How Reliable is the Let's Encrypt SSL Certification?

#1
I was looking for an affordable SSL encryption mechanism and while surfing came across the Let's Encrypt SSL Certification. It's free and renewal is every 90 days. I would like to hear from those who have used it. How reliable is it, and is there a way to install automatic renewal?

Thanks.
 

Ryuzaki

#2
I use it on my sites. At first it wasn't as convenient but now there is a cPanel and WHM plugin called AutoSSL you can install that will automatically renew the certificate. It's a piece of cake if you're okay with SSH-ing into your server through the terminal. It's super simple:

https://blog.cpanel.com/announcing-cpanel-whms-official-lets-encrypt-with-autossl-plugin/

This is what it looks like in WHM once you have it installed.


You select Let's Encrypt and you're rocking. You can choose exactly which accounts to add it to, or you can install it for all of them in one shot.

After that, it's 100% hands free, run on a cron job.

If you use a CDN, you're not going to want to use Let's Encrypt though, because you'll have to send your certificate in to the CDN provider every 90 days. I'd either use a 365 day certificate, or as a last resort, use the CDN provider's "shared certificate"... like shared hosting.
 
#3
Let's Encrypt, as an SSL cert, is great and totally sufficient for most sites. I've had quite a few sites in production for several years now with Let's Encrypt certs, and have never had an issue. Many of those sites have also rated A or A+ on Qualys Labs SSL test and several others, of course after a bit of additional optimization (additional security response headers, not really anything cert-related).

Absolute worst case, even on a barebones server setup, management, renewal, etc. can be easily handled with a cron job.

With hosts like Netlify, for those looking to run static sites, it's about as hands free, maintenance free, and painless as possible. You don't even have to think about renewal, it's just handled automatically.
 
#4
> Let's Encrypt, as an SSL cert, is great and totally sufficient for most sites. I've had quite a few sites in production for several years now with Let's Encrypt certs, and have never had an issue. Many of those sites have also rated A or A+ on Qualys Labs SSL test and several others, of course after a bit of additional optimization (additional security response headers, not really anything cert-related).

@turbin3 Thank you for the comment. I was actually installing on GoDaddy and I see it's working. I will trust your word that it's a suitable SSL certification solution. I am going to inspect its performance on one site and if it will be effective I think I'll add it to three more sites that I run.
 
#6
I have another +1 for Let's Encrypt. With the cron job or cPanel plugin, it's 100% reliable and hands free. As far as the actual security of it, I don't know. I didn't stress test it and wouldn't know how. But it gets me on HTTPS and gets the lock in the browser with little effort (and free).
 
#7
+1 on Let's Encrypt. With the cPanel plugin (DirectAdmin also has this option) I've converted pretty much all my sites to SSL. I'd like to think Google gives you a little bump but I've never tested it. I do like that you get the little green lock on most browsers, which helps you look legit in some people's eyes.
 
#8
Yes, I also use it on all my sites. If you have cPanel hosting it is really easy to set up, even for newbies. In case your host does not support Let's Encrypt, either change hosting or look around in forums. There is a ton of information around on how to install and automate the renewal with script examples for nearly all hosting environments.
 
#9
I use it a lot. For simple certificates it's the same you're paying for from i.e. your registrar. I would always use Let's Encrypt for domain validated SSL, no reason to use any other provider.
 

becool

#10
I have used it for about six months. I switched over from Comodo which I hated. Comparatively, the Comodo certificate was a pain to obtain and an equal pain to renew.
 

CCarter

#11
Just an FYI, due to the way Let's Encrypt works by only allowing a domain to reside on a single server/IP address, it means that copying certifications to other servers is a pain, and a ton of unnecessary work.

What do I mean?

Well, if you are using a load balancer like NodeBalancer from Linode, every time the certification has to renew, your domain.com has to switch from the load balancer and resolve to your main server where the certification is renewed at. Then afterwards you have to do a ton of work to copy that certification to the load balancer (and other servers that need the SSL).

This can take about 30 mins to an hour; and doing this every 90 days across multiple servers if your domain needs to use multiple servers to run its operation is tedious and pretty much a waste of time.

So if you got a SaaS or an operation that's more than a simple website setup - or has the potential to grow to being hosted at different locations across the world for faster distribution - then Let's Encrypt's setup is just not practical. So there are still a ton of scenarios where this is a no-go.
 

Ryuzaki

#12
> Then afterwards you have to do a ton of work to copy that certification to the load balancer (and other servers that need the SSL).

Same thing with CDNs, unless you're willing to go fully onto the CDN and use one of their "shared certificates." The annual ones are the only ones that make sense at that point. And even that's an annoyance unless you can bot re-uploading the certificate to the CDN constantly.
 
#13
For many CDNs you can upload the cert from Let's Encrypt. I.e. for my CloudFront distributions, I run AWS CLI on a cron with certbot.
 
#14
I use KnownHost for most of our hosting - I simply just ask them to take care of getting Let's Encrypt certs set up on all of our domains, and they're happy to oblige me. Never had a problem with them and it's nice to have a hosting company that will do it for me.
 
#15
I have been using it for one year. It's a fully automated CA issuing domain-validated certificates. I use it for all my websites which need SSL. Actually, I am working with lots of subdomains which change automatically. Let's Encrypt is probably the way to go for multiple websites. It's perfect for small and medium-size websites. You can also find a reliable hosting company that will install the certificates on your website with simply one or 2 clicks.
 
#16
Sorry for reopening an older thread, but wanted to post a warning...

I use Let's Encrypt and love it, but I did have a problem once. For some reason I had certificates for both the www and non-www domain even though I redirected everyone to the www domain. One day I noticed my AdSense earnings were pretty much zero (I do $30-40 per day). I checked the site and got the dreaded "The site is not secure" warning.

It turns out that the non-www domain certificate renewed, but the www domain certificate failed to renew. I immediately fixed it and traffic resumed. I never figured out what happened, but I have since set up reminders on my phone to check the renewal every 90 days just to be safe.

Full disclosure, I never had a problem before or since and I really like Let's Encrypt. However, I just pay more attention to it now. And I also make sure to double/triple check the settings.
 
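The failure described in post #16 (one name renewed, the other did not) can be caught by a scheduled check that inspects every served name rather than by a calendar reminder. This is an added example, not code from any poster in this thread; the hostnames are placeholders, and the 20-day threshold assumes certbot's default of renewing once fewer than 30 days remain.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

# Assumption: certbot renews by default once fewer than 30 days remain, so a
# certificate seen with less than WARN_DAYS left has missed a renewal run.
WARN_DAYS = 20


def days_left(not_after, now):
    """Whole days until expiry; not_after is the 'notAfter' string from getpeercert()."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - now).days


def fetch_not_after(host, port=443, timeout=10):
    """Complete a verified TLS handshake (SNI set to host) and return notAfter."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def audit(hosts, now, fetch=fetch_not_after):
    """Return {host: status} for every name, so one stale name cannot hide."""
    report = {}
    for host in hosts:
        try:
            remaining = days_left(fetch(host), now)
        except (ssl.SSLError, OSError) as exc:
            # Expired or mismatched certificates fail verification and land here.
            report[host] = f"FAIL: {exc.__class__.__name__}"
            continue
        report[host] = "OK" if remaining >= WARN_DAYS else f"WARN: {remaining} days left"
    return report


if __name__ == "__main__":
    # Usage: check_certs.py example.com www.example.com  (placeholder names)
    results = audit(sys.argv[1:], datetime.now(timezone.utc))
    for name, status in results.items():
        print(f"{name}: {status}")
    sys.exit(0 if all(s == "OK" for s in results.values()) else 1)
```

Run daily from cron with both the www and non-www names as arguments; the non-zero exit status lets cron or a monitoring wrapper raise the alert.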

CCarter

#17
Just tested this: you can have multiple domains on a single IP and install Let's Encrypt certifications for all of them. It's pretty much become my go-to now.
 

SmokeTree

#18
I have had Let's Encrypt running on quite a few servers for several clients for a couple years or so and I can also confirm that you can have certs for multiple domains on a single IP without issues. One thing I'd like to add is - if you do a Linux upgrade, that will sometimes update packages related to Python which MAY cause certbot to no longer function. If you run "certbot-auto renew" and get an error that looks something like "Error: couldn’t get currently installed version for /opt/eff.org/certbot/venv/bin/letsencrypt: ", the fix is to do a "rm -rf /opt/eff.org/*" then run "certbot-auto renew" (works on Ubuntu, not sure about other distros). It will reinstall what's needed and that should fix things. A good rule of thumb is to run "certbot-auto renew" after you do any type of Linux update just to make sure.

On another note, Let's Encrypt recently allows the generation of wildcard certs. I will be setting up a server for a client soon that will make use of this as I'm going to use it to secure the email I'm setting up as well (Postfix). I'd normally just generate a separate cert for mail.domain.tld but in this case the client wants a multi-tenant setup using subdomains for tenants, so a wildcard cert makes sense.