Certificates for IP addresses

rehmat · August 18, 2021, 9:47pm

I am working on an open source control panel for Ubuntu that users can use in order to deploy and manage PHP websites. I felt a need of this control panel and I hope that it will serve the community.

So during the installation, mostly users don't point any domains. And I want to serve the control panel over the IP address on a custom port and over HTTPS using a valid SSL certificate. I initially used self-signed certs, but then I found that ZeroSSL does provide SSL certificates for IP addresses too.

They have mentioned unlimited 90 days SSL certificates under their pricing plans, but for an open source project, I am expecting to get a lot of users. And I am sure that ZeroSSL isn't going to like if I use a single account to generate SSLs for the users of the control panel.

This is one single use and this is specific to the control panel that I am developing. But I am sure that a lot of other users and businesses are also needing this feature. Where Let's Encrypt has brought a revolution when it comes to serve secure websites, I sincerely request that please consider this feature request. If you are a normal user like me, do reply here and support this thread to get attention of the LE team. Desperately looking forward for this feature.

aarongable · August 18, 2021, 10:08pm

Yep, it's been on our radar for a long time. We hoped to get to it this year, but other higher priorities (such as the chain change) arose which have bumped ACME-IP further into the future. It's still something that we hope to do, but not something we plan to do at this time.

griffin · August 18, 2021, 10:53pm

Are IP address SANs back on the table now? I thought I heard somewhere recently that they were permanently shelved.

orangepizza · August 18, 2021, 11:16pm

it was "too large: we maybe look this again in 2022"

github.com/letsencrypt/boulder

Support for ip address san

letsencrypt:main ← orangepizza:master

opened 12:01AM - 01 Jul 20 UTC

orangepizza

+209 -100

tested with modified certbot https://github.com/certbot/certbot/pull/8029 for ip…v4 addresses, and ipv6 just before actual signing pa and CFSSL blocks signing certificate for reserved IP address, and I don't have ipv6 internet connectivity, I couldn't test actual ipv6 cert: what not done yet: 1. ratelimit (it treats ipv6 address as it's own base domain, and last two octet for ipv4 address 3.4 for 1.2.3.4) 2. as I feared changing order/challenge structure that just save name instead of identifier will brake backward compatibility with current database structure, I untouched and just recreated right type of identifier on the fly. (so wfe is only real place that mistyped user's identifier) so a lot more net.parseIP (5ish per a set of domain) I hope it isn't that heavy. 3. I make some new unit tests but it may(and probably will) not be enough for public ca. 4. integration test for cert with ip address: we just don't have large enough public IP space for that P.S what kind of IP should be used for integrate testing that isn't Reserved IP address and free to use in test context?

jvanasco · August 18, 2021, 11:52pm

This was way too hard for me to find, but i did remember this comment:

griffin · August 18, 2021, 11:54pm

That's the one. Glad you found it, @jvanasco. I tried a few searches, but came up empty.

jvanasco · August 19, 2021, 3:14pm

I only remembered that was from a male LetsEncrypt staff member with a black and white photo, and started digging through the posts/comments on each staff member's profile.

Pretty much all their staff photos are black & white.

system · September 18, 2021, 9:42pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.