IP addresses and when formatting IP addresses in certificates. We have internal goals/timelines for when we'll issue our first IP address certificate, but we're not committing to those in public yet.

4 Likes

Hello, thank you for your response. I have reviewed more specific documents, and it turns out that Google Trust Services can indeed issue certificates containing IP addresses. However, this is currently limited to customers who control an IANA assigned IP address block. So, for general users, this doesn't seem feasible.

Moreover, as far as I know, due to internet restrictions, servers in mainland China cannot directly connect to Google's ACME API services.

Relevant Google cloud blog

2 Likes

@aarongable Will you include IPv6 support when IP address certs become available?

2 Likes

Yes, I don’t expect any difference between v4 and v6, beyond some rate limit details probably.

4 Likes

Oops, I didn't read the 2nd half of that carefully enough & wasted 4 hours playing around with Google's CA, oh well. Learning experience.

I did discover something interesting though...

It appears that certbot still displays the same "The Let's Encrypt certificate authority will not issue certificates for a bare IP address." even when you're requesting from another CA? Seems like no attempt is made to contact the CA's server so I guess the message is hard-coded into certbot?

Checked GitHub and it seems to be in util.py; it doesn't seem to check which CA is actually being used, so the message will always say "Let's Encrypt".

2 Likes
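To make the point above concrete, here is an added example (not certbot's own code, and not from anyone in this thread) of what a CA-neutral client-side pre-check for bare IP identifiers can look like. It uses only the Python standard library; the CA name, the `ca_issues_ip_certs` flag and the sample addresses (RFC 5737/3849 documentation ranges) are assumptions constructed for the example. It also shows the raw octets an iPAddress SAN carries, which is why a DNS-name check alone is not enough to decide whether a request will be accepted.

```python
import ipaddress
from typing import Optional

# Constructed example of a client-side identifier pre-check. It mirrors the
# kind of "is this a bare IP?" test a client might run before contacting a CA,
# but reports the outcome in terms of the CA actually in use rather than
# hard-coding one CA's name into the message.


def classify_identifier(name: str) -> str:
    """Return 'ipv4', 'ipv6' or 'dns' for a requested identifier.

    Bracketed IPv6 literals as they appear in URLs ("[2001:db8::1]") are
    accepted. Anything that is not a valid IP literal is treated as a DNS
    name; this function does not validate DNS syntax.
    """
    candidate = name.strip()
    if candidate.startswith("[") and candidate.endswith("]"):
        candidate = candidate[1:-1]
    try:
        addr = ipaddress.ip_address(candidate)
    except ValueError:
        return "dns"
    return "ipv4" if addr.version == 4 else "ipv6"


def ip_san_octets(name: str) -> Optional[bytes]:
    """Octets an iPAddress SAN would carry for this identifier, or None.

    RFC 5280 encodes iPAddress SANs as the raw network-order octets
    (4 bytes for IPv4, 16 bytes for IPv6), not as the textual form, so a
    certificate for an IP cannot be matched by comparing dNSName entries.
    """
    if classify_identifier(name) == "dns":
        return None
    candidate = name.strip().strip("[]")
    return ipaddress.ip_address(candidate).packed


def precheck_message(name: str, ca_name: str, ca_issues_ip_certs: bool) -> Optional[str]:
    """Return a refusal message naming the configured CA, or None to proceed.

    `ca_name` and `ca_issues_ip_certs` are assumed to come from the client's
    configuration for the selected ACME endpoint (hypothetical inputs here).
    """
    kind = classify_identifier(name)
    if kind == "dns" or ca_issues_ip_certs:
        return None
    return (
        f"{ca_name} does not issue certificates for the bare "
        f"{kind.upper()} address {name}; request a DNS name instead."
    )


if __name__ == "__main__":
    # Constructed sample identifiers from documentation address ranges.
    for ident in ("203.0.113.7", "[2001:db8::1]", "example.com"):
        print(ident, classify_identifier(ident), ip_san_octets(ident),
              precheck_message(ident, "Example CA", ca_issues_ip_certs=False))
```

The message is built from the CA name the client is actually configured to talk to, so the same check works unchanged whether or not the selected CA issues IP certificates; the caller only flips `ca_issues_ip_certs`.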

Certbot also always directs people to this forum for help with failures, regardless of which CA they're using.

(I don't personally particularly object to this forum being the de-facto Certbot support forum for all CAs, but it does seem a little weird how it presumes that people here would be able to help regardless.)

3 Likes

The link to the forum is sensible; however, the explicit reference "The Let's Encrypt certificate authority will not issue certificates for a bare IP address" seems inappropriate when using a different Certificate Authority, to which the statement about bare IP addresses might or might not actually apply.

3 Likes

Oh yes, wasn't trying to disagree with you in the slightest. Just saying that there are multiple places where certbot still seems to assume that Let's Encrypt is the entire ACME world. :slight_smile:

3 Likes