List of clients (and CAs) with RFC 8738 support?

This thread seems to indicate Let's Encrypt and certbot will support RFC 8738 at some point. and do not support it yet. I have been able to verify that uacme, ACME4J and an Ansible plugin support it now, but are there any CAs (other than pebble) that currently implement this standard? I was unable to test ZeroSSL since there is no client with support for both RFC 8738 and External Account Binding (EAB). Buypass is another CA offering free certs over ACME but I got the following response while testing with uacme:

uacme: creating new order at
uacme: failed to create new order at
uacme: the server reported the following error:
    "type": "urn:ietf:params:acme:error:unsupportedIdentifier",
    "detail": "Identifier type not supported: ip",
    "code": 403,
    "details": "HTTP 403 Forbidden"

Has anyone found any other compatible clients or CAs out there?


I don't think ZeroSSL will actually issue IP certificates (at least, not via ACME):

[ ACME ] > post -body='{"identifiers":[{"type":"ip","value":"}]}'
2020/12/01 10:40:34 Sending HTTP POST request to ""
{"type":"urn:ietf:params:acme:error:unsupportedIdentifier","status":400,"detail":"IPv4 and IPv6 identifier types are not yet supported"}
1 Like

Cool, did you manually craft that ACME message to test it for me, or which client is this? Great to see it is the same error as Buypass, they are likely both running boulder or something similar on the backend. I was able to get ZeroSSL to issue IP certs using their REST API, so that (and possibly Buypass, which I will test) seem to be the only option to automate this at the moment?

Yeah, I registered a ZeroSSL account using Certbot, then converted the account key from JWK to DER and imported that to acmeshell, where I manually wrote the request. You are right that it's tricky to find a client which supports everything :sweat:.

That's pretty cool. I bet most people don't know that free IP certs are available.

Looks like they'd be waiting on Sectigo to add RFC8738 to their ACME server.


as currently boulder use set of FQDN for store names in database not set of identifiers, and some are hashed, I think start support other type of identifier need to alter table on 10b+ rows. or at when safely drop database and start clean. (like freeze old CA for OCSP and move to different intermediate CA)

The Ansible module supports both :slight_smile: (More precisely: you need to use the acme_account module to set up the account.)

I'd doubt that ZeroSSL supports IP addresses though (which you found out by now). I would even guess that no CA (also non-ACME CAs) supports automatic IP address validation at all at the moment.

it looks like zerossl does sign certificate for ip address. and I don't think setigo runs non-automated cert on zerossl name?

It seems that you can create IP certs both with the ZeroSSL REST API (according to strophy) and also using the web interface:

Worked okay for me (though the CNAME method shows up when it doesn't work or make sense).


That's very interesting. And worrying, seeing that the certificate @orangepizza found is valid for 90 days! IMO that's way to long for an IP address (that hasn't been vetted manually). There are a lot of dial-up services where you get a new IP address every time you connect to the internet, you could use that to get hold of a large amount of certificates for IP addresses you no longer control after maybe even minutes. I hope they have some mechanism which prevents abuse at least for known dial-up IP ranges. And this is ignoring the issues with on-the-fly IP assignment for cloud providers.

(Having a short certificate life-time still has all these problems, but at least it would be limited to say 7 days, and not to 90 days.)

I tried to obtain a certificate for an IPv4, an IPv6, and both addresses (i.e. three distinct requests) from ZeroSSL with ACME; every one was answered by urn:ietf:params:acme:error:unsupportedIdentifier with detail IPv4 and IPv6 identifier types are not yet supported. (I.e. same result @_az got.)

I just added support for RFC 8738 in the 4x branch of Posh-ACME because why not. It also supports EAB.


As you requested, I implemented EAB in uacme. Please try it when you have a minute.

Thanks for the quick and high quality work @ndilieto and @rmbolger! I can confirm the current dev branch of uacme supports EAC as required by ZeroSSL, and I can now get the same error as _az above from their ACME API when attempting to use an IPv4 identifier. I'm unable to test Posh-ACME but I'm sure it works great as well, cheers guys! :slight_smile:

1 Like

You're welcome. The new EAB feature is now released in uacme 1.6


please use the "ip" branch to test ip cert:



I successfully created a ZeroSSL account over ACME but got the following error when trying to issue a cert. Should I use some identifier other than -d to provide an IP address instead of domain? I can't find documentation on how this is supposed to work...

strophy@X250:~/Code/$ --issue --server zerossl -d -w .
[Tue 15 Dec 2020 10:32:43 PST] Using CA:
[Tue 15 Dec 2020 10:32:43 PST] Creating domain key
[Tue 15 Dec 2020 10:32:43 PST] The domain key is here: /home/strophy/
[Tue 15 Dec 2020 10:32:43 PST] Single domain=''
[Tue 15 Dec 2020 10:32:43 PST] Getting domain auth token for each domain
[Tue 15 Dec 2020 10:32:45 PST] Create new order error. Le_OrderFinalize not found. {"type":"urn:ietf:params:acme:error:rejectedIdentifier","status":400,"detail":"Invalid DNS identifier []"}
[Tue 15 Dec 2020 10:32:45 PST] Please add '--debug' or '--log' to check more details.
[Tue 15 Dec 2020 10:32:45 PST] See:

you should use version of, it doesn't merged to main yet.

I am using that branch and i get the same error message

when I last checked zerossl didn't issue certificate with IP address with this error

detail":"IPv4 and IPv6 identifier types are not yet supported"

Strophy's error says they got ip address in dns identifier so it's techiacally different error :stuck_out_tongue:

zerossl doesn't support ipcert via ACME api yet.