Short-Lived Certs, Long-Term Security Let's Encrypt Secures IPs
By Cybersec Sentinel | July 6, 2025
Overview
Let's Encrypt has launched IP address certificates as of July 1, 2025. These certificates allow secure, HTTPS connections directly to IP addresses without needing a domain name. This feature addresses long-standing gaps in encrypted communications for infrastructure where traditional domain-based certificates are either impractical or unavailable. Systems such as cloud-hosted virtual machines, administrative interfaces, IoT devices, backend microservices, and DNS-over-HTTPS (DoH) servers often operate without registered domain names, making traditional SSL/TLS deployment challenging.
IP address certificates solve this problem by binding encryption and server identity directly to an IP address. This enables encrypted traffic to infrastructure endpoints, even in scenarios where setting up DNS records is too complex, dynamic, or simply not feasible. For example, ephemeral cloud resources often spin up and down quickly, using temporary IPs for admin access or API calls. Similarly, many IoT devices and NAS units are managed by direct IP rather than domain names, especially in local or small-scale deployments.
By introducing free, automated IP certificates with a short six-day lifespan, Let's Encrypt reduces cost and complexity while enhancing security. The short duration limits risks associated with IP reassignment—a common concern when IP addresses are reallocated to new users. If a malicious actor were to obtain a certificate and the IP changed hands, the short validity period narrows the window of possible misuse.
However, IP-based SSL does carry risks. Unlike domain names, IPs can be volatile and reassigned frequently. If automation fails, service outages could occur when certificates expire. Moreover, misconfigurations or shared hosting vulnerabilities could allow unauthorized issuance if validation is not properly secured. Older systems may also struggle with compatibility, especially if they don't fully support IPs in the Subject Alternative Name (SAN) field.
Despite these challenges, IP address certificates significantly enhance security for direct IP access, reduce browser warnings, and eliminate the need for self-signed certificates. With proper automation and infrastructure planning, they present a powerful tool for securing core internet services and modern deployments.
Key Points
- Purpose: Secure connections directly to IPs where domain names are not used.
- Availability: In staging now; full rollout expected in late 2025.
- Validity: 6 days (short-lived to reduce risk from IP reassignment).
- Supported Challenges: HTTP-01 and TLS-ALPN-01 (no DNS-01).
- Automation Required: Renewal must be fully automated due to short lifespan.
How It Works
- ACME Protocol: Clients prove control over an IP via supported challenges.
- Short-Lived Profile: Required for all IP certs; no revocation due to brief lifespan.
- Validation: Must be publicly reachable on ports 80 or 443.
- Client Support: Must support the ACME Profiles draft and short-lived cert profile.
Use Cases
| Use Case | Benefit |
|---|---|
| IP-based hosting pages | Eliminates insecure default pages or browser warnings |
| Cloud VMs | Secures ephemeral admin or API endpoints |
| IoT & NAS Devices | Enables secure remote access without DNS |
| Infrastructure (e.g., DoH) | Adds trust to DNS over HTTPS or similar critical services |
Security Benefits & Risks
Pros:
- Reduces attack window if a cert is compromised.
- Avoids unreliable revocation processes.
- Forces strong automation and regular revalidation.
Risks:
- IP Reuse: Reassigned IPs can briefly be exposed to misuse.
- Misissuance: Weak server security (e.g., open file uploads) could lead to cert abuse.
- Legacy Issues: Older systems may not support IP SAN certs properly.
- Single CA Risk: Heavy reliance on Let's Encrypt means outages affect many.
Operational Requirements
- Automation: Use Certbot or similar, renew every 4–5 days.
- Firewall Config: Open ports 80/443 to the world for validation.
- Monitoring: Alert if certs not renewed by Day 4.
- Client Compatibility: Ensure modern browser support; legacy systems may fail.
Recommendations
- Use for Static IPs: Best for stable addresses in infra/cloud settings.
- Embed into CI/CD: Integrate ACME automation into provisioning pipelines.
- Use Staging for Testing: Avoid hitting rate limits in production.
- Stay Patched: Server security must prevent abuse of HTTP-01/TLS-ALPN-01.
- Monitor CA/B Forum Updates: Stay aligned with ongoing changes in cert policies.
Conclusion
Let's Encrypt's IP address certificates fill a long-missing piece in internet security. While not replacing domain certs, they enable safer direct IP access for critical systems. Their short lifespan boosts security but demands automation. For infrastructure teams, especially those in cloud, IoT, or DNS security, this development offers a valuable new tool to extend encryption everywhere it counts.
Sources
Let's Encrypt - We've Issued Our First IP Address Certificate