9 comments

  • gnabgib a day ago

    (29 points) https://news.ycombinator.com/item?id=47343278

    Related: 6-Day and IP Address Certificates Are Generally Available (506 points, 2 months ago, 281 comments) https://news.ycombinator.com/item?id=46647491

  • pocksuppet a day ago

    As seen in the BND's attack on jabber.ru, some adversaries have no difficulty taking over your IP address. Will this be a new threat vector?

    • CaliforniaKarl a day ago

      If an attacker manages to gain ownership of an IP address, and gets a Let's Encrypt certificate for that IP address, the certificate will show up in Certificate Transparency logs. In that way, if people are watching, the attack will become visible fairly quickly.
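
One way a watcher could act on the visibility described in the comment above, as an added example that is not part of the thread or of any Let's Encrypt tooling: flag logged certificates that name an IP address in ranges you operate but whose serial is not in your own issuance inventory. The record layout, function names and sample values (documentation address ranges) are constructed assumptions.

```python
import ipaddress

# Constructed sample: fields a CT monitor might extract from logged certificates.
# This record layout is an assumption for the example, not a real log API format.
SAMPLE_ENTRIES = [
    {"serial": "03:AA:01", "sans": ["IP:203.0.113.10"]},
    {"serial": "03AA02", "sans": ["IP:203.0.113.10"]},
    {"serial": "04BB10", "sans": ["DNS:mail.example.org"]},
    {"serial": "05CC20", "sans": ["IP:2001:db8::25", "IP:198.51.100.7"]},
    {"serial": "06DD30", "sans": ["IP:not-an-ip"]},
]

def normalize_serial(serial):
    """Compare serials regardless of case, colons or leading zeros."""
    return serial.replace(":", "").lower().lstrip("0")

def san_ips(sans):
    """Yield parsed IP addresses from SAN strings; skip DNS names and junk."""
    for san in sans:
        kind, _, value = san.partition(":")
        if kind != "IP":
            continue
        try:
            yield ipaddress.ip_address(value)
        except ValueError:
            continue  # malformed entry: skip it rather than crash the monitor

def unexpected_ip_certs(entries, watched, known_serials):
    """Return (serial, matching IPs) for certs on watched ranges we did not issue."""
    nets = [ipaddress.ip_network(n) for n in watched]
    known = {normalize_serial(s) for s in known_serials}
    findings = []
    for entry in entries:
        # Membership is False when address and network versions differ.
        hits = sorted({str(ip) for ip in san_ips(entry["sans"])
                       if any(ip in net for net in nets)})
        if hits and normalize_serial(entry["serial"]) not in known:
            findings.append((entry["serial"], hits))
    return findings

if __name__ == "__main__":
    watched = ["203.0.113.0/24", "2001:db8::/48"]
    for serial, ips in unexpected_ip_certs(SAMPLE_ENTRIES, watched, ["03aa01"]):
        print(f"unexpected certificate {serial} covers {', '.join(ips)}")
```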

  • nubinetwork a day ago

    When will they let me generate certificates for IMAP and SMTP?

    • neoCrimeLabs a day ago

      They never stopped supporting it, to my knowledge. I first started using their certs for my IMAP and SMTP servers 10ish years ago, at least.

      If you use the HTTP-01 challenge method, you require an HTTP server on the host.

      If you don't want an HTTP server on your IMAP/SMTP server, you need to use the DNS-01 challenge method.

      • nubinetwork 17 hours ago

        And what if I want to run DNS and HTTP on separate servers from my mail server?

        • neoCrimeLabs 11 hours ago

          The same thing everyone else does. Build automation, use configuration management, use cert manager or other similar solutions.

  • apitman a day ago

    Nice. I've been using lego for this the past few weeks.

  • greatgib a day ago

    They should at least have restricted it to IPv6. Here it will be a kill for everyone using mobile networks and 5G hotspots.