Plans to support RFC 8738

Hello,

Now that RFC 8738 is out of the door, are there any plans to support issuing certificates for IP addresses?

Andreas

1 Like

Already on the roadmap

5 Likes

Being a natural born sceptic, I would like to hear the PROs on using IP addresses in a cert SAN.

2 Likes

My use case would be hosting a DNS over HTTPS resolver for my own use; having an IP address certificate will get rid of the requirement to bootstrap it.

This is definitely awesome news. Other certificate authorities charge a lot and require complex validation, which can be difficult. My IP is static on a business line, but I don’t own the address on the ARIN record.

3 Likes

I've just implemented RFC8738 in uacme (ualpn branch)

https://github.com/ndilieto/uacme/tree/ualpn

I've tested it against the staging endpoint but it does not accept "ip" identifiers yet:

uacme: creating new order for 192.168.0.1 at https://acme-staging-v02.api.letsencrypt.org/acme/new-order
uacme: acme_post: url=https://acme-staging-v02.api.letsencrypt.org/acme/new-order payload={"identifiers":[{"type":"ip","value":"192.168.0.1"}]}
uacme: acme_post: return code 400, json=
{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "NewOrder request included invalid non-DNS type identifier: type "ip", value "192.168.0.1"",
"status": 400
}
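The request above is exactly the RFC 8738 shape: an identifier of type "ip" instead of "dns". As an added illustration (not code from uacme or from Let's Encrypt), this builds the newOrder body, normalises IPv6 to the RFC 5952 form the RFC requires, refuses private and reserved addresses that no public CA may issue for, and recognises the "non-DNS type identifier" rejection shown in the log:

```python
import ipaddress
import json

# Added example for RFC 8738 "ip" identifiers in an ACME newOrder request.
# Not uacme's or Let's Encrypt's code; the helper names are this example's own.

def is_issuable_ip(addr: str) -> bool:
    """True only for a globally routable address.

    The CA/Browser Forum Baseline Requirements forbid publicly trusted
    certificates for private, loopback, link-local or otherwise reserved
    addresses, so 192.168.0.1 (as in the log above) can never succeed.
    """
    try:
        return ipaddress.ip_address(addr).is_global
    except ValueError:  # not an IP literal at all
        return False

def identifier(value: str) -> dict:
    """Return an ACME identifier: type "ip" for an IP literal, else "dns".

    RFC 8738 requires the textual form from RFC 1123 (IPv4) or the
    canonical RFC 5952 form (IPv6); ipaddress.compressed yields both.
    """
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return {"type": "dns", "value": value.lower()}
    if not ip.is_global:
        raise ValueError(f"{value} is reserved/private; no public CA may issue for it")
    return {"type": "ip", "value": ip.compressed}

def new_order_payload(values: list[str]) -> str:
    """Compact JSON body for POST /acme/new-order, mixing dns and ip identifiers."""
    return json.dumps({"identifiers": [identifier(v) for v in values]},
                      separators=(",", ":"))

def rejected_ip_identifier(error: dict) -> bool:
    """Match the malformed-error the staging endpoint returned above, which
    means the server does not accept "ip" identifiers (yet)."""
    return (error.get("type") == "urn:ietf:params:acme:error:malformed"
            and "non-DNS type identifier" in error.get("detail", ""))

if __name__ == "__main__":
    # Constructed sample mixing a hostname with Cloudflare's public resolver IPs.
    print(new_order_payload(["dns.example.com", "1.1.1.1", "2606:4700:4700::1111"]))
```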

@ndilieto Pebble supports ip identifiers.

Did you really try 192.168.0.1?

1 Like

Right, Let's Encrypt has not implemented this new standard (in staging or production). It's only mentioned on the roadmap of future features.

2 Likes

Are you sure you need a publicly trusted cert to do that?

I find no mentions of it being necessary in the dnscrypt-proxy server install instructions. It also says it rotates keys every 8 hours (too fast for LE not to complain).

1 Like

I guess that depends on the overall scope and definition of "for my own use".

--- and there is the overall increased "coolness" factor ---
--- FYI using LE is officially COOL ---

2 Likes

No, no. It’s the first time I see a DoH resolver using a PKI infrastructure. I have always seen lists being distributed with their authentication fingerprints.

Anyway, OP: if you need an FQDN you can get one from dynamic DNS providers (duckdns, afraid, nsupdate, …) or you can buy a very cheap .xyz domain (numeric only, 6-9 digits, should be around a dollar per year).

1 Like

I think I read it in a completely different light. But you might be right.
So it still depends on what is exactly meant by “for my own use”.
Maybe @ski192man can chime in with a few more details about it and clear things up a bit.

1 Like

Yeah, I do not fully understand what “bootstrapping requirements” he’s talking about…

1 Like

DNS over HTTPS is normally accessed via a domain name, e.g. Cloudflare’s resolver is https://cloudflare-dns.com/dns-query. This presents a chicken-and-egg problem: to know where your resolver is you must first resolve it, and the current typical solution is to query the system / network provided resolver.

Alternatively you can access Cloudflare DNS at https://1.1.1.1/dns-query (or their IPv6 alternative). This solves the problem of how you know where the resolver is: because it’s an IP address, you do not have to use the traditional resolver for anything. The catch is you have to have a certificate for your IP address.

And yes, I mainly want an LE cert because it’s cool to have a publicly trusted cert on your IP address; also some people I know might use it, since I’ll run it through Pi-hole. I already have quite a collection of domain names and am running a resolver on one of them at dns.mydomain.com.

Regarding dnscrypt-proxy, I think you may be thinking of its DNSCrypt mode (which I’m not familiar with); DoH and DoT use the existing PKI infrastructure.

@9peppe I updated my post with a bit more information, I didn’t see your other posts when I submitted mine.

Hopefully this will give some people a sense as to what is possible with this RFC, I have no doubt there are many other cool things you could do with this.

3 Likes

At a bare minimum, it can allow those that truly can't afford encryption, or are blocked from using free services, the opportunity to have encrypted services with as minimal "complications"/costs as possible.
Power To The People!

2 Likes

Yeah, it looks cool indeed. Think of ephemeral certs on dynamic IPs, or even validation based on reverse DNS entries.

It's probably not as useful as it could be on dynamic IPs, though. That's more of a WireGuard/tinc domain.

No CA will ever be able to issue certificates for that IP anyway (it's prohibited by the Baseline Requirements). If you want to run tests with that IP, you need Pebble or some other test CA you can run locally. Of course the resulting cert will never be publicly trusted 🙂

1 Like

5 words
50 words
…and yet…
they are saying the same thing.

Nah! Yours is much more colorful! 👍

1 Like

Is it true that applying for a certificate with a private IP address could eventually lead to the Death Penalty or - worse - affect one's Credit Rating?

3 Likes

It would be possible to use IP-based links in websites.

Without using a domain name.

Or with a mail server, so users are able to connect to raw IPv6 addresses.

The main question: same lifetime, 90 days? So it would be possible to create a certificate for:

non-www
www
IPv4 of that domain
IPv6 of that domain

Next step: define a DNS entry, so the domain-based certificate must have the correct IPv4 and IPv6 address.

If not -> something is wrong.

1 Like