Well, if you can do TXT records for IP addresses you could set up something similar to the DNS challenge just for IP, but I personally think that http-01 shouldn't be used anyway, and much less for IP addresses. It wouldn't be nice if I could make a cert for a shared server, would it?
You probably wouldn’t have access to the webroot of just the IP in a shared environment
Well, host configs can be pretty funny, especially considering the question “what host is the default?”
I’m running a development server. We won’t launch the site for some time, but I still want to test out LE. Should I purchase/acquire a cheap/free domain to test? Forgo crypto until we launch? Install LE on the server for the domain name but not redirect DNS until launch?
I’d suggest either using a subdomain, or purchasing a free domain ( freenom.com ) for testing until you are happy with everything.
Any updates about it? I saw this feature from “paid” SSL Certificates: https://www.globalsign.com/en/ssl/intranetssl/
So I’ll be happy if I could do same with Let’s encrypt.
Well, they use a “non-public GlobalSign root”. So, the normal root stores won’t include that root certificate, presumably. Thus, this is no different compared with you running your own CA. Which is quite easy with OpenSSL, btw…
So, why should Let’s Encrypt provide a non-public root and non-trusted certificates?
It makes sense. Thanks for the detailed explanation!
Yes, it’s possible to get a certificate for an IP address. It is not possible to do so from Let’s Encrypt, for a variety of reasons that have been described on other threads on this forum.
This is correct - you cannot issue a certificate for an IP address through Let’s Encrypt. That is a policy decision that has been made by Let’s Encrypt due to a large number of security and practicality implications surrounding how IP addresses are allocated as opposed to how domain names are allocated. There are several commercial certificate authorities who do offer certificates covering IP addresses, if you have an absolute requirement for such a certificate, but you will not be able to do so with Let’s Encrypt. As the Certbot error message explains, you must provide a domain name ending in a public suffix, that is to say something like .com, .net, .us, etc.
I think that there is no need to verify you “own” the IP before issuing an IP certificate.
Just like a domain validation certificate, it just needs to verify that you have full control over this IP address at this time.
I suggest using a method similar to http-01 to verify control over this IP address.
To solve the security concern of dynamic IPs, you can just issue IP certificates with a very short validity period, for example 2 hours or 1 day. (That’s a solution, just like Let’s Encrypt can’t ensure the owner of a domain will still own this domain in the next 90 days.)
As IP certificates can’t perform MitM attacks on any hosts on this IP, I think issuing IP certificates won’t cause many security problems.
Then… why not provide IP certificates?
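The post above rests on how a TLS client matches a certificate against the identity it connected to: an IP certificate carries only iPAddress SANs, so a client that reached the same machine by hostname will reject it, and a domain-validated certificate is likewise rejected by a client that connected by IP literal. The following added example (not code from the thread or from Let’s Encrypt) models that RFC 6125 / RFC 2818 style matching with the standard library only; the SAN lists and addresses are constructed from documentation ranges.

```python
"""Added example: how a TLS client decides whether a certificate's Subject
Alternative Names cover the identity it connected to. Stdlib only; the SAN
lists below are constructed, not parsed from real certificates."""
import ipaddress
from typing import Iterable, Tuple

# A SAN entry as (type, value): type is "DNS" or "IP", mirroring the
# dNSName / iPAddress GeneralName choices in X.509.
San = Tuple[str, str]


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive dNSName match; a wildcard is allowed only as the
    whole left-most label (RFC 6125 section 6.4.3)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def identity_matches(sans: Iterable[San], reference: str) -> bool:
    """True if `reference` (a hostname or an IP literal, possibly bracketed
    IPv6) is covered by one of the SAN entries.

    An IP literal only ever matches an iPAddress SAN, compared as a parsed
    address so "2001:db8::1" and "2001:0db8:0:0:0:0:0:1" are equal; it never
    matches a dNSName, and a hostname never matches an iPAddress entry."""
    ref = reference.strip("[]")
    try:
        ref_ip = ipaddress.ip_address(ref)
    except ValueError:
        ref_ip = None
    for kind, value in sans:
        if ref_ip is not None:
            if kind == "IP":
                try:
                    if ipaddress.ip_address(value) == ref_ip:
                        return True
                except ValueError:
                    continue
        elif kind == "DNS" and _dns_name_matches(value, ref):
            return True
    return False


# Constructed SAN list for a hypothetical certificate issued only for an IPv4
# and an IPv6 address (documentation ranges, RFC 5737 / RFC 3849).
IP_ONLY_CERT_SANS = [("IP", "203.0.113.10"), ("IP", "2001:db8::10")]
# Constructed SAN list for a hypothetical domain-validated certificate.
DOMAIN_CERT_SANS = [("DNS", "example.com"), ("DNS", "*.example.com")]

if __name__ == "__main__":
    # Client typed https://203.0.113.10/ -> the IP cert is accepted.
    print(identity_matches(IP_ONLY_CERT_SANS, "203.0.113.10"))   # True
    # Same host reached by name -> the IP cert does not vouch for the name.
    print(identity_matches(IP_ONLY_CERT_SANS, "example.com"))    # False
    # Domain cert presented to a client that connected by IP -> rejected.
    print(identity_matches(DOMAIN_CERT_SANS, "203.0.113.10"))    # False
```

The second case is the one that matters for the security argument in the thread: whoever controls an address can obtain a certificate naming that address, but browsers that visit the sites hosted there by name never consult iPAddress entries, so such a certificate cannot stand in for those names.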
… with ipv4 - and ipv6 - addresses:
I think IP address certificates have to be supported eventually. They are pretty much required for running a DNS-over-HTTPS server because with hostnames you run into a chicken-or-egg problem on a DNS server.
A DNS challenge could be done on the reverse zone, and HTTP is even simpler than for hostnames.
That’s definitely an important use case, but for example Cloudflare’s is issued by DigiCert, so it doesn’t necessarily absolutely have to be done by Let’s Encrypt.
I’m sure you can get IP certificates from other CAs if you pester them enough. I’m worried that CAs will probably attempt to charge a premium for them, which could hinder adoption of DoH.
It is possible to purchase certificates for IP addresses, but not from Let’s Encrypt. Let’s Encrypt may offer IP address certificates in the future, but as of September 2018 we do not.