Let’s Encrypt is adding SSL certs for IP addresses and what this means


Brandon Lee
Posts: 656
Admin
Topic starter
(@brandon-lee)
Member
Joined: 15 years ago

I ran across this in the Let’s Encrypt community forum and figured it was worth sharing here because this actually affects a lot of home lab and self-hosting setups or could potentially be useful. 

Let's Encrypt is starting to move toward SSL/TLS certificates for IP addresses, not just DNS names. That’s something we haven’t really had from public CAs before, and it solves a pretty common problem.

What does this mean in plain terms?

Right now, if you hit something like: https://192.168.1.50

You either:

  • Get a browser warning

  • Use a self-signed cert

  • Or create a fake/internal DNS name just to make HTTPS happy

With this change, you’ll be able to get a trusted HTTPS certificate for an IP address directly and you won't need a domain name.

Why this actually matters

This comes up way more often than people might think, especially in labs or development environments. Think about things like the following URLs where we usually get a certificate warning:

  • Proxmox, ESXi, or appliance web UIs

  • NAS management pages

  • Firewalls and switches

  • Internal dashboards

  • Test services you don’t want to bother putting behind DNS

A lot of us just live with browser warnings for these, but this will give us a better way moving forward.

A couple important gotchas

This isn’t magic and there are limits.

  • These certs are IP-only. Currently, if I am reading this right, you can’t mix DNS names and IPs in the same cert, so this will cause some complexity and either/or scenarios.

  • Validation is done via HTTP-01 or TLS-ALPN-01

  • Let’s Encrypt needs to be able to reach that IP during issuance

So this isn’t for completely isolated internal-only IPs unless you already have a way to expose them temporarily to get a cert issued.

This doesn’t replace normal DNS certs

If you already have proper DNS and domain-based certs, nothing really changes there. DNS certs are still the cleanest solution long-term. This new solution, as part of the upcoming changes, will just give admins another option to help reduce some challenges they may face. It will also help with bad habits like ignoring cert warnings, and it will make IP-only access much cleaner and more trustworthy.

Why this may be a big deal for home labs

Most of us start out accessing things IP-only. DNS comes later in the lab (or soon after). And then it means you need a public DNS name that you can use for proper SSL certificate issuance. So many likely don't start with this out of the gate. So these upcoming changes will help to run secure HTTPS earlier, avoid self-signed certificates that can be a nightmare to manage, and make management feel more production-grade.

Rollout timing

This is still rolling out, so don’t expect everything to work right away. ACME clients and reverse proxies will need updates. If you’re using Certbot, Traefik, Caddy, Nginx, etc., support will depend on client updates.

Read their blog here: Upcoming Changes to Let’s Encrypt Certificates - API Announcements - Let's Encrypt Community Support

Curious how others here might use this. Proxmox UI? Network gear? Temporary lab services? I think we also need more information on the requirements and limitations of needing to have Let's Encrypt be able to access the IP for issuance.
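To see concretely what the IP-only gotcha above means for a browser, here is an added example in Go, not code from the post or from Let's Encrypt: it builds a throwaway self-signed certificate with only an iPAddress SAN (the 192.168.1.50 from the post; the name nas.lab.internal is made up) and checks which hosts it matches using Go's standard hostname verification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeCert builds a throwaway self-signed certificate (constructed here, not a
// Let's Encrypt cert) whose SAN extension lists the given IPs and DNS names.
func makeCert(ips []string, dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     dnsNames, // becomes dNSName SAN entries
	}
	for _, s := range ips {
		tmpl.IPAddresses = append(tmpl.IPAddresses, net.ParseIP(s)) // iPAddress SAN entries
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Covers reports whether the cert's SANs match the host in the URL: an IP literal
// is checked only against iPAddress SANs, a name only against dNSName SANs.
func Covers(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

func main() {
	ipOnly, err := makeCert([]string{"192.168.1.50"}, nil)
	if err != nil {
		panic(err)
	}
	fmt.Println(Covers(ipOnly, "192.168.1.50"), Covers(ipOnly, "nas.lab.internal")) // true false
}
```

The same check run the other way round (a DNS-only cert against https://192.168.1.50) also fails, which is why the post's either/or scenario really is either/or until a client can request both SAN types in one cert.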