It would be very useful for LetsEncrypt to offer SSL Certificates for numeric IPs; that is to say, servers that do not have a Fully Qualified Domain Name.
After having spent years struggling with installing certificates, I appreciate the problem LE has solved so elegantly. There is a need, however, for people delivering merchant interfaces and other services over the web to have servers without FQDNs behind SSL. This is especially true in architectures that are decentralised; where clients have their own LAMP instances that are not connected to a central server, and are all on numeric IPs without domain names.
System administrators can’t issue each of these instances with a domain name; that would mean an expense and administrative burden for every instance and adding a huge amount of time for setting up. Automated rollouts that are scripted are standard in set-ups like this; if system administrators could script LetsEncrypt into their installers, and have the green lock out of the box, it would be super useful.
It would mean clients are behind SSL and can be set up very quickly. SSL certs for numeric IPs are not forbidden, and this scenario is a perfect example of where there is a use case for them. These services are for private clients or internal use, and are not public facing services, so there is no issue of confusion, and there is no technical reason why a numeric IP can’t have a certificate.
It is infeasible for administrators to instruct users how to ignore SSL errors on privately issued certificates, since the people using these interfaces are non-technical. SSL errors are confusing and panic inducing, and in a situation where browsers and platforms are being upgraded/swapped and there are many hundreds of instances to manage, customising browsers to get around errors is a non-starter also.
If I understand correctly, LetsEncrypt used to issue certificates for numeric IPs but stopped. I would ask that they re-enable this feature, so that this use case can be serviced and automated and administrators keep their platforms more secure and easily deployable. It would also increase the coverage of secure services that LE protects. Despite being an edge case, services that move and manage millions of dollars will be protected by this.
While I’m at it I would like to publicly thank LetsEncrypt for everything they do, and the massive amount of time they’ve saved us. Their installation numbers, multiplied by the amount of hassle and expense of setting up SSL certificates in the old way, are very significant, and have been a boon.
I know that this has been requested before, but I’ve been asked by Josh Aas to post it here so that more people can benefit from seeing what we’re asking for and their reply.