Hi @bigspace,
Certbot displays this warning when you use --manual because it’s more likely that people using --manual are running Certbot on a different machine from their web server. (If you’re running directly on your web server, you can often use a different method to prove your control over the domain name.) In that case, you might not have considered that the machine interacting directly with the certificate authority is, for example, your personal laptop as opposed to your web server, and hence it’s the IP address of your personal laptop that will end up in Let’s Encrypt’s logs.
OK, so…
Let’s Encrypt itself is required by its policies and auditors to maintain a lot of logs related to certificate requests, in case the validity of a particular request or of Let’s Encrypt’s practices comes into serious question in the future. There is no way to prevent Let’s Encrypt from logging your IP address and other information when you request a certificate. (If you did want to hide it from the certificate authority, you could try to request the certificate via an anonymous proxy.)
The text about public logging relates to something that we were thinking about doing in the past to help security researchers investigate patterns of attacks and malicious use of certificate authorities. The idea is that the researchers could determine if there were particular methods that were being used routinely to obtain fraudulent certificates, or to attempt to. However, this public logging concept has never been implemented in practice.
It seems like that makes Certbot’s privacy warning here confusing because it relates to a hypothetical disclosure of information that doesn’t actually occur. I’ll try to follow up on this to see if we might want to get a definitive decision from the CA of whether this public logging is planned or not—and, if not, to remove this warning from Certbot entirely.
Answering yes to this question doesn’t affect Certbot’s (or Let’s Encrypt’s) behavior in any way; it’s just a requirement in order to use Certbot’s --manual mode because of the idea that IP addresses of users of --manual are more likely to be sensitive or not otherwise visible to the public than IP addresses of users of other methods.