Q-Droid 1010 Posted 23 hours ago
Is it time to explore this either in Emby core or as a plug-in if possible? https://letsencrypt.org/2026/01/15/6day-and-ip-general-availability
Quote
Short-lived and IP address certificates are now generally available from Let’s Encrypt. These certificates are valid for 160 hours, just over six days. In order to get a short-lived certificate subscribers simply need to select the ‘shortlived’ certificate profile in their ACME client.
Neminem 1619 Posted 22 hours ago
That sounds interesting, not that I need it. But it sounds a lot like DDNS + Cert.
Q-Droid 1010 (Author) Posted 22 hours ago
18 minutes ago, Neminem said: That sounds interesting, not that I need it. But it sounds a lot like DDNS + Cert.
These are IP based certificates which eliminate the need for domains. I should rephrase: They eliminate the requirement of a domain name. Domain names are still good but not needed.
Edited 22 hours ago by Q-Droid
Neminem 1619 Posted 22 hours ago
That sounds really nice. Thanks for the explanation.
Apotropaic 57 Posted 19 hours ago
Interesting decision from Let's Encrypt. I'm usually all-in when it comes to encrypting everything, but surely this is just enabling bad actors from also enabling on-the-fly certs for whatever they're up to!? I know they're not the first to do this, but they are free and support automation. I can see organisations just blanket blacklisting their certs to deal with this.
As for projects like Emby, it sounds pretty good, unless of course your IP is very dynamic.
Q-Droid 1010 (Author) Posted 16 hours ago
Organizations that are concerned about these IP based certs can create policies to restrict to Domain Validation (DV) or higher. They wouldn't have to blacklist the CA, ISRG in this instance. Even DV certs don't add that much protection since anyone can get a subdomain with a DDNS service or even free Cloudflare.
For Emby users I see this as an option for those who rely on Emby Connect, don't have a domain and would like to benefit from end-to-end TLS/HTTPS without having to learn or follow the usual path to HTTPS.
As for the rest I do see how this could open the door for bad actors against whom the only safeguard currently in place is a bad cert error in a browser or auto HTTPS failing to connect. But with free domains or options like Cloudflare some are likely presenting "valid" endpoints already.
darkassassin07 674 Posted 13 hours ago
This would certainly improve security for those that don't want to set up a domain. There have been quite a few threads lately revealing servers that are publicly exposed with only HTTP...
brothom 210 Posted 1 hour ago
I'd be much more interested in seeing "Certify the Web" being implemented, as it's a replacement for certbot (and I think it also offers this feature?)
AV1Opus 5 Posted 1 hour ago
Well, it's a Windows-only software and you can configure it yourself.
Q-Droid 1010 (Author) Posted 1 hour ago
ACME .NET libraries and tools are available for developers to build or integrate ACME clients. A feature built into Emby to request, deploy and renew TLS certs could solve a lot of headaches. Granted, it could create some too, though overall I would say it lands on the positive side.
Edited 1 hour ago by Q-Droid
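Added example, not part of the thread and not Emby or Let's Encrypt code: a sketch of the order an integrated ACME client would build for the 'shortlived' profile and an IP identifier, as discussed in the first and last posts. It assumes the `profile` field of the ACME profiles extension and the `ip` identifier type of RFC 8738; the function names, the half-lifetime renewal policy and the sample addresses are constructed for illustration.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

PROFILE = "shortlived"             # profile name quoted in the first post
LIFETIME = timedelta(hours=160)    # validity quoted in the first post


def acme_identifier(host: str) -> dict:
    """Map a host string to an ACME identifier (RFC 8555 dns, RFC 8738 ip)."""
    try:
        ip = ipaddress.ip_address(host.strip())
    except ValueError:
        return {"type": "dns", "value": host.strip().lower()}
    # Private, CGNAT (100.64.0.0/10), loopback and link-local addresses are
    # not globally routable, so a public CA has nothing it can validate.
    if not ip.is_global:
        raise ValueError(f"{ip} is not publicly routable")
    return {"type": "ip", "value": ip.compressed}


def new_order_payload(hosts: list[str]) -> dict:
    """Body of the ACME newOrder request, before the client JWS-signs it."""
    return {"identifiers": [acme_identifier(h) for h in hosts],
            "profile": PROFILE}


def renew_after(not_before: datetime, fraction: float = 0.5) -> datetime:
    """Assumed policy: renew once `fraction` of the 160 hours has elapsed."""
    return not_before + LIFETIME * fraction


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the thread.
    print(new_order_payload(["8.8.8.8", "2001:4860:4860:0:0:0:0:8888"]))
    issued = datetime(2026, 1, 15, tzinfo=timezone.utc)
    print(renew_after(issued).isoformat())
    for bad in ("192.168.1.10", "100.64.0.1"):
        try:
            acme_identifier(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

A home server behind carrier-grade NAT reports a 100.64.0.0/10 WAN address, which is why that case is rejected alongside the usual private ranges.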