lancert.dev

Real Let's Encrypt TLS certificates for private IPs. One curl, valid HTTPS on your LAN.

Quick start

1. Check if a certificate already exists

curl https://lancert.dev/certs/192.168.1.50
# 200 → cert ready  |  404 → not issued yet

What happens next?

200 — cert already exists
You're done! Use these names:
  192-168-1-50.lancert.dev
  *.192-168-1-50.lancert.dev

404 — no cert yet
Request one:
curl -X POST https://lancert.dev/certs/192.168.1.50
# 200 → ready  |  202 → issuance started, poll with GET

2. Point your service to the subdomain — DNS already resolves to your private IP

curl https://192-168-1-50.lancert.dev

How it works

  1. lancert.dev runs an authoritative DNS server for the lancert.dev zone
  2. Subdomains like 192-168-1-50.lancert.dev resolve to 192.168.1.50 by parsing the IP from the name
  3. POST triggers certificate issuance via Let's Encrypt DNS-01 challenge — fully automated and non-blocking
  4. Each IP gets a wildcard cert covering *.192-168-1-50.lancert.dev
  5. Certificates are cached and renewed on next request before expiry

Why lancert.dev

Real certificates

Trusted by every browser and device. No CA installation, no mkcert, no warnings.

Works on mobile

Service workers, push notifications, WebRTC — anything that needs a secure context.

One curl

No signup, no accounts, no config files. Request a cert and start using it.

Wildcard included

Each cert covers both the base domain and all subdomains under your IP.

Supported IP ranges

Only RFC 1918 private IPv4 addresses are accepted:

  10.0.0.0/8
  172.16.0.0/12
  192.168.0.0/16
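
The name-to-IP mapping from "How it works" combined with the RFC 1918 restriction above, as an added example (not lancert.dev's own code). The function names, the canonical-octet rule, and resolving names under the wildcard to the same IP are assumptions made for illustration.

```python
import ipaddress

ZONE = "lancert.dev"
# The three RFC 1918 blocks the page lists. ipaddress's is_private is broader
# (loopback, link-local, ...), so membership is checked explicitly.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def ip_from_name(name, zone=ZONE):
    """Return the private IPv4Address encoded in name, or None to refuse."""
    name = name.lower().rstrip(".")
    suffix = "." + zone
    if not name.endswith(suffix):
        return None
    # The IP label is the one directly left of the zone; anything further
    # left (app.192-168-1-50...) falls under the wildcard and is ignored.
    label = name[: -len(suffix)].split(".")[-1]
    parts = label.split("-")
    if len(parts) != 4:
        return None
    # Canonical decimal octets only: no empty parts, signs, or leading zeros,
    # so one address maps to exactly one label.
    for p in parts:
        if not (p.isascii() and p.isdigit()) or str(int(p)) != p or int(p) > 255:
            return None
    ip = ipaddress.IPv4Address(".".join(parts))
    return ip if any(ip in net for net in RFC1918) else None


def name_for_ip(ip, zone=ZONE):
    """Inverse mapping: 192.168.1.50 -> 192-168-1-50.lancert.dev."""
    addr = ipaddress.IPv4Address(ip)
    if not any(addr in net for net in RFC1918):
        raise ValueError(f"{ip} is not an RFC 1918 address")
    return f"{str(addr).replace('.', '-')}.{zone}"


if __name__ == "__main__":
    # Constructed sample names, not taken from the service.
    for n in ("192-168-1-50.lancert.dev", "app.192-168-1-50.lancert.dev",
              "172-32-0-1.lancert.dev", "127-0-0-1.lancert.dev",
              "8-8-8-8.lancert.dev", "192-168-01-50.lancert.dev"):
        print(f"{n:32} -> {ip_from_name(n)}")
```

Names that decode to loopback, public, or out-of-range addresses return None, which a resolver built this way would answer with no record.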

API

Issuance is asynchronous. POST triggers it, GET polls for the result.

Endpoint             Description
POST /certs/{ip}     Request a certificate. 200 cached | 202 started
GET /certs/{ip}      Fetch certificate status. 200 ready | 202 pending | 404 not found
GET /certs/{ip}/ttl  Remaining certificate validity

Development use only

These certificates are meant for local development. There is no ownership concept for private IPs — anyone can request a certificate for any RFC 1918 address. Security relies on LAN isolation. Do not use in production.