Enterprise-grade Swiss Army Knife for managing Let's Encrypt SSL certificates for IP addresses
Features • Quick Start • Documentation • Installation • Usage • FAQ • Contributing
As of July 2025, Let's Encrypt issues SSL certificates for IP addresses (initially from its staging environment). This is a significant milestone: it makes HTTPS possible for services that are reached directly by IP address rather than by a hostname.
This tool wraps the issuance and management of these IP certificates with automatic renewal, thorough input validation, and production-oriented safeguards.
This project is made possible by Let's Encrypt, a free, automated, and open Certificate Authority. We extend our gratitude to:
- Let's Encrypt - For providing free SSL certificates and pioneering IP address certificate support
- Internet Security Research Group (ISRG) - For operating Let's Encrypt
- Electronic Frontier Foundation (EFF) - For their contributions to Certbot and web security
- Staging Environment Only: at the time of writing, IP certificates are issued only by Let's Encrypt's staging environment, so browsers will not trust them until the production rollout
- Short-lived Certificates: IP certificates use Let's Encrypt's `shortlived` ACME profile and are valid for only 6 days, so renewal must run several times a day
- ACME Profile Support: the script requires Certbot 2.0.0 or newer; note that Certbot's own profile selection flags (`--preferred-profile` / `--required-profile`) only arrived in Certbot 4.0.0, so install a current release
- Public IPs Only: private, loopback, link-local and other reserved addresses are rejected both by the script and by Let's Encrypt
```bash
# Clone and setup
git clone https://github.com/yourusername/letsencrypt-ip-manager.git
cd letsencrypt-ip-manager
chmod +x letsencrypt-ip-ssl-manager.sh

# Interactive setup (recommended for new users)
sudo ./letsencrypt-ip-ssl-manager.sh --setup

# Or quick certificate generation
sudo ./letsencrypt-ip-ssl-manager.sh -i YOUR_PUBLIC_IP -e you@example.com
```
- User Manual - Complete usage guide
- Installation Guide - Step-by-step setup
- API Reference - All commands and options
- Troubleshooting - Common issues and solutions
- Security Guide - Security best practices
- Deployment Examples - Production deployment scenarios
- Universal IP Support: IPv4 and IPv6 addresses with comprehensive validation
- Smart Validation: accepts public IP addresses only and rejects private/reserved ranges
- Aggressive Renewal: every 4 hours for 6-day certificates, with multiple fallback mechanisms
- Interactive Setup: user-friendly configuration wizard with persistent settings
- Input Sanitization: comprehensive validation of all arguments to prevent command injection
- Secure Permissions: proper file permissions and access controls
- Audit Logging: complete audit trail for compliance and monitoring
- Emergency Recovery: automatic backup and restore capabilities
- Linux Distributions: Debian, Ubuntu, RHEL, CentOS, Fedora, SUSE, Arch, Alpine, Gentoo
- BSD Systems: FreeBSD, OpenBSD, NetBSD, DragonFlyBSD
- macOS Support: limited support via Homebrew
- Multi-Init Systems: systemd, OpenRC, SysV, BSD rc, launchd
- System Monitoring: comprehensive status reports and health checks
- Backup Management: automated backup rotation with configurable retention
- Auto-Recovery: intelligent error recovery with rollback capabilities
- User Experience: colored output, progress indicators, helpful messages
- Dependency Management: automatic dependency detection and installation
- Integrity Checking: system integrity verification and validation
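The public-address check that the Smart Validation feature describes (and that the "IP address appears to be private" troubleshooting entry later on refers to) can be reproduced in plain bash. The block below is an added example written for this page, not the project's own code: `classify_ip` and `expand_ipv6` are names chosen here, the label set is our own, and the reserved ranges come from the IANA special-purpose registries (RFC 1918, 6598, 5737, 3849, 4193, 4291). It goes a little beyond a private-range check by also naming loopback, link-local, carrier-grade NAT, multicast and documentation space, so the `203.0.113.10` and `2001:db8::1` placeholders used in this README are reported as `documentation` instead of being silently accepted. IPv4-mapped addresses written with a dotted-quad suffix (`::ffff:1.2.3.4`) are treated as invalid rather than parsed.

```bash
#!/usr/bin/env bash
# Added example (not the project's code): classify an IP address literal.
# classify_ip prints one label and returns 0 only for a publicly routable address:
#   public | private | cgnat | loopback | link-local | documentation |
#   multicast | ipv4-mapped | unspecified | reserved | invalid

# expand_ipv6 ADDR -> prints the 8 hextets as decimal numbers, or returns 1 if malformed.
expand_ipv6() {
  local addr left right fill i g s=""
  local allowed='^[0-9a-f:]+$' hexgroup='^[0-9a-f]{1,4}$'
  addr=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  [[ $addr =~ $allowed ]] || return 1              # dotted-quad suffix (::ffff:1.2.3.4) not handled here
  local squeezed=${addr//::/X}
  [[ $squeezed == *X*X* ]] && return 1             # more than one "::"
  [[ $addr == *:::* ]] && return 1                 # ":::" is never valid
  [[ $addr == :* && $addr != ::* ]] && return 1    # single leading colon
  [[ $addr == *: && $addr != *:: ]] && return 1    # single trailing colon
  if [[ $addr == *::* ]]; then
    left=${addr%%::*}; right=${addr#*::}
  else
    left=$addr; right=""
  fi
  local -a l=() r=() out=()
  IFS=: read -ra l <<<"$left"
  IFS=: read -ra r <<<"$right"
  if [[ $addr == *::* ]]; then
    fill=$((8 - ${#l[@]} - ${#r[@]}))
    (( fill >= 1 )) || return 1                    # "::" must stand for at least one zero group
  else
    fill=0
    (( ${#l[@]} == 8 )) || return 1
  fi
  for g in "${l[@]}" "${r[@]}"; do [[ $g =~ $hexgroup ]] || return 1; done
  out=("${l[@]}")
  for ((i = 0; i < fill; i++)); do out+=(0); done
  out+=("${r[@]}")
  for g in "${out[@]}"; do s+="$((16#$g)) "; done
  printf '%s\n' "${s% }"
}

classify_ip() {
  local ip=$1 label
  if [[ $ip == *:* ]]; then
    local expanded
    expanded=$(expand_ipv6 "$ip") || { echo invalid; return 1; }
    local -a g
    read -ra g <<<"$expanded"
    if (( g[0] == 0 && g[1] == 0 && g[2] == 0 && g[3] == 0 && g[4] == 0 )); then
      if (( g[5] == 0xffff )); then echo ipv4-mapped; return 1; fi     # ::ffff:0:0/96
      if (( g[5] == 0 && g[6] == 0 )); then
        case ${g[7]} in 0) echo unspecified ;; 1) echo loopback ;; *) echo reserved ;; esac
        return 1
      fi
    fi
    if   (( (g[0] & 0xffc0) == 0xfe80 )); then label=link-local            # fe80::/10
    elif (( (g[0] & 0xfe00) == 0xfc00 )); then label=private               # fc00::/7 unique local
    elif (( (g[0] & 0xff00) == 0xff00 )); then label=multicast             # ff00::/8
    elif (( g[0] == 0x2001 && g[1] == 0x0db8 )); then label=documentation  # 2001:db8::/32
    elif (( (g[0] & 0xe000) == 0x2000 )); then label=public                # 2000::/3 global unicast
    else label=reserved
    fi
  else
    local re='^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$'
    [[ $ip =~ $re ]] || { echo invalid; return 1; }
    local a=$((10#${BASH_REMATCH[1]})) b=$((10#${BASH_REMATCH[2]})) \
          c=$((10#${BASH_REMATCH[3]})) d=$((10#${BASH_REMATCH[4]}))
    (( a <= 255 && b <= 255 && c <= 255 && d <= 255 )) || { echo invalid; return 1; }
    if   (( a == 0 )); then label=reserved                                           # 0.0.0.0/8
    elif (( a == 10 || (a == 172 && b >= 16 && b <= 31) || (a == 192 && b == 168) )); then label=private
    elif (( a == 100 && b >= 64 && b <= 127 )); then label=cgnat                     # 100.64.0.0/10
    elif (( a == 127 )); then label=loopback
    elif (( a == 169 && b == 254 )); then label=link-local
    elif (( (a == 192 && b == 0 && c == 2) || (a == 198 && b == 51 && c == 100) || (a == 203 && b == 0 && c == 113) )); then label=documentation
    elif (( a == 192 && b == 0 && c == 0 )); then label=reserved                     # 192.0.0.0/24 IETF assignments
    elif (( a == 198 && (b == 18 || b == 19) )); then label=reserved                 # 198.18.0.0/15 benchmarking
    elif (( a >= 224 )); then label=reserved                                         # multicast and 240.0.0.0/4
    else label=public
    fi
  fi
  echo "$label"
  [[ $label == public ]]
}

# Demo run over constructed inputs (includes this README's placeholder addresses).
for ip in 203.0.113.10 2001:db8::1 8.8.8.8 2606:4700::1111 192.168.1.5 100.64.3.3 fe80::1 ::1 256.1.1.1 1::2::3; do
  printf '%-18s %s\n' "$ip" "$(classify_ip "$ip")"
done
```

Only the `public` label returns success, so a wrapper can simply do `classify_ip "$ip" >/dev/null || exit 1` before handing the address to certbot; the printed label is what you would put in the error message.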
- Operating System: Linux (Debian/Ubuntu/RHEL/CentOS/Fedora/SUSE/Arch/Alpine/Gentoo), BSD (FreeBSD/OpenBSD/NetBSD), or macOS
- Privileges: root or sudo access for certificate operations
- Network: a public IP address (IPv4 or IPv6) that is routed to this host from the internet
- Firewall: port 80 reachable from the internet on that address for HTTP-01 challenge validation (DNS-01 cannot be used for IP certificates)
- Shell: Bash 3.2+ (compatible with older systems, including the bash shipped with macOS)
- Certbot: 2.0.0+ with ACME profile support (auto-installed if missing); Certbot's own `--preferred-profile` flag arrived in 4.0.0, so a current release is recommended
- Python: 3.6+ (usually pre-installed)
- Utilities: curl, openssl, DNS tools (auto-detected and installed)
```bash
# Clone the repository
git clone https://github.com/yourusername/letsencrypt-ip-manager.git
cd letsencrypt-ip-manager

# Make the script executable
chmod +x letsencrypt-ip-ssl-manager.sh

# Interactive setup (handles everything automatically)
sudo ./letsencrypt-ip-ssl-manager.sh --setup
```

Manual installation, if you prefer to run each step yourself:

```bash
# Clone and install dependencies
git clone https://github.com/yourusername/letsencrypt-ip-manager.git
cd letsencrypt-ip-manager
chmod +x letsencrypt-ip-ssl-manager.sh

# Install certbot and dependencies automatically
sudo ./letsencrypt-ip-ssl-manager.sh --install

# Configure settings interactively
sudo ./letsencrypt-ip-ssl-manager.sh --configure
```

Install dependencies by hand (if not using the script's auto-installer):

Debian/Ubuntu:

```bash
sudo apt update
sudo apt install -y snapd python3 curl openssl dnsutils
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
```

RHEL/CentOS/Fedora:

```bash
# On RHEL/CentOS the snapd package comes from EPEL: run "sudo yum install -y epel-release" first
sudo yum install -y snapd python3 curl openssl bind-utils
sudo systemctl enable --now snapd.socket
sudo ln -s /var/lib/snapd/snap /snap   # classic snaps need the /snap path on RHEL-family systems
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
```

Verify the Certbot version:

```bash
certbot --version   # the script requires 2.0.0 or higher; 4.0.0+ is needed for certbot's own --preferred-profile flag
```
```bash
# Interactive setup for new users
sudo ./letsencrypt-ip-ssl-manager.sh --setup

# Get certificate for an IPv4 address
sudo ./letsencrypt-ip-ssl-manager.sh -i 203.0.113.10 -e you@example.com

# Get certificate for an IPv6 address
sudo ./letsencrypt-ip-ssl-manager.sh -i 2001:db8::1 -e you@example.com

# Set up automatic renewal (CRITICAL for 6-day certs!)
sudo ./letsencrypt-ip-ssl-manager.sh --setup-renewal

# Check system status and health
sudo ./letsencrypt-ip-ssl-manager.sh --status

# View current configuration
./letsencrypt-ip-ssl-manager.sh --show-config

# List all certificates and expiration status
sudo ./letsencrypt-ip-ssl-manager.sh --list

# Force renewal of all certificates
sudo ./letsencrypt-ip-ssl-manager.sh --force-renew

# Check available ACME profiles
sudo ./letsencrypt-ip-ssl-manager.sh --check-profiles

# Create manual backup
sudo ./letsencrypt-ip-ssl-manager.sh --backup

# Emergency recovery mode
sudo ./letsencrypt-ip-ssl-manager.sh --emergency

# System integrity check
./letsencrypt-ip-ssl-manager.sh --integrity-check
```

The `203.0.113.10` and `2001:db8::1` addresses above are RFC 5737 / RFC 3849 documentation placeholders, which are reserved and therefore not certifiable; substitute your own public address.
Command | Description | Root Required |
---|---|---|
Certificate Operations | | |
`-i, --ip IP_ADDRESS` | Public IP address (IPv4 or IPv6) for the certificate | Yes |
`-e, --email EMAIL` | Email address for certificate notifications | Yes |
`-w, --webroot PATH` | Webroot path for the HTTP-01 challenge (default: /var/www/html) | Yes |
Interactive Setup | | |
`--setup` | Quick interactive setup for new users | Yes |
`--configure` | Interactive configuration wizard | Yes |
`--show-config` | Display current configuration | No |
Management Operations | | |
`--install` | Install certbot with profile support | Yes |
`--renew` | Renew existing IP certificates | Yes |
`--force-renew` | Force renewal of all certificates | Yes |
`--setup-renewal` | Configure automatic renewal (every 4 hours) | Yes |
`--list` | List all certificates and expiration status | Yes |
`--check-profiles` | Show available ACME profiles | Yes |
Information & Diagnostics | | |
`-h, --help` | Show comprehensive help message | No |
`-v, --version` | Show version information | No |
`--status` | Generate comprehensive system status report | Yes |
`--integrity-check` | Perform system integrity verification | No |
`--debug` | Enable debug logging for troubleshooting | No |
Maintenance & Recovery | | |
`--backup` | Create manual backup of configuration and certificates | Yes |
`--restore` | Interactive restore from backup | Yes |
`--emergency` | Emergency recovery mode with guided restoration | Yes |

The Root Required column follows how each command is invoked in the usage examples: anything that touches `/etc/letsencrypt`, installs packages or writes renewal units needs root; read-only commands such as `--show-config` and `--integrity-check` do not.
```bash
# 1. Clone and setup (recommended)
git clone https://github.com/yourusername/letsencrypt-ip-manager.git
cd letsencrypt-ip-manager
chmod +x letsencrypt-ip-ssl-manager.sh
sudo ./letsencrypt-ip-ssl-manager.sh --setup

# 2. Or manual steps
sudo ./letsencrypt-ip-ssl-manager.sh --install
curl -4 icanhazip.com   # check your public IPv4 (curl -6 icanhazip.com for IPv6)
sudo ufw allow 80/tcp   # open port 80 if using ufw
sudo ./letsencrypt-ip-ssl-manager.sh -i YOUR_PUBLIC_IP -e you@example.com
sudo ./letsencrypt-ip-ssl-manager.sh --setup-renewal

# 3. Verify everything is working
sudo ./letsencrypt-ip-ssl-manager.sh --status
sudo ./letsencrypt-ip-ssl-manager.sh --list
```
- Live certificates: `/etc/letsencrypt/live/YOUR_IP/`
  - `cert.pem`: the certificate
  - `privkey.pem`: the private key
  - `chain.pem`: the intermediate certificates
  - `fullchain.pem`: certificate + intermediates (what web servers should normally be pointed at)
- Main log: `/var/log/letsencrypt-ip-manager/ip-certificate.log`
- Error log: `/var/log/letsencrypt-ip-manager/error.log`
- Audit log: `/var/log/letsencrypt-ip-manager/audit.log`
- Renewal log: `/var/log/letsencrypt-ip-manager/renewal.log`
- Systemd timer: `/etc/systemd/system/certbot-ip-renew.timer`
- Systemd service: `/etc/systemd/system/certbot-ip-renew.service`
- Cron job: `/etc/cron.d/certbot-ip-renew`

The files under `live/` are symlinks into `/etc/letsencrypt/archive/`, and certbot keeps both directories root-only. Reference the `live/` paths from the web server configuration rather than copying `privkey.pem` elsewhere, so each 6-day renewal is picked up without loosening permissions.
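Because these certificates live only 6 days, the renewal job matters more than the initial issuance. The block below is an added illustration of what the timer, service and cron.d files listed above can contain; it is not the project's `--setup-renewal` implementation. It assumes certbot at `/usr/bin/certbot` (the symlink created during installation), nginx as the web server, and the unit and cron file names from the list above. The function takes its target directories as parameters so it can be exercised against a scratch directory before anything is written under `/etc`.

```bash
#!/usr/bin/env bash
# Added example (not the project's code): write a 4-hourly renewal job for
# 6-day IP certificates as a systemd service+timer pair plus a cron.d fallback.
# Assumptions: certbot at /usr/bin/certbot, nginx as the TLS terminator.

# install_ip_renewal_units UNIT_DIR CRON_DIR RELOAD_CMD
install_ip_renewal_units() {
  local unit_dir=${1:-/etc/systemd/system}
  local cron_dir=${2:-/etc/cron.d}
  local reload=${3:-systemctl reload nginx}
  # --preferred-profile shortlived asks the CA for the 6-day profile that IP
  # certificates require (flag available in certbot 4.0+). --deploy-hook runs only
  # when a certificate was actually re-issued; without it the web server keeps
  # serving the old certificate even though a fresh fullchain.pem is on disk.
  local renew_cmd="/usr/bin/certbot renew --quiet --preferred-profile shortlived --deploy-hook \"$reload\""

  cat >"$unit_dir/certbot-ip-renew.service" <<EOF
[Unit]
Description=Renew Let's Encrypt IP certificates (6-day shortlived profile)
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
ExecStart=$renew_cmd
EOF

  cat >"$unit_dir/certbot-ip-renew.timer" <<EOF
[Unit]
Description=Check IP certificate renewal every 4 hours

[Timer]
# 00:00, 04:00, 08:00, ... plus up to 15 minutes of jitter so a fleet does not hit the CA at once
OnCalendar=*-*-* 0/4:00:00
RandomizedDelaySec=900
# run at boot if a scheduled run was missed while the host was down
Persistent=true

[Install]
WantedBy=timers.target
EOF

  # cron.d fallback for hosts without systemd. Offset by 30 minutes so it never
  # collides with the timer on hosts that have both: certbot takes a lock and a
  # second concurrent run would simply fail.
  cat >"$cron_dir/certbot-ip-renew" <<EOF
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
30 */4 * * * root $renew_cmd
EOF
}

# Stand-alone use (as root): write the real files and enable the timer.
if [[ ${1:-} == --install ]]; then
  install_ip_renewal_units /etc/systemd/system /etc/cron.d "${2:-systemctl reload nginx}"
  systemctl daemon-reload
  systemctl enable --now certbot-ip-renew.timer
  systemctl list-timers certbot-ip-renew.timer
fi
```

Two details are easy to miss: the deploy hook is what makes the web server pick up the new key and chain, and `certbot renew` exits quickly when no certificate is due, so the 4-hour cadence costs little. Run the script as root with `--install` to write the real files and enable the timer.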
```nginx
server {
    # For an IPv6 address, bracket it: listen [2001:db8::1]:443 ssl http2;
    # (nginx >= 1.25.1 prefers a separate "http2 on;" directive)
    listen YOUR_IP:443 ssl http2;

    ssl_certificate     /etc/letsencrypt/live/YOUR_IP/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/YOUR_IP/privkey.pem;

    # Modern TLS configuration. Certbot 2.0+ issues ECDSA keys by default, so the
    # cipher list must include ECDHE-ECDSA suites or TLS 1.2 clients cannot connect.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    location / {
        root  /var/www/html;
        index index.html;
    }
}

# HTTP to HTTPS redirect. Let's Encrypt follows this redirect during the HTTP-01
# challenge, so the HTTPS block above must keep serving /var/www/html.
server {
    listen YOUR_IP:80;
    return 301 https://$host$request_uri;
}
```

Apache:

```apache
# For an IPv6 address, bracket it: <VirtualHost [2001:db8::1]:443>
<VirtualHost YOUR_IP:443>
    SSLEngine on
    # SSLCertificateChainFile is deprecated since Apache 2.4.8; point
    # SSLCertificateFile at fullchain.pem, which carries leaf and intermediates.
    SSLCertificateFile    /etc/letsencrypt/live/YOUR_IP/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/YOUR_IP/privkey.pem

    # Modern TLS configuration (ECDSA suites included: Certbot 2.0+ keys are ECDSA by default)
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384

    DocumentRoot /var/www/html
</VirtualHost>

# HTTP to HTTPS redirect (Let's Encrypt follows it for the HTTP-01 challenge)
<VirtualHost YOUR_IP:80>
    Redirect permanent / https://YOUR_IP/
</VirtualHost>
```

Whichever server you use, its reload must be wired into renewal (for example through certbot's `--deploy-hook`); with a 6-day lifetime, a server that is never reloaded will be serving an expired certificate within the week.
Production availability: Let's Encrypt is rolling out IP certificate support gradually. At the time of writing, issuance works in the staging environment, and production availability is expected later in 2025.
Why only 6 days: short-lived certificates limit the window of exposure if a private key is compromised, and they fit Let's Encrypt's fully automated issuance model, which assumes renewal is scripted rather than done by hand.
Private IP addresses are not supported: Let's Encrypt only issues certificates for publicly routable addresses, so 192.168.x.x, 10.x.x.x, 172.16-31.x.x, loopback and link-local addresses are rejected.
Renewal: the script installs two mechanisms, a systemd timer and a cron job, each attempting renewal every 4 hours, and logs every attempt to the renewal log for troubleshooting.
DNS-01 is not supported for IP address certificates; an IP address can only be validated with the HTTP-01 or TLS-ALPN-01 challenge.
"Port 80 is not accessible"
- Ensure the firewall allows port 80: `sudo ufw allow 80/tcp`
- Check whether another service already holds port 80: `sudo ss -tlnp | grep ':80 '` (or `sudo netstat -tlnp | grep :80` on systems without `ss`)
- If the host is behind NAT, port 80 on the public address must be forwarded to it

"IP address appears to be private"
- Verify you are using your public IP: `curl -4 icanhazip.com` (IPv4) or `curl -6 icanhazip.com` (IPv6)
- Check whether you are behind NAT or a proxy; the certificate is requested for the public address, and the HTTP-01 challenge must reach this host on port 80
- Documentation ranges such as 203.0.113.0/24 and 2001:db8::/32 (the placeholders used in the examples above) are reserved and will be rejected as well

"Certbot version too old"
- Update certbot: `sudo snap refresh certbot`
- Or reinstall through the script: `sudo ./letsencrypt-ip-ssl-manager.sh --install`

"Certificate expired"
- Check the renewal timer: `sudo systemctl status certbot-ip-renew.timer` (and `sudo systemctl list-timers certbot-ip-renew.timer` for the next scheduled run)
- Force renewal: `sudo ./letsencrypt-ip-ssl-manager.sh --force-renew`

Enable detailed logging:

```bash
sudo DEBUG=true ./letsencrypt-ip-ssl-manager.sh -i YOUR_IP -e you@example.com
```
Contributions are welcome! Please feel free to submit a Pull Request. For major changes, please open an issue first to discuss what you would like to change.
- Fork the repository
- Create your feature branch (`git checkout -b feature/AmazingFeature`)
- Commit your changes (`git commit -m 'Add some AmazingFeature'`)
- Push to the branch (`git push origin feature/AmazingFeature`)
- Open a Pull Request
This project is licensed under the MIT License - see the LICENSE file for details.
- Let's Encrypt - IP Address Certificates Announcement
- Let's Encrypt - ACME Profiles
- Let's Encrypt - Staging Environment
- Certbot Documentation
- ACME Protocol Specification
If you find this tool useful, please consider giving it a star on GitHub!
Made with ❤️ for the community by developers who believe in a secure and open internet.
Special thanks to Let's Encrypt for making HTTPS accessible to everyone.