Q-Droid, posted March 30:

Is it time to explore this either in Emby core or as a plug-in if possible?

https://letsencrypt.org/2026/01/15/6day-and-ip-general-availability

> Short-lived and IP address certificates are now generally available from Let’s Encrypt. These certificates are valid for 160 hours, just over six days. In order to get a short-lived certificate subscribers simply need to select the ‘shortlived’ certificate profile in their ACME client.

Neminem, posted March 30:

That sounds interesting, not that I need it. But it sounds a lot like DDNS + Cert.

Q-Droid (author), posted March 30 (edited March 30):

> Neminem said: That sounds interesting, not that I need it. But it sounds a lot like DDNS + Cert.

These are IP based certificates which eliminate the need for domains.

I should rephrase: They eliminate the requirement of a domain name. Domain names still good but not needed.

Apotropaic, posted March 30:

Interesting decision from Let's Encrypt. I'm usually all-in when it comes to encrypting everything, but surely this is just enabling bad actors from also enabling on the fly certs for whatever they're up to!? I know they're not the first to do this, but they are free and support automation. I can see organisations just blanket blacklisting their certs to deal with this.

As for projects like Emby it sounds pretty good, unless of course your IP is very dynamic.

Q-Droid (author), posted March 30:

Organizations that are concerned about these IP based certs can create policies to restrict to Domain Validation (DV) or higher. They wouldn't have to blacklist the CA, ISRG in this instance. Even DV certs don't add that much protection since anyone can get a subdomain with a DDNS service or even free Cloudflare.

For Emby users I see this as an option for those who rely on Emby Connect, don't have a domain and would like to benefit from end-to-end TLS/HTTPS without having to learn or follow the usual path to HTTPS.

As for the rest I do see how this could open the door for bad actors against whom the only safeguard currently in place is a bad cert error in a browser or auto HTTPS failing to connect. But with free domains or options like Cloudflare some are likely presenting "valid" endpoints already.

darkassassin07, posted March 30:

This would certainly improve security for those that don't want to set up a domain.

There have been quite a few threads lately revealing servers that are publicly exposed with only HTTP...

brothom, posted March 31:

I'd be much more interested in seeing "Certify the Web" being implemented as it's a replacement for certbot (and I think also offers this feature?)

AV1Opus, posted March 31:

Well, it's a Windows-only software and you can configure it yourself.

Q-Droid (author), posted March 31 (edited March 31):

ACME .NET libraries and tools are available for developers to build or integrate ACME clients. A feature built into Emby to request, deploy and renew TLS certs could solve a lot of headaches. Granted, it could create some too, though overall I would say it lands on the positive side.