Who benefits from this? Even though Let’s Encrypt stresses that most site operators will do fine sticking with ordinary domain certificates, there are still scenarios where a numeric identifier is the only practical choice:
Infrastructure services such as DNS-over-HTTPS (DoH) – where clients may pin a literal IP address for performance or censorship-evasion reasons.
IoT and home-lab devices – think network-attached storage boxes, for example, living behind static WAN addresses.
Ephemeral cloud workloads – short-lived back-end servers that spin up with public IPs faster than DNS records can propagate.
Would this work with a public dynamic DNS?
With dynamic DNS? Yeah, it always has, as long as you can host an HTTP server.
With a dynamic IP? It should do, the certs are only valid for 6 days for that reason.
Can I get a cert for 127.0.0.1? /s
How many bits is a /s mask?
i
8
The downvotes are from people who work in IT support that have to deal with idiots that play with things they don't understand.
It’s unfortunate they don’t know what /s means
We do, it’s just that those users will also often go “nah, I’m just joking!” then do some shit anyways.
How do I setup a reverse proxy for pure TCP? /s
Think that’s called NATing
That’s kind of awesome! I have a bunch of home lab stuff, but have been putting off buying a domain (I was a broke college student when I started my lab and half the point was avoiding recurring costs, plus I already run the DNS; as far as the WAN is concerned, I have whatever domain I want). My loose plan was to stand up a certificate authority and push the root public key out with Active Directory, but being able to certify things against Let’s Encrypt might make things significantly easier.
I use a domain, but for homelab I eventually switched to my own internal CA.
Instead of having to do service.domain.tld it’s nice to do service.lan.
Any good instructions you would recommend for doing this?
FYI you can get a numeric .xyz domain for $1 a year
At least for the first year.
Pretty sure it remains $1. But it’s specifically only 6-9 digit numeric .xyz domains.
Setting up a root and an intermediate CA is significantly more fun though ;) It also teaches you more about PKI, which is a good skill to have.
but for the love of god and your own benefit, put a name constraint directly on the root cert
It’s like self-signed certs with the convenience of a third party
Hell yuh.
Couldn’t this prove very troublesome in combination with carrier grade nat?
I don’t see how? Normal HTTP/TLS validation would still apply so you’d need port forwarding. You can’t host anything on the CGNAT IP so you can’t pass validation and they won’t issue you a cert.
You can totally host something on carrier-grade NAT using techniques like NAT hole punching.
You don’t get control of the incoming port that way. For LetsEncrypt to issue a certificate primarily intended for HTTPS, they will check that the HTTP server on that IP is owned by the requesting party. That has to live on port 80, which you can’t forward on CGNAT.