For IPv6 IP cert

Can I request a certificate for an IPv6 IP address? Because I manage and run a BGP IPv6 network myself. Should be able to authenticate the IP's jurisdictional identity.

Let's Encrypt does not currently offer any IP certificates

5 Likes

Are there any plans to increase this?

Also see:

@mcpherrinm Welcome !!

3 Likes

To be clear (for all readers):

  • LE can issue certs to FQDNs that (only) resolve to IPv6 addresses.
  • LE will not include IPv4, nor IPv6, addresses in the certificate itself.

[LE certs only contain names]

3 Likes

But hope to add it soon.

It might happen but not soon. There might be other CAs that support it (check the Google one via acme, and zerossl but not via acme).

I don't work for LE nor do I have any insight into their intended future plans (anymore than they have publicly stated).

But it seems to me that providing a DV cert for shared IP is a very problematic endeavor.
How can anyone be certain if an IP is being shared or not? [all IPs can be shared without notice]
I would not expect IP certs from LE anytime soon.

2 Likes

I don't think that is a reasonable guess. From the link I earlier posted are these two comments from LE staff:

josh, ISRG Executive Director, May '21
We recently explored what it would take to support IP address validation - cost to implement, risks, and value to subscribers. We decided that it doesn't make sense to prioritize the work over other important projects any time soon so we removed it from our roadmap.

I know there are some people out there that want this and this is a disappointing decision. The feature is not entirely off of our radar, we may revisit it in the future, but since we aren't actually planning to do it soon we thought it best not to communicate about it as an upcoming feature any more.

And this

aarongable, Let's Encrypt staff, Aug '21
Yep, it's been on our radar for a long time. We hoped to get to it this year, but other higher priorities (such as the chain change) arose which have bumped ACME-IP further into the future. It's still something that we hope to do, but not something we plan to do at this time.

3 Likes

@rg305 In Google's FAQ about the preview for their acme CA they said:

Do you issue certificates containing IP addresses?
Yes we do; however, this is currently limited to customers who control an IANA assigned IP address block. Contact your sales representative for more information.

I also don't have any special insight to what LE might do but I'd guess if they ever did offer IP addresses in the cert it would have similar constraints to this - for the reasons you state.

2 Likes

My IP address is not shared. I have RIPE and ARIN accounts and an IP space pool. Authenticate ownership and management rights similarly to making BGP announcements.

1 Like

The IP has .ip6.arpa DNS records, so the IP address can also be verified using DNS.

Sure, they may offer IP based certificates eventually. But are your users actually visiting via IP rather than name? Why not just use a domain name? I think the only common use case for IP-based certificates is for configuring DNS-over-HTTPS or DNS-over-TLS or the like, where users really are using the IP directly. Other than that, usually everyone finds it easier to just use a domain name.

4 Likes

Along those lines, I would like to hear more about the use case scenario driving this request/need.

3 Likes

ZeroSSL's reply said they supported IPv4 certs.

Yes they do, but check if they support it via their acme endpoint or just via their proprietary api.

1 Like

If you want to think about it, I see what my DoH provider does:

They have two IPv6 subnets, 2a07:a8c0:: and 2a07:a8c1::, and they just give you two addresses, i.e.

  • 2a07:a8c0::ab:1234
  • 2a07:a8c1::ab:1234

and they also use an FQDN pointing to that: ab1234.dns.nextdns.io

Something like this might work for you too.

1 Like

One of the uses is that if the domain name cannot be resolved due to DNS interference in a dictatorial country, it can be accessed directly using the IP address.

1 Like
