Can your services be used in "only IP" servers?


#1

Hi.
I have some development servers that I want to use SSL on.
Can I do that with Let’s Encrypt?
Is there any difference from using it on a server that has a domain name?


#2

Let’s Encrypt can’t issue certificates for IP addresses, not only because ACME doesn’t yet support non-DNS identifiers, but it may just also be out of scope for the project.

You may find that some other certificate authorities have the ability to do so, assuming you are the owner of the IP delegation from ARIN/APNIC/whoever.


#3

The answer from @_az is correct (as always! Thanks @_az)

For folks interested in this portion of the problem space there is a draft in process in the ACME working group to add IP address identifiers: https://datatracker.ietf.org/doc/draft-ietf-acme-ip/

It isn’t far enough along for Let’s Encrypt to consider implementing it or providing IP address certificates, but the standards work in progress may be of interest regardless.


#4

Isn’t a “domain validated” certificate per definition limited to cover only hostnames in validated domains?

AFAIK IP addresses in the Subject Alternative Name extension are allowed in OV and EV certificates only (e.g. https://1.1.1.1/ -> https://crt.sh/?id=371015548 -> OV certificate)


#5

I don’t know. I can’t find the outright regulation that states that ipAddress SANs are only allowed to appear on OV.

With the below query I was able to find some certificates (e.g. https://crt.sh/?id=179755654) that “look” like DV to me (at least, it contains the policy OID for domain validation as written in the BRs: 2.23.140.1.2.1).

```sql
-- crt.sh PostgreSQL query: certificates issued since 2017 that carry an iPAddress SAN
-- but no organizationName / organizationalUnitName / emailAddress identity,
-- i.e. the ones that look like DV rather than OV/EV.
SELECT ci.*
FROM certificate_identity ci
LEFT JOIN certificate c ON c.id = ci.certificate_id
WHERE x509_notBefore(c.certificate) > '2017-01-01T00:00:00Z'
  AND ci.name_type = 'iPAddress'
  AND ci.certificate_id NOT IN (
        -- correlated subquery: same certificate, any OV/EV-style subject identity
        SELECT certificate_id
        FROM certificate_identity cii
        WHERE ci.certificate_id = cii.certificate_id
          AND cii.name_type = ANY('{organizationName,emailAddress,organizationalUnitName}'::name_type[])
  );
```

There are some others too but I feel bad hammering the crt.sh database to list them all.

Edit: here’s a way better list: https://censys.io/certificates?q=trusted+AND+parsed.extensions.subject_alt_name.ip_addresses%3A*+AND+parsed.extensions.certificate_policies.id%3A+2.23.140.1.2.1 - and it contains plenty of active IP SAN certificates with the DV CABF policy extension, including major CAs like Comodo.
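To make the DV-versus-OV distinction from #4 and #5 concrete, here is an added Go example (not code from this thread, from crt.sh or from Let’s Encrypt) that builds a constructed self-signed certificate carrying an iPAddress SAN and the CABF DV policy OID 2.23.140.1.2.1, then reads those fields back with the same three checks the crt.sh query above encodes: iPAddress SAN present, DV policy asserted, and no organizationName in the subject. The function names, the 192.0.2.10 documentation address and the "Example Org" value are assumptions made for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"net"
	"time"
)

// CABF Baseline Requirements policy OID asserted by domain-validated certificates.
var dvPolicyOID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
// ProfileDER parses a DER certificate (e.g. fetched from a TLS handshake or crt.sh) and
// reports its iPAddress SANs, the DV policy OID, and an OV/EV-style organizationName.
func ProfileDER(der []byte) (ipSANs []string, hasDVPolicy, hasOrgName bool, err error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, false, false, err
	}
	for _, ip := range cert.IPAddresses {
		ipSANs = append(ipSANs, ip.String())
	}
	for _, oid := range cert.PolicyIdentifiers {
		hasDVPolicy = hasDVPolicy || oid.Equal(dvPolicyOID)
	}
	return ipSANs, hasDVPolicy, len(cert.Subject.Organization) > 0, nil
}

// MakeTestCertDER builds a constructed self-signed demo fixture: an iPAddress SAN, the DV
// policy OID as a raw certificatePolicies extension (independent of Go's policy fields), and org.
func MakeTestCertDER(ip string, org []string) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	policies, _ := asn1.Marshal([]struct{ ID asn1.ObjectIdentifier }{{dvPolicyOID}})
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: ip, Organization: org},
		NotBefore:       time.Now(),
		NotAfter:        time.Now().Add(24 * time.Hour),
		IPAddresses:     []net.IP{net.ParseIP(ip)},
		ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: policies}}, // id-ce-certificatePolicies
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}
```

Pointing ProfileDER at a leaf certificate pulled from a real handshake shows the same three facts the crt.sh and Censys searches surface, without querying either service.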


#6

Ah, thanks. Never seen a DV certificate with an IP address before, and I hadn’t found a way to search for them.

