Let’s Encrypt Launches IP Address Certificates With 6-Day Lifetimes

Let’s Encrypt has made IP-based TLS certificates generally available, allowing secure HTTPS connections directly to IP addresses.

Big news for all self-hosting enthusiasts. In the middle of last summer, we reported that Let’s Encrypt, a free, automated, and open certificate authority that provides TLS/SSL certificates to encrypt internet traffic, was planning to issue certificates not only for domain names but also for IP addresses. Now, that has become a reality.

Until now, publicly trusted TLS certificates have been almost exclusively tied to DNS names, limiting secure deployments for infrastructure that operates primarily on raw IP addresses.

Starting January 15, Let’s Encrypt has made IP address TLS certificates (both IPv4 and IPv6) and short-lived certificates generally available, marking a significant expansion of its certificate authority services, allowing HTTPS connections without relying on domain names.

IP address certificates issued by Let’s Encrypt are always short-lived: they are valid for 160 hours, or just over six days. The organization says this design choice reflects the transient nature of IP addresses, which can change ownership or assignment more frequently than domain names. More frequent validation reduces the risk of mis-issued or stale certificates remaining trusted.

Alongside IP address certificates, Let’s Encrypt has also made short-lived domain name certificates generally available. These certificates are opt-in and can be requested by selecting the shortlived profile in an ACME client. By reducing certificate lifetimes from 90 days to 6 days, the impact of a compromised key is limited by design rather than through revocation.

To get a short-lived IP address certificate, use an ACME client (like Certbot) that supports the shortlived certificate profile, making sure the client is recent enough to include this newer feature. Specify your public IP address as the identifier and validate it with the HTTP-01 or TLS-ALPN-01 challenge.
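Once such a certificate is deployed, it is worth checking that it really covers the address it is served on and tracking how much of its 160-hour lifetime is left. The following is an added example, not code from the article or from Let’s Encrypt; the function name, the sample certificate, and the half-lifetime renewal threshold are assumptions made for illustration.

```python
import ipaddress
import ssl
from datetime import datetime, timezone

MAX_LIFETIME_HOURS = 160  # lifetime the article gives for IP address certificates

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
# 203.0.113.10 is a documentation address; the dates are made up.
SAMPLE_CERT = {
    "notBefore": "Jan 20 00:00:00 2026 GMT",
    "notAfter": "Jan 26 16:00:00 2026 GMT",
    "subjectAltName": (("IP Address", "203.0.113.10"),),
}


def _utc(cert_time):
    """Convert a getpeercert() time string to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)


def check_ip_cert(cert, expected_ip, now, renew_fraction=0.5):
    """Audit one certificate dict against the address it is served on.

    renew_fraction is an assumed local policy (renew once half the lifetime
    has elapsed), not a value taken from the article.
    """
    not_before, not_after = _utc(cert["notBefore"]), _utc(cert["notAfter"])
    lifetime_h = (not_after - not_before).total_seconds() / 3600
    elapsed_h = (now - not_before).total_seconds() / 3600
    # Compare parsed addresses, not strings: IPv6 SANs may be printed
    # uncompressed or in upper case.
    sans = {
        ipaddress.ip_address(value.strip())
        for kind, value in cert.get("subjectAltName", ())
        if kind == "IP Address"
    }
    return {
        "ip_matches": ipaddress.ip_address(expected_ip) in sans,
        "lifetime_hours": lifetime_h,
        "short_lived": lifetime_h <= MAX_LIFETIME_HOURS,
        "expired": now >= not_after,
        "renew_due": elapsed_h >= lifetime_h * renew_fraction,
        "hours_left": (not_after - now).total_seconds() / 3600,
    }


if __name__ == "__main__":
    now = datetime(2026, 1, 24, tzinfo=timezone.utc)
    print(check_ip_cert(SAMPLE_CERT, "203.0.113.10", now))
```

With a six-day lifetime, a renewal job that fails silently for a few days results in an outage, so a check like this belongs in monitoring rather than in an occasional manual audit.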

Separately, Let’s Encrypt reaffirmed its previously announced plan to reduce default certificate lifetimes from 90 days to 45 days over the coming years, continuing its long-term push toward shorter-lived trust models.

Finally, I would like to add that IP address certificates are a game-changer for self-hosters. They remove the need to register, manage, and maintain domain names just to enable HTTPS. Services can be secured directly by IPv4 or IPv6 address, which is especially useful for homelabs, temporary test systems, and devices exposed to the internet only briefly.

For more information, refer to Let’s Encrypt’s announcement.

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.
