Get IP Address & 6-Day Certificates with Certbot 5.3+ | Let’s Encrypt & EFF

by Anika Shah - Technology

Let’s Encrypt Now Supports IP Address and Short-Lived Certificates with Certbot

Let’s Encrypt, the widely used certificate authority, now issues IP address and six-day certificates to the public. The Electronic Frontier Foundation’s (EFF) Certbot team has released updates to support these new features, specifically the --preferred-profile flag in Certbot 4.0 and the --ip-address flag in Certbot 5.3. These improvements enable users to obtain IP address certificates using Certbot.

Obtaining IP Address Certificates with Certbot

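To acquire an IP address certificate using Certbot, ensure you have version 5.4 or higher installed (for webroot support with IP addresses). The command to request a certificate is shown below; replace <WEBROOT_PATH> with the filesystem path your web server serves files from and <IP_ADDRESS> with the address the certificate is for:

sudo certbot certonly --staging --preferred-profile shortlived --webroot --webroot-path <WEBROOT_PATH> --ip-address <IP_ADDRESS>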

Important Considerations:

  • The --staging flag requests a non-trusted certificate from the Let’s Encrypt staging server. Remove this flag for a publicly trusted certificate.
  • The --preferred-profile shortlived flag requests a certificate valid for six days, a requirement for IP address certificates from Let’s Encrypt.

Current Limitations

Currently, Certbot only supports getting IP address certificates, not automatically installing them in your web server. After obtaining the certificate, you must manually configure your web server to load the new certificate from /etc/letsencrypt/live/<certificate name>/fullchain.pem and /etc/letsencrypt/live/<certificate name>/privkey.pem, where <certificate name> is the directory Certbot created for this certificate.

Certbot Plugins and IP Address Certificates

Besides the webroot plugin, two other plugins support IP address certificates:

  • --manual: Similar to webroot, but Certbot pauses for manual placement of the challenge response file or execution of a user-provided hook.
  • --standalone: Runs a simple web server to serve the challenge response. It requires temporarily stopping any existing web server listening on port 80.

The nginx and apache plugins do not yet support IP addresses.

Automatic Renewal

Ensure Certbot is configured for automatic renewal. While most installations handle this automatically, web server-specific installers may require a --deploy-hook to instruct your web server to load the latest certificates from disk. This can be configured using the certbot reconfigure command with the appropriate flags.
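
A deploy hook of the kind described above, as an added example that is not code from the original post or from the Certbot project. It assumes nginx managed by systemd; TEST_CMD and RELOAD_CMD are names chosen for this example, while RENEWED_LINEAGE is the variable Certbot exports to deploy hooks.

```shell
#!/bin/sh
# Added example: deploy hook for a Certbot-managed IP address certificate.
# Certbot exports RENEWED_LINEAGE (the /etc/letsencrypt/live/... directory of
# the certificate it just renewed) to deploy hooks.

# Assumptions: nginx under systemd. Override both for other web servers.
TEST_CMD="${TEST_CMD:-nginx -t}"
RELOAD_CMD="${RELOAD_CMD:-systemctl reload nginx}"

# Succeed only if the files the web server loads are present and the private
# key is not readable by other users.
check_lineage() {
    lineage="$1"
    [ -n "$lineage" ] || { echo "deploy-hook: RENEWED_LINEAGE is empty" >&2; return 2; }
    for f in fullchain.pem privkey.pem; do
        [ -s "$lineage/$f" ] || { echo "deploy-hook: missing or empty $lineage/$f" >&2; return 3; }
    done
    # -L follows the live/ symlink to the real key file in archive/.
    if [ -n "$(find -L "$lineage/privkey.pem" -perm -004 2>/dev/null)" ]; then
        echo "deploy-hook: $lineage/privkey.pem is world-readable" >&2
        return 4
    fi
    return 0
}

# Validate the new files, then the server configuration, then reload.
# A failure at any step leaves the running server untouched.
deploy() {
    check_lineage "$1" || return $?
    # Unquoted on purpose so "nginx -t" splits into command and argument.
    $TEST_CMD || { echo "deploy-hook: config test failed, not reloading" >&2; return 5; }
    $RELOAD_CMD || { echo "deploy-hook: reload failed" >&2; return 6; }
    echo "deploy-hook: reloaded web server with certificate from $1"
}

# Run only when invoked by Certbot (RENEWED_LINEAGE set); sourcing is a no-op.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy "$RENEWED_LINEAGE"
fi
```

To attach it to an existing certificate, pass the script's path to certbot reconfigure with --cert-name and --deploy-hook. Because six-day certificates renew every few days, the non-zero exit codes are worth alerting on.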

Where to Get Help

For assistance or to report issues, consult the Let’s Encrypt Community Forum.

Let’s Encrypt is a non-profit certificate authority run by the Internet Security Research Group (ISRG) that provides X.509 certificates for Transport Layer Security (TLS) encryption without charging fees. It is the world’s largest certificate authority, used by over 700 million websites, with the goal of creating a more secure and privacy-respecting web through the widespread adoption of HTTPS [Let’s Encrypt]. Certbot, a project of the Electronic Frontier Foundation (EFF), is a tool used to obtain these certificates [Certbot].
