Let's Encrypt for IPs


Let’s Encrypt now has the option to issue certs for just IP addresses. For no good reason, it’s always bugged me that I can easily redirect traffic going to port 80 for the IP of my webserver to my main HTTPS site, but not 443 traffic. I’m using the phrase bugged me a bit strongly here… “annoyed about the cert warnings on HTTPS” is probably more accurate.

I’ve recently switched over to using acme.sh instead of certbot. I want to write a post on that later, but this post is just covering the fact that you can get certs for IPs now!

acme.sh

My main reason for moving to acme.sh was that I'm no longer using HTTP challenges to get Let's Encrypt certs; I've switched to DNS challenges. It might be obvious, but you can only get IP certs via HTTP challenges. They're also very short-lived (7 days). We don't care about that, though, as automation will renew them before they expire.

I configured Nginx to allow for the .well-known HTTP challenge:

nginx snippet:

  server {
    listen 80 default_server;
    listen [::]:80 default_server;

    location /.well-known/acme-challenge/ {
        root /var/www/acme-challenge;
        try_files $uri =404;
    }

    location / {
        return 301 https://65.120.231.36$request_uri;
    }
  }

Then, I asked Let’s Encrypt to issue the cert:

acme.sh issue:

acme.sh --issue \
  -d 65.120.231.36 \
  --webroot /var/www/acme-challenge \
  --cert-profile shortlived \
  --days 5

The main trick here is the cert-profile for a shortlived cert and, for good measure, having acme.sh renew it after 5 days.

Install the cert:

acme.sh install:

acme.sh --install-cert -d 65.120.231.36 \
  --key-file       /etc/ssl/private/65.120.231.36.key \
  --fullchain-file /etc/ssl/certs/65.120.231.36.crt \
  --ca-file        /etc/ssl/certs/65.120.231.36.ca.crt \
  --reloadcmd      "systemctl reload nginx"
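A post-install sanity check I would add after the reloadcmd step (example code written for this post, not part of acme.sh or the original article): it confirms the installed cert actually lists the IP as an iPAddress SAN entry (browsers ignore an IP in the CN alone) and that its validity window matches the shortlived profile rather than a silently applied 90-day default. It assumes openssl is on PATH and reuses the IP and cert path from the post; the self-signed cert generated by make_test_cert is constructed purely so the script can be exercised offline.

```shell
#!/bin/sh
# Added example: verify an acme.sh-installed IP certificate. Assumes openssl
# on PATH; IP and CERT default to the values used in the post.
IP="${IP:-65.120.231.36}"
CERT="${CERT:-/etc/ssl/certs/65.120.231.36.crt}"

# 0 if cert $1 lists $2 as an "IP Address:" entry in subjectAltName.
cert_has_ip_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' | sed 's/^ *//' \
        | grep -qxF "IP Address:$2"
}

# 0 if cert $1 expires within $2 days (true for a fresh shortlived cert).
cert_expires_within_days() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# 0 if cert $1 is still valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Combined check: 0 when everything passes, 1 otherwise (reasons on stdout).
check_ip_cert() {
    cert=$1; ip=$2; rc=0
    cert_has_ip_san "$cert" "$ip" || { echo "missing iPAddress SAN for $ip"; rc=1; }
    # A ~7-day cert must expire well inside 8 days; 90 days means no shortlived profile.
    cert_expires_within_days "$cert" 8 || { echo "not shortlived: expires more than 8 days out"; rc=1; }
    # With --days 5 renewal, under 24h of validity left means automation has stalled.
    cert_valid_for_days "$cert" 1 || { echo "less than 1 day left: renewal overdue"; rc=1; }
    return $rc
}

# Constructed stand-in (NOT a Let's Encrypt cert): writes $1/cert.pem,
# self-signed, valid $2 days, with the post's IP as its SAN.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" \
        -subj "/CN=$IP" -addext "subjectAltName=IP:$IP" 2>/dev/null
}

if [ -r "$CERT" ]; then
    check_ip_cert "$CERT" "$IP"
fi
```

Run it from the acme.sh reloadcmd (before the nginx reload) or from cron, and page on a non-zero exit.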

IP Webpage

I started out by having any HTTPS traffic to the IP redirect to my main “placeholder” page at allurbase.us. But that seemed pretty boring for such a feat as having a cert for an IP! As I suck at any type of artistic style, I asked Claude Code to make me something fun.

[Screenshot: browser showing a secure HTTPS connection to my IP]

Behold! https://65.120.231.36