How to set up with Tor Hidden Site

Hello. I heard it’s possible to use Let’s Encrypt with a tor hidden site. That’s odd as I thought part of the https spec includes some verification of the host IP address?

You won’t be able to use Let’s Encrypt certificates for a Tor hidden service but you’re mistaken as to why.

Let’s Encrypt needs to verify that you really control the name or names you want a certificate for. Ordinarily only names from the public Internet DNS can be verified in this way. There is a special exception for .onion, which isn’t part of the Internet DNS per se, but this exception requires that the CA verify the name of the business or other entity running the hidden service. IP addresses aren’t relevant to this. Let’s Encrypt doesn’t offer any certificates which verify a business name, so it can’t offer .onion.

These rules are made through CA/B Forum, and are requirements of the trust store root programs which trust Let’s Encrypt. So it’s not up to Let’s Encrypt to unilaterally change them.
Per another thread here, I'm planning to ask the Forum about changing these rules, but am still in the early stages of preparing for that.

