Can I get a certificate if I only have a public IP address?

I don't have a domain name. I just have a public IP address. Can I have a certificate? First time here, thanks!

2 Likes

No. Let's Encrypt provides only Domain Validation certificates, which (as the name suggests) validate control of a public domain name.

6 Likes

Thanks for response. Then how can I get my server accessed via HTTPS if it only has an IP address?

2 Likes

Unfortunately you might need to weigh the options:

  1. Buy a cheap domain name
  2. Buy an expensive certificate.
  3. Use a self-signed certificate
    :wink:
6 Likes

OR
Use a FREE DDNS name.
[And use it to point to your IP address]

6 Likes

I like that approach the best. The certs I found in an extremely short time-span are incredibly expensive..

4 Likes

You can get a free 90 day certificate for a bare IP address from https://zerossl.com/. You won't be able to make it automatically renewing without paying, though.

7 Likes

Is using a self-signed certificate essentially safe? Will this method be stolen or tampered with by an intermediary?

If you actually check the public key, I'd say it's safer than 'trust by green padlock': think about SSH public key auth.

5 Likes

This community is here to support Let's Encrypt issued certificates by LE supported ACME Clients.

That said, a properly generated self-signed certificate is as "safe" as any other cert issued by a commercial entity. They are useful in many ways... Here's the catch...
Self-Signed Certificates ARE NOT "TRUSTED" by any major browser at all. Which means every time someone visits the site they will have to "accept the risks" associated with a cert of this type.
YOU must do the research before deciding to use a self signed cert.
Example, Google Chrome:

This is probably not the site you are looking for!
The site's security certificate is not trusted!

I recommend using another approach.

OR:

If you are the only one to use the ip/site... OK, but don't expect anyone else to appreciate the perceived hazards when they attempt to use the site and wade through warnings and exceptions that will most likely result in a serious lack of user confidence.
IMHO -- Get a domain name (as @rg305 mentions above). Use certbot and get a real FREE certificate from LE. You will be happier for it. (And we are here to help).
My 2 cents
:coin: :coin:

6 Likes
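Added example (not part of the original thread or any poster's code): generating a self-signed certificate for a bare IP with the address as an IP subjectAltName, then checking its public key against a recorded pin, the SSH-style check mentioned above. It assumes OpenSSL 1.1.1 or later; the address 203.0.113.10 and the function names are constructed for illustration.

```bash
#!/bin/sh
# Added example. 203.0.113.10 is a constructed documentation address (RFC 5737).

# make_selfsigned <ip> <dir>: write key.pem and cert.pem for a bare IP address.
# The address must appear as an IP entry in subjectAltName; a CN alone is not
# used for IP matching.
make_selfsigned() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -days 90 -subj "/CN=$1" -addext "subjectAltName=IP:$1" \
    -keyout "$2/key.pem" -out "$2/cert.pem" 2>/dev/null
}

# has_ip_san <cert.pem> <ip>: succeed only if the certificate is valid for <ip>.
# openssl prints "does match" or "does NOT match" for -checkip.
has_ip_san() {
  openssl x509 -in "$1" -noout -checkip "$2" | grep -q "does match certificate"
}

# spki_pin <cert.pem>: print the base64 SHA-256 of the certificate's public key.
# This is the value to record once and hand to clients out of band.
spki_pin() {
  openssl x509 -in "$1" -noout -pubkey |
    openssl pkey -pubin -outform DER |
    openssl dgst -sha256 -binary |
    openssl base64
}

# verify_pinned <cert.pem> <expected_pin>: succeed only if the key matches the
# recorded pin. A certificate presented by an intermediary has a different key
# and therefore fails this check.
verify_pinned() {
  [ "$(spki_pin "$1")" = "$2" ]
}
```

A client that received `cert.pem` out of band can trust only that certificate with `curl --cacert cert.pem https://203.0.113.10/`, or compare the output of `spki_pin` against the value recorded when the certificate was generated.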

Oh I see! It's very kind of you all! Thank you very much! :handshake:

2 Likes

Hello, Rip. I'm very sorry to bother you again. I am asking for a free 90 day certificate for a bare IP address from https://zerossl.com/. It says that I need to verify ownership of my domain before installing the certificate. I have to choose the second Verification Method (HTTP File Upload) because I don't have a domain name. The steps are as follows:

To verify your domain using HTTP File Upload, please follow the steps below:

  1. Download your Auth File using the following link: Download Auth File
  2. Upload the Auth File to your HTTP server under: /.well-known/pki-validation/
  3. Make sure your file is available under the following link: http://[My IP Address]/.well-known/pki-validation/xxxxxxxxxxxxxxxxxxxxxxxxxxxx.txt
  4. Click "Next Step" to continue.

Do you have any suggestions for the third step above? I tried to use nginx to implement it, but unfortunately, the default port 80 of the web server does not seem to work. I have tried my best, and at present I can only access the auth file through the following link ([My IP Address]:[Other Port Number]): http://[My IP Address]:xxxx/.well-known/pki-validation/xxxxxxxxxxxxxxxxxxxxxxxxxxxx.txt.

Can you give me some advice on this? Thank you very much!

2 Likes

Does your ISP block port 80?

5 Likes

If port 80 isn't available/possible, I don't see another way how ZeroSSL can validate the IP address. The site also gives a CNAME-option, but I'm pretty sure it's not possible to resolve _randomvalue.1.2.3.4..

4 Likes

I guess the problem should be here. :thinking:

1 Like

:sob: So do I have to get a domain name before I can use it? Or can't even if there is a domain name?

If port 80 is being blocked (or being used by some other device), then HTTP-01 validation is not an option for you.

That leaves DNS-01 validation.
But that requires making required changes to a real (Internet accessible) DNS zone.

[ There is also TLS-ALPN-01 authentication - but most ACME clients don't support it :frowning: ]

6 Likes

Thank you! Unfortunately, that's beyond my current ability, and I may need some more time to learn... Maybe I'd better get a free domain name first. Do you have any recommended way to get it?

3 Likes

Do a web search.
Look for one that allows for DNS TXT records.

6 Likes

If they have a broken enough UI to add a CNAME of an IP address, you may be able to use the email challenge to admin@[IP]; it's a valid email address, though it would be misissuance from them.

4 Likes