Can I get a certificate if only have a public IP address?

I don't have a domain name.I just have a public IP address. Can I have a certificate? First time here, thanks!


No. Let's Encrypt provides only Domain Validation certificates, which (as the name suggests) validate control of a public domain name.


Thanks for response. Then how can I get my server accessed via HTTPS if it only has an IP address?


Unfortunately you might need to weigh the options:

  1. Buy a cheap domain name
  2. Buy an expensive certificate.
  3. Use a self-signed certificate

Use a FREE DDNS name.
[And use it to point to your IP address]


I like that approach the best. The certs I found in an extremely short time-span are incredibly expensive..


You can get a free 90 day certificate for a bare IP address from You won't be able to make it automatically renewing without paying, though.


Is using a self-signed certificate essentially safe? Will this method be stolen or tampered with by an intermediary?

if you actually check the publickey, I'd say it's safer then 'trust by green padlock': think about SSH publickey auth.


This community is here to support Let's Encrypt issued certificates by LE supported ACME Clients.

That said, a properly generated self-signed certificate is as "safe" as any other cert issued by a commercial entity. They are useful in many ways...Here's the catch....
Self-Signed Certificates ARE NOT "TRUSTED" by any major browser at all. Which means every time someone visits the site they will have to "accept the risks" associated with a cert of this type.
YOU must do the research before deciding to use a self signed cert.
Example, Google Chrome:

This is probably not the site you are looking for!
The site's security certificate is not trusted!

I recommend using another approach.


If you are the only one to use the ip/site... OK, but don't expect anyone else to appreciate the perceived hazards when they attempt to use the site and wade through warnings and exceptions that will most likely result in a serious lack of users confidence.
IMHO -- Get a domain name (as @rg305 mentions above). Use certbot and get a real FREE certificate from LE. You will be happier for it. (And we are here to help).
My 2 cents
:coin: :coin:


Oh I see! It's very kind of you all! Thank you very much!:handshake:


Hello, Rip. I'm very sorry to bother you again. I am asking for a free 90 day certificate for a bare IP address from It says that I need to verify ownership of my domain before installing the certificate. I have to choose the second Verification Method (HTTP File Upload) because I don't have a domain name. The steps are as follows:

To verify your domain using HTTP File Upload, please follow the steps below:

  1. Download your Auth File using the following link: Download Auth File
  2. Upload the Auth File to your HTTP server under: /.well-known/pki-validation/
  3. Make sure your file is available under the following link: http://[My IP Adress]/.well-known/pki-validation/xxxxxxxxxxxxxxxxxxxxxxxxxxxx.txt
  4. Click "Next Step" to continue.

Do you have any suggestions for the third step above? I tried to use nginx to implement it, but unfortunately, the default port 80 port of the web server does not seem to work. I have tried my best, and at present I can only access the auth file through the following link ([My IP Adress]:[Other Port Number]): http://[My IP Adress]:xxxx/.well-known/pki-validation/xxxxxxxxxxxxxxxxxxxxxxxxxxxx.txt.

Can you give me some advice on this? Thank you very much!


Does your ISP block port 80?


If port 80 isn't availabe/possible, I don't see another way how ZeroSSL can validate the IP address. The site also gives a CNAME-option, but I'm pretty sure it's not possible to resolve _randomvalue.


I guess the problem should be here. :thinking:

1 Like

:sob:So do I have to get a domain name before I can use it? Or can't even if there is a domain name?

If port 80 is being blocked (or being used by some other device), then HTTP-01 validation is not an option for you.

That leaves DNS-01 validation.
But that requires making required changes to a real (Internet accessible) DNS zone.

[ There is also TLS-ALPN-01 authentication - but most ACME clients don't support it :frowning: ]


Thank you! Unfortunately, that's beyond my current ability, and I may need some more time to learn... Maybe I'd better get a free domain name first. Do you have any recommended way to get it?


Do a web search.
Look for one that allows for DNS TXT records.


if they have broken enough UI to add cname of ip address you may able to use email challenge to admin@[IP] it's valid email address, while it would be mississuance from them.