I need to create a new certificate. Can Let's Encrypt issue a certificate for a (static) IP address instead of for a URL? I've found mixed and contradictory info about it.
If it's possible, I'd also like your opinion on the subject: since LE certificate data is public (transparency), the IP will be published too (I know the IP itself is public, and if it's reached, the certificate will be shown. But the more places an IP is published, the more easily it will be found and targeted). Would you consider this a privacy or a security issue? Or am I being overly paranoid?
Unfortunately, no. It was planned, but even the planning was halted some time ago.
There existed a Chinese CA that offered free certificates using ACME, including IP addresses, but that CA is "gone" now for some reason. Not sure if it'll ever come back online again.
As far as I know, no other free CA using ACME offers certs for IP addresses, although Google is a relatively new kid on the block, so I don't know what they offer. I don't have the requirements to get a free Google ACME cert, so I can't test it.
IMO you're being overly paranoid. Regular hostnames resolve to IP addresses anyway. An IP address is public, period. (It's always funny to see people here on the Community post a screenshot of something containing both their hostname and an IP address where the IP address is blurred but the hostname isn't. It proves that person does not have a clue about how the internet, hostnames and IP addresses work...)
Even if it wasn't publicly advertised, it would be targeted due to scanners sweeping entire IP address ranges. You should count on your IP address being targeted, either directly or not.
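To make concrete what the two posts above are discussing, here is an added example (not code from the thread or from Let's Encrypt) showing where an IP address lives in a certificate and what a Certificate Transparency log would therefore expose. It mints a self-signed certificate, which is only so the program runs offline and uses the reserved documentation host "example.test" and TEST-NET address 203.0.113.10 (both constructed values); a publicly trusted CA would produce the same iPAddress SAN structure, so the limitation the reply describes is CA policy, not the X.509 format. It also checks that Go's standard verifier accepts the certificate for the IP, which is exactly what a browser would do if a trusted CA had issued it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// PublicSANs is the part of an issued certificate that every CT log viewer
// shows to anyone: the Subject Alternative Names, split by type.
type PublicSANs struct {
	DNSNames []string
	IPs      []string
}

// mintIPCert builds a self-signed server certificate carrying both a
// dNSName SAN and an iPAddress SAN. Self-signed only so the example runs
// offline; the SAN extension is encoded the same way by any CA.
func mintIPCert(host, ip string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour), // LE-style 90-day lifetime
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{host},
		IPAddresses:  []net.IP{net.ParseIP(ip)}, // becomes a GeneralName of type iPAddress
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// extractSANs parses the DER certificate and returns the names a CT log
// entry would publish for it.
func extractSANs(der []byte) (PublicSANs, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return PublicSANs{}, err
	}
	out := PublicSANs{DNSNames: cert.DNSNames}
	for _, ip := range cert.IPAddresses {
		out.IPs = append(out.IPs, ip.String())
	}
	return out, nil
}

// certMatches reports whether the certificate's SANs cover the given name.
// VerifyHostname accepts an IP address literal as well as a hostname, so a
// client connecting to https://203.0.113.10/ would accept this certificate.
func certMatches(der []byte, name string) (bool, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return false, err
	}
	return cert.VerifyHostname(name) == nil, nil
}

func main() {
	der, err := mintIPCert("example.test", "203.0.113.10")
	if err != nil {
		panic(err)
	}
	sans, err := extractSANs(der)
	if err != nil {
		panic(err)
	}
	fmt.Printf("DNS names in CT entry: %v\n", sans.DNSNames)
	fmt.Printf("IP addresses in CT entry: %v\n", sans.IPs)
	for _, name := range []string{"example.test", "203.0.113.10", "198.51.100.1"} {
		ok, _ := certMatches(der, name)
		fmt.Printf("valid for %-13s: %v\n", name, ok)
	}
}
```

The point for the original question: whatever names go into the SAN list, hostname or IP, are what the log publishes, so a CT entry adds no information beyond what the certificate itself already hands to every client that connects.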
Okay. Got it. Thx!
I know about scanning, I suffer it haha. I just didn't want it to get worse.
And it's dumb to publish the hostname but not the IP, as you say. You should blur both, or neither.
Everybody "suffers" from scanning, but IMO it's not a big deal as long as you have your security in order. Always keep your software up to date; in particular, don't run legacy/end-of-life software, and update software immediately if an exploit is found.
Personally, I don't care about scanners. They can scan all they want. My software is bleeding edge (Gentoo) and I get reports if a piece of software installed on my server is vulnerable to an exploit/bug.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.