Real Let's Encrypt Certificates for Local Development on Private IPs

Wildcard TLS certificates for RFC 1918 IPs. One curl, valid HTTPS on your LAN.

# most common LAN IPs are pre-issued — just grab it
$ curl https://lancert.dev/certs/192.168.1.50
{
  "ip": "192.168.1.50",
  "domains": ["192-168-1-50.lancert.dev", "*.192-168-1-50.lancert.dev"],
  "not_after": "2026-06-21T07:44:41Z",
  "privkey_pem": "-----BEGIN EC PRIVATE KEY-----...",
  "fullchain_pem": "-----BEGIN CERTIFICATE-----..."
}

# DNS already resolves to your LAN
$ dig 192-168-1-50.lancert.dev +short
192.168.1.50

# done — valid HTTPS on your private IP
$ curl https://192-168-1-50.lancert.dev
🔒 valid HTTPS

Pre-issued certificates cover 24 common LAN IPs — gateways, Docker bridge, and typical static addresses.

Need a different IP?

If your IP isn't pre-issued, request a certificate on demand. Issuance takes a few seconds via a Let's Encrypt DNS-01 challenge.

# request a cert for any RFC 1918 IP
$ curl -X POST https://lancert.dev/certs/192.168.1.77
202 — issuance started

# poll — ready in seconds
$ curl https://lancert.dev/certs/192.168.1.77
200 — certificate ready

Why lancert

Real certificates

Real Let's Encrypt certificates, trusted by every browser on every device. No custom CA to install, no per-device setup, no warnings.

Test from any device

Service Workers, push notifications, WebRTC — anything that requires HTTPS on a real device on your LAN.

One curl

No signup, no API keys, no DNS config. One request, certificate ready.

Wildcard included

Each cert covers the base domain and *.192-168-1-50.lancert.dev — use any subdomain without requesting additional certificates.

Security

lancert does not provide confidentiality

The private keys are served via API to anyone who requests them. There is no ownership concept for private IPs — 192.168.1.50 on your network is the same address as 192.168.1.50 on someone else's. Anyone who knows the IP can download the same certificate and private key.

The browser will show a valid HTTPS connection, but this does not mean the traffic is protected from other devices on the same network.

The threat model is simple: you trust your local network enough to develop on it, and you need the browser to trust your certificate. That's it. Do not use these certificates in production.

How it works

Authoritative DNS

lancert runs its own DNS server for the lancert.dev zone.

IP in the name

Subdomains like 192-168-1-50.lancert.dev resolve to 192.168.1.50 by parsing the IP from the hostname.

DNS-01 challenge

A POST request triggers certificate issuance via a Let's Encrypt DNS-01 challenge, fully automated and non-blocking.

Wildcard cert

Each IP gets a wildcard cert covering *.192-168-1-50.lancert.dev, cached and renewed automatically on the next request before expiry.
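
The "IP in the name" lookup described above, as an added Python example (not lancert's own code): it parses the address out of the hostname and answers only for the three RFC 1918 ranges. The function name resolve, the leading-zero rejection and the one-subdomain-level limit are assumptions made for this example.

```python
import ipaddress
import re

ZONE = "lancert.dev"  # zone name from the page

# The three RFC 1918 ranges the page lists as supported.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# One label of four dash-separated decimal octets, e.g. "192-168-1-50".
IP_LABEL = re.compile(r"([0-9]{1,3})-([0-9]{1,3})-([0-9]{1,3})-([0-9]{1,3})")


def resolve(hostname):
    """Return the private IPv4 address encoded in hostname, or None.

    Hypothetical helper: accepts "<ip-label>.lancert.dev" and one
    subdomain level below it; every other name gets no answer.
    """
    name = hostname.rstrip(".").lower()
    suffix = "." + ZONE
    if not name.endswith(suffix):
        return None  # different zone, or the bare zone apex
    labels = name[: -len(suffix)].split(".")
    # A wildcard certificate matches a single label, so this example
    # answers for at most one subdomain level (assumption).
    if not all(labels) or len(labels) > 2:
        return None
    # The IP label is the one directly left of the zone.
    match = IP_LABEL.fullmatch(labels[-1])
    if not match:
        return None
    octets = match.groups()
    # Reject leading zeros ("01") so each address has exactly one name.
    if any(len(o) > 1 and o[0] == "0" for o in octets):
        return None
    try:
        ip = ipaddress.IPv4Address(".".join(octets))
    except ipaddress.AddressValueError:
        return None  # an octet above 255
    # Refuse public, loopback and link-local addresses.
    if not any(ip in net for net in RFC1918):
        return None
    return str(ip)
```

Restricting answers to private ranges keeps names in the zone from pointing at public or loopback addresses.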

Example: Caddy

Download the PEM files and use them with Caddy to serve HTTPS on your LAN.

1. Download the certificate files

$ curl -o fullchain.pem https://lancert.dev/certs/192.168.1.50/fullchain.pem
$ curl -o privkey.pem https://lancert.dev/certs/192.168.1.50/privkey.pem

2. Create a Caddyfile

# wildcard cert covers any subdomain
192-168-1-50.lancert.dev, hi.192-168-1-50.lancert.dev {
    tls fullchain.pem privkey.pem
    respond "Hello from lancert!"
}

3. Run and test

$ caddy run

# from another terminal or any device on your network
$ curl https://192-168-1-50.lancert.dev
Hello from lancert!
$ curl https://hi.192-168-1-50.lancert.dev
Hello from lancert!

FAQ

Which IPs are pre-issued?

Let's Encrypt enforces rate limits on certificate issuance. To stay within those limits, lancert pre-issues certificates for 24 common LAN addresses:

Gateways & vendor defaults
192.168.0.1 192.168.1.1 10.0.0.1 10.0.1.1 172.17.0.1 192.168.0.254 192.168.1.254 192.168.50.1 192.168.88.1

Common static/dev hosts
192.168.0.2 192.168.0.9 192.168.0.10 192.168.0.20 192.168.0.50 192.168.0.100 192.168.1.2 192.168.1.10 192.168.1.20 192.168.1.50 192.168.1.100 10.0.0.10 10.0.0.50 10.0.0.100 10.0.1.10

How long do certificates last?

90 days, as issued by Let's Encrypt. Pre-issued certificates are renewed automatically. On-demand certificates are cached and renewed on the next request before expiry, as long as the service is running.

Can I request a new IP to be pre-issued?

Yes — open an issue on the GitHub repository with the IP and use case.

Which IP ranges are supported?

Any private IP in the RFC 1918 ranges: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.

Is this safe to use?

lancert is designed for local development only. The private keys are served via API to anyone who requests them — there is no ownership model for private IPs. The browser will show a valid HTTPS connection, but this does not mean the traffic is protected from other devices on the same network. See the Security section for details. Do not use these certificates in production.