Public IP Logging

This question is a continuation of

https://community.letsencrypt.org/t/public-ip-logging/26385
and
https://community.letsencrypt.org/t/public-logging-of-requesting-ip-addresses/64077

I’d like to weigh in on this as well. Both topics are already closed so for me to do this I had to open a new one :).

My use case is as follows: in order to encrypt all traffic in my home (NAS, few servers running some stuff) and attempting to avoid creating my own CA, install certs on all my devices etc., I’ve registered a public domain name and use certbot + a DNS-01 challenge to get a valid cert.

However, I prefer not to have that domain (or any record in that DNS zone that I manage now) lead back to my public IP address (the address given to me by my ISP). When I run certbot from my home network though and the IP is logged + published, my public IP becomes publicly tied to the domain name.

(Sidenote: My home router is provided by my ISP and it’s one of those basic boxes that can do anything but has no firmware updates since it was installed. I’m not terribly convinced that it’s a secure endpoint.)

I realize that this is an edge use case, but it leads to my question: if anybody runs certbot and uses the DNS-01 challenge, chances are very likely that the IP addresses don’t match. In the case of home use it’s actually a consumer IP like mine. I hope that when policies change and IP addresses are published (they are not for now, is that still true?), there is a way to avoid this. Is there already anything known about this public-IP-publishing policy? Where can I find the details?

I know that I can in theory connect to a public VPN, then run certbot to hide my public IP, so there is a workaround. This does, however, break the autorenewal which I’m aiming for unless I route all my traffic through such a VPN on a permanent basis (also possible, but costs money).

One last statement about public IP addresses (like mine when I run certbot) - those are considered private by the EU’s GDPR. Doesn’t cover every citizen on the planet, but it does apply to me :). Making the publishing of private IP addresses like mine GDPR-compliant is technically possible, but a real challenge which cannot be solved just by some more legalese in the EULA.

A solution to this is (as some US companies have done) of course to just stop providing services to EU citizens, which I sincerely hope that you do NOT do - Let’s Encrypt is awesome :). Keep up the good work.

2 Likes
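The DNS-01 flow the post relies on, as an added example that is not part of the thread and not certbot's own code: it derives the challenge TXT record the way RFC 8555 §8.1 and §8.4 specify and shows the shape of a certbot `--manual-auth-hook` (certbot exports `CERTBOT_DOMAIN` and the already-computed `CERTBOT_VALIDATION` to the hook). The CA validates DNS-01 by querying the zone's authoritative name servers, so the address the ACME client connects from plays no part in validation; it is only what the ACME API endpoint sees on the client connection. The `publish_txt_record` function and all sample tokens, keys and host names are assumptions made for the example.

```python
"""Added example: how the DNS-01 challenge record is derived (RFC 8555 §8.1,
§8.4) and the shape of a certbot --manual-auth-hook that publishes it.

Not certbot's code and not code from the thread. publish_txt_record is a
hypothetical placeholder for a DNS provider's API; everything else is the
standard ACME computation, so a hook can be checked offline.
"""
import base64
import hashlib
import json
import os


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME/JOSE use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account key: SHA-256 over the required
    members only, lexicographically ordered, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 §8.1: keyAuthorization = token '.' thumbprint(accountKey)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(key_auth: str) -> str:
    """RFC 8555 §8.4: the TXT record holds base64url(SHA-256(keyAuthorization)).
    certbot hands exactly this string to the auth hook as CERTBOT_VALIDATION."""
    return b64url(hashlib.sha256(key_auth.encode("ascii")).digest())


def dns01_record_name(identifier: str) -> str:
    """The record lives at _acme-challenge.<domain>; a wildcard identifier is
    validated at its base name, i.e. with the leading '*.' removed."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}"


def zone_line(name: str, value: str, ttl: int = 60) -> str:
    """Zone-file form of the record, for providers that accept raw RRs."""
    return f'{name}. {ttl} IN TXT "{value}"'


def publish_txt_record(name: str, value: str) -> str:
    """Hypothetical placeholder for the DNS provider's API call (assumption:
    any provider that lets you add a TXT record). Returns what would be sent."""
    return zone_line(name, value)


def hook_from_environ(environ) -> tuple:
    """What a certbot --manual-auth-hook sees: CERTBOT_DOMAIN is the name
    being authorized, CERTBOT_VALIDATION the finished TXT value."""
    name = dns01_record_name(environ["CERTBOT_DOMAIN"])
    return name, environ["CERTBOT_VALIDATION"]


if __name__ == "__main__":
    # As a hook:  certbot --manual --preferred-challenges dns \
    #               --manual-auth-hook ./this_script.py -d home.example.net
    if "CERTBOT_VALIDATION" in os.environ:
        name, value = hook_from_environ(os.environ)
        print(publish_txt_record(name, value))
    else:
        # Offline walk-through with constructed inputs (not a real key/token).
        jwk = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
        ka = key_authorization("constructed-token", jwk)
        print(zone_line(dns01_record_name("*.home.example.net"), dns01_txt_value(ka)))
```

A real hook must also wait until the new record is visible on the zone's authoritative servers before exiting (for instance by polling `dig +short TXT _acme-challenge.home.example.net @<authoritative-ns>`), otherwise the CA's lookup races the DNS update; the computation above is the part that can be verified without any network.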

For information, some ISPs, such as “Free.fr” in France, “split” an IP between users:

  • One gets the IP with the ports 1 to 16363
  • The next one gets the same IP with ports 16384 to 32767
    And so on…

Fair point, some ISPs use CGNAT (Carrier-Grade NAT) with only a handful of IP addresses - in that case it wouldn’t matter much because you won’t be able to route traffic to my public IP even if you knew it (i.e. no attack vector at all). I don’t think that’s the case with my provider though, but to be honest I’m not sure. If/when IPv6 takes off this won’t be the case anymore.

1 Like
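One way to settle the "am I behind CGNAT?" question the reply above leaves open, as an added example that is not part of the thread: classify the address the ISP router shows on its WAN side and compare it with the address the outside world sees. An address in the RFC 6598 shared range 100.64.0.0/10, or a WAN address that differs from the externally observed one, means another NAT layer sits upstream, so an address logged by a CA is shared with other subscribers rather than routable to one home. The sample addresses are constructed.

```python
"""Added example (not from the thread): is the router's WAN address a routable
public address, or shared/CGNAT space? Sample addresses are constructed."""
import ipaddress

# RFC 6598 shared address space, used between ISP CGNAT and subscriber routers.
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 ranges: on a WAN port these mean a second NAT layer upstream.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ULA_V6 = ipaddress.ip_network("fc00::/7")  # RFC 4193 unique local addresses


def classify(addr: str) -> str:
    """Label an address by the scope that matters for 'can the internet reach me'."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.version == 4:
        if ip in CGNAT_SHARED:
            return "cgnat-shared"
        if any(ip in net for net in RFC1918):
            return "rfc1918-private"
    elif ip in ULA_V6:
        return "ula-private"
    if not ip.is_global:
        return "reserved"          # documentation, multicast, etc.
    return "public"


def wan_address_is_yours(router_wan: str, seen_from_outside: str) -> bool:
    """True only if the router's WAN address is public AND equals the address
    an external service sees for you. Any other combination means the ISP
    translates again upstream, so the address a CA logs is shared."""
    if classify(router_wan) != "public":
        return False
    return ipaddress.ip_address(router_wan) == ipaddress.ip_address(seen_from_outside)


if __name__ == "__main__":
    # Constructed pairs (router WAN address, address seen from outside).
    for wan, outside in (("100.64.12.3", "100.128.0.1"),   # classic CGNAT
                         ("192.168.1.2", "8.8.8.8"),        # double NAT
                         ("8.8.8.8", "8.8.8.8")):           # real public address
        print(wan, classify(wan), "yours" if wan_address_is_yours(wan, outside) else "shared")
```

The WAN address comes from the router's status page; the outside view from any service that echoes the client address. With the port-range sharing described above, the same test applies: the address is public but several subscribers answer to it, so only the source port would single out one home.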

So you only use these services on a local network? Not through the internet?

May I ask why you want and/or need a certificate? Untrustworthy room mates or something? :stuck_out_tongue:

Haha, yes you might argue that it’s not really needed. Definitely not life-or-death or anything. As far as I know my cohabitants (which are my wife and a 7-month-old) are not bad actors I should be wary about :stuck_out_tongue:. But both my browser and my password manager complain rather heavily if I log in (e.g. to my NAS) and transfer credentials over an insecure connection, so I decided to improve on this and ended up with what I described above…

Surely Let’s Encrypt, whose mission it is to encrypt the web, can understand this :wink:

1 Like

I agree, encryption might be unnecessary in your case, but that’s no reason not to use it!

1 Like

But… back on topic - no changes or announcements w.r.t. public IP publishing policy compared to the first 2 topics that I referred to?

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.