6-Day and IP Address Certificates Are Generally Available

I wonder if the support made it to Caddy yet

(seems to be WIP https://github.com/caddyserver/caddy/issues/7399)

Work for this in Certbot is ongoing here, with some initial work already merged, but much to go. https://github.com/certbot/certbot/issues/10346

https://github.com/certbot/certbot/pull/10370 showed that a proof of concept is viable with relatively few changes, though it was vibe coded and abandoned (but at least the submitter did so in good faith and collaboratively) :/ Change management and backwards compatibility seem to be the main considerations at the moment.

Thank you for posting the lego command!

It allowed me to quickly obtain a couple of IP certificates to test with. I updated my simple TLS certificate checker (https://certcheck.sh) to support checking IP certificates (IPv4 only for now).

OpenSSL is quite particular about the IP address being included in the SAN field of the cert when making a TLS connection, fwiw. iOS engineers may not have explicitly added this requirement and it might just be a side effect of using a crypto library.

I use DoH behind a reverse proxy with my own domain daily without any kind of issue

> 8 lets me refresh weekly and have a fixed day of the week to check whether there was some API 429 timeout

There’s your answer.

6 days means on a long enough enough timeframe the load will end up evenly distributed across a week.

8 days would result in things getting hammered on specific days of the week.

Worry not, cause it's not 6 days (144 hours), it is 6-ish days: 160 hours

And 160 is the sum of the first 11 primes, as well as the sum of the cubes of the first three primes!

Because it allows to you to work for six days, and rest on the seventh. Like God did.

It's actually 6 and 2/3rds! I'm trying to figure out a rationale for 160 hours and similarly coming up empty, if anyone knows I'd be interested.

200 would be a nice round number that gets you to 8 1/3 days, so it comes with the benefits of weekly rotation.

Six is the smallest perfect number. Perfection is key here.

Why not refresh daily?

The are some great points

'Automated Certificate Management Environment (ACME) Extensions for ".onion" Special-Use Domain Names'

* https://datatracker.ietf.org/doc/html/rfc9799

* https://acmeforonions.org

* https://onionservices.torproject.org/research/appendixes/acm...

But isn't it unnecessary to use https, since tor itself encrypts and verifies the identity of the endpoint?

Some ACME clients that I think currently support IP addresses are acme.sh, lego, traefik, acmez, caddy, and cert-manager. Certbot support should hopefully land pretty soon.

Maybe but probably not. Various always-on , SDN, or wide scale site-to-site VPN schemes are deployed widely enough for long enough now that it's expected infrastructure at this point.

Even getting people to use certificates on IPSEC tunnels is a pain. Which reminds me, I think the smallest models of either Palo Alto or Checkpoint still have bizarre authentication failures if the certificate chain is too long, which was always weird to me because the control planes had way more memory than necessary for well over a decade.

Is IPsec still relevant ?

IPSec is terrible, huge, and messy standard that company that made it took 20 years to stop getting CVE every year

The short-lived requirement seems pretty reasonable for IP certs as IP addresses are often rented and may bounce between users quickly. For example if you buy a VM on a cloud provider, as soon as you release that VM or IP it may be given to another customer. Now you have a valid certificate for that IP.

6 days actually seems like a long time for this situation!

> Are IP addresses more transient than a domain within a 45 day window? The static IPs you get when you rent a vps, they're not transient.

They can be as transient as you want. For example, on AWS, you can release an elastic IP any time you want.

So imagine I reserve an elastic IP, then get a 45 day cert for it, then release it immediately. I could repeat this a bunch of times, only renting the IP for a few minutes before releasing it.

I would then have a bunch of 45 day certificates for IP addresses I don't own anymore. Those IP addresses will be assigned to other users, and you could have a cert for someone else's IP.

Of course, there isn't a trivial way to exploit this, but it could still be an issue and defeats the purpose of an IP cert.

The push for shorter and shorter cert lifetimes is a really poor idea, and indicates that the people working on these initiatives have no idea how things are done in the wider world.

It's less about IP address transience, and more about IP address control. Rarely does the operator of a website or service control the IP address. It's to limit the CA's risk.

> Are IP addresses more transient than a domain within a 45 day window?

If I don't assign an EIP to my EC2 instance and shut it down, I'm nearly guaranteed to get a different IP when I start it again, even if I start it within seconds of shutdown completing.

It'd be quite a challenge to use this behavior maliciously, though. You'd have to get assigned an IP that someone else was using recently, and the person using that IP would need to have also been using TLS with either an IP address certificate or with certificate verification disabled.

> If something goes wrong, like the pipeline triggering certbot goes wrong, I won't have time to fix this. So I'd be at a two day renewal with a 4 day "debugging" window.

I think a pattern like that is reasonable for a 6-day cert:

- renew every 2 days, and have a "4 day debugging window" - renew every 1 day, and have a "5 day debugging window"

Monitoring options: https://letsencrypt.org/docs/monitoring-options/

This makes me wonder if the scripts I published at https://heyoncall.com/blog/barebone-scripts-to-check-ssl-cer... should have the expiry thresholds defined in units of hours, instead of integer days?

You should probably be running your renewal pipeline more frequently than that: if you had let your ACME client set itself up on a single server, it would probably run every 12h for a 90-day certificate. The ACME client won't actually give you a new certificate until the old one is old enough to be worth renewing, and you have many more opportunities to notice that the pipeline isn't doing what you expect than if you only run when you expect to receive a new certificate.

If you are doing this in a commercial context and the 4 day debugging window, or any downtime, would cause you more costs than say, buying a 1 year certificate from a commercial supplier, then that might be your answer there...

What worries me more about the push for shorter and shorter cert terms instead of making revoking that works is that if provider fails now you have very little time to switch to new one

>I won't have time to fix this

Which should push you to automate the process.

I recently migrated to a wildcard (*.home.example.com) certificate for all my home network. Works okay for many parts. However requires a public DNS server where TXT records can be set via API (lego supports a few DNS providers out of the box, see https://go-acme.github.io/lego/dns/ )

I recently found this, might help someone here. Genius solution. https://sslip.io/

If you have non-public IPs you need certs for you should set up a non-public certificate authority and issue your own certs for them.

One can also use a private CA for that scenario.

IPv6? You wouldn’t even need to expose the actual endpoints out on the open internet. DNAT on the edge and point inbound traffic on a VM responsible for cert renewals, then distribute to the LAN devices actually using those addresses.

>so still no way to support TLS for LAN devices without manual setup or angering security researchers.

Arguably setting up letsencrypt is "manual setup". What you can do is run a split-horizon DNS setup inside your LAN on an internet-routable tld, and then run a CA for internal devices. That gives all your internal hosts their own hostname.sub.domain.tld name with HTTPS.

Frankly: it's not that much more work, and it's easier than remembering IP addresses anyway.

I mean if it's not routable how do you want to prove ownership in a way nobody else can? Just make a domain name.

What do you mean by 'LAN', everything should be routable globally with IPv6 decade ago anyway /s

One thing this can be useful for is encrypted client hello (ECH), the way TLS/HTTPS can be used without disclosing the server name to any listening devices (standard SNI names are transmitted in plaintext).

To use it, you need a valid certificate for the connection to the server which has a hostname that does get broadcast in readable form. For companies like Cloudflare, Azure, and Google, this isn't really an issue, because they can just use the name of their proxies.

For smaller sites, often not hosting more than one or two domains, there is hardly a non-distinct hostname available.

With IP certificates, the outer TLS connection can just use the IP address in its readable SNI field and encrypt the actual hostname for the real connection. You no longer need to be a third party proxying other people's content for ECH to have a useful effect.

The July announcement for IP address certs listed a handful of potential use cases: https://letsencrypt.org/2025/07/01/issuing-our-first-ip-addr...

No dependency on a registrar sounds nice. More anonymous.

Yeah actually seems pretty useful to not rely on the name server for something that isn't human facing.

> I am guessing the use case for ip address certs is so your ephemeral services can do TLS communication

There's also this little thing called DNS over TLS and DNS over HTTPS that you might have heard of ? ;)

Maybe you want TLS but getting a proper subdomain for your project requires talking to a bunch of people who move slowly?

It's a requirement from the Chrome root program. This page is probably the best resource on why they want this: https://googlechrome.github.io/chromerootprogram/moving-forw...

One reason is that the client certificate with id-kp-clientAuth EKU and a dNSName SAN doesn't actually authenticate the client's FQDN. To do that you'd have to do something of a return routability check at the app layer where the server connects to the client by resolving its FQDN to check that it's the same client as on the other connection. I'm not sure how seriously to take that complaint, but it's something.

Because Google doesn't want anyone using PKI for anything but simple websites

Because using a public key infrastructure for client certificate is terrible

mTLS is probably the only sane situation where private key infrastructure shall be used

It competes with "Sign in with Google" SSO.

* DoT/DoH

* An outer SNI name when doing ECH perhaps

* Being able to host secure http/mail/etc without being beholden to a domain registrar

No, they will only give out certificates if you can prove ownership of the IP, which means it being publicly routable.

Browsers consider ‘localhost’ a secure context without needing https

For local /network/ development, maybe, but you’d probably be doing awkward hairpin natting at your router.

What's stopping you from creating a "localhost.mydomain.com" DNS record that initially resolves to a public IP so you can get a certificate, then copying the certificate locally, then changing the DNS to 127.0.0.1?

Other than basically being a pain in the ass.

The websites for DNS servers known by IP? https://1.1.1.1/ presents a valid cert although it redirects.

No additional risk IMHO. If you can hijack my service IPs, you can establish control over the IPs or the domain names that point to them. (If you can hijack my DNS IPs, you can often do much more... even with DNSSEC, you can keep serving the records that lead to IPs you hijacked)

That is a very old article that seems to be outdated now.

The Internet is for End Users https://datatracker.ietf.org/doc/html/rfc8890

>Successful specifications will provide some benefit to all the relevant parties because standards do not represent a zero-sum game. However, there are sometimes situations where there is a conflict between the needs of two (or more) parties.

>In these situations, when one of those parties is an "end user" of the Internet -- for example, a person using a web browser, mail client, or another agent that connects to the Internet -- the Internet Architecture Board argues that the IETF should favor their interests over those of other parties.

Incorporated entities are just secondary users.

With a 6 day lifetime you'd typically renew after 3 days. If Lets Encrypt is down or refuses to issue then you'd have to choose a different provider. Your browser trusts many different "top of the chain" providers.

With a 30 day cert with renewal 10-15 days in advance that gives you breathing room

Personally I think 3 days is far too short unless you have your automation pulling from two different suppliers.

We've supported it for about a year!

Domains map one-to-one with registrars, but multiple AS can be using the same IP address.

1) For better or worse, code signing certificates are expected to come with some degree of organizational verification. No one would trust a domain-validated code signing cert, especially not one which was issued with no human involvement.

2) App stores review apps because they want to verify functionality and compliance with rules, not just as a box-checking exercise. A code signing cert provides no assurances in that regard.

I see how this would be useful once we take binary signing for granted. It would probably even be quite unobjectionable if it were simply a domain binding.

However, the very act of trying to make this system less impractical is a concession in the war on general purpose computing. To subsidize its cost would be to voluntarily loose that non-moral line of argument.

Would be cool. But since they’re a non-profit, they would need some way to make it scalable.