Found out that Let's Encrypt supports IP TLS certs on staging:
It uses the shortlived profile:
Looked at the Traefik GitHub and found the profile parameter:
You can configure most, if not all, of the features (yaml):
```yaml
certificatesResolvers:  # parent key in Traefik's static configuration
  letsEncryptIP:
    acme:
      email: "address@domain.tld"
      storage: "/letsencrypt/acmeip.json"
      # CA server to use.
      # Uncomment the line to use Let's Encrypt's staging server,
      # leave commented to go to prod.
      # Default: "https://acme-v02.api.letsencrypt.org/directory"
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      # The certificates' duration in hours.
      # It defaults to 2160 (90 days) to follow Let's Encrypt certificates' duration.
      # Optional
      certificatesDuration: 160 # Duration for shortlived
      # Preferred chain to use.
      # If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
      # If no match, the default offered chain will be used.
      # Optional
      # Default: ""
      # preferredChain: 'ISRG Root X1'
      # KeyType to use.
      # Default: "RSA4096"
      # Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
      # keyType: RSA4096
      # Use a TLS-ALPN-01 ACME challenge.
      # tlsChallenge:
      # Use a HTTP-01 ACME challenge.
      httpChallenge:
        # Required
        entryPoint: web
      # found profile parameter at https://github.com/traefik/traefik
      profile: shortlived
```
When I attempt to configure a router, I get this error message (IPv4 and IPv6 addresses have been replaced and tokens redacted):
```
2025-07-09T17:28:01-05:00 ERR Cannot retrieve the ACME challenge for [89:a1234::4] (token "<REDACTED>") providerName=acme
2025-07-09T17:28:03-05:00 ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [1.2.3.4]: error: one or more domains had a problem:\n1.2.3.4: acme: error: 400 :: POST :: https://acme-staging-v02.api.letsencrypt.org/acme/finalize/211687314/25947859584 :: urn:ietf:params:acme:error:badCSR :: Error finalizing order :: CSR contains IP address in Common Name" ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory domains=["1.2.3.4"] providerName=letsEncryptIP.acme routerName=redirectIPv4toDomain@file rule="Host(`1.2.3.4`) || HostRegexp(`^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}$`)"
2025-07-09T17:28:07-05:00 ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [89:a1234::4]: error: one or more domains had a problem:\n[89:a1234::4] invalid authorization: acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: 89:a1234::4: Invalid response from http://[89:a1234::4]/.well-known/acme-challenge/<REDACTED>: 404\n" ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory domains=["89:a1234::4"] providerName=letsEncryptIP.acme routerName=redirectIPv6toDomain@file rule="Host(`89:a1234::4`) || HostRegexp(`^(\\[|)(([a-f0-9:]+:+)+[a-f0-9]+)(\\[|)$`)"
```
If you do not specify the shortlived profile, you get an even more abbreviated (and, it would seem, less successful) error message.
Are there any next steps to configure this feature or support the IP-based certificate?
Not sure which version of go-acme (Lego?) Traefik uses. Looks like v2 supports it already:
" * Support RFC 8738: certificates for IP addresses"
Would there be a way I could add a container to my stack, have it do the IP certificate detail and have that available in a path for Traefik to use?
I see that you can add external certificates as documented here (Traefik TLS Documentation), but I do not understand how a router and a certificate get matched up?
The possibly better path: is there a way to publish additional parameters in the Traefik config that Lego will use?
Just checked the documents; there are some LEGO environment variables you can set to augment how ACME works... but I think this might affect all of LEGO, not just the certificates that I want to create/renew based on IP.
The way regular custom TLS certs work: the cert includes a main (example.com) and optional SANs (some sub.example.com or a wildcard *). Host or HostSNI is used to find a matching TLS cert. Fallback is to a default cert, if defined. Last resort is a custom-generated Traefik cert.
I don't know about the new IP certs. Is the IP used as main? Then you would probably need to use the IP in .rule=Host(`1.2.3.4`). Is this what you want, to access the service by IP only, with no domain name?
And for regular automated Let's Encrypt in Traefik, the name from Host() or HostSNI() is used to create a new TLS cert, unless specific main/sans have already been defined.
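The two questions hanging over this thread are where the IP lives in an RFC 8738 certificate and how a proxy then matches a Host()/HostSNI() name against it. The following is an added example (not code from the thread, from Traefik or from Lego) written in Go with the standard crypto/x509 package. It builds two CSRs for the same addresses, one with the IP copied into the Subject Common Name (the shape behind the "CSR contains IP address in Common Name" badCSR error above) and one with the IPs only in the Subject Alternative Name list as RFC 8738 requires, then issues a self-signed certificate (a constructed stand-in for the CA-issued one) and shows that the candidate name is matched against the IP SANs, including a bracketed IPv6 literal, while an unrelated IP or a DNS name does not match. The addresses are documentation ranges (RFC 5737 / RFC 3849), chosen here as placeholders; the 160-hour validity mirrors the certificatesDuration in the posted config and is not a Let's Encrypt value taken from this page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// ipCSR builds a CSR for the given IPs. RFC 8738 places them in the SAN
// iPAddress list; withCN additionally copies the first IP into the Subject
// CN, which is the form the CA rejected in the log above.
func ipCSR(key *ecdsa.PrivateKey, ips []net.IP, withCN bool) (*x509.CertificateRequest, error) {
	tmpl := &x509.CertificateRequest{IPAddresses: ips}
	if withCN {
		tmpl.Subject = pkix.Name{CommonName: ips[0].String()}
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

// csrHasIPCommonName reports whether the Subject CN parses as an IP literal,
// the condition the "CSR contains IP address in Common Name" error describes.
func csrHasIPCommonName(csr *x509.CertificateRequest) bool {
	return net.ParseIP(csr.Subject.CommonName) != nil
}

// selfSignedIPCert is a constructed stand-in for the CA-issued certificate
// (self-signed, no CN, IPs only in the SAN) so matching can be tested offline.
func selfSignedIPCert(key *ecdsa.PrivateKey, ips []net.IP) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(160 * time.Hour), // assumed short-lived validity
		IPAddresses:  ips,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// certMatches is the check a proxy does when picking a certificate for a
// Host/SNI name: the name must appear in the SANs. VerifyHostname treats an
// IP literal (bare or "[v6]") as an IP and compares it to IPAddresses; any
// other string is compared to DNSNames only.
func certMatches(cert *x509.Certificate, name string) bool {
	return cert.VerifyHostname(name) == nil
}

// demo runs the whole flow with constructed addresses and returns each check
// by name so the results can be asserted on rather than only printed.
func demo() (map[string]bool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	ips := []net.IP{net.ParseIP("192.0.2.10"), net.ParseIP("2001:db8::4")}
	badCSR, err := ipCSR(key, ips, true)
	if err != nil {
		return nil, err
	}
	goodCSR, err := ipCSR(key, ips, false)
	if err != nil {
		return nil, err
	}
	cert, err := selfSignedIPCert(key, ips)
	if err != nil {
		return nil, err
	}
	return map[string]bool{
		"csr_with_ip_cn_is_bad":   csrHasIPCommonName(badCSR),
		"csr_san_only_is_ok":      !csrHasIPCommonName(goodCSR),
		"matches_ipv4":            certMatches(cert, "192.0.2.10"),
		"matches_ipv6_bare":       certMatches(cert, "2001:db8::4"),
		"matches_ipv6_bracketed":  certMatches(cert, "[2001:db8::4]"),
		"matches_other_ip":        certMatches(cert, "198.51.100.7"),
		"matches_dns_name":        certMatches(cert, "example.com"),
	}, nil
}

func main() {
	results, err := demo()
	if err != nil {
		panic(err)
	}
	for name, ok := range results {
		fmt.Printf("%-24s %v\n", name, ok)
	}
}
```

The practical reading for the thread: a router rule of Host(`1.2.3.4`) can only be served by a certificate whose SAN list contains that IP, so an externally obtained RFC 8738 certificate dropped into Traefik's TLS store is selected on the SAN, not on any "domain" field; and a client that sends the IPv6 literal with brackets is still matched against the same SAN entry.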
That specifically uses the certResolver, which is an ACME or other type detail, and it generates the cert. I'm curious about using a side container with a modern go-acme client in it to generate the certs; then I would assume that I wouldn't have a certResolver, but I might have domains (IPs) that I would specify in each IP-based router config. Possibly that is how you can configure a cert and list the 'domain' the cert should match to... but I feel these IP certs have different key+values than 'domain'.
Just wanted to thank the Traefik developers and the forum here!! Got my IPv4 Let's Encrypt TLS cert working, but interestingly, I have not been able to get the IPv6 version working.