
Let’s Encrypt IP Certificates: Free 6-Day Automation


On January 15, Let’s Encrypt made 6-day certificates and IP address certificates generally available, becoming the first major free certificate authority to issue TLS certificates for IP addresses without requiring domain names. These certificates last 160 hours (just over 6 days), and for IP addresses the short-lived profile is mandatory. Commercial CAs charge $60-150/year for IP certificates. Let’s Encrypt makes it free.

The economics shift immediately. For 10,000 IoT devices, that’s $1 million saved annually. The catch? You must automate everything—manual renewal every 6 days is impractical.

What Changed: Free IP Certificates, Mandatory Automation

Let’s Encrypt now issues certificates for IP addresses (192.0.66.233, 2001:db8::1) with a policy-driven 160-hour lifespan. IP addresses change hands more frequently than domain names, so validation happens every 6 days instead of 90. For domain certificates, 6-day lifespans are optional. For IP certificates, they’re required.

The technical requirements are straightforward: use an ACME client (Certbot, acme.sh, Caddy) to request the ‘shortlived’ certificate profile. Validation works via http-01 (HTTP challenge on port 80) or tls-alpn-01 (TLS challenge on port 443). DNS-01 validation isn’t supported—IP addresses don’t have DNS records.

Let’s Encrypt had 434 million active certificates as of December 2025, making it the world’s largest certificate authority. The first IP certificate was issued in the staging environment on July 1, 2025; general availability arrived this week.

The Automation Mandate

Manual renewal every 6 days is impossible at scale—automation becomes mandatory, not optional. This is a forcing function: teams must adopt ACME automation, set up systemd timers or cron jobs, and monitor for failures. If you can’t automate, you can’t use this.

The security rationale is solid. Let’s Encrypt states: “If a certificate’s private key is compromised, revocation has historically been unreliable, leaving parties vulnerable for up to 90 days. Short-lived certificates reduce that vulnerability window to 6 days.” Certificate revocation checking (OCSP, CRL) disappears entirely—expiration handles revocation automatically.

Renewal frequency jumps from ~2 renewals/year (90-day certs) to ~61 renewals/year (6-day certs). The recommended renewal window is 4 days before expiration, giving you a 96-hour buffer for automation failures. Infrastructure simplifies further because revocation checking is no longer needed.


This isn’t just about Let’s Encrypt. The industry is shifting toward shorter certificate lifespans. Let’s Encrypt plans 45-day default certificates in the next few years, eventually shorter. Teams that master automation now will be prepared. Those that delay will face service outages.

Use Cases: IoT, Homelab, Internal Services

IP certificates unlock three major use cases. IoT devices with embedded web interfaces (security cameras, routers, smart home hubs) can eliminate self-signed certificates. Home NAS servers and Raspberry Pi projects get valid HTTPS without buying domains. Internal enterprise services on private IPs can be secured without DNS infrastructure.

Concrete example: your home security camera at 192.168.1.100 gets a valid certificate, so there are no more browser warnings when you open its web interface (provided the address is publicly reachable for validation; see the constraint below). Your Synology NAS accessed via direct IP (203.0.113.45) now has a Let’s Encrypt certificate instead of triggering security warnings. For IoT manufacturers, baking certificate automation into firmware becomes economically viable.

The cost savings are transformative. Commercial CAs (Sectigo, DigiCert) charge $60-150/year per IP certificate. For 10,000 IoT devices, that’s $600,000-$1,500,000 annually. Let’s Encrypt makes this $0. The trade-off is automation investment—you need infrastructure to handle 61 renewals/year per device.

Important constraint: devices must be publicly accessible on ports 80 or 443 for validation. Internal-only services on private IP ranges (192.168.x.x, 10.x.x.x) can’t use this—Let’s Encrypt can’t validate private IPs. For those, run an internal certificate authority (step-ca, Smallstep).

IP Certificate Security: Benefits vs Risks

Security researchers are split on free IP certificates. Malwarebytes warns that attackers could exploit this: “A malicious actor could construct links that display one domain while directing users to an IP address under their control, hosting fraudulent payment sites.” The padlock icon creates false security—encrypted doesn’t mean trustworthy.

The counterargument: 6-day lifespans mitigate phishing risk. If an attacker gets a certificate for a malicious server, it’s valid for 6 days maximum versus 90 days with traditional certificates. Malwarebytes recommends monitoring certificate transparency logs for suspicious IP certificates and combining that with threat intelligence to identify abuse.

The net benefit tilts toward securing IoT. Millions of home devices currently use self-signed certificates or no encryption at all. Free IP certificates reduce that attack surface. For developers: use IP certificates for internal and IoT use cases, stick with domain certificates for production services where DNS is practical.

What Developers Should Do Now

If you manage IoT devices, home servers, or internal services on IP addresses, evaluate ACME automation. Start with Let’s Encrypt’s staging environment (test.letsencrypt.org) to avoid production rate limits—50 certificates per week. Choose an ACME client: Certbot for simplicity, acme.sh for minimal dependencies, Caddy or Traefik for automatic renewal.

Set up monitoring for certificate expiry even with automation. Automation fails—network issues, rate limiting, firewall misconfigurations. Use Prometheus exporters, Nagios plugins, or custom scripts. For production services with DNS, stick with domain certificates. IP changes don’t invalidate domain certs, but they do invalidate IP certs.
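As an added example (not from the article or from Let’s Encrypt), here is a stdlib-only Python check that encodes the 160-hour lifetime and the 96-hour renewal buffer described above: it takes a certificate in the dict shape Python’s `ssl` module returns from `getpeercert()`, flags an overdue renewal, a lifetime longer than the short-lived profile, and a missing iPAddress SAN. The sample certificate and its use of the article’s 203.0.113.45 address are constructed test data.

```python
import ipaddress
import socket
import ssl
from datetime import datetime, timezone

# Policy values from the article: 160-hour lifetime, renew 4 days (96 h) before expiry.
SHORTLIVED_HOURS = 160
RENEW_BEFORE_HOURS = 96

def check_ip_cert(cert: dict, expected_ip: str, now: datetime) -> dict:
    """Evaluate a certificate in the dict form returned by ssl.SSLSocket.getpeercert().

    Returns remaining/lifetime hours plus a list of alert strings (empty list = healthy).
    """
    alerts = []
    # notBefore/notAfter use the 'Jan 22 04:00:00 2026 GMT' format ssl.cert_time_to_seconds parses.
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    remaining_h = (not_after - now).total_seconds() / 3600
    lifetime_h = (not_after - not_before).total_seconds() / 3600
    if remaining_h <= 0:
        alerts.append("expired")
    elif remaining_h < RENEW_BEFORE_HOURS:
        # Inside the 96 h renewal window the ACME job should already have replaced the cert.
        alerts.append("renewal overdue: %.0f h left" % remaining_h)
    if lifetime_h > SHORTLIVED_HOURS:
        # IP certificates are short-lived only; a longer lifetime means this is not the expected cert.
        alerts.append("lifetime %.0f h exceeds the 160 h short-lived profile" % lifetime_h)
    # The IP must appear as an iPAddress SAN; DNS SANs do not cover a bare-IP URL.
    san_ips = {ipaddress.ip_address(v) for k, v in cert.get("subjectAltName", ()) if k == "IP Address"}
    if ipaddress.ip_address(expected_ip) not in san_ips:
        alerts.append("SAN does not contain %s" % expected_ip)
    return {"remaining_hours": remaining_h, "lifetime_hours": lifetime_h, "alerts": alerts}

def fetch_peer_cert(ip: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect to ip:port, verify the chain against the system trust store, return the peer cert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        # Passing the IP literal as server_hostname makes Python match it against the iPAddress SANs.
        with ctx.wrap_socket(sock, server_hostname=ip) as tls:
            return tls.getpeercert()

# Constructed sample in getpeercert() shape: a 160 h certificate for the article's NAS address.
SAMPLE_CERT = {
    "notBefore": "Jan 15 12:00:00 2026 GMT",
    "notAfter": "Jan 22 04:00:00 2026 GMT",
    "subjectAltName": (("IP Address", "203.0.113.45"),),
}
```

Run `check_ip_cert(fetch_peer_cert("203.0.113.45"), "203.0.113.45", datetime.now(timezone.utc))` from a timer job and page on any non-empty `alerts` list; observing fewer than 96 hours left means the renewal automation has already missed its window.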

Key Takeaways

  • Let’s Encrypt launched free IP certificates on January 15: First major CA to offer IP address certificates (IPv4/IPv6) without domains. Validity: 160 hours (6 days). Commercial CAs charge $60-150/year—Let’s Encrypt is $0.
  • Automation is mandatory, not optional: 6-day renewals require ACME clients (Certbot, acme.sh, Caddy). Manual workflows break. Renewal frequency: ~61/year vs ~2/year for 90-day certs. Prepare for industry shift to 45-day defaults soon.
  • Use cases: IoT devices, homelab, internal services: Security cameras, NAS servers, Raspberry Pi projects eliminate self-signed certificates. Cost savings: $1M/year for 10,000 devices. Constraint: public IP + ports 80/443 accessible for validation.
  • Security trade-off is real but manageable: Malwarebytes warns about phishing infrastructure. 6-day lifespan mitigates risk (short compromise window). Monitor certificate transparency logs. Net benefit: securing millions of IoT devices outweighs phishing risk.
  • Domain certificates remain better for production: IP changes don’t invalidate domain certs. Use IP certs for static IPs, internal services, cost-sensitive IoT deployments. Use domain certs for production services with DNS.
ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to simplify complex tech concepts, breaking them down into byte-sized and easily digestible information.
