Trying out Let’s Encrypt short-lived certificates and IP address certificates

Let’s Encrypt, which issues certificates free of charge, has made short-lived certificates and IP address certificates generally available.

Short-lived and IP address certificates are now generally available from Let’s Encrypt. These certificates are valid for 160 hours, just over six days. In order to get a short-lived certificate subscribers simply need to select the ‘shortlived’ certificate profile in their ACME client.

I was curious, so I tried it out a bit.

I wanted to try it with the certbot command, but the Debian package version of certbot is 4.0.0 even in unstable and does not support it.

$ certbot --ip-address
usage:
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: --ip-address
$ certbot --version
certbot 4.0.0
$ rmadison certbot
certbot    | 1.12.0-2      | oldoldstable | all
certbot    | 2.1.0-4       | oldstable    | all
certbot    | 4.0.0-2       | stable       | all
certbot    | 4.0.0-2       | testing      | all
certbot    | 4.0.0-2       | unstable     | all

The support appears to have been committed two days ago in 58724f6.

So I installed it from source while following the Developer Guide, and tried it that way.

Building certbot from source
$ sudo apt install python3-dev python3-venv libaugeas-dev gcc (1)
$ git clone https://github.com/certbot/certbot (2)
$ cd certbot
$ git log --pretty=oneline -1
58724f68ec46c57dd3c3c8ed4ae686c2d7ad893b (HEAD -> 58724f6) Add CLI flag --ip-address (#10495)
$ python3 tools/venv.py (3)
$ source venv/bin/activate (4)
$ which certbot
/home/matoken/src/certbot/venv/bin/certbot
$ certbot --version
certbot 5.3.0.dev0
  1. Install the dependency packages

  2. Obtain the source

  3. Build

  4. Enter the certbot environment

Help for the options used this time
$ certbot help all | grep -A2 -- --ip-address
  --ip-address IP_ADDRESSES
                        IP addresses to include. For multiple IP addresses you
                        can use multiple --ip-address flags. All IP addresses
                        will be included as Subject Alternative Names on the
                        certificate. (default: [])
$ certbot help all | grep -A8 -- --preferred-profile
  --preferred-profile PREFERRED_PROFILE
                        Request the given profile name from the ACME server,
                        or fallback to default. If the given profile name
                        exists in the ACME directory, use it to request a a
                        certificate. Otherwise, fall back to requesting a
                        certificate without a profile (which means the CA will
                        use its default profile). This allows renewals to
                        succeed even if the CA deprecates and removes a given
                        profile. (default: None)
Obtaining an IP address certificate
$ sudo bash -c "source venv/bin/activate && certbot certonly --ip-address 84.247.152.162 --preferred-profile shortlived"
Checking the issued certificate
$ sudo cat /etc/letsencrypt/live/84.247.152.162/cert.pem | openssl x509 -noout -issuer -subject -dates
issuer=C=US, O=Let's Encrypt, CN=YE2
subject=
notBefore=Jan 18 23:06:01 2026 GMT
notAfter=Jan 25 15:06:00 2026 GMT
$ sudo cat /etc/letsencrypt/live/84.247.152.162/cert.pem | openssl x509 -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            06:e7:4e:65:fe:41:f7:9b:9e:38:12:12:64:13:85:b4:f3:dd
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C=US, O=Let's Encrypt, CN=YE2
        Validity
            Not Before: Jan 18 23:06:01 2026 GMT
            Not After : Jan 25 15:06:00 2026 GMT
        Subject:
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:d9:d9:68:d2:fe:7b:09:0d:c4:97:1e:fc:e4:1e:
                    65:50:90:cc:63:ec:6a:98:a3:5c:77:b6:d0:33:f5:
                    4d:8f:ec:38:d5:e8:1d:01:75:fb:d6:93:15:b9:f3:
                    f8:7e:a4:a9:7b:bf:d7:4d:a3:5e:d0:ca:8f:74:e5:
                    7a:98:bc:8e:9e
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier:
                B9:59:F2:8E:CF:22:F0:86:D3:37:48:FF:76:14:18:BA:82:D8:55:87
            Authority Information Access:
                CA Issuers - URI:http://ye2.i.lencr.org/
            X509v3 Subject Alternative Name: critical
                IP Address:84.247.152.162
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://ye2.c.lencr.org/94.crl

            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 0E:57:94:BC:F3:AE:A9:3E:33:1B:2C:99:07:B3:F7:90:
                                DF:9B:C2:3D:71:32:25:DD:21:A9:25:AC:61:C5:4E:21
                    Timestamp : Jan 19 00:04:31.276 2026 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:19:47:12:58:F2:D7:9C:08:A5:0D:C0:5B:
                                F0:E7:DF:73:0F:64:77:B2:39:39:A4:3C:A1:D3:F0:39:
                                4E:7B:0D:91:02:21:00:87:BA:CE:E6:6E:F6:D3:52:D2:
                                BC:C4:ED:BE:26:6F:DE:BC:B7:17:5F:B6:47:4A:82:75:
                                A9:95:56:A0:68:FD:1F
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : E3:23:8D:F2:8D:A2:88:E0:AA:E0:AC:F0:FA:90:C9:85:
                                F0:B6:BF:F5:D2:A5:27:B0:01:FC:1C:44:58:C4:B6:E8
                    Timestamp : Jan 19 00:04:31.523 2026 GMT
                    Extensions: 00:00:05:00:2F:CD:F8:E5
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:CD:4B:99:89:27:23:A9:B5:4E:68:D9:
                                A0:59:63:45:F5:8F:6A:5C:1F:C2:39:24:AF:60:E4:25:
                                FF:E6:53:08:4E:02:21:00:DE:9F:73:AB:35:BC:7D:5D:
                                E7:7A:CB:DE:A7:25:FE:2E:09:A3:2A:33:6E:3B:E4:4E:
                                D7:AD:67:B9:02:E5:36:B8
    Signature Algorithm: ecdsa-with-SHA384
    Signature Value:
        30:64:02:30:09:90:c5:7b:2d:7c:21:7e:7a:21:77:3a:2d:8e:
        cd:a1:4d:d1:5e:08:2f:8c:e7:b9:ad:19:39:33:d7:67:41:76:
        68:39:26:f5:cf:8e:4d:42:5e:cf:45:69:e2:8a:18:ef:02:30:
        2b:7f:6c:90:27:d1:e5:b1:dd:a2:2a:cb:20:d4:8c:27:0c:7c:
        6d:9b:06:c8:52:bd:23:d6:aa:83:61:f5:13:fd:77:55:e9:ab:
        29:e2:bd:82:84:4d:4f:81:4b:3b:76:8a
Checking the length of the validity period
$ echo $(( $( date +%s --date 'Jan 25 15:06:00 2026 GMT' ) - $( date +%s --date='Jan 18 23:06:01 2026 GMT' ) )) (1)
575999
$ echo $((160*60*60)) (2)
576000
  1. Check the number of seconds between notBefore and notAfter

  2. Convert 160 hours to seconds

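The validity arithmetic above is something you will want to automate once you run six-day certificates, because there is no longer a month of slack to notice a failed renewal. The following is an added example, not code from the post or from certbot: it parses the two lines that `openssl x509 -noout -dates` prints and the `IP Address:` SAN entry from `-text` output (the sample strings below are constructed from the values shown in this post), computes the lifetime, checks it against the 160-hour 'shortlived' profile, and reports whether renewal is due. The one-third-of-lifetime renewal threshold and the 60-second tolerance are assumptions of this example, not values taken from Let’s Encrypt or certbot.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the output of `openssl x509 -noout -dates`, using the
# notBefore/notAfter values of the certificate shown in this post.
SAMPLE_DATES = """notBefore=Jan 18 23:06:01 2026 GMT
notAfter=Jan 25 15:06:00 2026 GMT
"""

# Constructed sample: the Subject Alternative Name entry from `-text` output.
SAMPLE_SAN = "                IP Address:84.247.152.162"

SHORTLIVED_HOURS = 160  # lifetime of the 'shortlived' profile, as stated in the post


def parse_openssl_date(value):
    # openssl prints dates like "Jan 25 15:06:00 2026 GMT"; %Z accepts "GMT".
    naive = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z")
    return naive.replace(tzinfo=timezone.utc)


def parse_dates(text):
    # Turn "notBefore=..." / "notAfter=..." lines into two aware datetimes.
    fields = dict(line.split("=", 1) for line in text.strip().splitlines() if "=" in line)
    return parse_openssl_date(fields["notBefore"]), parse_openssl_date(fields["notAfter"])


def lifetime_seconds(not_before, not_after):
    # Same quantity the post computes with date(1) and $(( ... )): 575999 for this cert.
    return int((not_after - not_before).total_seconds())


def is_shortlived(not_before, not_after, tolerance_seconds=60):
    # The observed lifetime is one second short of 160h, so compare with a tolerance
    # (60 s is an assumption of this example, not a documented value).
    expected = SHORTLIVED_HOURS * 3600
    return abs(lifetime_seconds(not_before, not_after) - expected) <= tolerance_seconds


def hours_remaining(not_after, now):
    return (not_after - now).total_seconds() / 3600


def needs_renewal(not_before, not_after, now, fraction=1 / 3):
    # Assumed policy: renew once only `fraction` of the lifetime is left.
    # For a 160h certificate that is roughly 53h before expiry.
    remaining = (not_after - now).total_seconds()
    return remaining <= lifetime_seconds(not_before, not_after) * fraction


def san_ip_addresses(text):
    # Collect the IP SAN entries; an IP certificate should carry at least one.
    return re.findall(r"IP Address:([0-9A-Fa-f.:]+)", text)


if __name__ == "__main__":
    nb, na = parse_dates(SAMPLE_DATES)
    now = datetime.now(timezone.utc)
    print("lifetime seconds:", lifetime_seconds(nb, na))
    print("matches shortlived profile:", is_shortlived(nb, na))
    print("IP SANs:", san_ip_addresses(SAMPLE_SAN))
    print("hours remaining:", round(hours_remaining(na, now), 1))
    print("renewal due:", needs_renewal(nb, na, now))
```

In practice you would feed this the output of `openssl x509 -noout -dates -in /etc/letsencrypt/live/<name>/cert.pem` from a cron job or a monitoring check, and alert when `needs_renewal` stays true for more than one renewal cycle, since a short-lived certificate that fails to renew goes from valid to expired within days rather than weeks.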
Environment
$ git log --pretty=oneline -1
58724f68ec46c57dd3c3c8ed4ae686c2d7ad893b (HEAD -> 58724f6) Add CLI flag --ip-address (#10495)
$ dpkg-query -W python3-dev python3-venv libaugeas-dev gcc
gcc     4:14.2.0-1
libaugeas-dev:amd64     1.14.1-1+b3
python3-dev     3.13.5-1
python3-venv    3.13.5-1
$ lsb_release -dr
Description:    Debian GNU/Linux 13 (trixie)
Release:        13
$ arch
x86_64
