Can you get an SSL certificate for an IP address (like https://203.0.113.50)? Yes — but Let’s Encrypt doesn’t support it, and there are better alternatives.
Who can issue certificates for IP addresses?
| CA | IP address certificates | Cost |
|---|---|---|
| Let’s Encrypt | ❌ Not supported | — |
| ZeroSSL | ✅ Via ACME (public IPs) | Free (limited) |
| Google Trust Services | ✅ Via ACME | Free |
| DigiCert | ✅ (OV/EV only) | Paid |
| Sectigo | ✅ | Paid |
| Self-signed | ✅ | Free (browser warning) |
Let’s Encrypt’s ACME implementation does not validate IP addresses — it only validates domain names. This means GetHTTPS can’t issue certificates for IP addresses.
Why domains are almost always better
| IP address certificate | Domain certificate | |
|---|---|---|
| Supported by Let’s Encrypt | ❌ | ✅ |
| Free options | Limited | Unlimited (Let’s Encrypt) |
| Can change servers | ❌ Tied to that IP | ✅ Update DNS |
| Human-readable | ❌ https://203.0.113.50 | ✅ https://example.com |
| CDN/load balancer | ❌ Breaks if IP changes | ✅ DNS-based routing |
| SEO | ❌ No keyword value | ✅ Brandable |
In almost every case, registering a domain ($10-15/year) and using Let’s Encrypt (free) is cheaper and more flexible than getting an IP address certificate.
When IP address certificates make sense
- Internal infrastructure — monitoring dashboards, admin panels, APIs on a private network where DNS isn’t set up
- IoT/embedded devices — devices that connect to a fixed IP and can’t resolve DNS
- Development/testing — quick HTTPS on a test server without configuring DNS
- Legacy systems — applications hardcoded to connect to an IP
Alternatives to IP address certificates
Option 1: Use a domain (recommended)
Register a domain or subdomain, point it to your IP, get a free Let’s Encrypt certificate.
# Example: point a subdomain to your IP
server.example.com → A record → 203.0.113.50
# Then get a certificate for server.example.comCost: $0 (if you already have a domain) to $10-15/year (new domain).
Option 2: Self-signed certificate
For internal use where browser warnings are acceptable:
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
-keyout key.pem -out cert.pem -days 365 -nodes \
-subj "/CN=203.0.113.50" \
-addext "subjectAltName=IP:203.0.113.50"Note the IP: prefix in the SAN — not DNS:.
Option 3: nip.io or sslip.io (clever DNS trick)
These free services provide DNS records that resolve to the IP embedded in the hostname:
203.0.113.50.nip.io → resolves to 203.0.113.50You can then get a Let’s Encrypt certificate for 203.0.113.50.nip.io using GetHTTPS with DNS-01 challenge. The domain is ugly but functional.
Option 4: Cloudflare Tunnel
Expose your IP-based service through Cloudflare’s tunnel with a real domain and automatic SSL — no public IP needed.
Frequently asked questions
Why doesn’t Let’s Encrypt support IP addresses?
Let’s Encrypt validates domain ownership via DNS or HTTP challenges. IP addresses don’t have DNS ownership in the same way — the validation model doesn’t apply cleanly. Other CAs (ZeroSSL, Google Trust Services) have added IP support to their ACME implementations.
Can I use a wildcard certificate for IP addresses?
No. Wildcards only apply to DNS names (*.example.com). IP addresses don’t have subdomains.
What about private/internal IPs (192.168.x.x, 10.x.x.x)?
No public CA will issue a certificate for a private IP address — they’re not globally unique. Use a self-signed certificate or a private CA for internal networks.
Can I get a free certificate for a public IP?
ZeroSSL and Google Trust Services support IP address certificates via ACME. However, the free tier may be limited. A domain with Let’s Encrypt is more reliable and truly unlimited.