
I am running my own ACME CA server that allows issuing of certificates to IP addresses. I have installed the root certificate into all the devices in my LAN. Let's say that I am running the server at https://ca.internal/acme. Now, I would like to issue a certificate for an internal IP address, say 10.0.0.2. Let's also assume that I have a web server set up and working well. So now, I try to use the command `sudo certbot certonly -n --standalone -d 10.0.0.2 --server https://ca.internal/acme`, but it returns with an error saying that Let's Encrypt certificates do not support IP addresses. Is there a way (maybe by editing the Certbot config files) to resolve this problem and allow the issuing of certificates to an IP address? I've checked the Certbot documentation but have not found anything helpful there.

If it does turn out that what I'm asking is impossible with Certbot, are there any other ACME clients that support issuing a certificate to an IP address with an internal CA?

huanglx
  • Have you tried using a 3rd party ACME client? – Zoredache May 16 '20 at 01:03
  • What ACME CA implementation? The IP identifier extension RFC 8738 was published relatively recently. I cannot find if Boulder has made any progress. Although, uacme client claims support. – John Mahowald May 16 '20 at 03:07
  • While iPAddress cert may seem strange, the primary cited use case is DNS over HTTPS. Let's Encrypt cannot support RFC 1918 IPs, but presumably they will be a good way to issue certs for the IPv6 addresses of DoH servers. – John Mahowald May 16 '20 at 03:24
  • Alternatively, set up a simple DNS server, such as `dnsmasq`. – garethTheRed May 16 '20 at 09:29

1 Answer


You could try uacme: https://github.com/ndilieto/uacme

It supports IP according to https://www.rfc-editor.org/rfc/rfc8738#section-3

Ulrich
  • or create a self-signed one and create a wildcard certificate to match any address in the universe :) – djdomi Jul 27 '21 at 10:30
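What actually has to change for an IP certificate is the ACME identifier the client sends, not any Certbot config file. RFC 8555 only defines the identifier type `dns`, which is all Certbot (at least the version in the question) will produce from `-d`; RFC 8738 adds the type `ip`, requires the CA to put the address into an `iPAddress` subjectAltName in its raw octet form, allows only `http-01` and `tls-alpn-01` for validation (there is no DNS zone to put a `_acme-challenge` record in), and for `tls-alpn-01` uses the `in-addr.arpa`/`ip6.arpa` reverse name as the SNI because an SNI cannot carry a bare address. The following Python, standard library only, is an added illustration of those rules; it is not code from the question, the answer, Certbot or uacme, and the `newOrder` payload, the challenge token and the function names are constructed for the example:

```python
"""Build RFC 8738 "ip" ACME identifiers and show how they differ from the
RFC 8555 "dns" identifiers a classic client emits.  Added example, standard
library only; hostnames, addresses and the token are constructed inputs."""
import ipaddress
import json

# Challenge types RFC 8738 permits for an IP identifier.  dns-01 is not
# applicable (RFC 8738 section 7): an address has no DNS zone of its own.
IP_CHALLENGES = {"http-01", "tls-alpn-01"}


def acme_identifier(value: str) -> dict:
    """Return the ACME identifier object for a hostname or an IP address.

    RFC 8555 defines type "dns"; RFC 8738 adds type "ip".  A client that
    only knows "dns" cannot express 10.0.0.2 at all, whatever the CA supports.
    """
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        # Not an address: RFC 8555 "dns" identifier (names are case-insensitive).
        return {"type": "dns", "value": value.lower()}
    # RFC 8738 "ip" identifier: the textual address (IPv6 in compressed form).
    return {"type": "ip", "value": str(addr)}


def new_order_payload(values) -> dict:
    """JSON payload for POST newOrder (RFC 8555 section 7.4), mixed types allowed."""
    return {"identifiers": [acme_identifier(v) for v in values]}


def san_for_identifier(ident: dict) -> tuple:
    """GeneralName the CA must place in subjectAltName for this identifier.

    RFC 8738 section 3: an IP identifier becomes an iPAddress SAN, encoded as
    the raw 4- or 16-octet address (RFC 5280 section 4.2.1.6), not as text.
    """
    if ident["type"] == "ip":
        return ("iPAddress", ipaddress.ip_address(ident["value"]).packed)
    return ("dNSName", ident["value"].encode("ascii"))


def validation_target(ident: dict, challenge: str, token: str = "TOKEN") -> str:
    """Where the CA looks when validating this identifier.

    Returns the http-01 URL the client must serve, the tls-alpn-01 SNI name it
    must answer on, or the dns-01 record name (DNS identifiers only).
    """
    if ident["type"] == "ip":
        if challenge not in IP_CHALLENGES:
            raise ValueError(f"{challenge} is not applicable to IP identifiers")
        addr = ipaddress.ip_address(ident["value"])
        if challenge == "tls-alpn-01":
            # RFC 8738 section 6: SNI carries the reverse-mapping name, e.g.
            # 2.0.0.10.in-addr.arpa for 10.0.0.2.
            return addr.reverse_pointer
        # RFC 8738 section 5: the address itself is the host in the URL;
        # IPv6 literals are bracketed per RFC 3986.
        host = f"[{addr}]" if addr.version == 6 else str(addr)
        return f"http://{host}/.well-known/acme-challenge/{token}"
    name = ident["value"]
    if challenge == "http-01":
        return f"http://{name}/.well-known/acme-challenge/{token}"
    if challenge == "tls-alpn-01":
        return name
    if challenge == "dns-01":
        return f"_acme-challenge.{name}"
    raise ValueError(f"unknown challenge type {challenge}")


if __name__ == "__main__":
    # The order the questioner's CA would need to receive for 10.0.0.2.
    order = new_order_payload(["10.0.0.2", "ca.internal"])
    print(json.dumps(order, indent=2))
    for ident in order["identifiers"]:
        print(ident["type"], "->", san_for_identifier(ident))
    print("tls-alpn-01 SNI:", validation_target(order["identifiers"][0], "tls-alpn-01"))
```

The practical checks this gives you: if a client sends `{"type": "dns", "value": "10.0.0.2"}`, the CA is right to reject it even when it implements RFC 8738, so fix the client (uacme, as the answer says) rather than the CA; and once a certificate is issued, inspect it for an `iPAddress` SAN (for example with `openssl x509 -noout -ext subjectAltName`), because a `dNSName` of `10.0.0.2` will not satisfy browsers or TLS libraries that match addresses against `iPAddress` entries only.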