Getting issue while creating new certificate


Hi Team,
I'm working on creating a certificate that will be used in both our local developer environment and on different cluster servers for testing and development purposes. I'm using the following command:

sudo certbot certonly --standalone -d 9.12.208.25 -d 9.12.69.197 -d localhost

However, I encountered the following error: "Requested name 9.12.208.25 is an IP address. The Let's Encrypt certificate authority will not issue certificates for a bare IP address."
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/certbot-log-hayb1c90/log or re-run Certbot with -v for more details.

Note: For the time being, I want to create a certificate for the IP address until we get the DNS hostname.

1 Like

Hi @kgaurav, and welcome to the LE community forum :slight_smile:

LE doesn't provide certs for IPs [not yet at least - there is talk about them doing that one day].
The CAB forum rules won't allow any trusted CA to issue a cert for names outside of the global DNS.
Names like: "localhost", "*.local", "*.internal" are not allowed.

You should issue your own [self-signed] cert(s) and have the test environment trust them explicitly.

6 Likes

Although an internal/private CA would probably be best for your scenario, if you really want an IP certificate from a real CA, ZeroSSL can do free certificates for publicly-reachable IP addresses (but not "localhost" or private IPs), with certain caveats:

  1. IPv4 only, last I checked

  2. Must issue through their website or their API, not their ACME service

  3. Only 3 free 3-month certificates per account, ever, so you're looking at having to create a new account every 9 months, or less if you renew before expiration day.

As another alternative, if you don't own a domain, there are plenty of places that will give you a free subdomain, e.g. DuckDNS (5 hostnames per account, 1 A and 1 AAAA record for each). DuckDNS specifically is on the Public Suffix List (not all such services are) so you're not competing with other users of the service for weekly certificate quota. So set up a hostname for each of your IPs and request certificates for the hostnames (assuming your IPs are publicly reachable).

If your IPs aren't publicly reachable you could get a $1/year numeric .XYZ domain, put it on Cloudflare DNS (free), and use DNS-01 authentication to get a certificate (you can do wildcard certificates this way).

3 Likes
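
The private-CA route suggested in the two replies above, as an added example that is not part of the original thread: a throwaway CA signs one server certificate whose subjectAltName carries the two IP addresses and localhost from the question. The file names, subject names and lifetimes are assumptions, and it needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example: throwaway private CA plus one server certificate with IP SANs.
# Subject names, file names and lifetimes are assumptions; requires the openssl CLI.
set -eu
umask 077   # keys are written unencrypted, so keep them owner-only

make_dev_cert() {   # $1 = output dir, $2 = subjectAltName list
  d=$1
  mkdir -p "$d"
  # Own config so the result does not depend on the system openssl.cnf
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Dev Test CA (example)
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  cat > "$d/leaf.ext" <<EOF
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $2
EOF
  # 1. CA key and self-signed CA certificate: the only thing test hosts must trust
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$d/ca.cnf" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  # 2. Server key and CSR (the subject CN is cosmetic; clients match on the SAN)
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
    -subj "/CN=dev-test-server" -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  # 3. CA signs the CSR; the SAN and usage limits come from leaf.ext
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -sha256 -days 90 -extfile "$d/leaf.ext" -out "$d/server.crt" 2>/dev/null
  # 4. Fail unless the chain verifies against the private CA
  openssl verify -CAfile "$d/ca.crt" "$d/server.crt" >/dev/null
}

cert_sans() {   # print the SAN entries of a certificate
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1
}

OUT_DIR=${OUT_DIR:-./dev-pki}
make_dev_cert "$OUT_DIR" "IP:9.12.208.25,IP:9.12.69.197,DNS:localhost"
cert_sans "$OUT_DIR/server.crt"
```

Only ca.crt goes into the trust stores of the test machines; ca.key stays on the host that does the signing.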

Do you think LE is not a "real CA"? :thinking:

2 Likes

This was in comparison to using a private CA as referenced upthread and in my own reply. LE is definitely real but does not currently issue certificates for IP addresses. As far as I know, ZeroSSL is the only CA that currently issues IP certificates for "free", albeit with significant caveats.

3 Likes

Thank you for the details. I will try to secure a DNS.

2 Likes
