If/when will LE support .onion addresses?


@kerkeslager, we are talking about hidden services. All traffic to and from a hidden service is end-to-end encrypted. This is different from just using tor to browse the clearnet, where your potentially unencrypted traffic can be seen by an exit node. For browsing the clearnet, your warning should be carefully headed.


Oh! My apologies! You’re absolutely correct! I still think this warning is important for people coming to this uninitiated, but I’ll edit to clarify.


.onion is a special use TLD now! So it cannot be registered as a normal gTLD any more.

This document uses the Special-Use Domain Names registry to register the
’.onion’ Top Level Domain (TLD) for the Tor Network. This will allow hosts on
the ToR network to apply for and receive legitimate SSL Certificates.

I think that’s what you were waiting for…


BTW from another topic a quote from @schoen:

Congratulations to the authors of the RFC, and thanks to the authors of
the earlier P2P Names Internet-Draft. I hope this leads the CA/B Forum
to agree that it’s appropriate for CAs to issue certs for .onion names
in the long run.


Hi all I wanted to jump in here to provide some additional information. As you may know, the issuance of publicly-trusted SSL certificates is governed by the CA/B Forum. The biggest issue will be complying with whatever rules the CA/B Forum sets regarding .onion domains.

I am not a Tor user, so I have not followed the CA/B Forum’s actions on this very closely. But I believe that they had allowed the issuance of .onion domains, but only if they underwent a procedure similar to EV validation. Since Let’s Encrypt does not plan on performing manual validation, it would seem .onion domains wouldnt be something they could provide.

For those wanting to know more, they should read CA/B Forum Ballot 144. Unfortunately that has not yet been put on their website yet, so you would need to search their listserv archives to find it.


@vtlynch, I’m not clear on whether the CA/B Forum limited .onion certs to EV because of the questionable status of issuing for .onion at all (in terms of guaranteeing uniqueness of a name’s meaning), or because of the difficulty in specifying a validation method.

I hope that we’ll eventually be able to issue DV certs for .onion names, too.



i think since two days now the status of ONION Domain is not no well Defined as an Spezial Domain.

EV - did not make any sense for ONION Domain since hidden service normally mean that the person
does not want to be personally be known. For example woman help sites.


However, it might make sense for a site such as http://facebookcorewwwi.onion. In fact, that’s a quite likely candidate for a DV (or higher?) certificate.

LE could issue a Proof-Of-Posession challenge for the hidden service’s private key as authorization for the domain.


Indeed, they already got an EV certificate under the current policy (which they were a major inspiration for).


That’s a great idea. (This particular mechanism has never been used for DV before, but clearly it’s the gold standard technically for certificate issuance for .onion names.)


I agree with issuing Proof-Of-Possession challenges for onion domains.


Considering this new decision regarding .onion pseudo-TLD, would Let’s Encrypt be able to support .onion domains as a SAN where a site is accessible by both direct connect and by .onion, where the direct-connect domain would provide validation of domain ownership?


@BFeely, probably not yet, because of industry rules that currently limit .onion certificates to EV, which Let’s Encrypt doesn’t issue at all.


Really there are such <your bad word here> industry rules?
That’s disappointing…


There are many reasons why having proper TLS/SSL certs setup for hidden services should be a priority. We run an non-profit private Tor-only e-mail service. It requires our members to connect to mail services (POP3/IMAP/SMTP) using TLS. Without valid .onion domain certs, our clients continue to get security warnings since even if we used lelantos.org certs… there would still be a mismatch when they connect to our hidden services.
This is but one example why certs are so important for .onion domains. Private key signing is quite robust and simple to implement.

I would appreciate any attention and energy you can commit to making this minor change to your software.



wait a sec, this doesnt make sense, I dont think that that many companies use Tor and, but rather more “normal” people, now you can guess three times who may NOT recieve an EV cert…


Agreed, however, times change. The .onion domain is growing far more legitimate every day. The desire for end-to-end encryption, privacy and anonymity will only increase as dragnet government surveillance grows ever more intrusive.

At some point this will need to be supported, and without the “special use” designation.

I value the letsencrypt.org project immensely and hope that they will find a way to make this work.


well it should be but some stupid “forum” (not pointing names, but it should be obvious) said that only companies and stuff may use those with HTTPS.


Hi @Lelantos, it’s not really a question of software features (or about Let’s Encrypt not caring about the issue), it’s a question of CA/Browser Forum rules that .onion certs may currently only be EV, which Let’s Encrypt doesn’t do. If these rules change (which several people from LE have said we hope they will), we would be interested in exploring whether we could issue .onion certs.

Please see the just-posted item at

for more about this issue.


but why did they say EV only and essentially locked out normal people, and why can normal ppl not get EV certs this is discrimination, I say! (not by LE, obviously but by the forum)