SSL Certs for IP Addresses Available Now

DrWizzle

Let's Encrypt have now started to issue certs for public-facing IP addresses as well as their famed free TLS and DV SSL certs.

This is an absolute Game changer!! 🤩🤩

Now you can simply run a site without a domain name, with SSL. Whilst I don't think that's the real takeaway here, or the purpose, it is dead handy for when you spin up a new server and haven't got DNS fully functional for your hostname yet. So in theory, you could buy a server, install directadmin and not have to worry about using DA's DNS and temp link to log in to your panel securely. You could simply use the server's given IP securely, out of the box. It's something DA would have to implement, unless you set it up by obtaining certs yourself first before installing DA.

I have to add, there's 2 caveats here,

You CANNOT use one of these certs with a local IP for example 10.0.10.272 or 192.168.0.100
Certs are aggressively renewed, and expire after 7 days, so daily issuance is recommended (I guess as it's only supposed to be a temp fix)

This has so much potential!

IPv4 and IPv6 supported, Pics incoming...! 😁

Edit - Here's pics showing SSL on IPs 😊





https://[2a01:4f9:c013:5051::1]



Certificate issuance

So in theory, you could buy a server, install directadmin and not have to worry about using DA's DNS and temp link to log in to your panel securely.
So no change at all. As this is also possible at this moment already since DA uses an SSL based on the IP.
That's why it's called the (for example) 65.21.61.62-da.direct as hostname. So this way you can already directly visit your server via SSL by the hostname.
So this is already implemented. Out of the box!

This has so much potential!
To me this sounds like bad news. As this will make it a lot easier again for spammers to use SSL and stuff, without the cost of a domain name to register.
Fun for hobbyists and maybe website devs, but imho they will be sorry later on for doing this.
 

Yeah I know DA do the 65.21.61.62-da.direct thing which is really handy. I do remember someone complaining about it, but I personally don't see it as a bad thing with what DA are doing and should not ditch this at all. I was merely stating it may be an option if someone hasn't set up their DNS and wants to use their IP.

Could use them on your Directslave projects? Hostname's always protected if you put a cert on like you should, but the IP itself isn't. Just a thought

I guess it could be good for devs to secure a server before they get a customer's domain sorted, I mean not everyone spins up a VPS or Dedi and then puts DA or other panels on it immediately.

Maybe organizations that run servers and don't have DNS sorted, or don't plan at all to have DNS set up. And I don't see it quite like you do with spammers, for example. Nothing stopping them spinning up servers as they do now, and using free/cheap domains with free SSL. You'll never get rid of spammers or botnets, unfortunately.

Certs are very short-lived so you'd have to set up a cron to reissue every few days if you wanted to keep it IP only. People have asked Let's Encrypt for this, for domainless projects, and they've obliged. They are not a replacement for the TLS certs either, more of an extension.

I can see hobbyists taking advantage of it like you say. I mean I think it's cool in some ways, as an IP can look like a phone number. In my example I've been given an 8 digit IP, 65.21.61.62, really no different from the format of a French phone number for example. Advertising maybe? 😁

I mean there is good and bad associated with this. It's great to be positive about new things, but as you point out, it's also good to point out and identify the potential pitfalls and problems. 😉
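
The two caveats from the first post (public addresses only, short lifetime) turned into the check a daily cron job could run before reissuing; this is an added example, not code from any poster, Let's Encrypt or DirectAdmin. The function names, the 3-day renewal window and the sample certificate's expiry date are assumptions; the two addresses are the ones shown in the thread.

```python
import ipaddress
import ssl
from datetime import datetime, timedelta, timezone

# Assumption: reissue once fewer than 3 days remain on a roughly week-long cert.
RENEW_BEFORE = timedelta(days=3)

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns.
# The addresses are the thread's examples; the expiry date is made up.
SAMPLE_CERT = {
    "notAfter": "Dec 26 12:00:00 2025 GMT",
    "subjectAltName": (
        ("IP Address", "65.21.61.62"),
        ("IP Address", "2A01:4F9:C013:5051:0:0:0:1"),
    ),
}


def eligible_ip(text):
    """Return the parsed address if it is publicly routable, else None."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:  # not an address at all, e.g. an octet above 255
        return None
    return ip if ip.is_global else None


def cert_ips(cert):
    """Parse the IP SAN entries so different IPv6 spellings compare equal."""
    sans = cert.get("subjectAltName", ())
    return {ipaddress.ip_address(v.strip()) for kind, v in sans if kind == "IP Address"}


def needs_reissue(cert, ip_text, now):
    """True if cert does not cover ip_text or is inside the renewal window."""
    ip = eligible_ip(ip_text)
    if ip is None:
        raise ValueError(f"{ip_text!r} is not a public IP address")
    if ip not in cert_ips(cert):
        return True
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return expires - now < RENEW_BEFORE


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print("reissue needed:", needs_reissue(SAMPLE_CERT, "65.21.61.62", now))
```

In a real job the dict would come from `getpeercert()` on a verified TLS connection to the server, and a `True` result would trigger whichever ACME client is in use.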
 