Let’s Encrypt 2016 in Review

429 points | dankohn1 | 9 years ago | letsencrypt.org

82 comments

[+] beeker87|9 years ago|reply
Just want to say, I'm not affiliated with LE, but I think it makes a lot of sense to donate to them if you use their services regularly.

From my own use case, integrating TLS for my site via LE and the autocert package in Go has been seamless. It's completely free (if you want it to be), and it looks like I won't have to worry about renewing certs anymore. The service LE is providing is amazing. Just thinking of the millions of dollars they're collectively saving everyone, yearly, is pretty crazy.

If anyone at LE reads this, thank you for your work!

[+] johnnycarcin|9 years ago|reply
Yes! At my job I've set up a per-paycheck donation to LE because they have saved me so much time (apache, nginx and caddy automagic SSL) and in the long run it'll probably still be cheaper than buying one of the SSL certs from the other companies.
[+] dvko|9 years ago|reply
I fully agree, which is why I set up a recurring donation for what I would otherwise pay to some commercial certificate authority. LetsEncrypt is doing great work!

What's crazy to me is that their crowdfunding campaign [1] has only raised $100K so far, considering what they're doing.

1: https://www.generosity.com/community-fundraising/make-a-more...

[+] gog|9 years ago|reply
Which Go package do you use?
[+] Klathmon|9 years ago|reply
It sounds like everything is running fantastically for them, and I'm really glad.

LE has saved us from spending many man hours of time updating certificates across all dev, staging, and live machines across all of our servers every year (which just so happens to be almost exactly the amount of time needed to forget some of the details of what needs to be done...).

But all that being said, when are we going to see a competitor pop up? Clearly what they are doing is working, so when are we gonna see some others attempt to do this? Having all your eggs in one basket is never a good thing in any part of life (no matter how perfect that basket is).

Having more than one "Let's Encrypt" would at the very least spread out some of the risk, and might even enable them to specialize a bit more (perhaps the competitor could target the issue of wildcard certs, or be somehow tailored for the use case of needing thousands of subdomains).

Has there been anyone else trying this?

[+] M2Ys4U|9 years ago|reply
I agree, for two reasons:

1) Let's Encrypt are based in the United States and are already forbidden from issuing domains to certain people[0] due to US law.

2) Having a separate production implementation of an ACME-compliant system would help make sure that the protocol is as robust as it can be.

[0] Notably Iran and Syria - several certificates issued for gov.[ir|sy] had to be revoked after they slipped past their blocklist: https://community.letsencrypt.org/t/blocklist-incident-novem...

[+] mhurron|9 years ago|reply
LE arose from an EFF/Mozilla effort to get encryption everywhere, an aim that obviously is close to the EFF's mission.

What would be the motivation for a competitor?

[+] dingaling|9 years ago|reply
> LE has saved us from spending many man hours of time updating certificates

Just out of interest, how are you managing the 90-day renewal schedule? Don't you need some means of verifying that timely renewal has occurred?

Since you mention dev and staging I assume you've implemented a central certificate-management server that talks with LE and then issues the certs to the internal machines?
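The check this comment asks about, as an added example rather than anything the commenter or Let's Encrypt published: a small renewal monitor in Go that parses a PEM certificate, computes the time left until NotAfter and flags it once it enters a 30-day renewal window (the window size is an assumption borrowed from common client defaults, not a Let's Encrypt rule). The self-signed certificate it inspects is constructed inline so the program runs offline; a real monitor would read the live certificate from disk or from a TLS handshake to each server.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// renewBefore is the assumed renewal window: flag a certificate once it has
// 30 days or less left of its 90-day lifetime.
const renewBefore = 30 * 24 * time.Hour

// CertStatus is what the monitor reports for one certificate.
type CertStatus struct {
	Hosts     []string
	NotAfter  time.Time
	Remaining time.Duration
	Expired   bool
	NeedRenew bool
}

// CheckPEM parses a PEM-encoded certificate and decides, relative to now,
// whether it has expired or has entered the renewal window.
func CheckPEM(pemBytes []byte, now time.Time) (CertStatus, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return CertStatus{}, fmt.Errorf("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return CertStatus{}, err
	}
	remaining := cert.NotAfter.Sub(now)
	return CertStatus{
		Hosts:     cert.DNSNames,
		NotAfter:  cert.NotAfter,
		Remaining: remaining,
		Expired:   remaining <= 0,
		NeedRenew: remaining <= renewBefore,
	}, nil
}

// selfSignedPEM builds a throwaway self-signed certificate valid for the given
// window. It exists only so the example runs offline (constructed test data).
func selfSignedPEM(hosts []string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: hosts[0]},
		DNSNames:     hosts,
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	now := time.Now().Truncate(time.Second)
	// Constructed sample: a 90-day certificate issued 70 days ago, so 20 days remain.
	pemBytes, err := selfSignedPEM([]string{"www.example.test"},
		now.Add(-70*24*time.Hour), now.Add(20*24*time.Hour))
	if err != nil {
		panic(err)
	}
	st, err := CheckPEM(pemBytes, now)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%v expires %s (%.0f days left); renew now: %v\n",
		st.Hosts, st.NotAfter.Format(time.RFC3339), st.Remaining.Hours()/24, st.NeedRenew)
}
```

Run it against each host's served certificate on a schedule and alert on NeedRenew; a certificate that is still inside the window on the next run means the automated renewal did not happen, which is exactly the failure the question is about.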

[+] trey-jones|9 years ago|reply
StartCom (the name behind StartSSL) launched StartAPI/StartPKI in May. I would call it a direct competitor to LetsEncrypt.
[+] lunaru|9 years ago|reply
Let's Encrypt + widespread SNI adoption is making it dead easy for SaaS companies like ours to host customer content on customer chosen domains. So their existence doesn't just help the technically proficient -- the "long tail" of websites published through various platforms will start seeing HTTPS as a default. And that's very much a good thing. For example, there should be no reason for publication platforms (like say Medium to pick on an example) to have such complicated custom domain + SSL configurations in the future.

The next step I'd like to see is all the $5 shared hosts supporting HTTPS by default via something like Let's Encrypt. There's really no excuse anymore.

BTW, shameless plug: We've found this process so easy that we've spun a side project out of our main SaaS project called clearalias.com. It's basically a Let's Encrypt proxy that makes it even easier to publish customer content via custom domains secured with HTTPS.
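The SNI mechanism this comment relies on, as an added illustration that is not code from the commenter, clearalias.com or Let's Encrypt: a Go certificate store that answers each TLS handshake with the certificate registered for the client's SNI name, with an exact match first and a one-label wildcard second, and refuses names no customer has registered so a stray hostname never gets a default certificate. The customer domains and the leaf-only certificates are constructed sample data (no key material), since the point is the selection logic, not a full handshake.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"strings"
)

// ErrUnknownHost is returned when the SNI value names a domain no customer has
// registered; the handshake then fails instead of presenting a default cert.
var ErrUnknownHost = errors.New("sni: host not registered")

// CertStore holds one certificate per registered customer domain.
// Wildcard entries are keyed as "*.parent.example".
type CertStore struct {
	certs map[string]*tls.Certificate
}

func NewCertStore() *CertStore {
	return &CertStore{certs: map[string]*tls.Certificate{}}
}

// normalizeHost lowercases and strips a trailing dot: SNI names are matched
// case-insensitively and "host." names the same host as "host".
func normalizeHost(h string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(h)), ".")
}

// Add registers a certificate for a host after checking that the leaf really
// covers that name, so a mismatched upload fails at deploy time rather than
// as a browser warning on the customer's site.
func (s *CertStore) Add(host string, cert *tls.Certificate) error {
	host = normalizeHost(host)
	if cert.Leaf == nil {
		return errors.New("certificate has no parsed leaf")
	}
	probe := host
	if strings.HasPrefix(host, "*.") {
		probe = "probe" + host[1:] // any label under the wildcard
	}
	if err := cert.Leaf.VerifyHostname(probe); err != nil {
		return fmt.Errorf("certificate does not cover %s: %w", host, err)
	}
	s.certs[host] = cert
	return nil
}

// Lookup resolves an SNI name: exact match, then the wildcard one label up.
// An empty SNI is rejected because on a shared host there is no single
// correct certificate to fall back to.
func (s *CertStore) Lookup(serverName string) (*tls.Certificate, error) {
	host := normalizeHost(serverName)
	if host == "" {
		return nil, errors.New("sni: client sent no server name")
	}
	if c, ok := s.certs[host]; ok {
		return c, nil
	}
	if i := strings.IndexByte(host, '.'); i > 0 {
		if c, ok := s.certs["*"+host[i:]]; ok {
			return c, nil
		}
	}
	return nil, ErrUnknownHost
}

// GetCertificate has the signature tls.Config.GetCertificate expects.
func (s *CertStore) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	return s.Lookup(hello.ServerName)
}

// leafOnly builds a constructed certificate carrying just its SAN list.
func leafOnly(sans ...string) *tls.Certificate {
	return &tls.Certificate{Leaf: &x509.Certificate{DNSNames: sans}}
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// demoStore registers two constructed customer domains (not real ones).
func demoStore() *CertStore {
	s := NewCertStore()
	must(s.Add("shop.customer-one.test", leafOnly("shop.customer-one.test")))
	must(s.Add("*.pages.platform.test", leafOnly("*.pages.platform.test")))
	return s
}

func main() {
	s := demoStore()
	cfg := &tls.Config{GetCertificate: s.GetCertificate, MinVersion: tls.VersionTLS12}
	_ = cfg // hand this to tls.Listen or http.Server in a real deployment
	for _, name := range []string{"SHOP.customer-one.test.", "alice.pages.platform.test", "other.test", ""} {
		c, err := s.Lookup(name)
		if err != nil {
			fmt.Printf("%q -> %v\n", name, err)
			continue
		}
		fmt.Printf("%q -> cert for %v\n", name, c.Leaf.DNSNames)
	}
}
```

Wiring `GetCertificate` into the `tls.Config` is all the server needs; adding a customer becomes a call to `Add` with their freshly issued certificate, and removing one stops the server from ever answering for that name again.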

[+] i_ride_bart|9 years ago|reply
> The next step I'd like to see is all the $5 shared hosts supporting HTTPS by default via something like Let's Encrypt. There's really no excuse anymore.

Excellent point. I can see Let's Encrypt turn into one of those crucial infrastructure providers (similar to square/stripe/paypal for payments) but for https.

[+] sofaofthedamned|9 years ago|reply
Love LE. I've got people who didn't even know about TLS to use it as a matter of course; they now see it as a badge of honour to pass the ssllabs tests with an A+. They've changed the internet for the better.
[+] serge2k|9 years ago|reply
I got an F.

I should probably update things.

[+] spiderfarmer|9 years ago|reply
The fact that these certificates are free and the fact that it's so easy to use has enabled me to move almost all of my websites to https. A project like this really is moving the web forward.
[+] nickpp|9 years ago|reply
Honest question: is there a catch?

Why do all the other CAs cost so much and take so long when the actual cert is generated in seconds?

Isn't that how it's supposed to work and LE is breaking the rules, thus living on borrowed time?

If it was possible to be so easy, why did no one else do it? What is the secret ingredient?

[+] K0nserv|9 years ago|reply
It depends on the level of certification done. If you are getting a regular SSL cert you only need to prove ownership of the domain, which can be automated easily and requires no human work. However EV (Extended Validation)[0] certificates involve a lot more due diligence on the part of the issuer. EV certs require validation of the legal entity behind the domain and this requires work to be done by a human.

AFAIK the cost of previous SSL certs has been largely artificial. Obviously running servers and paying staff to keep an automated process in place isn't free, but I reckon the cost has always been inflated quite a bit. There's also an artificial scarcity introduced because not everyone can start a CA and getting a root certificate trusted is non trivial. Let's Encrypt is sponsored so they do make some money, but this allows them to issue certs for free.

0: https://en.wikipedia.org/wiki/Extended_Validation_Certificat...

[+] pfg|9 years ago|reply
> Why do all the other CAs cost so much and take so long when the actual cert is generated in seconds?

I guess "so much" should be put in perspective: Domain Validation certificates, like the ones Let's Encrypt issue, are not really expensive - resellers typically offer them for something like $10/year. The more expensive certificates - OV and EV - involve some degree of manual verification of the information on the certificate (such as the company name). That's a large part of the cost.

But yeah, commercial CAs are (were?) money printing machines. Running Let's Encrypt costs about $3M/year, and they support >20M active certificates. Commercial CAs are going to have some marketing and support expenses, but the rest would be profit.

> Isn't that how it's supposed to work and LE is breaking the rules, thus living on borrowed time?

All CAs (should) follow the same set of rules - the Baseline Requirements. Let's Encrypt has had a pretty good track record so far - definitely better than some of the big commercial CAs like Symantec or Comodo.

> If it was possible to be so easy why no else did it? What is the secret ingredient?

To be fair, they were not the first free CA - both StartSSL and WoSign offered free DV certificates (for non-commercial usage). Not the best examples, I suppose.

Cloudflare offered free SSL (via Comodo) for their customers as well, as does cPanel via AutoSSL. It's definitely viable, it just took some time for people to care enough about encrypting the web to make it happen.

[+] seibelj|9 years ago|reply
It takes a lot of work and isn't something someone in their college dorm room can make. It takes industry contacts, specialized skills, and solid marketing to build a network and trust in the system. To do this for nonprofit is a sacrifice when the people with these skills could be chasing big money. LE is a good example of the tech community doing something that probably a government agency should be doing with tax dollars to support the industry. Private sector altruism.
[+] quickben|9 years ago|reply
Well, it captures the niche target userbase that would otherwise self-sign a certificate to protect the channel. It's a lot easier to push Let's Encrypt for the master keys than go after N people that would go through the trouble to generate a self signed cert to secure the channel.
[+] user5994461|9 years ago|reply
Why do banknotes cost so much? It's just a stupid paper made up of cotton with ink on top.

Because some agencies have the monopoly to print them and they've made it very difficult for anyone else to get into that printing business, and it turns out that that product is valuable to a lot of people and they're willing to assign a lot of money to it.

[+] Fej|9 years ago|reply
My experience with Let's Encrypt hasn't been great, but that's not LE's fault. Long story short, don't use Namecheap, at the very least not their shared servers.

From their support:

"Though we believe increased web security is a good thing, we also think that using certificates from free providers can get more risk and uncertainty into your business. Additionally, we would like to draw your attention to several disadvantages and drawbacks of Let's Encrypt certificates:

1. No OV/EV support or possibility (no possibility to issue a certificate with medium or high assurance and user trust level);

2. Insufficient level of domain validation and the absence of brand validation (All publicly trusted CAs are flagging the certificate containing IT, financial and other public words, brands etc for additional security checks, which is not applicable for LE.)

3. Short validity period (for LE certificates - only 90 days, for all trusted certificate providers - up to 39 months).

Since the nature of shared and reseller hosting implies having a significant number of independent customers' accounts on the same server instance, we cannot put at risk our other clients by enabling not fully secure technology.

These and other concerns (for example the fact that ACME-script for Let's Encrypt requires root access and is able to overwrite server configs) make us refrain from supporting Let's Encrypt on our shared servers. We hope for your kind understanding on the matter."

----------

Feel free to reply with other hosts that don't support LE, so I can avoid them (and hopefully others too!)

[+] devwastaken|9 years ago|reply
"These and other concerns (for example the fact that ACME-script for Let's Encrypt requires root access and is able to overwrite server configs) make us refrain from supporting Let's Encrypt on our shared servers. We hope for your kind understanding on the matter."

This is one of the problems I've had with LE, and the community defends it by saying that there are other tools, and forks of tools you can use, when the problem with those is that they could easily go out of date if LE changes anything and they'd never be fixed. Updating your certificates needs to be done in a reliable and contained manner, but nobody wanted to admit that LE tools don't do that.

I don't recommend LE unless you're actively maintaining a server and can invest the time into creating your own contained update script. I know hosters like Dreamhost have it built in and will auto-update for you, which is nice.

[+] artursapek|9 years ago|reply
I can't think of a single person or entity that has a reason to dislike LE (except for the for-profit certificate companies, maybe).
[+] dpwm|9 years ago|reply
We live in a world where people take strong and increasingly indecipherable stances on the things they know almost nothing about.

There are unpaid supporters for three-letter agencies who have made moves to ban encryption. With LE anyone can obtain a certificate and set up an in-memory ephemeral message board that uses "unbreakable encryption." I don't know of any people who would be able to explain how to implement cryptography actually taking this stance.

There are apologists for the rent-seeking behaviour of academic journals, usually ill-informed (wrongly assuming that editing and peer review are not volunteer positions) and repeating arguments verbatim from those on the payroll that happen to resonate with whatever political line they follow. Still, they themselves are not on the payroll.

I can imagine, given sufficient technical knowledge or an article aimed at a mass audience, certain pro-market contrarians could definitely find reason to hate this. Maybe even twice.

If you're genuinely pro-market, you should have no problem with an industry that pools funds to mitigate rent-seeking behaviours of an oligopoly, reduce the cost of a product for which there is no substitute and increase utilisation of other resources.

[+] techman9|9 years ago|reply
People who want to eavesdrop on your HTTP connections.
[+] ns8sl|9 years ago|reply
btw, if you are not totally comfortable with certbot, there is a free monitoring service at https://letsmonitor.org
[+] breakingcups|9 years ago|reply
That's a bit odd. "It’s completely free." vs. "Register for a LetsMonitor.org Free Trial"

Which is it?

[+] LinuxBender|9 years ago|reply
Is there a list of major B2B and eCommerce sites using LE for their primary customer facing sites? This would be useful if our customers brought it up.

Are there any plans or water-cooler discussions around supporting wildcard or multi-sub-domain SAN wildcard certs?

[+] pfg|9 years ago|reply
> Is there a list of major B2B and eCommerce sites using LE for their primary customer facing sites? This would be useful if our customers brought it up.

W3Techs[1] is generally a good source for this kind of information. Themeforest seems to be using them, for example. (Certificates issued by Let's Encrypt are counted under the IdenTrust root on W3Tech, since that's the CA that cross-signed Let's Encrypt.) Generally speaking, they get used on low-traffic sites (compared to the other major CAs), but that's not really surprising.

[1]: https://w3techs.com/technologies/details/sc-identrust/all/al...

[+] jwilk|9 years ago|reply
What does "y" mean on the graph labels?
[+] clowd|9 years ago|reply
I'm going to go with "y axis" but it's just a guess.
[+] skrowl|9 years ago|reply
Still no official client for IIS. Maybe in 2017!