We see that #LetsEncrypt is now experimentally issuing IPv4 and IPv6 certs! (https://letsencrypt.org/2025/07/01/issuing-our-first-ip-address-certificate/).
This is fantastic news for people who want to set up their own #DOH or #DOT servers that support automatic encryption upgrade (DDR - https://datatracker.ietf.org/doc/rfc9462/).
We look forward to this being put into production. We wish the expiry time was a bit longer - maybe a new profile with 30 day validity? But in any case - great to see this happening.
#Development #Announcements
Our first IP address certificate · Let’s Encrypt starts rolling out the new option https://ilo.im/16530s
_____
#LetsEncrypt #CA #IpAddress #Certificate #SSL #TLS #HTTPS #WebDev #Frontend #Backend
@aral wrote: "If your friends and family are trying to phish you, you have bigger problems."
Phishing means that an adversary *claiming to be* someone you know (including friends and family) convinces you to click on a link.
The purpose of a certificate, telling a receiver *WHO* (human readable) owns the associated private key (the last resort to distinguish between fake and authentic), now has completely vanished.
As if phishing is not already the nr. 1 problem on the internet.
Note: I'm fine with the idea provided that browsers clearly inform users about the reliability of authenticity (I've read your article, did you read https://infosec.exchange/@ErikvanStraten/113079966331873386 ?)
Thanking the @letsencrypt folks for the excellent work they do, and especially for their upcoming support for security certificates for IP addresses which is nothing short of revolutionary for the future of the (Small) Web.
https://community.letsencrypt.org/t/getting-ready-to-issue-ip-address-certificates/238777/22
Introducing Web Numbers
Domains? Where we’re going, we don’t need domains!
Get ready for an exciting new (old?) way to address (small) web sites in 2026.
https://ar.al/2025/06/25/web-numbers/
(Thanks to @letsencrypt.)
How to Install #PeerTube on #Ubuntu VPS
This article provides an in-depth guide demonstrating how to install PeerTube on Ubuntu VPS.
What is PeerTube?
PeerTube is a decentralized, federated video hosting platform powered by WebTorrent and ActivityPub. It enables users to self-host video services and interact with other PeerTube ...
Continued https://blog.radwebhosting.com/how-to-install-peertube-on-ubuntu-vps/?utm_source=mastodon&utm_medium=social&utm_campaign=mastodon.raddemo.host #decentralized #letsencrypt #videostreaming #installguide #nodejs #selfhosted #selfhosting #vpsguide #fediverse #opensource
@mms why is Let's Encrypt going to become shit? Very bad news if true.
And no, #letsencrypt has no plans to offer client certificates. Which led to me the concept of https://nerdcert.eu ;) Which is NOT a project or a product yet. But could very well become such a thing :)
4/4
My current conspiracy theory: Now that #letsencrypt has more or less destroyed the market for domain certificates and people are more interested in using client/user certificate, Google throws the market a lifeline by removing clientAuth from acceptable certificates in the browser context with some vague "it's about security" arm waving. #NerdTalk
1/4
Remember the threads¹² about #LetsEncrypt removing a crucial key usage from certificates issued by them in predictive obedience to their premium sponsor Google?
We were at first concerned about #SMTP. While I had lived through this problem with #StartSSL by #StartCom back in 2011, I only had a vague recollection of Jabber but recalled in detail that it broke server-to-server SMTP verification (whether the receiving server acted on it or just documented it).
Well, turns out someone now reported that it indeed breaks #XMPP entirely: https://community.letsencrypt.org/t/do-not-remove-tls-client-auth-eku/237427/66
This means that it will soon no longer be possible at all to operate Jabber (XMPP) servers because the servers use the operating system’s CA certificate bundle for verification, which generally follows the major browsers’ root stores, which have requirements from the CA/Browser forum, which apparently doesn’t care about anything other than the web browser, and so no CA whose root certificate is in that store will be allowed to issue certificates suitable for Jabber/XMPP server-to-server communication while these CAs are the only ones trusted by those servers.
So, yes, Google’s requirement change is after all breaking Jabber entirely. Shame on anyone who thinks ill of it.
While https://nerdcert.eu/ by @jwildeboer would in theory help, it’s not existent yet, and there’s not just the question of when it will be included in operating systems’ root CA stores but whether it will be included in them at all.
Google’s policy has no listed contact point, and the CA/B forum isn’t something mere mortals can complain to, so I’d appreciate it if someone who can, who has significant skills to argue this in English, and who is willing to, would bring it to them.
① mine: https://toot.mirbsd.org/@mirabilos/statuses/01JV8MDA4P895KK6F91SV7WET8
② jwildeboer’s: https://social.wildeboer.net/@jwildeboer/114516238307785904
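Added example (written for this page; not code from the thread’s authors, from Let’s Encrypt, or from nerdcert.eu): a small POSIX sh check, using the openssl command line, for whether a certificate still carries the TLS Client Authentication EKU (id-kp-clientAuth, OID 1.3.6.1.5.5.7.3.2) that the XMPP server-to-server verification discussed above depends on. So that it runs offline, it generates two constructed self-signed certificates, one with serverAuth plus clientAuth and one with serverAuth only; the hostname xmpp.example.test and the file names are made up, and the script assumes OpenSSL 1.1.1 or newer (for the `-addext` and `-ext` options).

```shell
#!/bin/sh
# Added example: report whether a PEM certificate lists clientAuth in its
# extendedKeyUsage. Requires OpenSSL >= 1.1.1 (for `req -addext` and `x509 -ext`).

# cert_has_client_auth FILE: return 0 if FILE's EKU lists clientAuth,
# 1 if it does not (or if the certificate has no EKU extension at all).
cert_has_client_auth() {
    openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null \
        | grep -q 'TLS Web Client Authentication'
}

# cert_eku FILE: print the EKU purposes on one line (empty if none), for reporting.
# `openssl x509 -ext` prints a header line followed by the indented purpose list.
cert_eku() {
    openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null \
        | sed -n '2p' | sed 's/^[[:space:]]*//'
}

# make_test_cert FILE EKUS: generate a constructed self-signed certificate with the
# given extendedKeyUsage list (sample data for this example, not a CA-issued cert).
make_test_cert() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "${1%.pem}.key" -out "$1" -days 1 \
        -subj "/CN=xmpp.example.test" \
        -addext "extendedKeyUsage=$2" >/dev/null 2>&1
}

# Constructed inputs: one cert the way it looked before the EKU change, one after.
WORK=$(mktemp -d)
make_test_cert "$WORK/both.pem"   "serverAuth,clientAuth"
make_test_cert "$WORK/server.pem" "serverAuth"

for f in "$WORK/both.pem" "$WORK/server.pem"; do
    if cert_has_client_auth "$f"; then
        echo "$(basename "$f"): clientAuth present ($(cert_eku "$f"))"
    else
        echo "$(basename "$f"): clientAuth MISSING ($(cert_eku "$f")); peers that require it for server-to-server auth will reject this cert"
    fi
done
```

To check a certificate you already have on disk, call `cert_has_client_auth /path/to/fullchain.pem` and branch on its exit status; the second, serverAuth-only certificate in the script is what an issued certificate will look like once the EKU is dropped.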
yet another ACME client, based on uacme: https://github.com/llfw/lfacme
good:
+ uses uacme and POSIX /bin/sh
+ better configuration/hook system than dehydrated
+ comes with manpages
+ small and simple
+ supports Kerberized dns-01 domain validation
bad:
- only supports Kerberized dns-01 domain validation (but this could be improved)
- only tested on FreeBSD (but this could be improved too)
/cc @_bapt_
UPDATE: Thx to the replies, I implemented the change for all my domains, did a `certbot renew --dry-run` and that succeeded. Yay to a cleaner config :)
#NerdQuestion. When I move {server [...] } blocks in `/etc/nginx/nginx.conf` to separate files in the `/etc/nginx/conf.d` directory, will certbot still find them and will automatic renewals just keep working as before? Anyone with experience on that?
Just requested that Auto Encrypt¹ be added to the list of @letsencrypt clients for Node.js and that Kitten² be added to the list of projects that integrate Let’s Encrypt support:
• https://github.com/letsencrypt/website/pull/1921
• https://github.com/letsencrypt/website/pull/1922
I originally requested that Auto Encrypt and Site.js (the precursor to Kitten, now sunset) be added to the list in 2021. It was not approved (no reason given), so hopefully this time will be different.
https://github.com/letsencrypt/website/pull/1203
¹ https://codeberg.org/small-tech/auto-encrypt
² https://kitten.small-web.org
Auto Encrypt – heads up!
In the next minor version release of Auto Encrypt¹, we’ll be moving from a hard-coded date-based certificate renewal check to using ACME Renewal Information (ARI)².
The change³ should be seamless.
If you have any concerns, now is the time to raise them :)
#AutoEncrypt #TLS #LetsEncrypt #SmallTech #SmallWeb
¹ Drop-in Node.js https server replacement that automatically provisions and renews Let’s Encrypt certificates for you. (https://codeberg.org/small-tech/auto-encrypt#auto-encrypt)
² https://datatracker.ietf.org/doc/draft-ietf-acme-ari/
³ https://codeberg.org/small-tech/auto-encrypt/src/branch/main/CHANGELOG.md#4-4-0-2025
To all the people upset about #letsencrypt removing TLS Client Auth support from certificates, yes it sucks, but please direct your anger at Google who initiated this change. LetsEncrypt cannot exist if the biggest browser doesn't accept their certificates. Yell at Google, Not LE please.
Sure, #LetsEncrypt, you can say that using certificates with the ClientAuth EKU is a minor use case and that this functionality was never guaranteed to always be available and all of that. But the fact remains: you are removing a feature from your certificates that has been here for a very long time, just because Google demands this. Why does Google want this? I will ask them. But I am quite sure that this #oopsie side effect is not an oversight.
3/5
I am totally sure (sarcasm included) that #Google has totally overlooked that their planned changes to their root program requirements will cause a lot of problems for mailserver owners like me who in future might run into weird problems with #Letsencrypt certificates for SMTP. I am sure that Google is absolutely not trying to make running your own mailserver even more complicated just to protect their gmail business. That would be totally not how Google thinks, amirite? https://letsencrypt.org/2025/05/14/ending-tls-client-authentication/
Dear #Letsencrypt, you helped secure millions and millions of servers, not just web servers. But your announcement at https://letsencrypt.org/2025/05/14/ending-tls-client-authentication/ about Ending TLS Client Authentication Certificate Support in 2026 because Google changes their requirements would result in your certificates becoming a possible risk for securing SMTP traffic. Please think again. Please.
1/5