Let's Encrypt issued its first certificate for a raw IP address on July 1, 2025, after spending a decade telling subscribers "not yet." The feature is now generally available, and certificates come with the same 6-day validity as the short-lived domain certificates they rolled out earlier.
Why IP Certificates Took This Long
First, IP addresses are the numerical backbone of the Internet, but they're terrible identifiers for certificates. A domain name like letsencrypt.org stays stable even when the underlying server moves to a different cloud provider. An IP address can change overnight, especially on residential or dynamic connections where the ISP recycles addresses without notice. Let's Encrypt needed short-lived certificate automation to make IP certs practical: without 6-day validity, a certificate issued to a dynamic IP would stay valid long after the address had been reassigned, leaving a window of mis-issuance.
Second, "ownership" of an IP address is a weaker notion than ownership of a domain. Certificate authorities need to verify control, and while ACME can validate domain ownership via DNS, IP address validation requires either BGP routing or reverse DNS setup, which most operators don't bother with. Let's Encrypt waited until its ACME infrastructure could handle that cleanly.
Where You'd Actually Use an IP Address Certificate
Most subscribers won't need IP certs - your domain name cert works fine. Three use cases actually matter:
- Default pages for hosting providers. When someone pastes a raw IP into a browser, the server couldn't serve a publicly-trusted TLS certificate for that IP. Now it can, eliminating the dreaded certificate error on a host's landing page.
- DNS over HTTPS (DoH) resolvers. A DoH server needs to prove its identity to clients. An IP certificate lets a resolver present a publicly-trusted cert without requiring a domain name at all, which makes it easier for privacy-conscious resolvers to enforce strict certificate validation.
- Infrastructure without a domain name. If you run a dedicated server, IoT gateway, or VPN endpoint that only lives on an IP, you can now get TLS automatically. No more self-signed certificates or buying expensive certs from the handful of CAs that offered IP certs before.
What This Means for Infrastructure Operators
Let's Encrypt's ACME client already supports IP address validation via the --http-01 or --tls-alpn-01 challenges, but you'll need a stable IP or at least one that doesn't rotate faster than 6 days. The 6-day window aligns with the existing short-lived certificate pipeline, so operators who already automate certificate renewal for domains can extend that automation to IPs with minimal configuration changes.
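As an added example (not Let's Encrypt's or any ACME client's code) of what the IP identity and the 6-day window look like on the verifying side, this Go program builds a constructed self-signed certificate for the documentation address 203.0.113.10, confirms that a client matches the address against the iPAddress SAN only, and applies an assumed "renew once a third of the lifetime remains" rule that a renewal cron job could use.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeIPCert: constructed self-signed stand-in for a CA-issued IP certificate.
func makeIPCert(ip net.IP, lifetime time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    now,
		NotAfter:     now.Add(lifetime),
		IPAddresses:  []net.IP{ip}, // iPAddress SAN: the only place verifiers look for an IP
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// matchesIP reports whether cert is valid for the IP literal (SAN match only, never CN).
func matchesIP(cert *x509.Certificate, ip string) bool {
	return cert.VerifyHostname(ip) == nil
}

// renewDue: assumed rule for short-lived certs, renew once a third of the lifetime remains.
func renewDue(cert *x509.Certificate, now time.Time) bool {
	return cert.NotAfter.Sub(now) <= cert.NotAfter.Sub(cert.NotBefore)/3
}

func main() {
	cert, err := makeIPCert(net.ParseIP("203.0.113.10"), 6*24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println(matchesIP(cert, "203.0.113.10"), matchesIP(cert, "203.0.113.11"), renewDue(cert, cert.NotBefore.Add(5*24*time.Hour)))
}
```

For a six-day certificate the rule fires with two days left, so a renewal job that runs daily still has a full day of slack before expiry.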
For the DoH crowd, this is the missing piece. Quad9, Cloudflare, and Google already run DoH resolvers on fixed IPs. With publicly-trusted IP certificates now automated, a resolver can advertise its IP in DNS and have clients validate the cert against that IP directly, bypassing the domain-name chain entirely. Expect to see more resolvers add raw IP endpoints in the next release cycle.
Let's Encrypt's move closes a hole that has existed since the Web PKI was designed around domain names, and the combination of 6-day validity and ACME automation makes IP certificates finally worth the operational cost for anyone who needs them.
Source: Let's Encrypt now issuing 6-day IP address certificates
Domain: letsencrypt.org