起因
撰写本文是因为看到了 Let's Encrypt 的 Blog 更新:We've Issued Our First IP Address Certificate - Let's Encrypt,很感兴趣。
一直以来,我都在使用 acme.sh 来实现 SSL 证书的申请与部署,于是想试一下用它为 IPv6 地址申请一下证书。
实际操作
根据 Blog 中的指引:
IP address certificates are available right now in Staging. They should be generally available in Prod later in 2025, at the same time that short-lived certificates become generally available. Prior to general availability we may allow list issuance for a limited number of partners who can provide us with feedback.
Many Let’s Encrypt client applications should already be able to request certificates for IP addresses, although there can be minor technical changes required to support this in some client software.
As a matter of policy, Let’s Encrypt certificates that cover IP addresses must be short-lived certs, valid for only about six days. As such, your ACME client must support the draft ACME Profiles specification, and you must configure it to request the
shortlivedprofile. And, probably not surprisingly, you can’t use the DNS challenge method to prove your control over an IP address; only the http-01 and tls-alpn-01 methods can be used.If your client software requests an IP address cert with details that aren’t compatible with these policies, the order will be rejected by the ACME server. In this case, your client application may need to be updated or reconfigured. Feel free to ask for help on the Let’s Encrypt community forum if you encounter any problems, either as a client application developer or as an end user.
关键的就是三点:
- 现阶段只能测试尝鲜,需要使用到 Let's Encrypt 的 Staging Server,正式环境暂不支持;
- 不能使用
dns-01验证方式,只能通过http-01和tls-alpn-01验证; - 必须配置为 shortlived 短期证书。
需要使用 80 / 443 端口
(显然)不能用 DNS 方式完成 IP 地址验证,使用http-01 验证时必须使用 80 端口,而使用 tls-alpn-01 验证时必须使用 443 端口。部分地区 / ISP 可能会阻止这两个端口的访问,因而无法通过验证并签发证书。
前两点稍作留意即可,但是对于短期证书配置的要求, acme.sh 的目前版本(截至 2025.07.21)暂不支持。不过,已经有了相关 PR:#6442 ,我们可以先使用这个修改过的版本。
测试环境为 nginx 默认配置。安装好已修改的 acme.sh 后执行:
acme.sh --issue --webroot /var/www/html -d "IPv4/IPv6 address" --keylength ec-256 --certificate-profile shortlived --days 6 --server https://acme-staging-v02.api.letsencrypt.org/directory--nginx 默认不可用
--webroot 手动指定路径,因为 --nginx 无法自动检测到配置文件。
即可获取到有效期为6天的IP证书。如果需要同时获取 IPv4/IPv6 均可用的证书,只需再指定一项 -d "IP" 即可。
当然,Let's Encrypt Staging 签发的证书仅供测试,不会被浏览器信任。正式使用还需等待后续正式版上线。
写在最后
Let's Encrypt 等机构从很早就开始推进免费、自动化的 SSL 证书颁发流程。但很长一段时间里,对 IP 地址签发 SSL 证书,尤其是自动化签发并不容易。对 IPv4 地址的支持尚且不多,更不用说 IPv6 了。
插一句,曾有一家名为 HiCA 的“中间商”提供用 acme.sh 签发 IP 证书的服务,但是其运营中涉及利用 RCE 漏洞(#4659)的行为,虽然没有造成很严重的后果,但之后也就不了了之了。
这次 Let's Encrypt 的更新,也算是推动了行业的发展吧。(另注:这一更新其实也在推进 6 天有效期的短期证书。感兴趣的读者可参阅:Announcing Six Day and IP Address Certificate Options in 2025 - Let's Encrypt)
本文(https://www.cgtsoft.com/archives/66/)来源于 CGT Software,使用 CC BY-NC-SA 4.0 许可发布。
