For people who want IP certificates, keep in mind that certbot doesn't support it yet, with a PR still open to implement it: https://github.com/certbot/certbot/pull/10495

I think acme.sh supports it though.

As already noted on this thread, you can't use certbot today to get an IP address certificate. You can use lego [1], but figuring out the exact command line took me some effort yesterday. Here's what worked for me:

    lego --domains 206.189.27.68 --accept-tos --http --disable-cn run --profile shortlived

[1] https://go-acme.github.io/lego/

This is interesting, I am guessing the use case for ip address certs is so your ephemeral services can do TLS communication, but now you don't need to depend on provisioning a record on the name server as well for something that you might be start hundreds or thousands of, that will only last for like an hour or day.

Does anyone know when Caddy plans on supporting this?

If I can use my DHCP assigned IP, will this allow me to drop having to use self-signed certificates for localhost development?

Something about a 6 day long IP address based token brings me back to the question of why we are wasting so much time on utterly wrong TOFU authorization?

If you are supposed to have an establishable identity I think there is DNSSEC back to the registrar for a name and (I'm not quite sure what?) back to the AS.for the IP.

This sounds like a very good thing, like a lot of stuff coming from letsencrypt.

But what risks are attached with such a short refresh?

Is there someone at the top of the certificate chain who can refuse to give out further certificates within the blink of an eye?

If yes, would this mean that within 6 days all affected certificates would expire, like a very big Denial of Service attack?

And after 6 days everybody goes back to using HTTP?

Maybe someone with more knowledge about certificate chains can explain it to me.