OPNsense Forum

English Forums => 25.7, 25.10 Series => Topic started by: adv on January 26, 2026, 06:15:37 PM

Title: Let's Encrypt IP address certificate in OPNsense
Post by: adv on January 26, 2026, 06:15:37 PM
I want to replace the self-signed certificate for the web GUI with a Let's Encrypt certificate for my IP address.  I do not have a domain name and access using the IP address directly.  I see that Let's Encrypt just started issuing certificates for IP addresses so I should be good to go, right?  Can't get it to work.

I followed instructions found in many tutorials on the web for setting up an LE cert with FQDN but entered the IPv4 instead of a FQDN.  A Google search brought me this set of AI-generated instructions specifically for doing it with an IP address instead of FQDN, all of which I followed:

AI Overview

To set up OPNsense with a Let's Encrypt certificate for a public IP address, you must use the OPNsense ACME client plugin and the HTTP-01 or TLS-ALPN-01 challenge methods, as DNS challenges are not supported for IP addresses. The certificate will be valid for approximately six days and must be renewed automatically.

Prerequisites
A static, public IP address that your OPNsense firewall can serve traffic on.
The os-acme-client plugin installed on your OPNsense system (go to System > Firmware > Plugins and install it if it is not already present).
Ports 80 or 443 must be publicly accessible and forward traffic to the OPNsense instance for the duration of the validation process.

Step-by-Step Guide
1. Configure the ACME Account:
1. Navigate to Services > ACME Client > Accounts.
2. Click the + button to add a new account.
3. Enter a Descriptive name.
4. Select Let's Encrypt Production ACME v02 as the ACME CA.
5. Enter your email address for important notifications (like renewal failures).
6. Check the E-mail box and click Register new account.
7. Click Save.

2. Create a Certificate:
1. Go to Services > ACME Client > Certificates.
2. Click the + button.
3. Enter a Descriptive name.
4. In the Common Name field, enter your public IP address.
5. Select the ACME Account you created in the previous step.
6. Click Save.

3. Configure the Challenge Type:
1. Go to the Services > ACME Client > Settings page and then the Challenge Types tab.
2. Click the + button.
3. Select the Challenge Type (either HTTP-01 or TLS-ALPN-01). The HTTP-01 method is generally simpler.
4. Select the correct Interface where the public IP resides (e.g., WAN).
5. Click Save.

4. Issue the Certificate:
1. Go back to Services > ACME Client > Certificates.
2. Click the "Issue/Renew All Certificates" button (or the issue button specific to your certificate).
3. Wait a few seconds and refresh the page. The "Issue Date" and "Last ACME Status" fields should show as "OK".

5. Automate Renewal:
1. Let's Encrypt IP certificates are short-lived (around 6 days), so automation is essential. The OPNsense ACME client handles this automatically, but you should ensure the service is enabled and running under Services > ACME Client > Settings.
2. You may also create an automation to restart the web GUI (under the Automations tab in ACME Client settings) and link it to the certificate to ensure the new certificate is applied automatically after renewal.

6. Assign the Certificate to the Web GUI (Optional):
1. Navigate to System > Settings > Administration.
2. In the Web GUI section, select your new Let's Encrypt certificate from the SSL Certificate dropdown menu.
3. Click Save. Your browser will now use the valid certificate when you access the OPNsense web interface via its public IP address.


I DO have a firewall rule on interface WAN allowing ports 80 and 443 to "This Firewall".  I do NOT have the web GUI listening on 443.

Has anyone been able to make an IP address certificate work?  Anyone got any suggestions?
Title: Re: Let's Encrypt IP address certificate in OPNsense
Post by: Patrick M. Hausen on January 26, 2026, 06:18:30 PM
You cannot have a certificate for an IP address. You must use a domain name.
Title: Re: Let's Encrypt IP address certificate in OPNsense
Post by: adv on January 26, 2026, 06:27:48 PM
Quote from: Patrick M. Hausen on January 26, 2026, 06:18:30 PM
You cannot have a certificate for an IP address. You must use a domain name.

Do you mean in general, or is this specifically an OPNsense issue?  In general, Let's Encrypt says we can as of a few days ago:
https://letsencrypt.org/2026/01/15/6day-and-ip-general-availability
Title: Re: Let's Encrypt IP address certificate in OPNsense
Post by: Patrick M. Hausen on January 26, 2026, 07:18:30 PM
I had not yet got that memo. In the past you could not use IP addresses for HTTPS certificates, period. I'll check those docs, thank you.
Title: Re: Let's Encrypt IP address certificate in OPNsense
Post by: rajiv on January 26, 2026, 07:58:38 PM
In order to obtain a certificate from Let's Encrypt with an IP address, the ACME client needs to use the 'shortlived' profile (https://letsencrypt.org/docs/profiles/#shortlived). However, the 'os-acme-client' OPNsense plugin does not support profile selection. Support is marked as "not planned" in opnsense/plugins/issues/4791 (https://github.com/opnsense/plugins/issues/4791).

Even the underlying 'acme.sh' script which requests the certificates was only recently updated to support profiles in acme.sh/issues/6193 (https://github.com/acmesh-official/acme.sh/issues/6193).
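To make the point above concrete at the protocol level, here is an added example (my own code, not part of the os-acme-client plugin, acme.sh, or any post in this thread) that shows what an ACME client has to put into a newOrder request for an IP address: an identifier of type "ip" rather than "dns" (RFC 8738), and a "profile" member selecting the CA's "shortlived" profile, which the client discovers under meta.profiles in the directory document. The directory JSON below is a constructed sample with placeholder URLs, not the real Let's Encrypt directory, and the helper names are mine. The checks also reject addresses no public CA can validate (loopback, link-local, multicast) and list which challenge types remain usable for an IP identifier, since dns-01 does not apply.

```python
import ipaddress
import json

# Constructed sample of an ACME directory document, modelled on the shape a CA
# publishes. URLs are placeholders; "profiles" mirrors the meta.profiles map
# that advertises selectable certificate profiles.
SAMPLE_DIRECTORY = json.loads("""
{
  "newAccount": "https://acme.example/acme/new-acct",
  "newNonce": "https://acme.example/acme/new-nonce",
  "newOrder": "https://acme.example/acme/new-order",
  "meta": {
    "termsOfService": "https://acme.example/terms",
    "profiles": {
      "classic": "long-lived DNS-name certificates",
      "shortlived": "short-lived profile; the only one that accepts IP identifiers"
    }
  }
}
""")


def offered_profiles(directory):
    """Profiles the CA advertises in meta.profiles (empty dict if none)."""
    return dict(directory.get("meta", {}).get("profiles", {}))


def classify_identifier(value):
    """Map a user-supplied name to an ACME identifier object.
    IP literals (v4 or v6) become type "ip" per RFC 8738; anything else is "dns"."""
    try:
        ip = ipaddress.ip_address(value.strip())
    except ValueError:
        return {"type": "dns", "value": value.strip().lower()}
    return {"type": "ip", "value": str(ip)}  # str() canonicalises IPv6 form


def allowed_challenges(identifier):
    """Challenge types that can validate this identifier.
    dns-01 cannot be used for an IP identifier (there is no zone to publish into)."""
    if identifier["type"] == "ip":
        return ["http-01", "tls-alpn-01"]
    return ["http-01", "dns-01", "tls-alpn-01"]


def order_problems(directory, names, profile=None):
    """Return a list of reasons the order would be rejected (empty if it looks valid)."""
    problems = []
    identifiers = [classify_identifier(n) for n in names]
    profiles = offered_profiles(directory)
    if profile is not None and profile not in profiles:
        problems.append(f"CA does not offer profile {profile!r}; offered: {sorted(profiles)}")
    for ident in identifiers:
        if ident["type"] != "ip":
            continue
        ip = ipaddress.ip_address(ident["value"])
        if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
            problems.append(f"{ident['value']} is not a routable address a CA could validate")
        if profile != "shortlived":
            problems.append(f"IP identifier {ident['value']} requires the 'shortlived' profile")
    return problems


def build_order(directory, names, profile=None):
    """Build the newOrder payload, refusing to build one the CA would reject."""
    problems = order_problems(directory, names, profile)
    if problems:
        raise ValueError("; ".join(problems))
    payload = {"identifiers": [classify_identifier(n) for n in names]}
    if profile is not None:
        payload["profile"] = profile
    return payload


if __name__ == "__main__":
    # 203.0.113.10 is a documentation-range address used as a constructed sample.
    print(json.dumps(build_order(SAMPLE_DIRECTORY, ["203.0.113.10"], "shortlived"), indent=2))
    print(order_problems(SAMPLE_DIRECTORY, ["203.0.113.10"]))  # missing profile is reported
```

Running it prints the order body with the "ip" identifier and "profile": "shortlived", and then the single reason the same order without a profile would fail. A client such as the OPNsense plugin that never sends the "profile" member falls into that second case, which is why the GUI steps alone cannot produce an IP certificate until profile selection is supported.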
Title: Re: Let's Encrypt IP address certificate in OPNsense
Post by: gspannu on January 27, 2026, 11:54:16 AM
I have created a #5170 (https://github.com/opnsense/plugins/issues/5170) feature request on Github for the same.