IP Address on certificate

I have read the posts on IP address in ssl certs. Has there been any more developments? At the moment https://check-your-website.server-daten.de gives me an error (one among many!)

x.x.x.x 10000 Webmin (https) open
https://x.x.x.x:10000/. Http-Status: 200. Certificate is invalid

Accessing the site is fine and the cert padlock shows. I assume that as the IP address is not listed under the SAN the error comes up.

I am uncertain that I could successfully add it in any case as the address is owned by my VPS provider and not by me direct? Is there any clarification on what can be done in these cases?

Would be good to get this sorted if possible so where can I track progress on this being developed please?


1 Like

Let's Encrypt doesn't issue certificates for IP addresses.

ZeroSSL does, it was fairly straightforward to get a free one through their website when I tried many months ago. I'm not sure whether they make it available via their ACME integration though. When I tried, that wasn't available yet.


Nope, that feature has been "shelved". Please also see the following thread:

Also the only free ACME providing CA that issued certificates for IP address is down. Not sure how/why (it was a rather unknown Chinese CA).

Note that ZeroSSL does provide certificates for IP address, but just not through their ACME API. Only using their webinterface and/or REST API I believe (or that has changed too), but that method is subject to rather harsh limits, unless you pay. But I believe getting just one cert for the IP address using ZeroSSL should be possible.

Tried it a few days ago when I merged RFC 8738 into my Certbot forks "for own use" branch filled with some nice features (IMO) not getting in the main Certbot branch it was still not possible using ACME.


That feature is also not very "future proof."

If you want a certificate for a single IPv4 address, ok. But... what happens when you want a certificate for an entire /64 IPv6 subnet?


not sure why you want that kind of thing: thats means a webserver listens on any address on that subnet
(its like listening on every address on /24 in ipv4)


You'd have to get a lot of certificates. 2^64 / 100 to be exact :wink:


No IP wildcards?

I have no idea how to validate those subnets, does reverse DNS work in subnets?


I might have an IP based reverse proxy, for example.

(It would be pretty useless indeed)




This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.