---
title:

Let's Encrypt: 6-day Certificates and IP Address Support

date: 2026-01-20
tags: [#lets-encrypt, #tls, #security, #automation, #certificates ]
draft: false
---

https://letsencrypt.org/2026/01/15/6day-and-ip-general-availability

Let’s Encrypt is expanding automation capabilities by announcing the availability of short-lived TLS certificates with a 6-day duration (160 hours) and support for IP address certificates (IPv4/IPv6). This significant update aims to enhance internet security by shortening certificate lifespans and broadening their application scope.

Key New Features

Short-lived certificates are now available to everyone, allowing the issuance of documents with a lifespan of just 6 days. To use this feature, you must select the shortlived profile in your ACME client. While this change is not mandatory for everyone right now, Let’s Encrypt is actively promoting it as a way to mitigate risks associated with private key leaks.

IP address certificates are now a reality, but with an important limitation: they are issued only as short-lived 6-day certificates. This is because control over an IP address can change more frequently than over a domain, and more frequent ownership verification is critically important for security.

Why 6 Days is Better Than 90

Certificate revocation mechanisms are unreliable, and browsers often continue to trust a stolen key until its expiration date. Reducing the certificate lifespan to 6 days significantly narrows the “vulnerability window” for attackers, even if the standard revocation procedure fails.

The industry is moving towards shorter terms, and Let’s Encrypt plans to gradually reduce the standard certificate lifespan from 90 to 45 days by 2028. Using profiles in ACME allows these changes to be introduced gradually, providing an opportunity to prepare infrastructure.

Practical Implications

Automation becomes critical, as manual certificate renewal every few days is impossible. It is recommended to run the ACME client daily and configure the renewal of “6-day” certificates every 2–3 days to avoid sudden HTTPS downtime due to renewal errors.

New mechanisms help maintain reliability, such as ACME Renewal Information (ARI), which allows the Let’s Encrypt server to signal the client when an early renewal is needed. Work is also underway on DNS-PERSIST-01 to simplify automation via DNS without the need to change records at every renewal.

IP address validation has its own specifics, excluding the use of DNS-01 and requiring confirmation via HTTP-01 or TLS-ALPN-01 directly on the address itself. This means that automation tools must have direct access to the server running on that IP, which changes traditional deployment approaches.