Certbot Now Supports Let's Encrypt IP Address Certificates
**Certbot**, the popular tool for automating **Let's Encrypt** certificate issuance, now supports IP address certificates. This allows users to secure their servers directly by IP address, a feature recently introduced by Let's Encrypt.
As announced earlier this year, **Let's Encrypt** now issues IP address and six-day certificates to the general public. The **Certbot** team at the **Electronic Frontier Foundation** has been working on improvements to support these features, specifically the `--preferred-profile` flag released last year in Certbot 4.0, and the `--ip-address` flag, new in Certbot 5.3. With these improvements, you can now use **Certbot** to get those IP address certificates!
### Obtaining IP Address Certificates with Certbot
To get an IP address certificate using Certbot, install version 5.4 or higher (for `webroot` support with IP addresses), and run this command:
```
sudo certbot certonly --staging \
    --preferred-profile shortlived \
    --webroot \
    --webroot-path <filesystem path to webserver root> \
    --ip-address <your ip address>
```
**Important Considerations:**
* The `--staging` flag requests a non-trusted certificate from the Let's Encrypt staging server. Remove this flag for a publicly trusted certificate once you've confirmed proper functionality.
* The `--preferred-profile shortlived` option requests a certificate with Let's Encrypt's "`shortlived`" profile, valid for 6 days. This is a requirement for IP address certificates.
### Installation and Web Server Configuration
Currently, **Certbot** only supports *getting* IP address certificates, not *installing* them in your web server. You will need to manually edit your web server configuration to load the newly issued certificate from `/etc/letsencrypt/live/<ip address>/fullchain.pem` and `/etc/letsencrypt/live/<ip address>/privkey.pem`.
The command-line example above utilizes **Certbot's** "webroot" mode, which places a challenge response file in a location accessible to your running web server. This method avoids temporary server downtime.
### Alternative Plugins
Two other plugins currently support IP address certificates: `--manual` and `--standalone`. The `manual` plugin is similar to `webroot`, but Certbot pauses for manual placement of the challenge response file (or executes a user-provided hook). The `standalone` plugin runs a simple web server to serve the challenge response. While easy to configure, it requires temporarily taking down any existing web server on port 80.
**Note:** The `nginx` and `apache` plugins do not yet support IP addresses.
### Automatic Renewal
Ensure **Certbot** is configured for automatic renewal. Most installation methods set this up automatically. However, because webserver-specific installers don't yet support IP address certificates, you'll need to set a `--deploy-hook` that instructs your web server to load the updated certificates from disk. This `--deploy-hook` can be provided through the `certbot reconfigure` command, along with the other flags mentioned above.
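One way to write such a deploy hook, as an added example that is not code from the original post or from the Certbot project. `RENEWED_LINEAGE` is the variable Certbot exports to deploy hooks; `RELOAD_CMD` and `EXPECTED_NAME` are names made up for this example, and the default reload command assumes nginx under systemd.

```shell
#!/bin/sh
# Added example: deploy hook for an IP address certificate.
# Certbot runs deploy hooks after a successful renewal and exports
# RENEWED_LINEAGE, the live/ directory of the certificate just renewed.
# Assumptions: RELOAD_CMD and EXPECTED_NAME are names chosen for this example.

# Command that makes the web server re-read its certificate
# (assumption: nginx managed by systemd; override for other servers).
RELOAD_CMD="${RELOAD_CMD:-systemctl reload nginx}"
# Lineage this hook is responsible for, e.g. the IP address; empty means any.
EXPECTED_NAME="${EXPECTED_NAME:-}"

# Succeed only if the lineage holds a PEM certificate chain and a PEM private key.
lineage_ok() {
    dir="$1"
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$dir/fullchain.pem" 2>/dev/null \
        || { echo "no certificate in $dir/fullchain.pem" >&2; return 1; }
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$dir/privkey.pem" 2>/dev/null \
        || { echo "no private key in $dir/privkey.pem" >&2; return 1; }
}

# Reload the web server for one renewed lineage.
# Returns 0 on reload or when the lineage is not ours, non-zero on failure.
deploy() {
    dir="$1"
    name=$(basename "$dir")
    if [ -n "$EXPECTED_NAME" ] && [ "$name" != "$EXPECTED_NAME" ]; then
        echo "skipping $name (hook handles $EXPECTED_NAME)"
        return 0
    fi
    # Never reload onto a missing or truncated file: the old certificate
    # stays loaded in the running server until the problem is fixed.
    lineage_ok "$dir" || return 1
    echo "reloading web server for $name"
    $RELOAD_CMD
}

# Certbot sets RENEWED_LINEAGE when it invokes the hook; do nothing otherwise.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy "$RENEWED_LINEAGE" || exit 1
fi
```

Save it as an executable file and pass its path to `--deploy-hook`.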
For assistance, consult the **Let's Encrypt** [Community Forum](https://community.letsencrypt.org/).