Who benefits from this? Even though Let’s Encrypt stresses that most site operators will do fine sticking with ordinary domain certificates, there are still scenarios where a numeric identifier is the only practical choice:

Infrastructure services such as DNS-over-HTTPS (DoH) – where clients may pin a literal IP address for performance or censorship-evasion reasons.
IoT and home-lab devices – think network-attached storage boxes, for example, living behind static WAN addresses.
Ephemeral cloud workloads – short-lived back-end servers that spin up with public IPs faster than DNS records can propagate.
    • SteveTech@programming.dev · 2 upvotes · 22 minutes ago

      With dynamic DNS? Yeah, it always has, as long as you can host an HTTP server.

      With a dynamic IP? It should do, the certs are only valid for 6 days for that reason.

  • AliasVortex@lemmy.world · 32 upvotes · 8 hours ago

    That’s kind of awesome! I have a bunch of home lab stuff, but have been putting off buying a domain (I was a broke college student when I started my lab and half the point was avoiding recurring costs, plus I already run the DNS; as far as the WAN is concerned, I have whatever domain I want). My loose plan was to stand up a certificate authority and push the root public key out with Active Directory, but being able to certify things against Let’s Encrypt might make things significantly easier.

    • fmstrat@lemmy.nowsci.com · 1 upvote · 14 minutes ago

      I use a domain, but for homelab I eventually switched to my own internal CA.

      Instead of having to do service.domain.tld it’s nice to do service.lan.

    • oasis@piefed.social · 8 upvotes · 6 hours ago

      Setting up a root and an intermediate CA is significantly more fun though ;) It also teaches you more about PKI, which is a good skill to have.

    • Melmi@lemmy.blahaj.zone · 5 upvotes · edited 3 hours ago

      I don’t see how? Normal HTTP/TLS validation would still apply so you’d need port forwarding. You can’t host anything on the CGNAT IP so you can’t pass validation and they won’t issue you a cert.