Certificate for public IP without domain name


also there’s dedyn which also gives free DynDNS along with DNSSec.


Question: why IP certificates are not going to be issued? You can easily get maintainer information with email through RIR databases which has already performed all required checks on IP ownership.


Email validation is not exactly perfect for an automated system. The existing challenge types probably won’t be sufficient to demonstrate IP ownership. IP-based certificates are also not something a lot of people use.

I think it’s understandable that this isn’t a priority.


You can make automated challenge type the same as let’s encrypt.

Say you want to verify for IPKVM software or just small software on VPS not worth issuing domains or sub-domains (these are not free, you remember that?). Say you got a cheap VPS and want it to be protected. You ask provider to verify through let’s encrypt - they supply a challenge link in info: or comment: or lencrypt: entry of RIR DB and provide and verify that this IP belongs to someone who ordered the VPS for at least 3 months via encrypted response on an url.

Making the web secure, as you say.


There’s plenty of free options when it comes to domains. Any DynDNS provider on the Public Suffix List will do. You can get a free domain at http://www.dot.tk/.

As I mentioned, none of the existing challenge types work in this context, and creating a new one (especially one that requires ISPs willing to implement something like that) for something that’s hardly being used in practice seems like a lot of effort that could be better spent elsewhere.


Besides, only using an IP address without a domain name suggest it isn’t for the main public to use?

In that case, you could as well generate your own root certificate and set up your own CA or just use a self-signed certificate.


well if you can do txt records for IP addresses you could set up something similar to DNS challenge just for IP but I personally think that http-01 shouldnt be used anyway and much less for IP addresses. wouldnt be nice if I could make a cert for a shared server would it?


You probably wouldn’t have access to the webroot of just the IP in a shared environment :wink:


well host configs can be pretty funny, especially considering the question “what host is the default”.


I’m running a development server. we won’t launch the site for some time but I still want to test out LE. Should I purchase/acquire a cheap/free domain to test? forgo crypto until we launch? install LE on the server for the domain name but not redirect DNS until launch?


I’d suggest either using a subdomain, or purchase a free domain ( freenom.com ) for testing you are happy with everything.



Any updates about it? I saw this feature from “paid” SSL Certificates: https://www.globalsign.com/en/ssl/intranetssl/

So I’ll be happy if I could do same with Let’s encrypt.


Well, they use “non-public GlobalSign root”. So, the normal root stores won’t include that root certificate presumably. Thus, this is no different compared with you running your own CA. Which is quite easily with OpenSSL btw…

So, why should Let’s Encrypt provide a non-public root and non-trusted certificates?


It make sense. Thanks for detaild explanation!


Hey there,

Click this:
It’s a valid SSL cert


Yes, it s possible to get a certificate for an IP address. It is not possible to do so from Let’s Encrypt, for a variety of reasons that have been described on other threads on this forum.


This is correct - you cannot issue a certificate for an IP address through Let’s Encrypt. That is a policy decision that has been made by Let’s Encrypt due to a large number of security and practicality implications surrounding how IP addresses are allocated as opposed to how domain names are allocated. There are several commercial certificate authorities who do offer certificates covering IP addresses, if you have an absolute requirement for such a certificate, but you will not be able to do so with Let’s Encrypt. As the Certbot error message explains, you must provide a domain name ending in a public suffix, that is to say something like .com, .net, .us, etc.


I think that there is no need to verify you “own” the IP before issuing a IP certificate.
Just like domain validation certificate, it just need to verify that you have full control over this IP address at this time.
I suggest using a method similar to http-01 to verify the control over this ip address.
To solve the security concern of dynamic ip, you can just issue IP certificates with very short valid period, for example 2 hours or 1 day. (That’s a solution, just like letsencrypt can’t ensure the owner of a domain will still own this domain in the next 90 days)
As IP certificates can’t perform MitM attacks on any hosts on this IP, I think issuing IP certificates won’t cause much security problems.
Then… why not provide IP certificates?

#84 have a IP SSL


… with ipv4 - and ipv6 - addresses:

DNS-Name: *.cloudflare-dns.com
DNS-Name: cloudflare-dns.com
IP-Adresse: 2606:4700:4700::1111
IP-Adresse: 2606:4700:4700::1001