61 comments

[ 2.9 ms ] story [ 84.6 ms ] thread
As already noted on this thread, you can't use certbot today to get an IP address certificate. You can use lego [1], but figuring out the exact command line took me some effort yesterday. Here's what worked for me:

    lego --domains 206.189.27.68 --accept-tos --http --disable-cn run --profile shortlived
[1] https://go-acme.github.io/lego/
Thank you for posting the lego command!

It allowed me to quickly obtain a couple of IP certificates to test with. I updated my simple TLS certificate checker (https://certcheck.sh) to support checking IP certificates (IPv4 only for now).

This is interesting, I am guessing the use case for ip address certs is so your ephemeral services can do TLS communication, but now you don't need to depend on provisioning a record on the name server as well for something that you might be start hundreds or thousands of, that will only last for like an hour or day.
Does anyone know when Caddy plans on supporting this?
If I can use my DHCP assigned IP, will this allow me to drop having to use self-signed certificates for localhost development?
Something about a 6 day long IP address based token brings me back to the question of why we are wasting so much time on utterly wrong TOFU authorization?

If you are supposed to have an establishable identity I think there is DNSSEC back to the registrar for a name and (I'm not quite sure what?) back to the AS.for the IP.

This sounds like a very good thing, like a lot of stuff coming from letsencrypt.

But what risks are attached with such a short refresh?

Is there someone at the top of the certificate chain who can refuse to give out further certificates within the blink of an eye?

If yes, would this mean that within 6 days all affected certificates would expire, like a very big Denial of Service attack?

And after 6 days everybody goes back to using HTTP?

Maybe someone with more knowledge about certificate chains can explain it to me.

I have now implemented a 2 week renewal interval to test the change to the 45 days, and now they come with a 6-day certificate?

This is no criticism, I like what they do, but how am I supposed to do renewals? If something goes wrong, like the pipeline triggering certbot goes wrong, I won't have time to fix this. So I'd be at a two day renewal with a 4 day "debugging" window.

I'm certain there are some who need this, but it's not me. Also the rationale is a bit odd:

> IP address certificates must be short-lived certificates, a decision we made because IP addresses are more transient than domain names, so validating more frequently is important.

Are IP addresses more transient than a domain within a 45 day window? The static IPs you get when you rent a vps, they're not transient.

What worries me more about the push for shorter and shorter cert terms instead of making revoking that works is that if provider fails now you have very little time to switch to new one
> If something goes wrong, like the pipeline triggering certbot goes wrong, I won't have time to fix this. So I'd be at a two day renewal with a 4 day "debugging" window.

I think a pattern like that is reasonable for a 6-day cert:

- renew every 2 days, and have a "4 day debugging window" - renew every 1 day, and have a "5 day debugging window"

Monitoring options: https://letsencrypt.org/docs/monitoring-options/

This makes me wonder if the scripts I published at https://heyoncall.com/blog/barebone-scripts-to-check-ssl-cer... should have the expiry thresholds defined in units of hours, instead of integer days?

You should probably be running your renewal pipeline more frequently than that: if you had let your ACME client set itself up on a single server, it would probably run every 12h for a 90-day certificate. The ACME client won't actually give you a new certificate until the old one is old enough to be worth renewing, and you have many more opportunities to notice that the pipeline isn't doing what you expect than if you only run when you expect to receive a new certificate.
> Are IP addresses more transient than a domain within a 45 day window? The static IPs you get when you rent a vps, they're not transient.

They can be as transient as you want. For example, on AWS, you can release an elastic IP any time you want.

So imagine I reserve an elastic IP, then get a 45 day cert for it, then release it immediately. I could repeat this a bunch of times, only renting the IP for a few minutes before releasing it.

I would then have a bunch of 45 day certificates for IP addresses I don't own anymore. Those IP addresses will be assigned to other users, and you could have a cert for someone else's IP.

Of course, there isn't a trivial way to exploit this, but it could still be an issue and defeats the purpose of an IP cert.

You could do same trick even for 6 day certificate.
Next, I hope they focus on issuing certificates for .onion addresses. On the modern web many features and protocols are locked behind HTTPS. The owner of a .onion has a key pair for it, so proving ownership is more trustworthy than even DNS.
IP addresses must be accessible from the internet, so still no way to support TLS for LAN devices without manual setup or angering security researchers.
I recently migrated to a wildcard (*.home.example.com) certificate for all my home network. Works okay for many parts. However requires a public DNS server where TXT records can be set via API (lego supports a few DNS providers out of the box, see https://go-acme.github.io/lego/dns/ )
>so still no way to support TLS for LAN devices without manual setup or angering security researchers.

Arguably setting up letsencrypt is "manual setup". What you can do is run a split-horizon DNS setup inside your LAN on an internet-routable tld, and then run a CA for internal devices. That gives all your internal hosts their own hostname.sub.domain.tld name with HTTPS.

Frankly: it's not that much more work, and it's easier than remembering IP addresses anyway.

IPv6? You wouldn’t even need to expose the actual endpoints out on the open internet. DNAT on the edge and point inbound traffic on a VM responsible for cert renewals, then distribute to the LAN devices actually using those addresses.
What do you mean by 'LAN', everything should be routable globally with IPv6 decade ago anyway /s
If you have non-public IPs you need certs for you should set up a non-public certificate authority and issue your own certs for them.
I guess IP certs won't really be used for anything important, but isn't there a bigger risk due to BGP hijacking?
Has anyone actually given a good explanation as to why TLS Client Auth is being removed?
It competes with "Sign in with Google" SSO.
Because using a public key infrastructure for client certificate is terrible

mTLS is probably the only sane situation where private key infrastructure shall be used

I wonder if transport mode IPsec can be relevant again if we're going to have IP address certificates. Ditto RFC 5660 (which -full disclosure- I authored).
IPSec is terrible, huge, and messy standard that company that made it took 20 years to stop getting CVE every year
Maybe but probably not. Various always-on , SDN, or wide scale site-to-site VPN schemes are deployed widely enough for long enough now that it's expected infrastructure at this point.

Even getting people to use certificates on IPSEC tunnels is a pain. Which reminds me, I think the smallest models of either Palo Alto or Checkpoint still have bizarre authentication failures if the certificate chain is too long, which was always weird to me because the control planes had way more memory than necessary for well over a decade.

Is IPsec still relevant ?
It's not. What I have in mind is TLS handshake mediated ESP SA pair keying and policy. Why? Because ESP is much much simpler to implement in silicon than TCP+TLS.

ESP is stateless if using IPv6 (no fragmentation), or even if using IPv4 (fragmented packets -> let the host handle them; PMTUD should mean no need for fragmentation the vast majority of the time). Statelessness makes HW offload easy to implement.

It's a huge ask, but i'm hoping they'll implement code-signing certs some day, even if they charge for it. It would be nice if appstores then accepted those certs instead of directly requiring developer verification.
Would be cool. But since they’re a non-profit, they would need some way to make it scalable.
I see how this would be useful once we take binary signing for granted. It would probably even be quite unobjectionable if it were simply a domain binding.

However, the very act of trying to make this system less impractical is a concession in the war on general purpose computing. To subsidize its cost would be to voluntarily loose that non-moral line of argument.

I don't understand where the argument is. Being able to publish content that others can authenticate and then trust sounds like a huge win to me. I don't even see why it has to be restricted to code. It's just verifying who the signer is. More trusted systems and more progress happens when we trust the foundations we're building. I don't think that's a war on general purpose computing. I feel like there is this older way of thinking where insecurity is considered a right of some sort. Being able to do things insecurely should be your right, but being able to reach lots of people and force them to use insecure things sounds exactly like a war on general purpose computing.
IP address certificates are particularly interesting for iOS users who want to run their own DoH servers.

A properly configured DoH server (perhaps running unbound) with a properly constructed configuration profile which included a DoH FQDN with a proper certificate would not work in iOS.

The reason, it turns out, is that iOS insisted that both the FQDN and the IP have proper certificates.

This is why the configuration profiles from big organizations like dns4eu and nextdns would work properly when, for instance, installed on an iphone ... but your own personal DoH server (and profile) would not.

I use DoH behind a reverse proxy with my own domain daily without any kind of issue
OpenSSL is quite particular about the IP address being included in the SAN field of the cert when making a TLS connection, fwiw. iOS engineers may not have explicitly added this requirement and it might just be a side effect of using a crypto library.
Why 6 day and not 8?

- 8 is a lucky number and a power of 2

- 8 lets me refresh weekly and have a fixed day of the week to check whether there was some API 429 timeout

- 6 is the value of every digit in the number of the beast

- I just don't like 6!

Because it allows to you to work for six days, and rest on the seventh. Like God did.
> 8 lets me refresh weekly and have a fixed day of the week to check whether there was some API 429 timeout

There’s your answer.

6 days means on a long enough enough timeframe the load will end up evenly distributed across a week.

8 days would result in things getting hammered on specific days of the week.

The are some great points
It's actually 6 and 2/3rds! I'm trying to figure out a rationale for 160 hours and similarly coming up empty, if anyone knows I'd be interested.

200 would be a nice round number that gets you to 8 1/3 days, so it comes with the benefits of weekly rotation.

Worry not, cause it's not 6 days (144 hours), it is 6-ish days: 160 hours

And 160 is the sum of the first 11 primes, as well as the sum of the cubes of the first three primes!

Six is the smallest perfect number. Perfection is key here.
Why not refresh daily?
This comment used to say that was in staging only. (Nevermind, i was confused following the links from original article)
Honestly not a big fan of IP address certs in the context of dynamic IP address generation
Very excited about this. IP certs solve an annoying bootstrapping problem for selfhosted/indiehosted software, where the software provides a dashboard for you to configure your domain, but you can't securely access the dashboard until you have a cert.

As a concrete example, I'll probably be able to turn off bootstrap domains for TakingNames[0].

[0]: https://takingnames.io/blog/instant-subdomains

(comment deleted)
Do I understand correctly: would someone have a concrete example of URL which is both an IP address and HTTPS, widely accessible from global internet? e.g. https://<ipv4-address>/ ?
What is a good use case for an IP address certificate for the average company? Say, e-commerce or SaaS-startup?
The Internet is for End Users https://datatracker.ietf.org/doc/html/rfc8890

>Successful specifications will provide some benefit to all the relevant parties because standards do not represent a zero-sum game. However, there are sometimes situations where there is a conflict between the needs of two (or more) parties.

>In these situations, when one of those parties is an "end user" of the Internet -- for example, a person using a web browser, mail client, or another agent that connects to the Internet -- the Internet Architecture Board argues that the IETF should favor their interests over those of other parties.

Incorporated entities are just secondary users.