"Getting ready to issue IP address certificates" - LetsEncrypt

Looks like LetsEncrypt will soon start issuing IP address certificates:

Getting ready to issue IP address certificates - Issuance Tech - Let’s Encrypt Community (See also HN discussion.)

Thoughts?


The first thing that came to my mind is that if Caddy requests IP certs by default and supports ESNI/ECH, then Caddy could be among the first human-scale SNI web servers to support https connections where all its domains are kept private.

3 Likes

IP certs will be interesting for sure.

I’m not sure I follow entirely: can you elaborate?

Note that: Caddy already obtains certificates for IP addresses (currently it issues them itself, using its internal issuer, unless configured otherwise). ECH can’t be enabled by default since it requires DNS provider credentials.

1 Like
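To make concrete what "a certificate for an IP address" means in the post above, here is an added example (not Caddy's code and not from this thread) that mints a self-signed leaf with an iPAddress SAN, roughly what an internal issuer does for a bare IP, and checks how a client would match it; the serial, lifetime and the 203.0.113.10 (TEST-NET-3) address are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issueSelfSigned mints a short-lived self-signed server leaf carrying the given
// SAN entries. Constructed example values: serial 1, 24h lifetime, placeholder CN.
func issueSelfSigned(dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		// The CN is informational only; modern verifiers match on the SAN extension.
		Subject:     pkix.Name{CommonName: "ip-cert-demo"},
		NotBefore:   time.Now().Add(-time.Minute),
		NotAfter:    time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:    dnsNames, // SAN dNSName entries
		IPAddresses: ips,      // SAN iPAddress entries: this is what makes it an "IP cert"
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// acceptsName reports whether a client that connected using name (a hostname or an
// IP literal, as typed in the URL) would accept cert for it. An IP literal is matched
// against the iPAddress SANs only, a hostname against the dNSName SANs only.
func acceptsName(cert *x509.Certificate, name string) bool {
	return cert.VerifyHostname(name) == nil
}

func main() {
	ipCert, _ := issueSelfSigned(nil, []net.IP{net.ParseIP("203.0.113.10")})
	dnsCert, _ := issueSelfSigned([]string{"example.com"}, nil)
	fmt.Println(acceptsName(ipCert, "203.0.113.10"))  // true
	fmt.Println(acceptsName(ipCert, "example.com"))   // false
	fmt.Println(acceptsName(dnsCert, "203.0.113.10")) // false: DNS-only cert on a bare IP
}
```

The last case is the failure a publicly trusted IP certificate removes: a name-only certificate is rejected by every browser when the site is reached by its address.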

ECH is cool but it’s not that helpful unless you are Cloudflare serving thousands of domains from a single host and clients already know you host another domain. But with ubiquitous IP address certificates clients could conceivably connect to all hosts with ECH with the IP address of the host as the SNI name, allowing them to hide the real domain in ECH.

So I’m assuming ECH could work with IP address certificates like this (edited from Cloudflare’s ECH Protocol page):

ECH can’t be enabled by default since it requires DNS provider credentials.

I’m not sure I follow.

Just that you were suggesting that:

if Caddy requests IP certs by default and supports ESNI/ECH, then Caddy could be among the first human-scale SNI web servers to support https connections where all its domains are kept private.

and this is a cool idea for sure, what I mean is that you’d have to add DNS credentials to your config to make it work, so it couldn’t be “by default” like we can serve HTTPS by default.

1 Like