Let’s Encrypt is a new certificate authority that entered the internet scene at the end of 2015.
Let’s Encrypt is not simply another certificate authority, if for no other reason than the certificates are free, whereas the vast majority of existing certificate authorities sell SSL/TLS certificates for a price that depends on the certificate type.
However, Let’s Encrypt is not only free. Quoting the homepage: Let’s Encrypt is free, automated, and open.
But what does that mean? In this article I’ll share some of the direct consequences of that quote to help you better understand how Let’s Encrypt (currently) works. My goal here is not to judge or advertise the service offered by Let’s Encrypt (either in a negative or positive way), but rather to provide an overview of what you should expect if you use this service, and let you decide whether Let’s Encrypt is a good fit for you or not.
In addition, since I’ve been closely monitoring and testing the service for the last few weeks for personal and business use, I’ll also provide some extra details you should know about the current status of the project and the issued certificates.
Let’s Encrypt is free
And this is a fact. It’s also very easy to understand: any certificate issued by Let’s Encrypt is free as in beer and you don’t need to pay for it (as long as you obtain it directly from the Let’s Encrypt website, as other providers may still resell the service in one way or another).
However, wording is important here: it’s not true that Let’s Encrypt will issue any kind of certificate for free (and this is a common misunderstanding). Not because Let’s Encrypt charges you for some SSL certificate types, but because there are some types of certificates that Let’s Encrypt will not issue at all (more on that below).
Let’s Encrypt is free to use, but not free to run or operate. Developing, maintaining, and operating a certificate authority is very complex. There are non-trivial technical challenges associated with cryptography, but also security risks and implications associated with the ability to issue publicly trusted SSL certificates: a mistake in validation or a compromised signing key affects every browser that trusts the CA. The reason I bring this to your attention is that, regardless of your opinions about the current or future state/policies/decisions of the Let’s Encrypt service, you should respect the work of the people directly or indirectly involved with this project.
Let’s Encrypt is Automated
The operational model of Let’s Encrypt is designed to be completely automated: no manual intervention should be required to register for the service, request, issue, revoke or renew a certificate.
The goal is to encourage the development of libraries, tools, and services that can automate the deployment of secure sites. Nowadays the issuance process often involves manual steps (such as email-based validation) that represent a bottleneck for automatic deployment and drastically hinder large-scale HTTPS adoption.
It’s easy to understand that this operational model has some limitations: Let’s Encrypt only issues domain-validated (DV) certificates, and does not support OV or EV certificates, because vetting the identity of an organization cannot be fully automated. This is an important aspect to keep in mind, but keep reading.
If you have some programming skills, it’s clear that the possibilities offered by Let’s Encrypt and a fully-automated process are almost infinite: you can integrate it into your service, create a command line tool, or script the deployment of a new machine from zero to HTTPS without a single human intervention.
Let’s Encrypt is Open
All the Let’s Encrypt code and protocol specifications are on GitHub.
letsencrypt/boulder is the heart of the service. It’s the certificate authority source code, written in Go. It contains the core modules, the validation authority, the certificate authority, everything.
letsencrypt/letsencrypt is a client, written in Python, that can be used to obtain certificates and extensibly update server configurations automatically. The client is compatible with Let’s Encrypt and any other authority that follows the specifications of the ACME protocol.
The ACME specification itself is also open. This protocol was designed to automate the management of domain-validated certificates, based on a simple JSON-over-HTTPS interface: the client proves control of a domain by answering a challenge from the CA, and only then can it request a certificate for that domain.
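As an added example (not code from Let’s Encrypt, Boulder, the official client or the ACME draft), the following simulates the domain-validation step that the automated model described above depends on, using the http-01 challenge: the CA hands the client a random token, the client publishes the key authorization token.thumbprint (the RFC 7638 thumbprint of its account key) under /.well-known/acme-challenge/, and the CA fetches that path and compares. Both sides run in one process; the account JWKs are constructed placeholders rather than real keys, and the CA’s HTTP fetch is a dictionary lookup.

```python
"""Simulated ACME http-01 challenge round trip (added example, not Let's Encrypt's code)."""
import base64
import hashlib
import hmac
import json
import os

CHALLENGE_PATH = "/.well-known/acme-challenge/"

# Constructed sample account keys: only the shape matters, these are not real RSA moduli.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-sample-modulus-1", "alg": "RS256"}
OTHER_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-sample-modulus-2"}


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME and JOSE use throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: required members only, lexicographically sorted, no whitespace, SHA-256.
    Optional members such as "alg" or "kid" must not change the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """What the client publishes: binds the challenge to a specific ACME account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


class FakeValidationAuthority:
    """CA side: issues tokens, then fetches and checks the published key authorization."""

    def __init__(self):
        self.pending = {}  # token -> (domain, account JWK that asked for the authorization)

    def new_http01_challenge(self, domain: str, account_jwk: dict) -> str:
        token = b64url(os.urandom(32))  # 256 bits of entropy; must be unguessable
        self.pending[token] = (domain, account_jwk)
        return token

    def validate(self, token: str, fetch) -> bool:
        """fetch(domain, path) stands in for the CA's HTTP GET against port 80 of the domain."""
        domain, account_jwk = self.pending.pop(token, (None, None))
        if domain is None:
            return False  # unknown, or already consumed: a token is good for one attempt
        body = fetch(domain, CHALLENGE_PATH + token)
        if body is None:
            return False
        expected = key_authorization(token, account_jwk)
        # The body is attacker-influenced input to the CA; compare in constant time.
        return hmac.compare_digest(body.strip().encode("utf-8"), expected.encode("ascii"))


class FakeWebroot:
    """Client side: a dict standing in for files under the web server's document root."""

    def __init__(self, domain: str):
        self.domain = domain
        self.files = {}

    def provision(self, token: str, account_jwk: dict) -> None:
        self.files[CHALLENGE_PATH + token] = key_authorization(token, account_jwk)

    def serve(self, domain: str, path: str):
        # Only answers for its own domain, like a real vhost would.
        return self.files.get(path) if domain == self.domain else None


def run_http01(domain: str, account_jwk: dict, published_jwk: dict = None) -> bool:
    """One complete exchange; returns True iff the CA accepts the challenge.
    published_jwk lets the caller simulate a client that publishes an authorization
    computed for a different account key (the CA must reject that)."""
    va = FakeValidationAuthority()
    site = FakeWebroot(domain)
    token = va.new_http01_challenge(domain, account_jwk)
    site.provision(token, published_jwk or account_jwk)
    return va.validate(token, site.serve)


if __name__ == "__main__":
    print("honest client accepted:", run_http01("example.com", SAMPLE_JWK))
    print("wrong account key rejected:", not run_http01("example.com", SAMPLE_JWK, OTHER_JWK))
```

The thumbprint in the key authorization is what stops a third party who can write to your webroot from completing the challenge for their own account: they would need your account’s private key to sign the ACME requests that go with it. In the real protocol the CA also resolves the domain and connects from its own vantage point, so a file that only you can see from inside your network proves nothing.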
From the practical point of view of a technical person, Let’s Encrypt being open source means:
- if something is broken, you can fix it
- if something is missing, you can add it
- if something is outdated, you can update it
- contributors can contribute, but maintainers have to maintain (and to lead the service)
From the practical point of view of a user, Let’s Encrypt being open source means transparency.
Moreover, if you have a question or a doubt, you can generally find the answer in the source code, or someone can point you to it. If you have ever had to deal with a certificate authority in the past, you probably know how hard it is to get technical information or knowledgeable support (especially from their first-line customer service).
Beta and Limitations
Although the original meaning of beta has been drastically altered in recent years, in this case beta indicates that the service still hasn’t reached the maturity to be considered stable and complete. Therefore, it is potentially unstable, incomplete, and under heavy development.
In general, the following statement pragmatically summarizes the current state of the project:
In this section, I’ll talk about some of the limitations and outstanding issues that will likely affect your usage of the service.
Rate Limiting
It’s not by coincidence that this topic is the first one of the Beta section. It’s definitely one of the most popular “issues”. During this beta test, Let’s Encrypt has very tight rate limiting in place. They plan to loosen these limits as the beta proceeds.
There are two rate limits in play:
- Registrations/IP address limits the number of registrations you can make in a given time period; currently 10 per 3 hours.
- Certificates/Domain is 5 certificates for a registered domain in a sliding window of 7 days.
A registered domain is a combination of a Top Level Domain + Domain: www.example.com and api.example.com both count against example.com. Each issued certificate counts against the limit of every registered domain it covers, so a single SAN certificate spanning names under several registered domains counts against each of them.
You should use the staging environment for testing, before using the production environment. This will allow you to get things right before issuing trusted certificates and reduce the chance of hitting the rate limits.
See the official answer about rate limiting. Rate limits also apply to renewals and reissues, so a renewal loop that retries too eagerly can lock you out of a domain for a week.
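As an added example (this is not Boulder’s rate-limiting code, only a client-side model of the two limits stated above), the following pre-flight check lets a deployment script refuse an issuance that the CA would reject, and tells the operator when the sliding window frees up. It assumes the limits quoted in this section (10 registrations per IP per 3 hours, 5 certificates per registered domain per 7 days) and simplifies “registered domain” to the last two labels; a real implementation must consult the Public Suffix List, otherwise shop.example.co.uk would collapse to co.uk.

```python
"""Client-side model of the beta rate limits (added example, not Let's Encrypt's code)."""
from collections import defaultdict
from datetime import datetime, timedelta

CERTS_PER_REGISTERED_DOMAIN = 5
CERT_WINDOW = timedelta(days=7)
REGISTRATIONS_PER_IP = 10
REGISTRATION_WINDOW = timedelta(hours=3)


def registered_domain(name: str) -> str:
    """TLD + one label, as the page defines it.
    Simplification: last two labels only; use the Public Suffix List in real code."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a valid FQDN: {name!r}")
    return ".".join(labels[-2:])


def _recent(events, window: timedelta, now: datetime):
    """Events inside the sliding window (now - window, now]."""
    return [t for t in events if now - window < t <= now]


class IssuanceLedger:
    """Records what this client has already done, so it can predict the CA's answer."""

    def __init__(self):
        self.certs = defaultdict(list)          # registered domain -> issuance times
        self.registrations = defaultdict(list)  # client IP -> registration times

    def blocked_domains(self, san_names, now: datetime) -> dict:
        """Registered domains that would exceed the limit, mapped to the time their
        window frees up. Empty dict means the request may go ahead.
        A SAN certificate counts once per registered domain it covers, not once per name."""
        blocked = {}
        for reg in sorted({registered_domain(n) for n in san_names}):
            recent = _recent(self.certs[reg], CERT_WINDOW, now)
            if len(recent) >= CERTS_PER_REGISTERED_DOMAIN:
                blocked[reg] = min(recent) + CERT_WINDOW
        return blocked

    def record_certificate(self, san_names, now: datetime) -> None:
        """Call after every successful issuance. Renewals and reissues count too."""
        for reg in {registered_domain(n) for n in san_names}:
            self.certs[reg].append(now)

    def registration_allowed(self, ip: str, now: datetime) -> bool:
        return len(_recent(self.registrations[ip], REGISTRATION_WINDOW, now)) < REGISTRATIONS_PER_IP

    def record_registration(self, ip: str, now: datetime) -> None:
        self.registrations[ip].append(now)


if __name__ == "__main__":
    ledger = IssuanceLedger()
    t0 = datetime(2015, 12, 10, 9, 0)
    for hour in range(5):
        ledger.record_certificate(["www.example.com"], t0 + timedelta(hours=hour))
    # The sixth request within the week is refused; the reply says when to retry.
    print(ledger.blocked_domains(["example.com"], t0 + timedelta(days=1)))
```

Run the same check against the staging environment first: staging has separate, looser limits, and a script that works there without tripping this ledger is unlikely to burn production quota.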
Does not work on XP
Certificates issued by Let’s Encrypt don’t play well on Windows XP. The issue is still under investigation, and there is an open ticket.
Does not work on Java
Java currently doesn’t recognize the certificate because the chain is not trusted: the Let’s Encrypt intermediate is cross-signed by IdenTrust’s DST Root CA X3, and that root is missing from the trust store shipped with older Java versions, so the intermediate cannot be validated. See compatibility.
Official Client
Let’s Encrypt is committed to the development of an official ACME client. The client is written in Python, and will support the majority of platforms.
The Let’s Encrypt Client is a fully-featured, extensible client for the Let’s Encrypt CA (or any other CA that speaks the ACME protocol) that can automate the tasks of obtaining certificates and configuring web servers to use them. Please remember the client is currently beta software.
The most relevant (current) limitations of the official client are:
- It only supports Debian-based OSes (such as Debian and Ubuntu). Support for other platforms is either experimental (such as Mac OS X) or not available yet
- It only supports Apache. The Nginx integration is experimental; however, it’s also possible to generate a certificate manually using the
- It doesn’t support the DNS challenge, so it cannot validate a domain via DNS. Most third-party clients already support it.
- It doesn’t support Python 3
Elliptic Curve Cryptography (ECC) support
Right now, all the root and intermediate keys use RSA. Let’s Encrypt is planning to generate ECC keys and support Elliptic Curve Cryptography at some point in 2016.
Internationalized Domain Names support
Internationalized domain names are currently not supported. Let’s Encrypt will eventually support them, but it’s still not clear whether it will be before or after the general availability. There is currently no ETA.
How to Set Up Let’s Encrypt on Windows Server
Let’s Encrypt is a free way to get an SSL certificate onto your website and until recently I had never tried it. It is very easy and I think it is awesome.
IIS is the web server software that Microsoft includes with Windows 10 and Windows Server. I have it installed on my laptop and it displays the default IIS page.
It is not really a good idea to host websites on your laptop; use a dedicated web server, or host with a hosting company. However, the techniques are the same and it gives me something to write about!
In order to point a domain name at what IIS on my machine was serving up, I did the following:
- Do a google search for “whats my IP.” This will return your public IP. Most residential ISPs use dynamic IPs, so it may change over time (which is another reason not to host a website on your laptop!).
- Add an A record on a domain with the IP address you have just got.
- Your public IP most likely points at your router, not your laptop, so enable port forwarding of port 80 and port 443 to the internal IP of your laptop (something like 192.168.0.11, etc.). Let’s Encrypt’s HTTP-based validation connects to port 80 of your domain from the internet, so if that port is not reachable the challenge fails and no certificate is issued.
Now comes the fun Let’s Encrypt stuff!
First, you need a Let’s Encrypt client. There are a lot of them out there, mostly for Linux flavors; however, a bit of googling found a Windows one. Go to https://github.com/PKISharp/win-acme/releases, download the zip file and unzip it.
Run the executable from the zip file and follow the onscreen prompts.
Press N to create a new certificate.
Then press 1 to bind to the single website found in your IIS setup.
And now, magically, Let’s Encrypt knows what you have setup in IIS.
Now, all you need to do is enter an email address (used to notify you if a renewal fails) and agree to the Let’s Encrypt terms, and you are all set up!
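Once the binding is in place, the check worth running (from any machine, not the server) is whether the certificate IIS actually presents is the one you expect and how long it has left. The script below is an added example, not part of win-acme or this guide: it connects with Python’s default verifying context, so a failure there already tells you the chain IIS serves is incomplete or untrusted, and it flags certificates inside the renewal window. SAMPLE_CERT is a constructed dict in the shape that ssl.SSLSocket.getpeercert() returns, included so the summarising logic can be exercised without a network connection; the hostname, dates and serial in it are placeholders.

```python
"""Post-setup certificate check (added example, not win-acme's code)."""
import socket
import ssl
from datetime import datetime, timezone

# Let's Encrypt certificates are valid for 90 days; renewing with a month to spare
# leaves time to notice a failed renewal before visitors see an expired certificate.
RENEW_WITHIN_DAYS = 30

# Constructed sample in getpeercert() shape: RDNs are tuples of (name, value) pairs.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Let's Encrypt"),),
        (("commonName", "Let's Encrypt Authority X1"),),
    ),
    "notBefore": "Dec 13 12:00:00 2015 GMT",
    "notAfter": "Mar 12 12:00:00 2016 GMT",
    "serialNumber": "0123456789ABCDEF",  # placeholder
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
}


def summarize_cert(cert: dict, now: datetime) -> dict:
    """Reduce a getpeercert() dict to what an operator wants to know."""
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (not_after - now).days
    issuer = {name: value for rdn in cert["issuer"] for name, value in rdn}
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "issuer": issuer.get("organizationName"),
        "names": names,
        "days_left": days_left,
        "expired": days_left < 0,
        "renew_now": 0 <= days_left <= RENEW_WITHIN_DAYS,
    }


def fetch_cert(host: str, port: int = 443) -> dict:
    """Return the leaf certificate the server presents, after full chain verification.
    ssl.SSLCertVerificationError here means the served chain is not trusted as-is."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        print(summarize_cert(fetch_cert(sys.argv[1]), datetime.now(timezone.utc)))
    else:
        # Offline demonstration on the constructed sample.
        print(summarize_cert(SAMPLE_CERT, datetime(2016, 2, 20, 12, 0, tzinfo=timezone.utc)))
```

Schedule it to run daily and alert on renew_now or expired; win-acme’s own scheduled task should keep both false, so a true value means the renewal task stopped working, which is exactly the situation the e-mail address above is meant to cover.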
Recommended Hosting Provider for Let’s Encrypt
Since 2008, ASPHostPortal has grown into one of the best cheap ASP.NET hosting providers that offer a FREE SSL Certificate.
ASPHostPortal has various Let’s Encrypt shared hosting plans that start at an affordable price. There are 4 popular ASP.NET hosting plans that offer a FREE SSL Certificate: Host One, Host Two, Host Three, and Host Four. Host One starts at $5.00/month, Host Two at $9.00/month, Host Three (the most popular plan) at $14.00/month, and Host Four at $23.00/month. All of their ASP.NET hosting plans allow users to host unlimited domains and unlimited email accounts, include at least 1 MSSQL and 1 MySQL database, and come with a FREE Let’s Encrypt SSL Certificate.
Let’s take a look at the features of ASPHostPortal Let’s Encrypt hosting. All of their shared Let’s Encrypt hosting uses the latest Windows Server version. Additionally, ASPHostPortal Let’s Encrypt hosting has IIS 8/8.5, dedicated application pools, full trust, URL Rewrite Module 2 and Web Deploy. Below is their complete feature list:
- MS SQL 2016, 2014, 2012, and also SQL 2008
- Microsoft Access Database and MySQL;
- .NET Core, 4.5.2, 4.5.1, 4, 3.5, 2.0; MVC 5, 4, 3, 2, 1;
- Web Sockets, AJAX, Silverlight, RIA Services, LINQ;
Customers can always start from their Host One plan, which supports the latest ASP.NET hosting and also Let’s Encrypt. For more information, please visit their site at http://www.asphostportal.com.
Founded in 2008, HostForLIFEASP.NET has since grown into one of the largest Windows ASP.NET hosting companies in Europe. HostForLIFEASP.NET is operated from their registered office based in Manchester. Previously, they only had data centers in the UK and Amsterdam. Since their business is growing very fast, they spread their wings to other countries and opened 5 data centers within 5 years: Frankfurt, Milan, Paris, Seattle and Dallas.
Many developers trust them due to reliable servers, excellent customer support and a wide range of features. The company was voted best hosting provider by readers of then-popular magazines in the UK and the Netherlands. HostForLIFEASP.NET was the recipient of the “Golden European ASP.NET Hosting Services” award from Dev Pro Magazine.
HostForLIFEASP.NET has been recognized as a Microsoft Spotlight Hosting partner. They are also licensed under the Microsoft’s Service Provider Licensing Agreement (SPLA) Program. The company also received several awards from leading developer magazines and online portals.
All of HostForLIFEASP.NET’s ASP.NET shared hosting packages also support a FREE SSL Certificate through their partnership with Let’s Encrypt. Customers can easily use this FREE SSL Certificate via their control panel; it just needs to be activated with a few clicks.
To maintain the highest stability, speed and security, HostForLIFEASP.NET uses more than one datacenter. They are top datacenters, one of which is Ace Data Centers. Their network is first-class, built with hardware from Cisco, Juniper, Arbor Networks, Arista Networks, and Brocade.
HostForLIFEASP.NET ASP.NET Hosting is now offering 15% OFF all of their shared ASP.NET hosting packages. The lowest plan should start from . Now, you can enjoy it from just €2.97/month. HostForLIFEASP.NET also offers a 30-day money-back guarantee if you are not satisfied with their hosting services. Remember! On top of this discounted price, you get a FREE SSL Certificate!
Here is another top recommendation for ASP.NET hosting, UKWindowsHostASP.NET, which supports Let’s Encrypt in their control panel.
This company utilizes 5 datacenters. You can choose their London, Frankfurt, Paris, Milan, or Amsterdam data center when registering for their ASP.NET Core hosting services. They have redundant resources to support UKWindowsHostASP.NET servers. Note that UKWindowsHostASP.NET purchases servers only from Dell.
Customers can easily deploy an ASP.NET Core site via their Plesk panel. There are 3 options for deploying your ASP.NET Core files: FTP, File Manager, and WebDeploy. Customers can always start from their Economy plan (£5.99/month), which includes 5 GB storage, 50 GB bandwidth, full trust, 1 MSSQL, 1 MySQL, and unlimited email accounts. Plus their 24*7 support is awesome.