
Let's Encrypt has launched IP certificates: Caddy configuration example

  • @Theater5165 #18 Ha, so buying a domain abroad doesn't require real-name registration these days either? Also, can acme.sh request IP certificates now?

  • @yuandatou #30

    I'm using acme.sh and nginx. I requested the certificate with the command from the post above, then asked Gemini how to install the certificate, then added an HTTPS redirect in nginx and it was done.

  • @yuandatou #30 posted on 2025/12/17 22:57:33
    Installed caddy; confirmed ports 80 and 443 are being listened on.
    Configured the file following the OP's example.
    After restarting the service,
    opening the IP gives "this site's connection is not secure"; looked at the certificate and it shows there is no certificate.

    On the machine,
    /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/
    definitely has a certificate generated.

    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *  CAfile: /etc/ssl/certs/ca-certificates.crt
    *  CApath: /etc/ssl/certs
    } [5 bytes data]
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    } [512 bytes data]
    * TLSv1.3 (IN), TLS alert, internal error (592):
    { [2 bytes data]
    * error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
      0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
    * Closing connection 0
    curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

    Isn't this supposed to be something anyone with hands can do... I've asked DeepSeek to death and still don't know where the problem is.

    {
    default_sni x.x.x.x
    }
    Browsers accessing an IP directly don't send SNI, so the certificate doesn't match.
    So in theory only one IP is supported; I don't know whether multiple IPs will be supported later.
    https://www.nodeseek.com/post-544559-1
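
The reply above explains two separate things: on the server side, a request to a bare IP carries no SNI, so Caddy has nothing to select a certificate by unless `default_sni` names one; on the client side, an IP literal is only ever matched against an IP Address SAN, never a DNS SAN. The following is an added example written for this thread, not code from the thread or from Caddy. It models certificate selection the way the reply describes it (choose by SNI, fall back to `default_sni`) and implements the client-side SAN check with IP normalisation, so that an IPv6 address typed in compressed form still matches the expanded form in the certificate. All certificates in it are constructed samples.

```python
"""Added example (not from the thread, not Caddy's code): why an HTTPS request
to a bare IP needs `default_sni`, and how a client decides that an IP
certificate matches.

Assumptions: server-side selection is modelled on the behaviour the reply
describes (certificate chosen by SNI; no SNI -> fall back to default_sni);
SAN tuples use the shape ssl.SSLSocket.getpeercert()['subjectAltName'] returns.
All certificates below are constructed samples.
"""
import ipaddress
from typing import Optional


def _norm(name: str) -> str:
    """Canonical key: IP literals (with or without [] brackets) are normalised so
    '2603:C024:4518:9BEA:923:0:0:100' and '2603:c024:4518:9bea:923::100' agree;
    hostnames are lower-cased."""
    bare = name.strip("[]")
    try:
        return str(ipaddress.ip_address(bare))
    except ValueError:
        return name.lower()


# Constructed sample certificates (only the SAN part matters here).
CERT_V4 = {"subjectAltName": (("IP Address", "203.0.113.10"),)}
CERT_V6 = {"subjectAltName": (("IP Address", "2603:C024:4518:9BEA:923:0:0:100"),)}
CERT_NAME = {"subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com"))}

# What a server holds: one certificate per identifier it was issued for.
CERTS = {_norm(v): c for c in (CERT_V4, CERT_V6, CERT_NAME) for _, v in c["subjectAltName"]}


def _dns_matches(pattern: str, host: str) -> bool:
    """Exact match, or a single left-most wildcard label (RFC 6125 style)."""
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]  # ".example.com"
    prefix = host[: -len(suffix)] if host.endswith(suffix) else None
    return bool(prefix) and "." not in prefix


def san_matches(cert: dict, requested: str) -> bool:
    """Client-side check: is `requested` (hostname or IP literal) covered by the
    certificate's SANs? An IP literal only matches an 'IP Address' entry, never a
    DNS entry, which is why a domain certificate shows 'not secure' on the bare IP."""
    try:
        ip = ipaddress.ip_address(requested.strip("[]"))
    except ValueError:
        ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None and kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue
        elif ip is None and kind == "DNS" and _dns_matches(value.lower(), requested.lower()):
            return True
    return False


def select_certificate(certs: dict, sni: Optional[str], default_sni: Optional[str]):
    """Server-side model: the certificate is picked by the SNI the client sent.
    A browser opening https://203.0.113.10 sends no SNI, so without default_sni
    there is nothing to select by and the handshake fails with an alert."""
    key = sni or default_sni
    return certs.get(_norm(key)) if key else None


if __name__ == "__main__":
    print("no SNI, no default_sni:", select_certificate(CERTS, None, None))
    print("no SNI, default_sni set:", select_certificate(CERTS, None, "203.0.113.10") is CERT_V4)
    print("IPv6 literal matches SAN:", san_matches(CERT_V6, "[2603:c024:4518:9bea:923::100]"))
```

Because `default_sni` names exactly one identifier, the model also shows the reply's limit: with two IP certificates loaded, a no-SNI connection can only ever reach the one `default_sni` points at.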

  • @zhou #33
    Big, big, big expert! Three hours of spinning in circles wasn't worth one sentence from big brother... it just worked instantly.

  • Once the panels support it, it should become more popular.

  • @cloudfIare #0 posted on 2025/12/17 16:55:35
    IPv6 doesn't seem to be recognized by caddy; asking forum members to explore how to handle it.

    The latest mholt/acmez@dfd3205 has fixed tls-alpn-01, so IPv6 certificates can now be issued (http-01 still has problems, though).

    2025/12/18 03:14:42.219	INFO	trying to solve challenge	{"identifier": "2603:c024:4518:9bea:923::100", "challenge_type": "tls-alpn-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
    2025/12/18 03:14:42.652	INFO	tls	served key authentication certificate	{"server_name": "0.0.1.0.0.0.0.0.0.0.0.0.3.2.9.0.a.e.b.9.8.1.5.4.4.2.0.c.3.0.6.2.ip6.arpa", "challenge": "tls-alpn-01", "remote": "[2600:3000:1511:200::82]:55395", "distributed": false}
    2025/12/18 03:14:42.867	INFO	tls	served key authentication certificate	{"server_name": "0.0.1.0.0.0.0.0.0.0.0.0.3.2.9.0.a.e.b.9.8.1.5.4.4.2.0.c.3.0.6.2.ip6.arpa", "challenge": "tls-alpn-01", "remote": "[2406:da18:85:1401:e666:b432:b1a5:d4c]:13174", "distributed": false}
    2025/12/18 03:14:43.035	INFO	tls	served key authentication certificate	{"server_name": "0.0.1.0.0.0.0.0.0.0.0.0.3.2.9.0.a.e.b.9.8.1.5.4.4.2.0.c.3.0.6.2.ip6.arpa", "challenge": "tls-alpn-01", "remote": "[2600:1f14:804:fd01:8b50:6acc:c30:b285]:63810", "distributed": false}
    2025/12/18 03:14:43.092	INFO	tls	served key authentication certificate	{"server_name": "0.0.1.0.0.0.0.0.0.0.0.0.3.2.9.0.a.e.b.9.8.1.5.4.4.2.0.c.3.0.6.2.ip6.arpa", "challenge": "tls-alpn-01", "remote": "[2a05:d016:39f:3101:a3e9:2ac4:313b:267f]:24910", "distributed": false}
    2025/12/18 03:14:43.112	INFO	tls	served key authentication certificate	{"server_name": "0.0.1.0.0.0.0.0.0.0.0.0.3.2.9.0.a.e.b.9.8.1.5.4.4.2.0.c.3.0.6.2.ip6.arpa", "challenge": "tls-alpn-01", "remote": "[2600:1f16:269:da02:cdf7:9dda:4664:41f5]:16008", "distributed": false}
    2025/12/18 03:14:43.771	INFO	authorization finalized	{"identifier": "2603:c024:4518:9bea:923::100", "authz_status": "valid"}
    2025/12/18 03:14:43.771	INFO	validations succeeded; finalizing order	{"order": "https://acme-v02.api.letsencrypt.org/acme/order/2886371126/459963373246"}
    2025/12/18 03:14:46.677	INFO	got renewal info	{"names": [], "window_start": "2025/12/21 09:10:03.000", "window_end": "2025/12/21 12:20:53.000", "selected_time": "2025/12/21 10:11:09.000", "recheck_after": "2025/12/18 09:14:46.677", "explanation_url": ""}
    2025/12/18 03:14:47.069	INFO	got renewal info	{"names": [], "window_start": "2025/12/21 09:10:03.000", "window_end": "2025/12/21 12:20:53.000", "selected_time": "2025/12/21 11:41:54.000", "recheck_after": "2025/12/18 09:14:47.069", "explanation_url": ""}
    2025/12/18 03:14:47.069	INFO	successfully downloaded available certificate chains	{"count": 2, "first_url": "https://acme-v02.api.letsencrypt.org/acme/cert/06b2fa25b4441f69c6493db467d656350c0a"}
    2025/12/18 03:14:47.080	INFO	tls.obtain	certificate obtained successfully	{"identifier": "2603:c024:4518:9bea:923::100", "issuer": "acme-v02.api.letsencrypt.org-directory"}
    2025/12/18 03:14:47.080	INFO	tls.obtain	releasing lock	{"identifier": "2603:c024:4518:9bea:923::100"}
    2025/12/18 03:14:47.080	WARN	tls	stapling OCSP	{"identifiers": ["2603:c024:4518:9bea:923::100"]}
    
    curl -v https://[2603:c024:4518:9bea:923::100]
    *   Trying [2603:c024:4518:9bea:923::100]:443...
    * Connected to 2603:c024:4518:9bea:923::100 (2603:c024:4518:9bea:923::100) port 443 (#0)
    * ALPN: offers h2,http/1.1
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    *  CAfile: /etc/ssl/certs/ca-certificates.crt
    *  CApath: /etc/ssl/certs
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
    * TLSv1.3 (IN), TLS handshake, Certificate (11):
    * TLSv1.3 (IN), TLS handshake, CERT verify (15):
    * TLSv1.3 (IN), TLS handshake, Finished (20):
    * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
    * TLSv1.3 (OUT), TLS handshake, Finished (20):
    * SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
    * ALPN: server accepted h2
    * Server certificate:
    *  subject: [NONE]
    *  start date: Dec 18 02:16:14 2025 GMT
    *  expire date: Dec 24 18:16:13 2025 GMT
    *  subjectAltName: host "2603:c024:4518:9bea:923::100" matched cert's IP address!
    *  issuer: C=US; O=Let's Encrypt; CN=E7
    *  SSL certificate verify ok.
    * using HTTP/2
    * h2h3 [:method: GET]
    * h2h3 [:path: /]
    * h2h3 [:scheme: https]
    * h2h3 [:authority: [2603:c024:4518:9bea:923::100]]
    * h2h3 [user-agent: curl/7.88.1]
    * h2h3 [accept: */*]
    * Using Stream ID: 1 (easy handle 0xaaab15c4c0c0)
    > GET / HTTP/2
    > Host: [2603:c024:4518:9bea:923::100]
    > user-agent: curl/7.88.1
    > accept: */*
    > 
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    < HTTP/2 200 
    < alt-svc: h3=":443"; ma=2592000
    < content-type: text/plain; charset=utf-8
    < server: Caddy
    < content-length: 12
    < date: Thu, 18 Dec 2025 03:33:20 GMT
    < 
    * Connection #0 to host 2603:c024:4518:9bea:923::100 left intact
    mjj ipv6 ok!
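
The log in the post above shows what a tls-alpn-01 validation of an IP identifier looks like from the server side: the validators connect with the address's reverse-DNS name (the long `ip6.arpa` `server_name`) in SNI, which is what RFC 8738 specifies for IP identifiers, and several different remotes appear because Let's Encrypt validates from multiple vantage points. The following is an added example, not code from the thread or from Caddy. It parses lines in the tab-separated console layout visible above, derives the expected SNI for the identifier with the standard library, and reports, per validator, whether the name it asked for is the one expected. Two "served key authentication certificate" lines are copied from the thread; the third is constructed to show what a mismatch looks like.

```python
"""Added example, not part of the thread and not Caddy's code: auditing a Caddy
log for the tls-alpn-01 validation of an IP identifier.

RFC 8738 (ACME IP identifier validation) has the CA's validators present the
address's reverse-mapping name (in-addr.arpa / ip6.arpa) in SNI; that is the
server_name in the thread's log. Parsing follows the tab-separated console
layout seen in the thread. Lines marked "constructed" are not from the thread.
"""
import ipaddress
import json

SAMPLE_LOG = [
    '2025/12/18 03:14:42.219\tINFO\ttrying to solve challenge\t{"identifier": "2603:c024:4518:9bea:923::100", "challenge_type": "tls-alpn-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}',
    '2025/12/18 03:14:42.652\tINFO\ttls\tserved key authentication certificate\t{"server_name": "0.0.1.0.0.0.0.0.0.0.0.0.3.2.9.0.a.e.b.9.8.1.5.4.4.2.0.c.3.0.6.2.ip6.arpa", "challenge": "tls-alpn-01", "remote": "[2600:3000:1511:200::82]:55395", "distributed": false}',
    '2025/12/18 03:14:42.867\tINFO\ttls\tserved key authentication certificate\t{"server_name": "0.0.1.0.0.0.0.0.0.0.0.0.3.2.9.0.a.e.b.9.8.1.5.4.4.2.0.c.3.0.6.2.ip6.arpa", "challenge": "tls-alpn-01", "remote": "[2406:da18:85:1401:e666:b432:b1a5:d4c]:13174", "distributed": false}',
    # constructed: a client asking for a name that belongs to a neighbouring address (last nibble differs)
    '2025/12/18 03:14:43.000\tINFO\ttls\tserved key authentication certificate\t{"server_name": "1.0.1.0.0.0.0.0.0.0.0.0.3.2.9.0.a.e.b.9.8.1.5.4.4.2.0.c.3.0.6.2.ip6.arpa", "challenge": "tls-alpn-01", "remote": "[2001:db8::5]:40000", "distributed": false}',
    '2025/12/18 03:14:43.771\tINFO\tauthorization finalized\t{"identifier": "2603:c024:4518:9bea:923::100", "authz_status": "valid"}',
]


def parse_caddy_line(line: str) -> dict:
    """Split one console-format line into ts, level, optional logger, msg and JSON fields.
    The logger column ('tls', 'tls.obtain') is present on some lines and absent on others."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 4:
        raise ValueError(f"not a Caddy console log line: {line!r}")
    ts, level, payload = parts[0], parts[1], parts[-1]
    middle = parts[2:-1]
    logger = middle[0] if len(middle) == 2 else ""
    return {"ts": ts, "level": level, "logger": logger, "msg": middle[-1], "fields": json.loads(payload)}


def tls_alpn_sni_for(identifier: str) -> str:
    """SNI a validator presents for an IP identifier: its reverse-mapping name."""
    return ipaddress.ip_address(identifier).reverse_pointer


def audit_tls_alpn(lines) -> list:
    """Pair every served key-authorization certificate with the identifier under
    validation and record whether the SNI asked for is the one expected for it."""
    expected = None
    report = []
    for raw in lines:
        rec = parse_caddy_line(raw)
        f = rec["fields"]
        if rec["msg"] == "trying to solve challenge" and f.get("challenge_type") == "tls-alpn-01":
            expected = tls_alpn_sni_for(f["identifier"])
        elif rec["msg"] == "served key authentication certificate" and f.get("challenge") == "tls-alpn-01":
            report.append({"remote": f["remote"], "server_name": f["server_name"],
                           "ok": expected is not None and f["server_name"] == expected})
    return report


def vantage_points(report) -> set:
    """Distinct validator addresses (port stripped), e.g. to compare against firewall logs."""
    return {r["remote"].rsplit(":", 1)[0].strip("[]") for r in report}


if __name__ == "__main__":
    for r in audit_tls_alpn(SAMPLE_LOG):
        print("OK " if r["ok"] else "BAD", r["remote"], r["server_name"])
```

Running it on the sample prints two `OK` lines for the thread's validators and one `BAD` line for the constructed mismatch; `vantage_points` on the report gives the set of addresses the challenge was answered to, which is the set your inbound filtering on port 443 must have admitted for validation to succeed.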
    
  • So in the future domains won't be needed at all, just go straight to IP? Isn't that more dangerous? Nowadays everything is requested automatically with tools anyway; I don't normally pay attention.

  • Reverse proxying seems to have problems.

  • Looks like I need to adapt.

