This was also posted on EFF’s blog.
As we announced earlier this year, Let’s Encrypt now issues IP address and six-day certificates to the general public. The Certbot team at the Electronic Frontier Foundation has been working on two improvements to support these features: the --preferred-profile flag released last year in Certbot 4.0, and the --ip-address flag, new in Certbot 5.3. With these improvements together, you can now use Certbot to get those IP address certificates!
If you want to try getting an IP address certificate using Certbot, install version 5.4 or higher (for webroot support with IP addresses), and run this command:
sudo certbot certonly --staging \
  --preferred-profile shortlived \
  --webroot \
  --webroot-path <WEBROOT_PATH> \
  --ip-address <IP_ADDRESS>
Two things of note:
1. This will request a non-trusted certificate from the Let’s Encrypt staging server. Once you’ve got things working the way you want, run without the --staging flag to get a publicly trusted certificate.
2. This requests a certificate with Let’s Encrypt’s “shortlived” profile, which will be good for 6 days. This is a Let’s Encrypt requirement for IP address certificates.
As of right now, Certbot only supports getting IP address certificates, not yet installing them in your web server. There’s work to come on that front. In the meantime, edit your webserver configuration to load the newly issued certificate from /etc/letsencrypt/live/ and /etc/letsencrypt/live/.
The command line above uses Certbot’s “webroot” mode, which places a challenge response file in a location where your already-running webserver can serve it. This is nice since you don’t have to temporarily take down your server.
There are two other plugins that support IP address certificates today: --manual and --standalone. The manual plugin is like webroot, except Certbot pauses while you place the challenge response file manually (or runs a user-provided hook to place the file). The standalone plugin runs a simple web server that serves a challenge response. It has the advantage of being very easy to configure, but has the disadvantage that any running webserver on port 80 has to be temporarily taken down so Certbot can listen on that port. The nginx and apache plugins don’t yet support IP addresses.
You should also be sure that Certbot is set up for automatic renewal. Most installation methods for Certbot set up automatic renewal for you. However, since the webserver-specific installers don’t yet support IP address certificates, you’ll have to set a --deploy-hook that tells your webserver to load the most up-to-date certificates from disk. You can provide this --deploy-hook through the certbot reconfigure command using the rest of the flags above.
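Because a six-day certificate is renewed every few days, the deploy hook is the piece that decides whether your server actually keeps serving a valid certificate. The script below is an added example written for this post, not Certbot’s or Let’s Encrypt’s own code. It relies on one documented Certbot behaviour: a deploy hook is run after a successful renewal with RENEWED_LINEAGE set to the /etc/letsencrypt/live/<name> directory holding the fresh files. Everything else is an assumption made for the example: that the webserver is nginx or Apache, that the optional EXPECTED_IP variable is set by you in the hook’s environment, and that the script is installed as an executable file under /etc/letsencrypt/renewal-hooks/deploy/ (Certbot runs files placed there after every renewal) or registered with certbot reconfigure --deploy-hook.

```shell
#!/bin/sh
# Added example (not from the original post, not Certbot's own code): a
# --deploy-hook that checks the renewed IP address certificate and then reloads
# the webserver so it picks up the new files from disk.
#
# Certbot exports RENEWED_LINEAGE (documented): the live/<name> directory that
# now holds the renewed fullchain.pem and privkey.pem.
# EXPECTED_IP is a hypothetical variable for this example: set it (for example in
# the systemd timer's or cron job's environment) if you want the hook to refuse
# to reload when the certificate does not carry your IP address in its SAN.

# Return 0 when the lineage directory holds the two files a webserver loads.
lineage_is_ready() {
  dir="$1"
  [ -f "$dir/fullchain.pem" ] && [ -f "$dir/privkey.pem" ]
}

# Return 0 when the certificate's subjectAltName lists exactly this IP address.
# grep -w prevents a prefix match (203.0.113.1 must not match 203.0.113.10);
# -F keeps the dots in the address literal. If openssl is absent we cannot
# check, so say so loudly and let the caller decide.
cert_has_ip_san() {
  cert="$1"
  ip="$2"
  if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found; cannot verify SAN of $cert" >&2
    return 2
  fi
  openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -qwF "IP Address:$ip"
}

# Validate the configuration before reloading so a broken config never takes
# the running server down; fall through to an error if neither server exists.
reload_webserver() {
  if command -v nginx >/dev/null 2>&1; then
    nginx -t && nginx -s reload
  elif command -v apachectl >/dev/null 2>&1; then
    apachectl configtest && apachectl graceful
  else
    echo "no supported webserver found to reload" >&2
    return 1
  fi
}

deploy_main() {
  lineage="${RENEWED_LINEAGE:?RENEWED_LINEAGE is set by certbot when it runs this hook}"
  if ! lineage_is_ready "$lineage"; then
    echo "$lineage is missing fullchain.pem or privkey.pem; not reloading" >&2
    exit 1
  fi
  if [ -n "${EXPECTED_IP:-}" ]; then
    if ! cert_has_ip_san "$lineage/fullchain.pem" "$EXPECTED_IP"; then
      echo "renewed certificate does not list $EXPECTED_IP in its SAN; not reloading" >&2
      exit 1
    fi
  fi
  reload_webserver
}

# Only act when invoked by certbot; sourcing the file just defines the functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  deploy_main
fi
```

To register it after the certificate has been issued, use the reconfigure command the post mentions, e.g. sudo certbot reconfigure --cert-name <LINEAGE_NAME> --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/reload-ip-cert.sh (both the file name and the lineage name are placeholders for your own). Running sudo certbot renew --dry-run afterwards exercises the hook against the staging server without waiting for the six-day window to come around.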
We hope you enjoy using IP address certificates with Let’s Encrypt and Certbot, and as always if you get stuck you can ask for help in our Community Forum.