Register IP as SAN for my Domain


#1

I registered a domain, and I have the server’s IP redirect to the domain name when requested over HTTP. If someone hits the server using the IP via HTTPS, they get a privacy error, since the TLS handshake occurs before the redirect. Is it possible to have the cert also specify the IP as a valid name for the server, or is this against LE issuance policy? I can’t seem to find a post or anything referring to this in the documentation.


#2

Let’s Encrypt currently only issues certificates for domain names. I don’t think there are any plans to change that as of now.

Proof of ownership for IP addresses is probably harder to demonstrate in an automated fashion, compared to domain names.


#3

Yeah, I suspected as much. I’ll just ignore the issue. I wouldn’t really be bothering with SSL if it were not for LE. Thanks for the answer.


#4

Proof of ownership via DNS auth would not be easy, but proof of ownership via http://ip.ip.ip.ip/acme-protocol-path should be no more difficult than for any other name wanted for a SAN cert covering all the URLs on a web server.


#5

Right, but IP ownership is probably defined in a different context than domain ownership. Getting a DHCP lease for a dynamic IP for 24 hours, or a new IP whenever you reset your modem, is not quite the same thing as owning that IP. It would be significantly easier to acquire certificates for a large range of IP addresses that don’t actually belong to you after your next modem reset, and I’m not quite sure how other CAs handle this in general (CA/B Baseline Requirements aren’t really all that explicit on this matter either).

Then there’s also the fact that in pretty much every context I can think of where you’d prefer to connect to IPs instead of domain names, you might as well be using your own CA certificate and only trust that one, since it would almost always be some kind of programmatic access.

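As an added example (not code from this thread, from Let’s Encrypt, or from any poster), here is what the private-CA route mentioned above looks like in practice: a throwaway CA issues a server certificate whose SAN carries both the hostname and the IP address, so a client that trusts only that CA can connect to the IP over HTTPS without a name mismatch. The second, DNS-only certificate shows what a public CA issues today. Only the openssl CLI is required; the CA name, example.test and 192.0.2.10 (TEST-NET-1) are made-up values.

```shell
#!/bin/sh
# Added example, not from the original thread or from Let's Encrypt.
# A private CA issuing a leaf cert with DNS and IP SAN entries, plus a
# DNS-only leaf for contrast. Assumes only the openssl CLI is installed.
# All names are made up: "Example Private CA", example.test, 192.0.2.10.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so nothing here depends on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# 1. Self-signed private CA: the single trust anchor the clients get.
make_ca() {
    openssl req -x509 -config "$WORK/req.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Example Private CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# 2. Issue a server (leaf) cert signed by the CA.
#    $1 = CN, $2 = subjectAltName value, $3 = output basename
issue_cert() {
    cn="$1"; san="$2"; out="$3"
    cat > "$WORK/$out.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $san
EOF
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$cn" -keyout "$WORK/$out.key" -out "$WORK/$out.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -CAcreateserial \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -in "$WORK/$out.csr" -extfile "$WORK/$out.ext" \
        -out "$WORK/$out.pem" 2>/dev/null
}

# 3. Chain check: does the leaf verify against the private CA?
chains_to_ca() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# 4. SAN checks via the text dump (works on every OpenSSL version).
#    The "(,|$)" anchor makes 192.0.2.10 reject 192.0.2.100.
san_has_ip() {
    openssl x509 -in "$WORK/$1.pem" -noout -text | grep -Eq "IP Address:$2(,|$)"
}
san_has_dns() {
    openssl x509 -in "$WORK/$1.pem" -noout -text | grep -Eq "DNS:$2(,|$)"
}

make_ca
issue_cert example.test "DNS:example.test, IP:192.0.2.10" both    # what the poster wants
issue_cert example.test "DNS:example.test" dnsonly                 # what a public CA issues today

echo "SAN of both.pem:"
openssl x509 -in "$WORK/both.pem" -noout -text | grep -E 'DNS:|IP Address:'
echo "SAN of dnsonly.pem:"
openssl x509 -in "$WORK/dnsonly.pem" -noout -text | grep -E 'DNS:|IP Address:'
```

A client configured with ca.pem as its only trust store (for example `openssl s_client -CAfile ca.pem -verify_ip 192.0.2.10 -connect 192.0.2.10:443`) accepts both.pem when connecting by IP, while dnsonly.pem produces exactly the name-mismatch warning described in the question. Because the CA is private, the "who owns this IP" problem a public CA would face does not arise: you decide which addresses go into the SAN, and you rotate the leaf when the address changes.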

#6

Well, yes, if and only if the cert was for just an IP. But if it’s a SAN cert (for example), it does mean that the cert can cover all possible names that could have been used to connect to the site, even if, like most of ours, when you try the IP you get redirected to another site/page listing the valid names you should have used instead (but at least with the IP in the SAN this does not require clicking through several cert error warnings to move onward). It should be possible to authenticate whether an IP is dynamic or static fairly easily, at least for users like me with correct whois/fqrdns etc., all with a long and verifiable history.

But I do think the point about dynamic IPs is well made and should be a reason to limit their availability to, say, SAN certs after X trouble-free renewals, for example.

Because yes, IP ownership can change, but this is true of names also, and the short lifetime of the certs (and the limited usefulness of a cert for an IP you no longer control) are both quite limiting.

