diff --git a/content/en/post/2025-01-16-6-day-and-IP-certs.md b/content/en/post/2025-01-16-6-day-and-IP-certs.md index de75b18cd..ee00389fa 100644 --- a/content/en/post/2025-01-16-6-day-and-IP-certs.md +++ b/content/en/post/2025-01-16-6-day-and-IP-certs.md @@ -7,6 +7,10 @@ excerpt: "In addition to our standard certificates, Let’s Encrypt will introdu display_support_us_footer: true --- +> **Update: January 15, 2026** +> +> Six-day and IP address certificates are now generally available. See [6-day and IP Address Certificates are Generally Available](/2026/01/15/6day-and-ip-general-availability) for details. + This year we will continue to pursue our commitment to improving the security of the Web PKI by introducing the option to get certificates with six-day lifetimes ("short-lived certificates"). We will also add support for IP addresses in addition to domain names. Our longer-lived certificates, which currently have a lifetime of 90 days, will continue to be available alongside our six-day offering. Subscribers will be able to opt in to short-lived certificates via a certificate profile mechanism being added to our ACME API. ## Shorter Certificate Lifetimes Are Good for Security 
@@ -37,4 +41,4 @@ Once IP address support is an option for you, requesting an IP address in a cert The best way to prepare to take advantage of short-lived certificates is to make sure your ACME client is reliably renewing certificates in an automated fashion. If that's working well then there should be no costs to switching to short-lived certificates. -If you have questions or comments about our plans, feel free to let us know on our [community forums](https://community.letsencrypt.org/t/questions-regarding-announcing-six-day-and-ip-address-certificate-options-in-2025/232043). \ No newline at end of file +If you have questions or comments about our plans, feel free to let us know on our [community forums](https://community.letsencrypt.org/t/questions-regarding-announcing-six-day-and-ip-address-certificate-options-in-2025/232043). diff --git a/content/en/post/2025-07-01-issuing-our-first-ip-address-certificate.md b/content/en/post/2025-07-01-issuing-our-first-ip-address-certificate.md index 4bf719ad1..b45712035 100644 --- a/content/en/post/2025-07-01-issuing-our-first-ip-address-certificate.md +++ b/content/en/post/2025-07-01-issuing-our-first-ip-address-certificate.md 
@@ -8,6 +8,10 @@ display_support_us_footer: true display_inline_newsletter_embed: false --- +> **Update: January 15, 2026** +> +> Six-day and IP address certificates are now generally available. See [6-day and IP Address Certificates are Generally Available](/2026/01/15/6day-and-ip-general-availability) for details. + Since Let's Encrypt started issuing certificates in 2015, people have repeatedly requested the ability to get certificates for IP addresses, an option that only a few certificate authorities have offered. Until now, they've had to look elsewhere, because we haven't provided that feature. Today, we've issued our [first certificate for an IP address](https://crt.sh/?id=19376952215), as we [announced we would](https://letsencrypt.org/2025/01/16/6-day-and-ip-certs/) in January. As with other new certificate features on our engineering roadmap, we'll now start gradually rolling out this option to more and more of our subscribers. 
@@ -52,4 +56,4 @@ Many Let's Encrypt client applications should already be able to request certifi As a matter of policy, Let's Encrypt certificates that cover IP addresses must be short-lived certs, valid for only about six days. As such, your ACME client must support the [draft ACME Profiles specification](https://datatracker.ietf.org/doc/draft-aaron-acme-profiles/), and you must configure it to request [the `shortlived` profile](https://letsencrypt.org/docs/profiles/#shortlived). And, probably not surprisingly, you can't use the DNS [challenge method](https://letsencrypt.org/docs/challenge-types/) to prove your control over an IP address; only the http-01 and tls-alpn-01 methods can be used. -If your client software requests an IP address cert with details that aren't compatible with these policies, the order will be rejected by the ACME server. In this case, your client application may need to be updated or reconfigured. Feel free to ask for help on the [Let's Encrypt community forum](https://community.letsencrypt.org/) if you encounter any problems, either as a client application developer or as an end user. \ No newline at end of file +If your client software requests an IP address cert with details that aren't compatible with these policies, the order will be rejected by the ACME server. In this case, your client application may need to be updated or reconfigured. Feel free to ask for help on the [Let's Encrypt community forum](https://community.letsencrypt.org/) if you encounter any problems, either as a client application developer or as an end user. diff --git a/content/en/post/2026-01-15-IP-and-6day-general-availability.md b/content/en/post/2026-01-15-IP-and-6day-general-availability.md index feafb0b0f..fc2e07216 100644 --- a/content/en/post/2026-01-15-IP-and-6day-general-availability.md +++ b/content/en/post/2026-01-15-IP-and-6day-general-availability.md 
@@ -8,6 +8,10 @@ display_support_us_footer: true display_inline_newsletter_embed: false --- +> **Update: March 11, 2026** +> +> If you use Certbot, see [Six-Day and IP Address Certificates Available in Certbot](/2026/03/11/shorter-certs-certbot) for details on requesting these certificates. + Short-lived and IP address certificates are now generally available from Let's Encrypt. These certificates are valid for 160 hours, just over six days. In order to get a short-lived certificate subscribers simply need to select the 'shortlived' [certificate profile](https://letsencrypt.org/docs/profiles/) in their ACME client. Short-lived certificates improve security by requiring more frequent validation and reducing reliance on unreliable revocation mechanisms. If a certificate's private key is exposed or compromised, revocation has historically been the way to mitigate damage prior to the certificate's expiration. Unfortunately, revocation is an unreliable system so many relying parties continue to be vulnerable until the certificate expires, a period as long as 90 days. With short-lived certificates that vulnerability window is greatly reduced. 
@@ -18,4 +22,4 @@ Our default certificate lifetimes will be going from 90 days down to 45 days ove IP address certificates allow server operators to authenticate TLS connections to IP addresses rather than domain names. Let's Encrypt supports both IPv4 and IPv6. IP address certificates must be short-lived certificates, a decision we made because IP addresses are more transient than domain names, so validating more frequently is important. You can learn more about our IP address certificates and the use cases for them from our [post announcing our first IP Certificate](https://letsencrypt.org/2025/07/01/issuing-our-first-ip-address-certificate). -We'd like to thank the Open Technology Fund and Sovereign Tech Agency, along with our [Sponsors](https://www.abetterinternet.org/sponsors/) and Donors, for supporting the development of this work. \ No newline at end of file +We'd like to thank the Open Technology Fund and Sovereign Tech Agency, along with our [Sponsors](https://www.abetterinternet.org/sponsors/) and Donors, for supporting the development of this work. diff --git a/content/en/post/2026-03-11-shorter-certs-certbot.md b/content/en/post/2026-03-11-shorter-certs-certbot.md new file mode 100644 index 000000000..ba0fbfa6d --- /dev/null +++ b/content/en/post/2026-03-11-shorter-certs-certbot.md 
@@ -0,0 +1,37 @@ +--- +author: Jacob Hoffman-Andrews +date: 2026-03-11T00:00:00Z +slug: shorter-certs-certbot +title: "Six-Day and IP Address Certificates Available in Certbot" +excerpt: "The most commonly used ACME client now offers shorter-lifetime certificates" +display_support_us_footer: true +display_inline_newsletter_embed: false +--- + +As we announced earlier this year, Let's Encrypt now [issues IP address and six-day certificates](/2026/01/15/6day-and-ip-general-availability) to the general public. The Certbot team at the [Electronic Frontier Foundation](https://www.eff.org/) has been working on two improvements to support these features: the `--preferred-profile` flag released last year in Certbot 4.0, and the `--ip-address` flag, new in Certbot 5.3. With these improvements together, you can now use [Certbot](https://certbot.eff.org/) to get those IP address certificates! + +If you want to try getting an IP address certificate using Certbot, install version 5.4 or higher (for `webroot` support with IP addresses), and run this command: + +```bash +sudo certbot certonly --staging \ + --preferred-profile shortlived \ + --webroot \ + --webroot-path \ + --ip-address +``` + +Two things of note: + +- This will request a non-trusted certificate from the Let's Encrypt staging server. Once you've got things working the way you want, run without the `--staging` flag to get a publicly trusted certificate. + +- This requests a certificate with Let's Encrypt's "shortlived" profile, which will be good for 6 days. This is a Let's Encrypt requirement for IP address certificates. + +As of right now, Certbot only supports getting IP address certificates, not yet installing them in your web server. There's work to come on that front. In the meantime, edit your webserver configuration to load the newly issued certificate from `/etc/letsencrypt/live//fullchain.pem` and `/etc/letsencrypt/live//privkey.pem`. 
+ +The command line above uses Certbot's "webroot" mode, which places a challenge response file in a location where your already-running webserver can serve it. This is nice since you don't have to temporarily take down your server. + +There are two other plugins that support IP address certificates today: `--manual` and `--standalone`. The `manual` plugin is like `webroot`, except Certbot pauses while you place the challenge response file manually (or [runs a user-provided hook](https://eff-certbot.readthedocs.io/en/stable/using.html#hooks) to place the file). The `standalone` plugin runs a simple web server that serves a challenge response. It has the advantage of being very easy to configure, but has the disadvantage that any running webserver on port 80 has to be temporarily taken down so Certbot can listen on that port. The `nginx` and `apache` plugins don't yet support IP addresses. + +You should also be sure that Certbot is set up for automatic renewal. Most installation methods for Certbot set up automatic renewal for you. However, since the webserver-specific installers don't yet support IP address certificates, you'll have to [set a `--deploy-hook`](https://eff-certbot.readthedocs.io/en/stable/using.html#renewing-certificates) that tells your webserver to load the most up-to-date certificates from disk. You can provide this `--deploy-hook` through the `certbot reconfigure` command using the rest of the flags above. + +We hope you enjoy using IP address certificates with Let's Encrypt and Certbot, and as always if you get stuck you can ask for help in our [Community Forum](https://community.letsencrypt.org/).
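Review bot: in the first hunk (the `2025-01-16-6-day-and-IP-certs.md` callout), the new link target `/2026/01/15/6day-and-ip-general-availability` does not match the GA post's file name `2026-01-15-IP-and-6day-general-availability.md`, and that post's `slug` front-matter line is outside this diff; confirm the slug is set to `6day-and-ip-general-availability` (or point the link at the path the site actually generates), since a filename-derived URL would 404. The same target is used in the second hunk's callout and in the new Certbot post, so one wrong slug breaks three links.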
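Review bot: in the `2025-07-01-issuing-our-first-ip-address-certificate.md` hunk, the new callout uses a root-relative link (`/2026/01/15/6day-and-ip-general-availability`) while the surrounding body text links with absolute URLs (`https://letsencrypt.org/2025/01/16/6-day-and-ip-certs/`); pick one convention for the post, or note that root-relative paths are intentional so they work on preview and mirror deployments.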
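Review bot: in the new `2026-03-11-shorter-certs-certbot.md` file, the command block as shown has no values after `--webroot-path \` and `--ip-address`, and the renewal paragraph reads `/etc/letsencrypt/live//fullchain.pem` and `/etc/letsencrypt/live//privkey.pem` with an empty directory component; if angle-bracket placeholders were intended, make sure they survive rendering (e.g. `--webroot-path /var/www/html --ip-address 203.0.113.10` with an explicit "replace with your own values" sentence, and `/etc/letsencrypt/live/YOUR-IP/fullchain.pem`), because as written a reader cannot tell what to supply. Two smaller points in the same hunk: the intro says `--ip-address` is "new in Certbot 5.3" while the next paragraph says to "install version 5.4 or higher", so state plainly that 5.3 added the flag and 5.4 added `webroot` support for it; and the closing advice to run `certbot reconfigure` "using the rest of the flags above" should say explicitly that `--staging` is dropped there, since the bullet above tells readers to remove it once things work.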