Is it possible to use an IP address with AP?
-
SAN does support IPs.
-
Right, it can be done, but would require a CA who supports that; not all do. For example, Let's Encrypt doesn't allow bare IP addresses. I was assuming the question about an IP address was raised due to aversion to purchasing a domain name. If so, then a TLS certificate is another cost to consider, and if not using a domain name, then the main free option becomes unavailable.
-
If you can point me to a CA that will allow you to request a cert for an IP address, that'd be great.
-
Okay, thanks!
-
kopper [they/them] replied to [email protected] last edited by
there is a general "encrypted transport" requirement which in real world use mandates HTTPS (although it's worded broadly to allow for onion services and whatnot which provide their own encryption outside TLS)
-
[email protected] replied to [email protected] last edited by
I haven't tried this, but searching Google shows SSL.com does allow it, granted you can demonstrate the requirements:
- The IP address you wish to secure must be public, and your organization must own it.
  - The IP address ranges 10.x.x.x and 192.168.x.x are prohibited.
  - A WHOIS lookup of the IP address should show your organization’s name, address, phone number, and email contacts (not your web hosting provider’s).
- Control over the IP address must be demonstrated by the HTTP/HTTPS file lookup method. The email challenge response and DNS CNAME lookup methods may not be used to validate an IP address.
-
[email protected] replied to [email protected] last edited by
So you need to own and operate your own ASN. I guess that's better than what I thought but it's nowhere near attainable for regular people.
-
[email protected] replied to [email protected] last edited by
If you are OK with IPv6, you can get a /48 and a 4-byte ASN for a few hundred dollars for the registration fee. The 4-byte ASN isn't even necessary. You can then use AWS/Oracle/AliBaba or some other public cloud to advertise your registered IPv6 address block on your behalf. A WHOIS will show the details you used with the registrar.
-
[email protected] replied to [email protected] last edited by
I'm pretty sure most browsers will straight up refuse to load content from bare IPv6 addresses regardless of cert status, no? I remember having problems with this with an internal CA.
-
[email protected] replied to [email protected] last edited by
Googling it, is this relevant?
https://superuser.com/a/367788
-
[email protected] replied to [email protected] last edited by
Not really. I can't find an official source for this, so maybe this has been fixed, but from what I remember this was explicitly disabled for security.
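
To illustrate the point earlier in the thread that SAN supports IPs, here is an added example (not code from any poster) of how a client-side check matches a bare IP against a certificate: only iPAddress SAN entries count, and IPv6 spellings are normalized before comparing. The certificate dict is a constructed sample in the shape Python's `ssl.SSLSocket.getpeercert()` returns, and `cert_covers_host` is a hypothetical helper name.

```python
import ipaddress

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# names and addresses are documentation values, not from a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "203.0.113.10"),),),
    "subjectAltName": (
        ("DNS", "social.example"),
        ("DNS", "198.51.100.7"),  # IP typed into a DNS entry: must not match
        ("IP Address", "203.0.113.10"),
        ("IP Address", "2001:DB8:0:0:0:0:0:1"),  # long spelling of 2001:db8::1
    ),
}


def _as_ip(text):
    """Return an ip_address object, or None if text is not an IP literal."""
    try:
        return ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return None


def cert_covers_host(cert, host):
    """True if the certificate's SAN covers `host`.

    IP literals are compared only against "IP Address" entries (DNS entries
    and the subject CN are not consulted); names only against DNS entries.
    Wildcards are left out to keep the example focused on IPs.
    """
    sans = cert.get("subjectAltName", ())
    wanted_ip = _as_ip(host)
    if wanted_ip is not None:
        san_ips = (_as_ip(v) for kind, v in sans if kind == "IP Address")
        return any(ip == wanted_ip for ip in san_ips if ip is not None)
    return any(kind == "DNS" and v.lower() == host.lower().rstrip(".")
               for kind, v in sans)


if __name__ == "__main__":
    for h in ("203.0.113.10", "[2001:db8::1]", "198.51.100.7", "social.example"):
        print(h, cert_covers_host(SAMPLE_CERT, h))
```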