Certbot and Let's Encrypt Now Support IP Address Certificates (eff.org)
45 points by speckx 33 days ago | hide | past | favorite | 14 comments


(29 points) https://news.ycombinator.com/item?id=47343278

Related 6-Day and IP Address Certificates Are Generally Available (506 points, 2 months ago, 281 comments) https://news.ycombinator.com/item?id=46647491


As seen in the BND's attack on jabber.ru, some adversaries have no difficulty taking over your IP address. Will this be a new threat vector?


> Will this be a new threat vector?

IMO no, because if they could take over your IP address they could already obtain a domain-validated certificate which is arguably a lot more valuable than an IP address certificate.


If an attacker manages to gain ownership of an IP address, and gets a Let's Encrypt certificate for that IP address, the certificate will show up in Certificate Transparency logs. In that way, if people are watching, the attack will become visible fairly quickly.


They should at least have restricted it to IPv6. Here it will be a kill for everyone using mobile networks and 5G hotspots.


Can you receive inbound connections on your hotspot?


At least in France and I think in a lot of other countries, you still get a dedicated IP for your connection, so yes you could receive inbound traffic.

Just the IP will most of the time be dynamic, and you might have your IP changing regularly.


When will they let me generate certificates for IMAP and SMTP?


They never stopped supporting it, to my knowledge. I first started using their certs for my IMAP and SMTP servers 10ish years ago, at least.

If you use HTTP-01 challenge method you require an HTTP server on the host.

If you don't want an HTTP server on your imap/smtp server you need to use the DNS-01 challenge method.


And what if I want to run DNS and http on separate servers than my mail server?


DNS-01 validation has nothing to do with where your DNS is hosted; all it takes is being able to create a DNS record to prove control over the zone.
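The HTTP-01 versus DNS-01 discussion above comes down to what the ACME client has to publish and where. The following script is an added example (not code from the original thread, Certbot or Let's Encrypt) that derives both challenge values from an account key the way RFC 8555 specifies: the key authorization is the token joined to the RFC 7638 JWK thumbprint, HTTP-01 serves that string under `/.well-known/acme-challenge/`, and DNS-01 publishes its SHA-256 digest in a `_acme-challenge` TXT record, which is why the record can live on whatever server hosts the zone, not on the mail host. It also encodes the RFC 8738 rule that an IP address identifier may only be validated with http-01 or tls-alpn-01, never dns-01. The JWK, token and host names are constructed placeholders, and the `verify_dns01` function is a hypothetical stand-in for the CA-side comparison.

```python
"""ACME challenge values (RFC 8555 section 8) and the IP-identifier rule (RFC 8738).

Added example: derives what a client must publish for HTTP-01 and DNS-01
from an account key, and shows which challenge types apply to an IP
identifier. Nothing here is Certbot's or Let's Encrypt's own code.
"""
import base64
import hashlib
import json

# Constructed sample account key (public part only); not a real key.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
}

# Members that RFC 7638 includes in the thumbprint input, per key type.
_THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
}


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, lexicographically
    ordered, serialized as JSON with no whitespace. Extra members are ignored."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token || '.' || thumbprint: the value behind both challenge types."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: dict) -> tuple[str, str]:
    """Path and body the host must serve over plain HTTP for HTTP-01."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_txt_record(name: str, token: str, jwk: dict) -> tuple[str, str]:
    """TXT record name and value for DNS-01: base64url(SHA-256(key authorization)).
    The record goes into the zone, wherever that zone is served from."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{name}", b64url(digest)


def allowed_challenges(identifier: dict) -> set[str]:
    """Challenge types usable for an identifier. RFC 8738 forbids dns-01 for
    IP identifiers, so an IP certificate needs a reachable port 80 or 443."""
    if identifier["type"] == "ip":
        return {"http-01", "tls-alpn-01"}
    if identifier["type"] == "dns":
        return {"http-01", "dns-01", "tls-alpn-01"}
    raise ValueError(f"unknown identifier type {identifier['type']!r}")


def verify_dns01(published_value: str, token: str, jwk: dict, name: str) -> bool:
    """Hypothetical CA-side check: does the published TXT value match?"""
    return published_value == dns01_txt_record(name, token, jwk)[1]


if __name__ == "__main__":
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed token
    print(http01_response(token, SAMPLE_JWK))
    print(dns01_txt_record("mail.example.com", token, SAMPLE_JWK))
    print(allowed_challenges({"type": "ip", "value": "192.0.2.10"}))
```

The thumbprint is computed from the canonical member set only, so the same account key yields the same challenge values regardless of how the JWK was serialized; the test below checks that property rather than a fixed digest.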


The same thing everyone else does. Build automation, use configuration management, use cert manager or other similar solutions.


Update: Had less time to post than I realized, hence the terse reply.

Meant to say those solutions are in addition to Let's Encrypt. An X509 certificate is an X509 certificate, regardless of whether it's for https, imaps, or smtps. If you're distributing your stuff across multiple hosts or containers, then it makes sense to use some sort of automation, configuration management, or certificate management/distribution system.


Nice. I've been using lego for this the past few weeks.



