Let’s Encrypt Launches Free Security Certificates for IP Addresses

Let’s Encrypt, the world’s most popular free certificate authority, has announced a new feature: the rollout of free TLS/SSL certificates for IP addresses. This move allows organizations and individuals to secure direct IP address connections without the hefty price tag previously associated with such certificates.

A Game-Changer for IP Security

Until now, obtaining a trusted SSL certificate for an IP address required turning to commercial providers, often costing between $40 and $90 per year. This barrier made it difficult for many to secure services that don’t use domain names—such as IoT devices, internal networks, or APIs. Let’s Encrypt’s new offering democratizes access to encryption for these use cases.

Key Features and Technical Details

The new IP address certificates come with several important characteristics:

  • Short Lifespan: Unlike Let’s Encrypt’s standard 90-day domain certificates, IP address certificates are valid for just six days. This short validity period minimizes the risk if a certificate is compromised and encourages users to automate renewals.
  • Gradual Rollout: The feature is currently available in Let’s Encrypt’s staging environment, with general availability in production expected later in 2025. Select partners have been granted early access for testing and feedback.
  • Supported Validation Methods: Only the http-01 and tls-alpn-01 ACME challenge methods are supported for proving control over an IP address. DNS-based validation is not available for IP addresses.
  • Client Requirements: ACME clients must support the “shortlived” profile as defined in the draft ACME Profiles specification. Some client software may require updates to be compatible with this new feature.

Who Benefits?

While the majority of web traffic relies on domain names, there are many scenarios where securing an IP address directly is valuable:

  • Public IP Landing Pages: Services like Google’s 8.8.8.8 or Cloudflare’s 1.1.1.1 can now offer secure landing pages directly on their IPs.
  • Device Security: Network-attached storage, ephemeral cloud servers, and other devices that operate without a domain can now be secured more easily.
  • Temporary or Internal Services: System administrators and developers can encrypt connections for short-term server administration or internal APIs.

Important Limitations

There are some caveats to keep in mind:

  • Dynamic and Shared IPs: Many IP addresses are not static or are shared among multiple users, which can limit the practicality of these certificates for some scenarios.
  • Automation Required: The short six-day lifespan means users must automate certificate renewal and ensure their ACME clients are up to date.
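
The validation rules under Key Features and the automation requirement under Important Limitations, as an added example (not code from Let’s Encrypt or any ACME client): it builds an ACME newOrder payload for IP identifiers and plans renewal inside the six-day lifetime. The function names, the half-lifetime renewal policy, the 12-hour retry interval and the rejection of non-public addresses are assumptions of this example; the `ip` identifier type comes from RFC 8738 and the `profile` field from the draft ACME Profiles specification.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

IP_CHALLENGES = {"http-01", "tls-alpn-01"}   # methods the article lists for IPs
SHORTLIVED_VALIDITY = timedelta(days=6)      # lifetime stated in the article


def build_ip_order(addresses, challenge):
    """Build a newOrder payload for IP identifiers (hypothetical helper)."""
    if challenge not in IP_CHALLENGES:
        raise ValueError(f"{challenge} cannot prove control of an IP address")
    identifiers = []
    for raw in addresses:
        ip = ipaddress.ip_address(raw)       # ValueError for hostnames or junk
        # Assumption of this example: the CA must connect to the address to
        # validate it, so private, loopback and reserved ranges are rejected.
        if not ip.is_global:
            raise ValueError(f"{ip} is not reachable from a public CA")
        # RFC 8738 identifier; str() yields the canonical text form.
        identifiers.append({"type": "ip", "value": str(ip)})
    # "profile" is the newOrder field from the draft ACME Profiles spec.
    return {"identifiers": identifiers, "profile": "shortlived"}


def renew_at(not_before, fraction=0.5):
    """Renewal start time; half the lifetime is an assumed policy."""
    return not_before + SHORTLIVED_VALIDITY * fraction


def retries_left(not_before, now, interval=timedelta(hours=12)):
    """Renewal attempts that still fit before expiry if tried every `interval`."""
    remaining = not_before + SHORTLIVED_VALIDITY - now
    return max(0, remaining // interval)


if __name__ == "__main__":
    issued = datetime(2025, 7, 1, tzinfo=timezone.utc)   # constructed timestamp
    print(build_ip_order(["8.8.8.8", "1.1.1.1"], "tls-alpn-01"))
    print("renew at:", renew_at(issued))
    print("retries left on day 5:", retries_left(issued, issued + timedelta(days=5)))
```

The retry count is the number to alert on: with a six-day certificate, a renewal job that has been failing quietly leaves only a handful of attempts before clients start seeing an expired certificate.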