Caddy IP Address Certificates with Let's Encrypt

Let’s Encrypt now signs certificates for IP Addresses if you use the shortlived profile. By using this profile the certificates will only be valid for roughly a week, but that isn’t really a problem since they are renewed automatically anyway.

This also means you won’t have any problems with shorter certificate lifespans in the future, since the limit will only be reduced to a minimum of 47 days in 2029. For the timeline of how long certificates can be valid, see the CA/B Forum Ballot, the timeline is listed in section 6.3.2.

The caddy documentation for tls doesn’t yet include instructions on how to configure acme profiles, but it does already work. These are the two options that worked for me (Version 2.10.2):

{
    cert_issuer acme https://acme-v02.api.letsencrypt.org/directory {
        profile shortlived
    }
}

87.106.104.170 {
    respond "https secured ip address!" 200
}

Above is the global configuration, if you always want to use it. Below is a local one, if you only intend to cover one domain.

87.106.104.170 {
    tls {
        issuer acme https://acme-v02.api.letsencrypt.org/directory {
            profile shortlived
        }
    }
    respond "https secured ip address!" 200
}

At the moment IPv6 doesn’t work yet, there appears to be some implementation issue with how they are supposed to be presented to the CA.

I’ve found the information on how all of this works in this issue.