This is just a proposal for further discussion. The current p2p-forge implementation for acquiring TLS certificates is functional (on master, yet to be released).
Summary
IP Address Certificates are generally supported by Let's Encrypt: https://letsencrypt.org/2026/01/15/6day-and-ip-general-availability.
It was discussed earlier that we can support IP Address Certificates for the libp2p WSS protocol alongside or instead of p2p-forge.
This would remove the runtime dependency on domain names for functional WSS p2p connections. With that simplification, there would be no need for the p2p-forge service to provide validation for multiaddresses.
Motivation
Reduce the certificate runtime dependencies to Let's Encrypt alone, by not requiring p2p-forge.
Implementation
The implementation would have to be completely internal to bee, as no other libp2p components support IP Address Certificates.
Drawbacks
IP Address Certificates have a lifetime of 6 days. Given that, they should be renewed in about 3-4 days.
Let's Encrypt limits the number of issued certificates to 50 per IP per week. This would mean that there can be around 25 certificates per IP with TLS. In general this is not a problem, but for setups like the ones we have in swarm, where a lot of bee nodes are NAT-ed behind one or two IP addresses, it makes it impossible for all the nodes to have IP Address Certificates.
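The following Go sketch is an added example, not code from bee or p2p-forge. It shows an IP SAN being matched in place of a DNS name, a renewal point derived from the 6-day validity, and the per-IP node budget under the weekly limit. The names `sampleIPCert`, `renewAt` and `nodesPerIP` are hypothetical, the self-signed certificate is a constructed stand-in for a Let's Encrypt one, and `203.0.113.7` is a documentation address.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// sampleIPCert builds a constructed, self-signed 6-day cert whose only SAN is an IP.
func sampleIPCert(ip string, notBefore time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(6 * 24 * time.Hour),
		IPAddresses:  []net.IP{net.ParseIP(ip)}, // IP SAN, no DNS name involved
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// renewAt returns when the given fraction of the validity has elapsed (0.5 = day 3).
func renewAt(c *x509.Certificate, fraction float64) time.Time {
	life := c.NotAfter.Sub(c.NotBefore)
	return c.NotBefore.Add(time.Duration(float64(life) * fraction))
}

// nodesPerIP: nodes behind one IP that fit a weekly limit (renewEvery in whole hours).
func nodesPerIP(weeklyLimit int, renewEvery time.Duration) int {
	return weeklyLimit * int(renewEvery/time.Hour) / (7 * 24)
}

func main() {
	c, err := sampleIPCert("203.0.113.7", time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Println(c.VerifyHostname("203.0.113.7") == nil, renewAt(c, 0.5), nodesPerIP(50, 84*time.Hour))
}
```

Renewing every 3.5 days gives the 25 nodes per IP mentioned above; a 3-day interval lowers the budget to 21 and a 4-day interval raises it to 28.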