Description
Issue Details
Greetings,
Hence, I wanted to see if I could get this up and running on my Caddy instance.
I am trying to set up a basic splash page for the IP addresses that my Caddy instance is running on with caddy certificate management.
However, I am getting an error in regard to IP address identifiers not being permitted on Let's Encrypt, even with the shortlived ACME profile.
Relevant Caddyfile et al. snippets:

```caddyfile
{
	## log stuff
	log file {
		output file /var/log/caddy/main.log {
			roll_size 100M
			roll_local_time
			roll_keep 3
			roll_keep_for 72h
		}
		format console
		level info
	}

	default_bind 45.129.94.148 [2a12:4944:efe4::] 167.150.90.148

	## SSL stuff
	key_type p384
	email xxx@xxx.be
	acme_ca https://acme-v02.api.letsencrypt.org/directory
}

import /etc/caddy/conf.d/*
```

Then the IP address configuration:

```caddyfile
167.150.90.148, 45.129.94.148, 2a12:4944:efe4:: {
	tls {
		issuer acme https://acme-v02.api.letsencrypt.org/directory {
			profile shortlived
		}
	}
	respond "Hello, World!" 200
}
```

This gives me the following errors in the configured /var/log/caddy/main.log file:

```
dec 17 04:58:55 klomachi caddy[13161]: {"level":"info","ts":1765943935.7888427,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"167.150.90.148"}
dec 17 04:58:55 klomachi caddy[13161]: {"level":"info","ts":1765943935.795329,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"2a12:4944:efe4::"}
dec 17 04:58:55 klomachi caddy[13161]: {"level":"error","ts":1765943935.8016365,"logger":"tls.obtain","msg":"will retry","error":"[167.150.90.148] Obtain: subject '167.150.90.148' cannot have public IP certificate from https://acme-v02.api.letsencrypt.org/directory (if CA's policy has changed, please notify the developers in an issue)","attempt":5,"retrying_in":600,"elapsed":600.072403854,"max_duration":2592000}
dec 17 04:58:55 klomachi caddy[13161]: {"level":"error","ts":1765943935.8080711,"logger":"tls.obtain","msg":"will retry","error":"[2a12:4944:efe4::] Obtain: subject '2a12:4944:efe4::' cannot have public IP certificate from https://acme-v02.api.letsencrypt.org/directory (if CA's policy has changed, please notify the developers in an issue)","attempt":5,"retrying_in":600,"elapsed":600.083840312,"max_duration":2592000}
```
So, as the error message instructs, I am opening this issue. :)
For now, I am using acme.sh with a reverse proxy for the TLS-ALPN protocol set up in the Caddyfile to actually get the certificates.
I will leave the configuration I have for this here, in case anyone wants to re-create this until upstream support is added. :)
(If this is not allowed, please let me know so that I can remove this)
Caddyfile entry:

```caddyfile
167.150.90.148, 45.129.94.148, 2a12:4944:efe4:: {
	tls /path/to/ip-fullchain.pem /path/to/ip-key.pem
	@acme_tls {
		protocol acme-tls/1
	}
	handle @acme_tls {
		reverse_proxy localhost:8443
	}
	respond "Hello, World!" 200
}
```

Relevant acme.sh commands:

```bash
./acme.sh --issue \
  --alpn \
  --tlsport 8443 \
  --server letsencrypt \
  --keylength ec-256 \
  -d 167.150.90.148 \
  -d 45.129.94.148 \
  -d 2a12:4944:efe4:: \
  --certificate-profile shortlived

./acme.sh --install-cert \
  -d 167.150.90.148 \
  --ecc \
  --cert-file /path/to/ip-cert.pem \
  --key-file /path/to/ip-key.pem \
  --fullchain-file /path/to/ip-fullchain.pem \
  --reloadcmd "sudo systemctl reload caddy" \
  --tlsport 8443

echo "Le_RenewalDays='4'" >> /path/to/.acme.sh/167.150.90.148_ecc/167.150.90.148.conf
```

As you can see, all three IPs are secured with this current method.
The default crontab should be enough to keep up with the shorter 6-day lifespan of the shortlived certificates: as it checks every day at a fixed time, and with Le_RenewalDays set to 4, it will renew the certificate at ~3 days.
I would write a PR myself, but my knowledge of Go and the relevant projects is unfortunately too limited to even dare to try this. ^^'
Really hoping this could be added to a future release of Caddy, so that I can get rid of this ugly hack to get it working!
Cheers, and happy holidays to all of you who celebrate them,
Jori Vanneste / Tyrasuki
Assistance Disclosure
AI not used
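Added example, not part of this issue or of Caddy/acme.sh: a small Python helper that reads the `tls.obtain` "will retry" records from Caddy's JSON log (in the journald form quoted above), classifies each failing identifier as a public IP, private IP or DNS name, and flags the CA-policy refusals that no amount of retrying will fix, so they can be alerted on instead of silently burning through the 30-day retry budget. The sample log is constructed from the lines in the issue plus one made-up DNS-name failure (`example.invalid`); the function names are my own.

```python
import ipaddress
import json
import re
# Constructed sample: journald output of Caddy's JSON log, modelled on the issue's lines plus one made-up DNS failure.
SAMPLE_LOG = """\
dec 17 04:58:55 klomachi caddy[13161]: {"level":"info","ts":1765943935.7888427,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"167.150.90.148"}
dec 17 04:58:55 klomachi caddy[13161]: {"level":"error","ts":1765943935.8016365,"logger":"tls.obtain","msg":"will retry","error":"[167.150.90.148] Obtain: subject '167.150.90.148' cannot have public IP certificate from https://acme-v02.api.letsencrypt.org/directory (if CA's policy has changed, please notify the developers in an issue)","attempt":5,"retrying_in":600,"elapsed":600.072403854,"max_duration":2592000}
dec 17 04:58:55 klomachi caddy[13161]: {"level":"error","ts":1765943935.8080711,"logger":"tls.obtain","msg":"will retry","error":"[2a12:4944:efe4::] Obtain: subject '2a12:4944:efe4::' cannot have public IP certificate from https://acme-v02.api.letsencrypt.org/directory (if CA's policy has changed, please notify the developers in an issue)","attempt":5,"retrying_in":600,"elapsed":600.083840312,"max_duration":2592000}
dec 17 04:59:10 klomachi caddy[13161]: {"level":"error","ts":1765943950.5,"logger":"tls.obtain","msg":"will retry","error":"[example.invalid] Obtain: (constructed) challenge failed","attempt":1,"retrying_in":60,"elapsed":0.25,"max_duration":2592000}
"""
LEADING_IDENT = re.compile(r"^\[([^\]]+)\]")  # CertMagic prefixes the error text with "[identifier]"

def parse_caddy_log(text):
    """Yield each JSON record; tolerates a journald prefix and skips lines that carry no JSON."""
    for line in text.splitlines():
        try:
            yield json.loads(line[line.index("{"):])
        except ValueError:  # no "{" on the line, or the tail is not valid JSON
            continue

def identifier_kind(ident):
    """Classify an ACME identifier the way a CA's issuance policy does."""
    try:
        ip = ipaddress.ip_address(ident)
    except ValueError:
        return "dns"
    return "public-ip" if ip.is_global else "private-ip"

def summarize_obtain_failures(text):
    """Latest 'will retry' record per identifier from Caddy's tls.obtain logger."""
    failures = {}
    for rec in parse_caddy_log(text):
        if rec.get("logger") != "tls.obtain" or rec.get("msg") != "will retry":
            continue
        m = LEADING_IDENT.match(rec.get("error", ""))
        if not m:
            continue
        ident = m.group(1)
        failures[ident] = {
            "kind": identifier_kind(ident),
            "attempt": rec["attempt"],
            # A CA policy refusal is deterministic: retrying until max_duration (30 days here) cannot succeed.
            "policy_refusal": "cannot have public IP certificate" in rec["error"],
            "retry_budget_left_s": round(rec["max_duration"] - rec["elapsed"]),
        }
    return failures

def needs_operator_action(failures):
    """Identifiers whose failure retrying cannot fix, i.e. the CA policy refusals."""
    return sorted(i for i, f in failures.items() if f["policy_refusal"])
```

Feed it `journalctl -u caddy -o cat` output or the log file itself; the `identifier` field on the "obtaining certificate" lines is ignored on purpose, only the error records drive the summary.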