Certbot and Let's Encrypt Now Support IP Address Certificates

Electronic Frontier Foundation, Deeplinks Blog
By Jacob Hoffman-Andrews, March 11, 2026

(Note: This post is also cross-posted on the Let's Encrypt blog.)

As announced earlier this year, Let's Encrypt now issues IP address and six-day certificates to the general public. The Certbot team here at the Electronic Frontier Foundation has been working on two improvements to support these features: the --preferred-profile flag released last year in Certbot 4.0, and the --ip-address flag, new in Certbot 5.3. With these improvements together, you can now use Certbot to get those IP address certificates!
If you want to try getting an IP address certificate using Certbot, install version 5.4 or higher (for webroot support with IP addresses), and run this command:

    # WEBROOT_PATH and IP_ADDRESS are placeholders: your web server's
    # document root and the IP address you want the certificate for.
    sudo certbot certonly --staging \
        --preferred-profile shortlived \
        --webroot \
        --webroot-path WEBROOT_PATH \
        --ip-address IP_ADDRESS

Two things of note:

- This will request a non-trusted certificate from the Let's Encrypt staging server. Once you've got things working the way you want, run without the --staging flag to get a publicly trusted certificate.
- This requests a certificate with Let's Encrypt's "shortlived" profile, which will be good for 6 days. This is a Let's Encrypt requirement for IP address certificates.

As of right now, Certbot only supports getting IP address certificates, not yet installing them in your web server. There's work to come on that front. In the meantime, edit your webserver configuration to load the newly issued certificate from /etc/letsencrypt/live//fullchain.pem and /etc/letsencrypt/live//privkey.pem.

The command line above uses Certbot's "webroot" mode, which places a challenge response file in a location where your already-running webserver can serve it. This is nice since you don't have to temporarily take down your server.

There are two other plugins that support IP address certificates today: --manual and --standalone. The manual plugin is like webroot, except Certbot pauses while you place the challenge response file manually (or runs a user-provided hook to place the file). The standalone plugin runs a simple web server that serves a challenge response. It has the advantage of being very easy to configure, but has the disadvantage that any running webserver on port 80 has to be temporarily taken down so Certbot can listen on that port. The nginx and apache plugins don't yet support IP addresses.

You should also be sure that Certbot is set up for automatic renewal. Most installation methods for Certbot set up automatic renewal for you.
However, since the webserver-specific installers don't yet support IP address certificates, you'll have to set a --deploy-hook that tells your webserver to load the most up-to-date certificates from disk. You can provide this --deploy-hook through the certbot reconfigure command using the rest of the flags above.

We hope you enjoy using IP address certificates with Let's Encrypt and Certbot, and as always if you get stuck you can ask for help in the Let's Encrypt Community Forum.
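
A sketch of the deploy hook described above, added here as an example and not taken from the post or from Certbot itself. It assumes nginx managed by systemd and the openssl command-line tool; the function names and the CONFIG_TEST_CMD and RELOAD_CMD variables are illustrative. With six-day certificates a reload that fails unnoticed leaves an expired certificate in service within days, so the hook checks the renewed files and the server configuration before reloading and returns a distinct non-zero code for each failure.

```shell
#!/bin/sh
# Added example: deploy hook for a certificate obtained with --ip-address.
# Certbot exports RENEWED_LINEAGE (the live/ directory of the renewed
# certificate) to deploy hooks.
# Assumption, not from the post: nginx managed by systemd. Override
# CONFIG_TEST_CMD and RELOAD_CMD for a different web server.
CONFIG_TEST_CMD="${CONFIG_TEST_CMD:-nginx -t}"
RELOAD_CMD="${RELOAD_CMD:-systemctl reload nginx}"

# Print the PEM public key of a certificate ("cert") or private key ("key").
pubkey_of() {
    case "$1" in
        cert) openssl x509 -in "$2" -noout -pubkey 2>/dev/null ;;
        key)  openssl pkey -in "$2" -pubout 2>/dev/null ;;
    esac
}

# Verify the renewed files, then reload. Returns:
#   0 reloaded, 2 files missing, 3 cert/key mismatch,
#   4 server config invalid (no reload attempted), 5 reload failed.
deploy_ip_cert() {
    dic_dir="$1"
    if [ ! -s "$dic_dir/fullchain.pem" ] || [ ! -s "$dic_dir/privkey.pem" ]; then
        echo "deploy hook: certificate or key missing in $dic_dir" >&2
        return 2
    fi
    dic_cert_pub="$(pubkey_of cert "$dic_dir/fullchain.pem")" || true
    dic_key_pub="$(pubkey_of key "$dic_dir/privkey.pem")" || true
    # An empty result means openssl could not parse the file; treat as mismatch.
    if [ -z "$dic_cert_pub" ] || [ "$dic_cert_pub" != "$dic_key_pub" ]; then
        echo "deploy hook: privkey.pem does not match fullchain.pem" >&2
        return 3
    fi
    # Test the configuration before reloading so a broken config is caught here.
    if ! $CONFIG_TEST_CMD >/dev/null 2>&1; then
        echo "deploy hook: web server config test failed, not reloading" >&2
        return 4
    fi
    $RELOAD_CMD || return 5
}

# Run only when invoked by Certbot as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_ip_cert "$RENEWED_LINEAGE"
    exit $?
fi
```

Save the script somewhere root-owned and executable, and give its path as the --deploy-hook value.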