For years, if you wanted to secure a server that didn’t have a domain name, you were stuck in a digital “no man’s land.” You either paid a premium for a specialized certificate, or you forced your users to click through those ominous “Your connection is not private” warnings that look like a scene from a 90s hacking movie.
Let’s Encrypt has officially closed that gap. By moving short-lived certificates and IP address support into General Availability (GA), the internet’s most popular Certificate Authority is changing how we think about infrastructure security.
Why IP Certificates Matter (Finally)
In an ideal world, everything has a human-readable domain name. But reality is messy. Maybe you’re managing a fleet of IoT devices, configuring DNS-over-HTTPS (DoH) resolvers, or spinning up ephemeral backend microservices that communicate directly via IP.
Until now, Let’s Encrypt focused solely on Domain Name (FQDN) validation. If you only had an IP, you were essentially invisible to their automated systems. The new update allows you to issue publicly trusted certificates for both IPv4 and IPv6 addresses, provided they are public and routable.
The “Catch”: It’s a 6-Day Sprint
The most striking part of this rollout is the lifespan. These aren’t your typical 90-day certificates. IP address certificates must use the new short-lived profile, meaning they expire after exactly 160 hours (just over six days).
Why the rush? Let’s Encrypt cites two main reasons:
- IP Transience: Unlike domain names, which people tend to hold onto for years, IP addresses change hands constantly in cloud environments. A six-day window ensures that if an IP is reassigned, the old certificate becomes useless almost immediately.
- Killing Revocation: Traditional revocation methods (like OCSP and CRLs) are notoriously flaky. By making the certificate expire in less than a week, the need for a “kill switch” is largely eliminated. If a key is compromised, it’s only dangerous for a few days at most.
How it Works: The ACME “Shortlived” Profile
You can’t just run your old Certbot script and expect it to work. To get an IP certificate, your ACME client must support the ACME Profiles extension, and it has to explicitly request the shortlived profile when it creates the order.
Because DNS isn’t involved, you can’t use the DNS-01 challenge. Instead, you’re limited to:
- HTTP-01: Placing a token on your web server at port 80.
- TLS-ALPN-01: A specialized handshake on port 443.
The Death of Manual Management
If you’re the type of person who still renews certificates manually via a calendar reminder, this feature isn’t for you. Trying to manually renew a certificate every 144 hours is a recipe for a mental breakdown (and a broken website).
This move is a clear signal from the ISRG (the folks behind Let’s Encrypt) that the future of the web is fully automated. You need a robust client—like the latest versions of Certbot, acme.sh, or Lego—to handle the constant rotation in the background. If your automation fails for even 24 hours, you’re already halfway to an expiration crisis.
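To make the profile and challenge rules above concrete, and the renewal cadence the automation section implies, here is an added Python example (not Let’s Encrypt’s or any client’s code). It assumes a constructed directory response in which profiles are advertised under meta.profiles, and it treats the “renew at two thirds of the lifetime” threshold as a policy assumption of its own:

```python
import ipaddress
from datetime import datetime

# Constructed sample of GET /directory; the profiles extension lists them under meta.profiles.
DIRECTORY = {
    "newOrder": "https://acme.example/acme/new-order",
    "meta": {"profiles": {"classic": "90-day", "shortlived": "160-hour"}},
}

def identifier_type(value: str) -> str:
    """'ip' for a literal IPv4/IPv6 address, otherwise 'dns'."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "dns"

def validate_order(directory: dict, identifiers: list, profile: str) -> list:
    """Policy problems an order would hit, checked before anything is POSTed."""
    problems = []
    if profile not in directory.get("meta", {}).get("profiles", {}):
        problems.append(f"CA does not advertise profile {profile!r}")
    for value in identifiers:
        if identifier_type(value) != "ip":
            continue
        # Only public, routable addresses qualify. Note that Python's is_global
        # also rejects RFC 5737 documentation ranges such as 203.0.113.0/24.
        if not ipaddress.ip_address(value).is_global:
            problems.append(f"{value} is not a public, routable address")
        if profile != "shortlived":
            problems.append(f"{value} requires the shortlived profile")
    return problems

def build_new_order(directory: dict, identifiers: list, profile: str) -> dict:
    """JSON body for POST newOrder, carrying the extension's 'profile' field."""
    problems = validate_order(directory, identifiers, profile)
    if problems:
        raise ValueError("; ".join(problems))
    ids = [{"type": identifier_type(v), "value": v} for v in identifiers]
    return {"identifiers": ids, "profile": profile}

def allowed_challenges(identifier: dict) -> list:
    """dns-01 proves control of a DNS name, so IP identifiers cannot use it."""
    if identifier["type"] == "ip":
        return ["http-01", "tls-alpn-01"]
    return ["http-01", "dns-01", "tls-alpn-01"]

def renewal_due(not_before: datetime, not_after: datetime, now: datetime,
                fraction: float = 2 / 3) -> bool:
    """Assumed policy: renew once this fraction of the lifetime has elapsed."""
    return now >= not_before + (not_after - not_before) * fraction
```

With a 160-hour certificate the assumed threshold fires at roughly 107 hours, which leaves a window of about two days for a failed renewal job to be noticed and fixed.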
Who is this really for?
While the average WordPress blogger won’t care, this is a massive win for:
- DevOps Teams: Securing internal traffic between load balancers and backend nodes without managing a private CA.
- Hardware Manufacturers: Shipping devices that can be accessed securely via a local-but-public IP address right out of the box.
- Privacy Advocates: Running secure relays and nodes that don’t want the “paper trail” of a registered domain name.
It’s a demanding change that requires a tighter grip on your automation scripts, but the result is a web that’s harder to spoof and significantly more secure.