Let's Encrypt, which issues certificates free of charge, has made short-lived certificates and IP address certificates generally available.
Short-lived and IP address certificates are now generally available from Let’s Encrypt. These certificates are valid for 160 hours, just over six days. In order to get a short-lived certificate subscribers simply need to select the ‘shortlived’ certificate profile in their ACME client.
I was curious, so I tried them out briefly.
I intended to use the certbot command, but the Debian-packaged certbot is still 4.0.0 even in unstable and does not support this.
$ certbot --ip-address
usage: certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
Certbot can obtain and install HTTPS/TLS/SSL certificates. By default, it will attempt to use a webserver both for obtaining and installing the certificate.
certbot: error: unrecognized arguments: --ip-address
$ certbot --version
certbot 4.0.0
$ rmadison certbot
certbot | 1.12.0-2 | oldoldstable | all
certbot | 2.1.0-4 | oldstable | all
certbot | 4.0.0-2 | stable | all
certbot | 4.0.0-2 | testing | all
certbot | 4.0.0-2 | unstable | all
Support appears to have been committed two days ago in 58724f6.
So I installed certbot from source, following the Developer Guide, and tried it.
Building certbot from source
$ sudo apt install python3-dev python3-venv libaugeas-dev gcc (1)
$ git clone https://github.com/certbot/certbot (2)
$ cd certbot
$ git log --pretty=oneline -1
58724f68ec46c57dd3c3c8ed4ae686c2d7ad893b (HEAD -> 58724f6) Add CLI flag --ip-address (#10495)
$ python3 tools/venv.py (3)
$ source venv/bin/activate (4)
$ which certbot
/home/matoken/src/certbot/venv/bin/certbot
$ certbot --version
certbot 5.3.0.dev0
(1) Install the dependency packages
(2) Get the source
(3) Build
(4) Enter the certbot environment
Help for the options used this time
$ certbot help all | grep -A2 -- --ip-address
--ip-address IP_ADDRESSES
IP addresses to include. For multiple IP addresses you
can use multiple --ip-address flags. All IP addresses
will be included as Subject Alternative Names on the
certificate. (default: [])
$ certbot help all | grep -A8 -- --preferred-profile
--preferred-profile PREFERRED_PROFILE
Request the given profile name from the ACME server,
or fallback to default. If the given profile name
exists in the ACME directory, use it to request a a
certificate. Otherwise, fall back to requesting a
certificate without a profile (which means the CA will
use its default profile). This allows renewals to
succeed even if the CA deprecates and removes a given
profile. (default: None)
Obtaining the IP address certificate
$ sudo bash -c "source venv/bin/activate && certbot certonly --ip-address 84.247.152.162 --preferred-profile shortlived"
Checking the issued certificate
$ sudo cat /etc/letsencrypt/live/84.247.152.162/cert.pem | openssl x509 -noout -issuer -subject -dates
issuer=C=US, O=Let's Encrypt, CN=YE2
subject=
notBefore=Jan 18 23:06:01 2026 GMT
notAfter=Jan 25 15:06:00 2026 GMT
$ sudo cat /etc/letsencrypt/live/84.247.152.162/cert.pem | openssl x509 -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
06:e7:4e:65:fe:41:f7:9b:9e:38:12:12:64:13:85:b4:f3:dd
Signature Algorithm: ecdsa-with-SHA384
Issuer: C=US, O=Let's Encrypt, CN=YE2
Validity
Not Before: Jan 18 23:06:01 2026 GMT
Not After : Jan 25 15:06:00 2026 GMT
Subject:
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:d9:d9:68:d2:fe:7b:09:0d:c4:97:1e:fc:e4:1e:
65:50:90:cc:63:ec:6a:98:a3:5c:77:b6:d0:33:f5:
4d:8f:ec:38:d5:e8:1d:01:75:fb:d6:93:15:b9:f3:
f8:7e:a4:a9:7b:bf:d7:4d:a3:5e:d0:ca:8f:74:e5:
7a:98:bc:8e:9e
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Authority Key Identifier:
B9:59:F2:8E:CF:22:F0:86:D3:37:48:FF:76:14:18:BA:82:D8:55:87
Authority Information Access:
CA Issuers - URI:http://ye2.i.lencr.org/
X509v3 Subject Alternative Name: critical
IP Address:84.247.152.162
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
X509v3 CRL Distribution Points:
Full Name:
URI:http://ye2.c.lencr.org/94.crl
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 0E:57:94:BC:F3:AE:A9:3E:33:1B:2C:99:07:B3:F7:90:
DF:9B:C2:3D:71:32:25:DD:21:A9:25:AC:61:C5:4E:21
Timestamp : Jan 19 00:04:31.276 2026 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:20:19:47:12:58:F2:D7:9C:08:A5:0D:C0:5B:
F0:E7:DF:73:0F:64:77:B2:39:39:A4:3C:A1:D3:F0:39:
4E:7B:0D:91:02:21:00:87:BA:CE:E6:6E:F6:D3:52:D2:
BC:C4:ED:BE:26:6F:DE:BC:B7:17:5F:B6:47:4A:82:75:
A9:95:56:A0:68:FD:1F
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : E3:23:8D:F2:8D:A2:88:E0:AA:E0:AC:F0:FA:90:C9:85:
F0:B6:BF:F5:D2:A5:27:B0:01:FC:1C:44:58:C4:B6:E8
Timestamp : Jan 19 00:04:31.523 2026 GMT
Extensions: 00:00:05:00:2F:CD:F8:E5
Signature : ecdsa-with-SHA256
30:46:02:21:00:CD:4B:99:89:27:23:A9:B5:4E:68:D9:
A0:59:63:45:F5:8F:6A:5C:1F:C2:39:24:AF:60:E4:25:
FF:E6:53:08:4E:02:21:00:DE:9F:73:AB:35:BC:7D:5D:
E7:7A:CB:DE:A7:25:FE:2E:09:A3:2A:33:6E:3B:E4:4E:
D7:AD:67:B9:02:E5:36:B8
Signature Algorithm: ecdsa-with-SHA384
Signature Value:
30:64:02:30:09:90:c5:7b:2d:7c:21:7e:7a:21:77:3a:2d:8e:
cd:a1:4d:d1:5e:08:2f:8c:e7:b9:ad:19:39:33:d7:67:41:76:
68:39:26:f5:cf:8e:4d:42:5e:cf:45:69:e2:8a:18:ef:02:30:
2b:7f:6c:90:27:d1:e5:b1:dd:a2:2a:cb:20:d4:8c:27:0c:7c:
6d:9b:06:c8:52:bd:23:d6:aa:83:61:f5:13:fd:77:55:e9:ab:
29:e2:bd:82:84:4d:4f:81:4b:3b:76:8a
Checking the length of the validity period
$ echo $(( $( date +%s --date 'Jan 25 15:06:00 2026 GMT' ) - $( date +%s --date='Jan 18 23:06:01 2026 GMT' ) )) (1)
575999
$ echo $((160*60*60)) (2)
576000
(1) Number of seconds between notBefore and notAfter
(2) 160 hours converted to seconds
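As an added example (not part of the original post or of certbot), the shell functions below parse the `openssl x509 -noout -dates` output shown above, compute the validity period counting both endpoints (RFC 5280 defines the period as notBefore through notAfter, inclusive, so the 575999-second difference corresponds to a 576000-second, 160-hour period), and decide whether renewal is due. The function names and the 50% renewal threshold are assumptions for illustration, and GNU date is required.

```shell
#!/bin/sh
# Added example: lifetime and renewal check for a short-lived certificate.
# Input is the text printed by: openssl x509 -noout -dates -in cert.pem
# Function names and the 50% default threshold are hypothetical.

# Sample input: the -dates lines shown on this page for the issued certificate.
SAMPLE_DATES='notBefore=Jan 18 23:06:01 2026 GMT
notAfter=Jan 25 15:06:00 2026 GMT'

# Print the epoch seconds of one field (notBefore or notAfter).
# $1 = dates text, $2 = field name. Fails if the field is missing.
cert_epoch() {
    local value
    value=$(printf '%s\n' "$1" | sed -n "s/^$2=//p")
    [ -n "$value" ] || return 1
    date -u +%s --date "$value"
}

# Print the validity period in seconds.
# RFC 5280 validity is inclusive of both endpoints, hence the +1.
cert_lifetime_seconds() {
    local nb na
    nb=$(cert_epoch "$1" notBefore) || return 1
    na=$(cert_epoch "$1" notAfter) || return 1
    echo $(( na - nb + 1 ))
}

# Return 0 when renewal is due: less than $3 percent (default 50, an
# assumed policy) of the lifetime remains, or the certificate has expired.
# $1 = dates text, $2 = current time in epoch seconds.
needs_renewal() {
    local na life remaining pct
    pct=${3:-50}
    na=$(cert_epoch "$1" notAfter) || return 0   # unparsable: treat as due
    life=$(cert_lifetime_seconds "$1") || return 0
    remaining=$(( na - $2 ))
    [ $(( remaining * 100 )) -lt $(( life * pct )) ]
}

# Stand-alone demonstration on the sample input.
life=$(cert_lifetime_seconds "$SAMPLE_DATES")
echo "lifetime: $life seconds ($(( life / 3600 )) hours)"
if needs_renewal "$SAMPLE_DATES" "$(date -u +%s)"; then
    echo "renewal due"
else
    echo "renewal not yet due"
fi
```

With a validity period of 160 hours, a renewal job that runs only weekly will miss the window, so a check like this belongs in a timer that fires at least daily.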
Environment
$ git log --pretty=oneline -1
58724f68ec46c57dd3c3c8ed4ae686c2d7ad893b (HEAD -> 58724f6) Add CLI flag --ip-address (#10495)
$ dpkg-query -W python3-dev python3-venv libaugeas-dev gcc
gcc 4:14.2.0-1
libaugeas-dev:amd64 1.14.1-1+b3
python3-dev 3.13.5-1
python3-venv 3.13.5-1
$ lsb_release -dr
Description: Debian GNU/Linux 13 (trixie)
Release: 13
$ arch
x86_64