Is it possible to issue certificate for IP address?

Hi...

When using a server with a dedicated IP address for a website, is there a way to make the certificate work also for anybody who accesses the website via the IP address, so that there is no error message from the browser?

Thanks

Mark

2 Likes

"is it possible" and "does Let's Encrypt do it" are two different questions with different answers.

It is possible, but not on Let's Encrypt.

Also, Google Public CA does it, but they require you actually own the IP, so if the IP belongs to your provider they won't issue a certificate.

8 Likes

This is something I've looked into a lot

There are no good free options for IP certificates

There are no good cheap options for IP certificates

Can it be done for the right price? Yes, look at https://1.1.1.1/ or https://8.8.8.8/ (which is just a redirect but it DOES have a valid certificate), or, on the IPv6 side https://[2606:4700:4700::1001]/

as far as I know, there is exactly one free option, ZeroSSL, and it has many caveats:

  1. Only IPv4, because, as per their customer service, they haven't gotten around to updating their system yet

  2. Not available via their ACME service, only available through the website, or using their API

  3. You can only get 3 free 3-month certificates per account. That means you can get at most 9 months of life out of each account, and that's if you renew on the very last day

I will say that the account creation process is fairly quick & easy, and their API isn't too painful to work with.

https://zerossl.com/ if you want to check them out

also, I will say, if you're just trying to catch stray traffic and redirect it to your hostname... yes, you probably do see some traffic hitting your web server with no "Host:" header, or with the "Host:" header set to your IP address... but those aren't humans. They're bots & security scanners & stuff. They probably don't even check certificate validity. So whether they follow your redirect or not is probably not going to be affected by whether or not you have a valid certificate for your IP address. Valid IP certificates are actually very rare in the wild, so unless you have some very obscure use case you'll probably be fine without one.

8 Likes

followup to my previous post...

there are a few different use cases where someone might want a certificate for an IP address, with different workarounds (or lack thereof) for each

  1. You're currently using the IP as a pseudo-hostname because you don't have an actual hostname to use. Fortunately, it's very easy to get a subdomain for free. There are many services that offer this, with two of the more well-known being https://nic.eu.org/ and https://freedns.afraid.org/. Also, for IPV6, check this out: We are giving every IPv6 address a name | ungleich.ch ; I wouldn't recommend using it for anything serious, because the person running the service could potentially hijack your traffic at any time, but it's there if you want it.

  2. As mentioned in my previous post, you're just trying to catch stray HTTPS traffic targeting your IP instead of your hostname. As mentioned, this is bot traffic and can be safely ignored.

  3. You're wanting to run a DNS-over-TLS or DNS-over-HTTPS server. Not many options here, at least if you're wanting it to be accessible to the public, so you may have to pay, or get in the habit of creating burner ZeroSSL accounts. If it's for private / corporate use, you could set up a private CA to issue the certificate from, and configure the clients to trust that CA.

  4. You want to host a website off of a long-ass IPV6 IP solely because it's funny. There's no real workaround here. Either fork over big $$$ for a certificate, host the site on HTTP, or host on HTTPS with an invalid certificate. Or combine the last two options and let visitors choose which they prefer.

Any other use cases I missed?

5 Likes

Hi again, appreciate the replies! (9peppe and catharsis)

And I learned more than I had asked for :slight_smile:

In this case it's not about stray traffic but about being able to access the website in case DNS is not working.

We are in a remote location, and we only have one connection to the outside world, which is from time to time being interrupted (usually physical damage that takes a day or so to repair). But since the local cell phone system and many local computers in town, including the server in question, are connected via the same provider, it is technically possible to access the server from a smartphone or other local computer without DNS at a time when the connection to the rest of the world has been severed.

However, my clients don't know that, and for the time being that will not change, since I will only tell them about it if we ever find an easy and inexpensive way of using an SSL certificate with an IP address...

Anyway, thanks again for the details (I've copied and saved everything for future use).

Mark

3 Likes

Where are you, Saint Helena? :smiley:

You should probably get a DNS resolver on that island and cache it aggressively. I guess you probably have a /16 for the entire place, no?

5 Likes

I thought it was just 3 concurrent certs per account? As in, if you have 3 certs, you can't get a fourth, but if the first of the 3 certs expires, you can get a new one? It's not like your account gets disabled or you can't get any more free certs after those initial 3, right?

3 Likes

That's exactly how it is now

I think they changed the policy a couple years ago

Your account doesn't get "disabled" it just becomes a useless platform for advertising paid certificates to you

their ACME platform has no such limits but they don't do IP certificates there

3 Likes

couple more (not great) options:

  1. just click past the "invalid certificate" warning when you access the site via IP (no HSTS to contend with for IP addresses)

  2. add the site to the hosts file (easier on Linux than Windows but not a huge ordeal on Windows) of the connecting machine, and the site will still be accessible by hostname even if DNS is down, with no certificate warning.... although if the IP ever changes then you have a problem

3 Likes

Well, whad'ya know indeed:

You have reached the maximum amount of 90-day certificates allowed on the Free Plan.

Sucks..

Luckily the accounts are free :stuck_out_tongue:

2 Likes

November 2020 seems to be when they changed the policy

it's a little vague (probably intentionally) but basically, expired certificates now count against the 3-certificate limit, and they never disappear.

so it's really more of a "free trial" although they don't call it that

5 Likes

In that wording, the same kind of crappiness applies to the paid plans; not sure how clients react when they find they can't renew their certificate.

4 Likes

This is actually the best advice here. You can set it up as a backup local secondary DNS server. Everyone in your org would need to set that in their phone / computer, but that would solve the issues.

You should also talk to the provider about them offering backup DNS caching and mirroring.

5 Likes
