Signing Certificate with SAN IP.1 public IP inside

I have a service that runs on a machine-to-machine basis behind a private APN.
There is a strict requirement to use a public-authority certificate to encrypt non-HTTP traffic.

The problem is that communication works on a public IP, not on a domain name.
I'm trying to run certbot with my own CSR, whose alternative names section has one DNS.1 entry and one IP.1 entry with the PUBLIC IP inside.
Unfortunately certbot screams that this IP is not allowed there.
Is it by design, or am I doing something wrong?
The CSR for a config without IP.1 works well.

certbot.exe certonly --manual --preferred-challenge dns --csr mydomain.csr
Saving debug log to C:\Certbot\log\letsencrypt.log
Requesting a certificate for and <hidden_alternativesubdomainname>
An unexpected error occurred:
The request message was malformed :: NewOrder request included invalid non-DNS type identifier: type "ip", value "83.x.y.z"

Regards,
Grzegorz

That's not certbot's error; that's the LE side throwing the error.
IIRC ZeroSSL's web interface supports IP addresses but their ACME interface does not, but you will have to pay them to put multiple domains in by web.

2 Likes

It is by design; Let's Encrypt does not (at least currently) issue certificates for IP addresses. There are a couple of ways to address this, the simplest likely being to get a cert from a CA that does issue such certs. A better way to go, IMO, would be to use FQDNs rather than IP addresses.

4 Likes
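The error in the question is the CA's ACME endpoint rejecting the `ip` identifier that certbot derived from the `IP.1` SAN entry in the CSR. One way to catch this before submitting an order is to map the SAN entries to ACME identifier types and compare them against what the target CA accepts. The script below is an added example, not code from the original thread, certbot or Let's Encrypt: the `[alt_names]` fragment, the host name, the documentation-range IP and the `hypothetical-ip-capable-ca` entry are constructed placeholders, and the per-CA sets are assumptions for illustration (Let's Encrypt's `dns`-only behaviour is what the error above shows).

```python
"""Pre-flight check: which SAN entries will an ACME CA accept as identifiers?"""
import ipaddress
import re

# Assumed identifier support per CA. Let's Encrypt currently accepts only
# "dns" identifiers, as the NewOrder error in the thread shows; the second
# entry is a hypothetical CA used only to illustrate the comparison.
SUPPORTED_IDENTIFIER_TYPES = {
    "letsencrypt": {"dns"},
    "hypothetical-ip-capable-ca": {"dns", "ip"},
}

# Loose RFC 1123 host name check (labels of 1-63 chars, no leading/trailing '-').
_HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)


def parse_san_config(text):
    """Parse openssl.cnf-style [alt_names] lines such as 'DNS.1 = example.com'.

    Returns a list of (kind, value) tuples in file order; kind is 'DNS' or 'IP'.
    Comments after '#' and section headers are ignored.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        kind = key.split(".", 1)[0].upper()
        if kind in ("DNS", "IP"):
            entries.append((kind, value))
    return entries


def to_acme_identifiers(entries):
    """Map SAN entries to ACME newOrder identifiers ({"type": ..., "value": ...}).

    An IP literal is reported as an 'ip' identifier even if it was written as a
    DNS.n entry, because that is how the CA would have to treat it.
    """
    identifiers = []
    for kind, value in entries:
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            ip = None
        if ip is not None:
            identifiers.append({"type": "ip", "value": str(ip)})
            continue
        if kind == "IP":
            raise ValueError(f"IP.n entry is not a valid IP address: {value!r}")
        if not _HOSTNAME_RE.match(value):
            raise ValueError(f"not a valid host name: {value!r}")
        identifiers.append({"type": "dns", "value": value.rstrip(".").lower()})
    return identifiers


def check_for_ca(entries, ca):
    """Return (ok, rejected): rejected lists identifiers the CA will not accept."""
    allowed = SUPPORTED_IDENTIFIER_TYPES[ca]
    identifiers = to_acme_identifiers(entries)
    rejected = [ident for ident in identifiers if ident["type"] not in allowed]
    return (not rejected, rejected)


# Constructed sample mirroring the post: one DNS name plus one public IP.
# 203.0.113.10 is a documentation-range placeholder standing in for 83.x.y.z.
SAMPLE_ALT_NAMES = """
[alt_names]
DNS.1 = service.example.com   # placeholder host name
IP.1  = 203.0.113.10          # placeholder for the real public IP
"""

if __name__ == "__main__":
    entries = parse_san_config(SAMPLE_ALT_NAMES)
    ok, rejected = check_for_ca(entries, "letsencrypt")
    if ok:
        print("all identifiers acceptable to this CA")
    for ident in rejected:
        print(f"CA would reject identifier type {ident['type']!r}: {ident['value']}")
```

Run it against the real `[alt_names]` section before calling certbot; if any identifier comes back rejected for the chosen CA, the order will fail for the same reason as in the thread, and the fix is either to drop the IP entry and use a FQDN or to pick a CA that issues for IP identifiers.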
