Certificate for public IP without domain name

My1, while I agree that it is potentially harder to verify, perhaps there could be a requirement that a site be visited FROM the IP in question, in order to show control over it. As an example:

My Cisco router is at 1.2.3.4 (theoretically a publicly routable IP); the CA would tell me to access https://verify.CA.com/randomstring/verify.txt from IP 1.2.3.4 to confirm control. On my Cisco, I would just enter the following command in the CLI:
copy https://verify.CA.com/randomstring/verify.txt verify.txt

Well, that would not make it much better, because everyone on a hoster can invoke curl or whatever in PHP to access the file and get a cert for the entire hoster.

I don't know what you can set in reverse DNS, but if you can make TXT records for IPs you could do that; that requires a lot more control.

Why would curl be able to do that? The random string would be generated on demand when the user requests an IP cert, and then dumped afterwards (not to mention that the system would disregard it if it wasn't accessed from the IP in question).

The problem is, the IP address doesn’t have to be unique to that user.

Imagine a server with 100 users and only one IP address. Every user who invoked curl or copy would be able to "be the owner" of that IP address in your situation, because every connection from that server would be from that single IP address. Therefore, that method could never be used to uniquely identify the owner of the IP address…

Don't underestimate the power of some nice PHP; I could easily craft a form where I enter the URL and that gets curl'd.
Or I just write the URL in the code after I got it from the CA.

Obviously @Osiris's answer is exactly what I am saying. Anybody with curl, fsockopen or similar (which most hosters actually have so users can use CMS or forum software better (auto updates etc.))

But, unless they have the issued HTTP link, which would only be valid one time, it would just be noise to the server, and in fact, if it were me, I would set a connection limit to prevent spamming of the server.

Basically, the IP may not be unique, but the HTTP link would be, and it would expire as soon as either the link was confirmed or the connection limit was reached.

As I said above, the link that LE (or another CA) issues would be a one-time-use, self-expiring link (it either expires once used, or after some configured number of failed attempts from an IP). Yes, I get that there are situations where it's not useful, but there are many times where it would be, such as firewalls/routers, etc., where you typically would not assign a DNS name, but just access the IP address.

Unless I am missing something, here is how I see it:

  1. IP certificates are not against the rules, but they are also not required.
  2. There are ways for the CA to ensure that the person requesting the certificate is actually authorized to use the IP address. Some ways are: unique, one-time-use HTTPS links to the CA's verification website (server side); requiring the posting of an HTML/TXT file with a specific name and data in it to the IP's web server (client side); and rate limiting requests in general to prevent automated processes from trying to guess the server-side web link.
  3. There are many use cases where using a domain name would not be preferable or would be pointless, such as for device management (i.e., routers, firewalls, etc.).
  4. At this time, it appears that LE has decided NOT to allow this, which is perfectly within their purview to allow or disallow, as it is not required, but I do hope that they revisit that decision at a later time.
  5. Even if multiple people had a "valid" certificate for the IP address, only the users that are actually connected to the IP could use the certificate, which would also require cooperation from the user that controls the gateway, so that argument is moot, as the gateway controller would have to forward the appropriate ports to the inside users. This would also mean that anyone who got a certificate from a dynamic IP pool would not be able to continue using the certificate (at least not without triggering the browser warning alarms that the DN was not valid) once that user's IP had changed.
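To make the "one-time, self-expiring link bound to the requesting IP" scheme from the list above concrete, here is an added example of the CA-side bookkeeping it implies. This is illustrative code written for this thread, not Let's Encrypt code or anything any CA runs; the type and function names, the hex token format, and the failure budget are all assumptions. It also shows in code the objection raised elsewhere in the thread: the check binds only to the source IP, so every tenant behind one shared address passes it equally.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"net"
	"sync"
	"time"
)

// Errors a verification fetch can produce. ErrUnknown covers random or
// guessed tokens, which the poster calls "noise" (rate limit those upstream).
var (
	ErrUnknown     = errors.New("unknown token")
	ErrExpired     = errors.New("token already used, burned or timed out")
	ErrWrongSource = errors.New("fetch did not come from the claimed IP")
)

// challenge is one issued link: bound to a claimed IP, single use, with a
// budget of failed attempts after which it is burned.
type challenge struct {
	ip       net.IP
	expires  time.Time
	failures int
	done     bool
}

// Verifier is the hypothetical CA-side store of pending one-time links.
type Verifier struct {
	mu          sync.Mutex
	maxFailures int
	ttl         time.Duration
	pending     map[string]*challenge
}

func NewVerifier(maxFailures int, ttl time.Duration) *Verifier {
	return &Verifier{maxFailures: maxFailures, ttl: ttl, pending: map[string]*challenge{}}
}

// Issue generates the random path component (the "randomstring" in the
// thread) for a link that is only honored when fetched from claimedIP.
func (v *Verifier) Issue(claimedIP string) (string, error) {
	ip := net.ParseIP(claimedIP)
	if ip == nil {
		return "", fmt.Errorf("invalid IP %q", claimedIP)
	}
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(b)
	v.mu.Lock()
	defer v.mu.Unlock()
	v.pending[tok] = &challenge{ip: ip, expires: time.Now().Add(v.ttl)}
	return tok, nil
}

// Fetch models GET /<tok>/verify.txt arriving from remoteIP. Note what it
// cannot tell apart: two shared-hosting tenants, or a router and a PC behind
// one NAT, all arrive from the same remoteIP and all pass.
func (v *Verifier) Fetch(tok, remoteIP string) error {
	v.mu.Lock()
	defer v.mu.Unlock()
	c, ok := v.pending[tok]
	if !ok {
		return ErrUnknown
	}
	if c.done || time.Now().After(c.expires) {
		c.done = true
		return ErrExpired
	}
	src := net.ParseIP(remoteIP)
	if src == nil || !src.Equal(c.ip) {
		c.failures++
		if c.failures >= v.maxFailures {
			c.done = true // burn the link after the configured failed attempts
			return ErrExpired
		}
		return ErrWrongSource
	}
	c.done = true // single use: the first successful fetch consumes it
	return nil
}

func main() {
	v := NewVerifier(3, 10*time.Minute)
	tok, _ := v.Issue("203.0.113.10") // TEST-NET-3 address, constructed
	fmt.Println("from other host:", v.Fetch(tok, "198.51.100.7"))
	fmt.Println("from claimed IP:", v.Fetch(tok, "203.0.113.10"))
	fmt.Println("replayed:", v.Fetch(tok, "203.0.113.10"))
}
```

The source-IP comparison is the entire proof here, which is why the objection about shared hosting stands: the verifier has no way to learn which process behind that address made the request.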

A possibility is for people in @pavel_odintsov’s situation to assign domain names to the customer as subdomains of a domain that the company controls, much the way ISPs may assign domain names like ip-192-168-17-23.example.net under the ISP’s own domain. In that case the software run by the customer would be able to obtain the cert and then the organization would be able to access the customer’s device via that domain name.

It’s true that right now Let’s Encrypt’s rate limiting would make this impractical for an organization with more than a handful of customers, because they would hit the rate limit very quickly, but we’ve also been clear that we would like to grant exceptions to the rate limiting where it’s useful. So I think people should make proposals about using subdomains this way and we can discuss whether we can accommodate them somehow.


I think there are other threads about this from embedded device vendors and I think I made the same suggestion to them. Just to be clear, we have not yet made any kind of agreement with a vendor to do this and we’d have to think about it and discuss it within Let’s Encrypt. But I would be happy to have such a proposal to discuss. (If you want to try it experimentally at a slow rate that doesn’t run up against the rate limit, you should be able to start doing that today. The rate limit is the only problem I’m aware of for this kind of scheme.)

@wb6vpm In every environment where IPs are shared and/or dynamic, anyone can get IP certs for IPs they might have access to but that don't belong to them.

If you want a cert for your home internet IP, you can literally just open a browser and open the link.

If you are in shared hosting, you can make a simple one-line PHP script which does the connection for you, and especially in shared environments an IP cert can really hurt, because MITMing is a LOT easier.

In my opinion, for both IPs and domains, what should be validated is not control of the host BEHIND the IP/domain but rather the IP/domain ITSELF (DNS, WHOIS mail, etc.).

But there is only one site which gets served without any Host: header, so it is just like another virtual hosting domain. OTOH, for any virtual hosting, the hosting provider could issue certificates for all domains which are pointing at his server.

We are a hoster too, and we have our own datacenter, and we have set it up so that each server has a master hostname from us, like xyl.yourhostdomaine.com; then you can use our SSL for that hostname. That works easily and has no issues with Let's Encrypt.

The problem is that most hosters do not have a single domain, and some have no explicit default domain.
So with the IP it is good luck which domain serves the response.
It is the same stupid argument as with checking the challenge via an HTTPS request.
Because the challenge could easily be to sign the server nonce + client nonce with the domain/IP private key that matches the certificate that serves the HTTPS connection.
But in the end it is the same topic as why there are no email certificates: it is simply a decision of the CA.

@tlussnig Don't forget that more than enough IPs are dynamic, and therefore anyone who had the IP for one day could have a whole year to MITM everyone else who suddenly got that IP.

Hi, this does not count. The same thing as IPs being held for one day applies to the FQDNs assigned by most providers to these dynamic IPs.
To solve this you would need to blacklist all domains based on dynamic IPs.

But you can't "see" which IPs are dynamic and from which provider, because there are way too many in this world and it is hard to impossible to blacklist them all…

It is the same as dynamic domains. Most providers have domain names for their IPs (reverse lookup).
So there is no real difference.

Yeah, but getting the domain names of all providers in the world, even those that do offer static IPs along with dynamic ones (like 1und1 can do with their DSL), is close to impossible.

If it were possible to create reverse lookup TXT entries to prove you actually control the IP, it would be an entirely different story.

My1, reverse lookup TXT entries are possible.
If you own a /24 or /16 or /8, then you have the matching ".in-addr.arpa" zone.
For other CIDR sizes there are two options:
a) The provider points an NS for the full reverse entry to use (<24) or for the next smaller sub-zone.
b) You can ask the IP provider to add the TXT record.
But then the record should not be dynamic. For example, it could contain the checksum of the public key.
And you then need to prove that you can sign a nonce with a private key that matches the announced public key hash.
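The reverse-zone proof sketched in the post above (a static TXT record in in-addr.arpa carrying a hash of the applicant's public key, then a signature over a nonce with the matching private key), combined with the earlier suggestion to sign a server nonce plus a client nonce, as an added worked example. This is not code from the thread or from any CA; the TXT record format (`ip-cert-key=sha256:<hex>`), the function names, and the use of Ed25519 are assumptions made for the example, and the zone is an in-memory stand-in for a DNS lookup, which in practice should be DNSSEC-validated.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net"
	"strings"
)

// Zone is a constructed stand-in for DNS: reverse name -> TXT record values.
type Zone map[string][]string

// txtPrefix is a hypothetical record format chosen for this example.
const txtPrefix = "ip-cert-key=sha256:"

// ReverseName maps an IPv4 address to its in-addr.arpa name,
// e.g. 203.0.113.10 -> "10.113.0.203.in-addr.arpa.".
func ReverseName(ip string) (string, error) {
	p := net.ParseIP(ip).To4()
	if p == nil {
		return "", errors.New("not an IPv4 address")
	}
	return fmt.Sprintf("%d.%d.%d.%d.in-addr.arpa.", p[3], p[2], p[1], p[0]), nil
}

// KeyHash is the "checksum of the public key" the post refers to.
func KeyHash(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// TXTRecord is the static value the address holder publishes in the reverse zone.
func TXTRecord(pub ed25519.PublicKey) string { return txtPrefix + KeyHash(pub) }

func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// NewNonce yields 32 random bytes; both the CA and the applicant contribute one.
func NewNonce() ([]byte, error) {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		return nil, err
	}
	return n, nil
}

// proofMessage binds both fixed-length nonces under a context label so that
// neither party alone chooses the signed bytes and the encoding is unambiguous.
func proofMessage(serverNonce, clientNonce []byte) []byte {
	msg := []byte("ip-cert-proof:")
	msg = append(msg, serverNonce...)
	msg = append(msg, ':')
	return append(msg, clientNonce...)
}

// Sign is the applicant's step: prove possession of the private key.
func Sign(priv ed25519.PrivateKey, serverNonce, clientNonce []byte) []byte {
	return ed25519.Sign(priv, proofMessage(serverNonce, clientNonce))
}

// VerifyProof is the CA's step: the presented public key must hash to a
// value published in the IP's reverse zone, and the signature must cover
// the nonces of this exchange (so a captured signature cannot be replayed).
func VerifyProof(zone Zone, ip string, pub ed25519.PublicKey, serverNonce, clientNonce, sig []byte) error {
	if len(serverNonce) != 32 || len(clientNonce) != 32 {
		return errors.New("nonces must be 32 bytes")
	}
	name, err := ReverseName(ip)
	if err != nil {
		return err
	}
	want := KeyHash(pub)
	found := false
	for _, txt := range zone[name] {
		if strings.HasPrefix(txt, txtPrefix) && strings.TrimPrefix(txt, txtPrefix) == want {
			found = true
			break
		}
	}
	if !found {
		return errors.New("no matching key hash in reverse zone for " + name)
	}
	if !ed25519.Verify(pub, proofMessage(serverNonce, clientNonce), sig) {
		return errors.New("signature does not verify under the announced key")
	}
	return nil
}

func main() {
	pub, priv, _ := NewKeyPair()
	name, _ := ReverseName("203.0.113.10") // TEST-NET-3, constructed
	zone := Zone{name: {TXTRecord(pub)}}     // constructed reverse zone
	sn, _ := NewNonce()
	cn, _ := NewNonce()
	fmt.Println("proof:", VerifyProof(zone, "203.0.113.10", pub, sn, cn, Sign(priv, sn, cn)))
}
```

Because the record is a hash of the key rather than a per-request token, a dynamic-pool address that changes hands does not carry the proof with it: the new holder cannot produce signatures under the key named in the zone, which is the gap the dynamic-IP objection in this thread is about.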