Certbot 5.3+ Now Supports IP Address and Six-Day Certificates from Let's Encrypt

Summary

The Certbot team at the Electronic Frontier Foundation has released new features enabling users to obtain IP address and six-day SSL/TLS certificates from Let's Encrypt. The update introduces the --ip-address flag in Certbot 5.3 and builds on the --preferred-profile flag released in version 4.0, allowing developers and system administrators to secure IP-based infrastructure with publicly trusted certificates. Users can now run Certbot commands to request six-day certificates for IP addresses using webroot, manual, or standalone authentication plugins.

The implementation requires Certbot version 5.4 or higher for full webroot support with IP addresses. While Certbot can now issue IP address certificates, manual configuration of web server settings is still required to install them, and webserver-specific installers for nginx and Apache do not yet support this feature. Automatic renewal setup is necessary, requiring administrators to configure deploy hooks that instruct web servers to load updated certificates from disk.

• Manual certificate installation and deployment hook configuration required; automatic renewal setup recommended for continuous coverage

Editorial Opinion

This update democratizes secure infrastructure for IP-based deployments, a historically underserved use case in the certificate ecosystem. The six-day expiration window may initially seem burdensome compared to standard 90-day certificates, but it reflects a thoughtful security tradeoff—forcing more frequent validation cycles for dynamic IP environments. However, the lack of automatic installer support for popular web servers suggests this feature is still in its maturation phase and may face adoption barriers until those gaps are closed.