Certificates for Numeric IPs


#1

It would be very useful for Let's Encrypt to offer SSL certificates for numeric IPs; that is to say, for servers that do not have a Fully Qualified Domain Name.

After having spent years struggling with installing certificates, I appreciate the problem LE has solved so elegantly. There is a need, however, for people delivering merchant interfaces and other services over the web to have servers without FQDNs behind SSL. This is especially true in architectures that are decentralised, where clients have their own LAMP instances that are not connected to a central server, and are all on numeric IPs without domain names.

System administrators can't issue each of these instances with a domain name; that would mean an expense and administrative burden for every instance and add a huge amount of set-up time. Scripted, automated roll-outs are standard in set-ups like this; if system administrators could script Let's Encrypt into their installers and have the green lock out of the box, it would be super useful.

It would mean clients are behind SSL and can be set up very quickly. SSL certs for numeric IPs are not forbidden, and this scenario is a perfect example of where there is a use case for them. These services are for private clients or internal use, and are not public-facing services, so there is no issue of confusion, and there is no technical reason why a numeric IP can't have a certificate.

It is infeasible for administrators to instruct users how to ignore SSL errors on privately issued certificates, since the people using these interfaces are non-technical. SSL errors are confusing and panic-inducing, and in a situation where browsers and platforms are being upgraded/swapped and there are many hundreds of instances to manage, customising browsers to get around errors is a non-starter as well.

If I understand correctly, Let's Encrypt used to issue certificates for numeric IPs but stopped. I would ask that they re-enable this feature, so that this use case can be serviced and automated and administrators can keep their platforms more secure and easily deployable. It would also increase the coverage of secure services that LE protects. Despite being an edge case, services that move and manage millions of dollars will be protected by this.

While I'm at it, I would like to publicly thank Let's Encrypt for everything they do, and the massive amount of time they've saved us. Their installation numbers, multiplied by the hassle and expense of setting up SSL certificates in the old way, are very significant, and have been a boon.

I know that this has been requested before, but I’ve been asked by Josh Aas to post it here so that more people can benefit from seeing what we’re asking for and their reply.


#2

Hi,

It's possible to request IP certificates from CAs, but not from Let's Encrypt.
It seems that publicly trusted CAs issue these certificates with organization validation (from GlobalSign: https://support.globalsign.com/customer/portal/articles/1216536-securing-a-public-ip-address---ssl-certificates).

Personally thinking:

Since IP addresses could be requested and released frequently, it's not really possible to automate issuance of such certificates (without identity verification).

I don't think Let's Encrypt has ever issued certificates for IPs… (However, I'm not sure.)

Finally, pinging Let's Encrypt staff to ask for their input…
@lestaff

Thank you


#3

Thank you for this. Unfortunately, GlobalSign doesn't issue certificates programmatically. You have to "sign up", do things manually, and then they email you the link to download the certificate to install manually. This is a pretty typical old-style certificate issuing business model and process, of the kind that Let's Encrypt disrupted forever. GlobalSign also want $249 for a certificate that lasts one year. That's no longer a fit for the market now, obviously.

Let's Encrypt is totally automated and scriptable. Even if we were willing to pay GlobalSign for 500 certificates at $249 each, we would have to manually install them all. That is unthinkable.


#4

Hi,

One correction… It’s actually $349 per year (for one IP), $199 per additional IP…

Thank you


#5

Nope, we’ve never issued certificates for numeric IP addresses. Here are a few forum threads from 2015 talking about how we don’t do this:

(Let’s Encrypt’s first public certificate issuance was in September 2015.)


#6

Let’s Encrypt is involved in the ongoing work to specify IP address certificates within ACME, but I don’t know what the timeline or Let’s Encrypt’s plans are.

https://tools.ietf.org/html/draft-ietf-acme-ip-04


#7

Thank you for this, it’s positive and useful information which contributes to understanding.


#8

We've only briefly discussed this topic and there is no timeline. It's likely we would want to be issuing certificates with a shorter lifetime than 90 days for IP address subjects, and doing so will require some rework in our backend software. The first step will be experimenting with draft-ietf-acme-ip support in Pebble.
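To make the draft-ietf-acme-ip mechanism referenced in #6 and #8 concrete, here is an added example (not code from this thread, Let's Encrypt, or Pebble) of how a client would build the identifier and newOrder payload for an IP address, plus the checks a CA-side implementation would apply. The identifier format, the no-wildcard rule and the reverse-DNS SNI for TLS-ALPN-01 follow the published form of the draft, RFC 8738; the function names are this example's own.

```python
import ipaddress
import json

# Example helpers (not Let's Encrypt's code). Identifier format follows RFC 8738,
# the published version of draft-ietf-acme-ip: {"type": "ip", "value": "<textual address>"}.


def ip_identifier(text):
    """Return an ACME identifier for an IP address, or raise ValueError.

    RFC 8738: the value is the textual address (RFC 1123 for IPv4, RFC 5952 for
    IPv6), and wildcards are meaningless for IP identifiers, so they are rejected."""
    if "*" in text:
        raise ValueError("wildcards are not allowed in ip identifiers")
    addr = ipaddress.ip_address(text)  # raises ValueError on malformed input
    # .compressed yields the RFC 5952 canonical IPv6 form (lowercase, shortest).
    return {"type": "ip", "value": addr.compressed}


def new_order_payload(addresses):
    """JSON body of a newOrder request listing only IP identifiers."""
    return json.dumps({"identifiers": [ip_identifier(a) for a in addresses]},
                      sort_keys=True)


def is_publicly_issuable(text):
    """CA-side sanity check: a publicly trusted CA cannot validate control of
    private, loopback, link-local or other non-global space, so such an order
    should be rejected before any challenge is attempted."""
    return ipaddress.ip_address(text).is_global


def tls_alpn_sni_for_ip(text):
    """RFC 8738 section 6: for TLS-ALPN-01 against an IP identifier the client
    presents the reverse-DNS name of the address (in-addr.arpa / ip6.arpa) as
    the SNI, because SNI cannot carry a literal IP."""
    return ipaddress.ip_address(text).reverse_pointer


if __name__ == "__main__":
    # Constructed sample inputs: RFC 5737 documentation addresses and one RFC 1918 address.
    print(new_order_payload(["192.0.2.10", "2001:DB8::1"]))
    print(tls_alpn_sni_for_ip("192.0.2.10"))
    print("10.0.0.1 issuable by a public CA:", is_publicly_issuable("10.0.0.1"))
```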


#9

This would be a perfect solution. We (and everyone else) can automate renewal of certificates with a cron job, to keep everything up to date and safe.
