This question is a continuation of
I’d like to weigh in on this as well. Both topics are already closed, so for me to do this I had to open a new one :).
My use case is as follows: in order to encrypt all traffic in my home (NAS, a few servers running some stuff) and to avoid creating my own CA, installing certs on all my devices, etc., I’ve registered a public domain name and use certbot + a DNS-01 challenge to get a valid cert.
However, I prefer not to have that domain (or any record in the DNS zone that I manage now) lead back to my public IP address (the address given to me by my ISP). When I run certbot from my home network, though, and the IP is logged and published, my public IP becomes publicly tied to the domain name.
(Sidenote: My home router is provided by my ISP and it’s one of those basic boxes that can do anything but has had no firmware updates since it was installed. I’m not terribly convinced that it’s a secure endpoint.)
I realize that this is an edge use case, but it leads to my question: if anybody runs certbot and uses the DNS-01 challenge, chances are very likely that the IP addresses don’t match. In the case of home use it’s actually a consumer IP like mine. I hope that when policies change and IP addresses are published (they are not for now, is that still true?), there is a way to avoid this. Is there already anything known about this public-IP-publishing policy? Where can I find the details?
I know that I can in theory connect to a public VPN and then run certbot to hide my public IP, so there is a workaround. This does, however, break the autorenewal I’m aiming for, unless I route all my traffic through such a VPN on a permanent basis (also possible, but it costs money).
One last statement about public IP addresses (like mine when I run certbot): those are considered private data by the EU’s GDPR. That doesn’t cover every citizen on the planet, but it does apply to me :). Making the publishing of private IP addresses like mine GDPR-compliant is technically possible, but it is a real challenge which cannot be solved just by some more legalese in the EULA.
A solution to this is of course (as some US companies have done) to just stop providing services to EU citizens, which I sincerely hope you do NOT do; Let’s Encrypt is awesome :). Keep up the good work.