by bryanlarsen 1595 days ago
SSL certificates contain the name, not the IP. So the IP address can be anything, including internal ones.

I thought Let's Encrypt wouldn't give you a cert if the domain on the cert resolves to a private IP. Good to know - thx.
You just resolve the domain to a private IP on your internal network; Let's Encrypt can see it as whatever you want. For all they care it's 1.1.1.1.
Friendly reminder that 1.1.1.1 is a real, valid, public IP. Seen plenty of networks that don’t recognize this, use it for some internal purpose, and break https://1.1.1.1/
> Seen plenty of networks that don’t recognize this, use it for some internal purpose, and break https://1.1.1.1/

AFAIK Cisco used 1.1.1.1 as an example "dummy" IP in their wireless LAN controller documentation, which of course led to infinite idiots copy/pasting exactly that and setting up broken networks.

My college uses 1.1.1.1 as their IIS administration endpoint. I was told the reason was "nobody would guess it so it reduces the number of dumb kids guessing the edu\Administrator domain password". Around the time Cloudflare started using it their logs must have skyrocketed.
They don't seem to check whether the hostname you're requesting a cert for resolves. At least with certbot, it requests the cert, creates the challenge record, then removes it after receiving the signed cert.
I've got a ton of certs from LE where the IP resolves to an RFC 1918 IP.
You can, but you might not want employeerecords.example.com leaking its IP address, even if it is an inaccessible 192.168.10.10. Defense in depth. You can use hosts or internal resolution.
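An added example, not posted by anyone in the thread, that turns the two points above into a defender's audit: a public zone that answers with RFC 1918 addresses exposes internal names and addressing, and an "internal" zone that squats on a real public address (such as 1.1.1.1) breaks reachability to its legitimate owner. The zone records and hostnames below are constructed placeholders.

```python
"""Audit DNS zone data for the two footguns discussed in the thread."""
import ipaddress
from typing import Iterable, Tuple, List

# Address space that is legitimately usable for internal-only services.
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "100.64.0.0/10",                                  # RFC 6598 (CGNAT)
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",               # IPv6 ULA, link-local, loopback
)]

Record = Tuple[str, str]   # (hostname, address) as found in a zone (constructed)
Finding = Tuple[str, str, str]  # (hostname, address, issue)


def is_internal(addr: str) -> bool:
    """True if addr falls in a non-public block; raises ValueError if malformed."""
    ip = ipaddress.ip_address(addr)
    # ip_network.__contains__ returns False on an IPv4/IPv6 version mismatch.
    return any(ip in net for net in _INTERNAL_NETS)


def audit(public_zone: Iterable[Record],
          internal_zone: Iterable[Record]) -> List[Finding]:
    """public_zone: records served by world-visible resolvers.
    internal_zone: records that are only meant to exist on the internal network."""
    findings: List[Finding] = []
    for host, addr in public_zone:
        try:
            if is_internal(addr):
                # The name (already visible via CT logs for any cert) now also
                # reveals internal addressing; serve it from internal resolvers.
                findings.append((host, addr, "public-zone-answers-internal-address"))
        except ValueError:
            findings.append((host, addr, "invalid-address"))
    for host, addr in internal_zone:
        try:
            if not is_internal(addr):
                # e.g. 1.1.1.1: a real public address; this breaks routing to it.
                findings.append((host, addr, "internal-zone-squats-public-address"))
        except ValueError:
            findings.append((host, addr, "invalid-address"))
    return findings
```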