I have virtual server from hosting provider that support manual entering ssl certificates using directAdmin but no automatic lensencrypt support. A while ago I was trying to add certificate but certbot was looking at some port for the ip address and found Certificate of the hosting provider and certbot failed.
And few days ago I purchased unique IP address for my virtual server and successfully installed certificate but I’ve used --prefered-challanges http, I don’t remember if I’ve used this option the time when the IP check was failing.
Is unique IP address and correct certificate for IP really needed or does the http option make certbot only check for .well-know directory file?
Unique IP is not actually needed, I think you were using one of the TLS methods to verify. However, the best method to use on a shared hosting is HTTP or DNS verification.
In conclusion: If you have HTTP method you won’t need a unique IP.
A bit more nuance:
If an IP address has more than one web site on it, somehow the server software must figure out which site is meant. For plain HTTP, this is done by a very old feature called the Host header which was standardized in HTTP/1.1 but is actually older.
But for HTTPS this isn’t enough, the problem is that to set up the HTTPS connection a server needs to know immediately which site you wanted, so it can present the certificate for that site. Otherwise we haven’t secured anything at all. There is no way to do this from the HTTP layer, that’s too late. The only thing a server knows in time is the IP address being connected to, so for years you needed a dedicated IP address in order to do HTTPS.
So, a technology called Server Name Indication (SNI) was invented. With SNI the user agent (web browser) tells the server when it connects “Oh, by the way I want www.example.com” before any encryption happens, the right certificate can be presented and everything works even with many sites on an IP address.
But, SNI is relatively new, not so new that it doesn’t work in any popular web browser today, but new enough that some older systems (e.g. Internet Explorer on Windows XP) and non-browsers (e.g. older Python versions) can’t do it.
For most web sites this isn’t a problem you can rely on SNI. Certainly if you have a blog, or a typical web site with users who tend to have newer software, it’s not a problem at all. An IP address doesn’t hurt, but it won’t help much either. Sites which focus on users in poorer countries, in deprived areas or the technology “misfits” might need to consider a dedicated IP address still, and so might sites for use by software other than web browsers. As the years pass, the need for dedicated IP addresses should continue to decline.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.