Can I obtain a free HTTPS certificate from Let’s Encrypt using Certbot on a server with a static public IP address but no associated domain name?
Unfortunately, it is not possible to obtain a free HTTPS certificate from Let’s Encrypt using Certbot for a server with a static public IP without a domain name. Let’s Encrypt issues Domain Validation (DV) certificates, which require a fully qualified domain name (FQDN) to verify ownership through challenges like HTTP-01 or DNS-01. Their policy explicitly does not support issuing certificates for bare IP addresses, as certificates must be tied to a domain name to comply with Certificate Authority/Browser Forum (CA/B Forum) standards and ensure proper validation. Here are the key points:
- Let’s Encrypt Requirements: Let’s Encrypt validates domain ownership, not IP addresses. Certbot, as an ACME client, is designed to work with domain names, and its commands (e.g.,
certbot certonly --standalone) prompt for a domain name, not an IP address. Even with a static public IP, you need a domain name to complete the validation process. - IP-Based Certificates: While some certificate authorities (e.g., Sectigo or DigiCert) offer SSL certificates for public IP addresses, Let’s Encrypt does not. IP-based certificates are technically possible but rare, and Let’s Encrypt’s infrastructure does not support them due to security and policy reasons, such as the lack of a reliable way to verify IP ownership.
- Workarounds:
- Obtain a Domain Name: The simplest solution is to register a domain name (even a free or low-cost one from providers like DuckDNS or afraid.org) and point it to your static public IP via a DNS A record. You can then use Certbot to obtain a Let’s Encrypt certificate for that domain. This domain does not need to be publicly accessible for the DNS-01 challenge, but the DNS records must be publicly resolvable.
- Self-Signed Certificates: If you don’t need a publicly trusted certificate (e.g., for internal use or testing), you can generate a self-signed certificate using tools like OpenSSL. However, browsers will display a warning since it’s not trusted by a public CA. This is not a Let’s Encrypt solution but avoids the domain requirement.
- Alternative CAs: For IP-based certificates, you could explore paid options from other CAs like Sectigo, which offer certificates for public IPs. However, these are not free and require proof of IP control.
- Certbot Limitations: Certbot does not support IP addresses in its configuration. Commands like
certbot certonly --standalone -d <IP>will fail because Let’s Encrypt rejects IP addresses as valid identifiers. A pull request to Certbot discussed IP support, but it has not changed Let’s Encrypt’s policy against issuing such certificates. - Practical Example with Domain: If you acquire a domain (e.g.,
example.com), you can set up a DNS A record pointing to your static public IP and run:
# sudo certbot certonly --standalone -d example.com
This will issue a certificate if the HTTP-01 challenge succeeds (requires port 80 open). Alternatively, use the DNS-01 challenge for internal servers:
# sudo certbot certonly --manual --preferred-challenges dns -d example.com
Follow the prompts to add a TXT record to your DNS provider. Recommendation: For a free and straightforward solution, register a cheap or free domain name and use Certbot with Let’s Encrypt. This aligns with Let’s Encrypt’s automated, domain-based validation process and avoids the limitations of IP-based certificates. If you absolutely cannot use a domain, consider a self-signed certificate for non-public use or explore paid CAs for IP-based certificates.