Hacker News

Why do you need this? You can get SSL certificates for IP addresses, anything that is a 'common name'.

https://1234:5678:9abc:def0:1234:5678:9abc:def0 should work just as well as https://1234-5678-9abc-def0-1234-5678-9abc-def0.has-a.name.

Right?



Letsencrypt won't issue certificates to IP addresses, but will to domain names (including those assigned by dynamic DNS providers, though most dynamic DNS providers need manual sign-up with a username and password).

Of course, has-a.name will be rate-limited to 50 certificates a week by Letsencrypt until they get themselves onto the public suffix list. And whether it's a good idea to bypass LE's no-certs-for-IP-addresses policy is another matter...


Couldn't they just get a wildcard cert for "*.has-a.name"?


And give it to everyone?


Not sure what you mean by "give it to everyone". Who are they giving it to?


Anyone who then wants their site accessible through this. It’s not a proxy, they’re just returning your IPv6 address based on what subdomain you type.

In order for a wildcard to work, every single user of the service needs the private key for that wildcard certificate.


I feel like I'm missing something. How is this different than AWS providing a wildcard certificate for every S3 bucket via https://<bucket>.s3.amazonaws.com. Is it the same thing?


Yes, you are missing something: an S3 bucket resolves to Amazon's servers. <ipv6>.has-a.name resolves to the IP address specified in <ipv6>. You will have to install the certificate on the actual server that serves the webpage. For an S3 bucket this is Amazon, so they can put their certificate there. For your own IP, you need to install the certificate yourself, so they would have to hand you their private key as well, which is not allowed.


Yup. This is one thing I hate about AWS. Oh sure, make it nice and easy to use the wildcard cert on any AWS infrastructure. But what if you want to use that wildcard cert somewhere else? Too bad. AWS holds the private key for your wildcard cert, and they don't give it to you. They hold it hostage on their server.


Considering the domain is amazonaws.com, it is only fair they keep it with themselves. They can't be in the business of providing arbitrary subdomains under their parent domain just to have it point to some other external IP.


I'm talking about custom domains. You can set up AWS to manage certs for mycompany.com (for example). When you do that they ought to give you a copy of the private key to *.mycompany.com. I am not talking about the amazonaws.com certs.


Uhhh, I am really glad they don’t share it with me or anyone else... if they did, then any other customer of AWS could impersonate me.


>Uhhh, I am really glad they don’t share it with me or anyone else

It's your domain, you ought to own it. Obviously no one else should. If you buy a wildcard cert from, say, Comodo (or a number of other cert houses) you can use that cert on any provider you wish, or use it on your own local infrastructure. You get the private and public key, as you should.


Because that DNS entry resolves to Amazon-owned servers which have the certificate and key. This service resolves the DNS entries to your own server, meaning requests would hit your server, which would require your server to respond with the signed certificate and have control of the accompanying private key.


Are there others who issue?


You need to wrap IPv6 addresses in brackets, else it gets confused with the :port# syntax. http://[::1]/ or http://[::1]:123/ for instance.
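As an added example (not code from any commenter in this thread or from the has-a.name service), the following script shows both conventions discussed above: mapping an IPv6 address to the dash-separated subdomain form from the thread's example, and building a URL for a literal IPv6 host with the brackets that keep its colons apart from the :port separator. The suffix "has-a.name" is taken from the thread; it is an assumption that the service expects all eight groups fully expanded, and the sample addresses are constructed for illustration.

```python
import ipaddress
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample inputs, not taken from the page.
SAMPLE_FULL = "1234:5678:9abc:def0:1234:5678:9abc:def0"
SAMPLE_COMPRESSED = "2001:db8::1"
# Domain named in the thread; treating it as a fixed suffix is an assumption.
SUFFIX = "has-a.name"


def to_dashed_name(addr: str, suffix: str = SUFFIX) -> str:
    """Map an IPv6 address to the dash-separated subdomain form shown in the thread.

    Assumption: the service wants all eight zero-padded groups, as in the
    thread's example; how it treats the '::' shorthand is not stated there,
    so the address is always expanded first.
    """
    ip = ipaddress.IPv6Address(addr)          # validates and normalises the input
    groups = ip.exploded.split(":")           # eight zero-padded 4-hex-digit groups
    label = "-".join(groups)                  # 39 chars, under the 63-char DNS label limit
    return f"{label}.{suffix}"


def from_dashed_name(name: str, suffix: str = SUFFIX) -> str:
    """Inverse of to_dashed_name: recover the compressed IPv6 address from the hostname."""
    label = name.lower().rstrip(".")
    tail = "." + suffix
    if label.endswith(tail):
        label = label[: -len(tail)]
    groups = label.split("-")
    if len(groups) != 8:
        raise ValueError("expected eight dash-separated hex groups")
    return str(ipaddress.IPv6Address(":".join(groups)))


def ipv6_url(addr: str, port: Optional[int] = None, scheme: str = "https") -> str:
    """Build a URL for a literal IPv6 host.

    RFC 3986 requires the address in square brackets so its colons are not
    mistaken for the host:port separator.
    """
    host = f"[{ipaddress.IPv6Address(addr).compressed}]"
    if port is not None:
        return f"{scheme}://{host}:{port}/"
    return f"{scheme}://{host}/"


def split_host_port(url: str) -> Tuple[Optional[str], Optional[int]]:
    """Show how a standard URL parser sees host and port; None when it cannot tell."""
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:                        # e.g. port text such as ':1:8443'
        port = None
    return parts.hostname, port


if __name__ == "__main__":
    print(to_dashed_name(SAMPLE_FULL))
    print(from_dashed_name(to_dashed_name(SAMPLE_COMPRESSED)))
    # Bracketed: parser separates host and port.
    print(split_host_port(ipv6_url(SAMPLE_COMPRESSED, 8443)))
    # Unbracketed: parser cannot tell host from port.
    print(split_host_port("https://::1:8443/"))
```

The last two calls are the point of the bracket rule: the bracketed form yields a host and a port, while the unbracketed "https://::1:8443/" leaves the parser unable to recover either.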


In theory you can get a certificate for anything that vaguely resembles an X.500 directory object. Whether some CA will sign such a certificate and whether it is accepted by clients is a different issue.



