On 2025-07-02, Zack Newman <z...@philomathiclife.com> wrote:
> There was a thread[^1] early this year on @tech talking about this.
> The fact IP addresses could be issued an X.509 v3 certificate was not
> explicitly mentioned, but there was talk about short-lived certs and
> more generally the notion of "profiles".
>
> Stuart replied a few months back on that thread talking about a "slight
> issue", but it seems to me that acme-client(1) will eventually have this
> ability. I presume this includes support for IP addresses, but I
> obviously can't speak on behalf of Stuart and company.
>
> [^1]: https://marc.info/?l=openbsd-tech&m=173659382332551&w=2

the older post about IP address certs suggested that you wouldn't need
to do anything special, once available:

"Once IP address support is an option for you, requesting an IP address
in a certificate will automatically select a short-lived certificate
profile."

the latest post which mentions that IP address certs are available in
staging says

"As a matter of policy, Let’s Encrypt certificates that cover IP
addresses must be short-lived certs, valid for only about six days. As
such, your ACME client must support the draft ACME Profiles
specification, and you must configure it to request the shortlived
profile"

which conflicts with the earlier one - it's not clear if that
requirement will continue later (i.e. when it's in a later stage of
development in staging, or when released to production)

-- 
Please keep replies on the mailing list.