Planned RFC 8738 support pulled?

Wayback Machine shows as of 2021-01-25, Let's Encrypt still planned to implement RFC 8738 to issue certs against IP addresses as well as domains. This feature has now been removed from the Upcoming Features page. Is support for this feature still planned, or was it released somewhere and I didn't notice? If not planned/released, why was it pulled?

A couple of previous threads on this:


It was removed 16 days ago by @josh, without any accompanying text unfortunately.


We recently explored what it would take to support IP address validation - cost to implement, risks, and value to subscribers. We decided that it doesn't make sense to prioritize the work over other important projects any time soon so we removed it from our roadmap.

I know there are some people out there that want this and this is a disappointing decision. The feature is not entirely off of our radar, we may revisit it in the future, but since we aren't actually planning to do it soon we thought it best not to communicate about it as an upcoming feature any more.


May I suggest an improvement in communications for the future? Perhaps it would have been better to "shelve" the feature with this explanation on the upcoming features page or perhaps somewhere else. I think transparency is ALWAYS the better option instead of just deleting things and having the Community find out for themselves with only questions... And thus this thread.

@jple Weren't you the LE Communications Specialist or am I remembering things wrongly? Perhaps the LE staff needs a Communications How-To refresher :wink:


Hi Osiris,

Noted and we will definitely look to do that in the future! All about that transparency and making sure our community knows what's happening at Let's Encrypt and ISRG.



Thanks! While I recognise the amazing things ISRG/LE does as a company/CA and their staff, I also have a great feeling it's also a Community Effort©®™ :slight_smile: Not just here, but also at GitHub. Therefore, I think it's nice if the Community is kept in the loop with these kinds of things.


IMHO, the problem with the messaging on this is less about "Transparency" and more about "Managing Expectations". The odd thing, in this scenario, is that you were trying to better manage expectations of everyone who had not yet seen that page.


..but ignoring everyone who did.


For more information, from my old draft pull requests (it can process a cert for an IP, but Ratelimit was busted and there is no way this was tested or logged enough to be CA/B compliant)

bdaehlie commented 17 days ago

We have decided not to pursue IP address validation, at least in the near-mid future. There are a lot of unknowns that might cause this to be a much bigger project than we initially thought and we are not going to be able to prioritize that exploration over other projects, at least over the next year or so. We might reconsider some time in 2022.

As such, I think we can close this PR.


Thank you all for the quick replies and clarification. I look forward to seeing this implemented in the future. For anyone arriving here looking for an alternative, the ZeroSSL API (non-ACME) can provide certs for IP addresses. This is the only working solution I have currently found.
