When will Let's Encrypt's IP certificates be officially launched?

Now that GA for shortlived and ip address certs has been delayed, can I get early access? My account URI is https://acme-v02.api.letsencrypt.org/acme/acct/2728573601

You should already have access. Short lived certificates are available to everyone now; it's the switch to the Gen Y root hierarchy that's delayed. If you're running into issues, I suggest making a post in the Help section of this forum.

I suppose I should've checked - it works great! Sorry for the noise.

So how do I use it? this is my first time attempting to get a certificate so I'm probably doing something very stupid but no matter what I run I get:
Requested name <IP> is an IP address. The Let's Encrypt certificate authority will not issue certificates for a bare IP address.

I tried:
sudo certbot --nginx -d <IP>
sudo certbot --nginx --staging -d <IP>
sudo certbot --nginx --staging --preferred-profile shortlived -d <IP>

All yielded the same result.
I also tried with no arguments other than --nginx but same result.
What am I doing wrong here?

Certbot doesn't support IP certificates yet. You'll have to use a different ACME client that does.

(post deleted by author)

FYI for those who want to use this now, acme.sh supports using both IPv4 and IPv6 addresses like this:

acme.sh --issue \
  -d IPV4_ADDRESS_HERE \
  -d IPV6_ADDRESS_HERE \
  --standalone \
  --server letsencrypt \
  --certificate-profile shortlived \
  --days 3

Let's Encrypt actually recommends renewing short-lived certs about half-way through their life. This is somewhat hidden in the Integration Guide. Might be helpful to have it referenced in the Profiles page too.

When to Renew: Integration Guide - Let's Encrypt

LE also recommends ACME Clients use ARI (ACME Renewal Information) and to check it at least twice / day.

I am pretty sure acme.sh does NOT support ARI.

And, I might be wrong but it looks like --days is how many days after cert creation the renewal occurs. If so, that may be problematic as cert lifetimes shrink to 45 days with its default of 60. And, if so perhaps for shortlived LE certs a --days value of 4 is more appropriate for acme.sh since it looks like it does it a day before. So, better to renew mid-way than just after 1/3 of its life is left. I'm not an acme.sh expert so will happily stand corrected by one

In acme.sh wiki's Profile selection page

Important: Certificate Lifetime and --days

Some profiles may reduce the validity period of the certificate (e.g. 160 hours lifetimes instead of 90 days).

When using such profiles, you should also set the --days parameter to ensure that acme.sh renews the certificate early enough:

acme.sh --issue --server letsencrypt -d 203.0.113.195 \
        -w /home/username/public_html \
        --certificate-profile shortlived \
        --days 3

It is suggesting 3days, if the cron frequent enough, will the renew time fit in the ARI window?

The ARI renewal window is provided by the CA ACME Server after the ACME Client calls the ARI endpoint.

I couldn't find any reference in acme.sh docs or code that it supports ARI. You wouldn't need to have a --days option if it supported ARI.

The ARI window may vary based on the CA needs, possible pending CA revocations, or other CA factors.

I know what ARI is, besides revocation or other changes, will this setting coincidentally in Let's Encrypt’s ARI window? Currently Let's Encrypt’s ARI window is nearing 3 days left for the certificate lifetime.

while ARI will catch it still need to have a sane fallback schedule, otherwise hardcoded fail date of 30 days before expirey / 60 days after notbefore are both cause downtime or renewal every cronjob when ARI fails

Yes, good point. I've modified my post thanks

I’m using Lego to issue certificates and it works great

The only pain point for me is the rate limits.

I’m using short-lived certificates and set up a cron job to issue a new certificate every day. However, that quickly runs into the limit of max. 5 certificates per week for the exact same set of SANs.

Issuing a new certificate only every 2 days reduces the risk of hitting the limit, but it increases operational risk: if there’s an outage at Let’s Encrypt or on my own server at the time of issuance, I might end up without a valid certificate.

So, it would be very helpful if the rate limits for the short-lived certificate profile could be increased (or adjusted), since this use case is exactly about frequent renewals.

Thanks for the feedback. We are considering changing this rate limit to allow more duplicate certificates per week, but for now, yes you'll have to renew every 2 days.

The current limit is one duplicate cert per 34 hours. If you can schedule your job to run every 34 hours instead of every 24, you get the maximum current time.

The other thing that I think every system using short-lived certs should be using (really every production system regardless of using short-lived certs) is having active certs from more than one CA.

What's the purpose of this daily issuing of the same cert over and over again? I don't think LE recommends to renew a short-lived cert every 24 hours?

Don't renew every day. Renew at two-thirds of certificate lifetime, which for shortlived's 160 hour certificates is 4.5 days.

For short-lived certificates, we expect some users may want to renew sooner to ensure there’s more leeway for availability issued on renewal.

For shortlived they recommend renew at half time