How Reliable is the Let's Encrypt SSL Certification?

Ernest Dancy

Joined
Mar 25, 2018
Messages
8
Likes
3
Degree
0
I was looking for an affordable SSL encryption mechanism and while surfing came across the Let's Encrypt SSL Certification. It's free and renewal is every 90 days. I would like to hear from those who have used it. How reliable is it, and is there a way to install automatic renewal?

Thanks.
 
I use it on my sites. At first it wasn't as convenient but now there is a cPanel and WHM plugin called AutoSSL you can install that will automatically renew the certificate. It's a piece of cake if you're okay with SSH-ing into your server through the terminal. It's super simple:

https://blog.cpanel.com/announcing-cpanel-whms-official-lets-encrypt-with-autossl-plugin/

This is what it looks like in WHM once you have it installed.

Ohd1DI0.png

You select Let's Encrypt and you're rocking. You can choose exactly which accounts to add it too, or you can install it for all of them in one shot.

After that, it's 100% hands free, run on a cron job.

If you use a CDN, you're not going to want to use Let's Encrypt though, because you'll have to send your certificate in to the CDN provider every 90 days. I'd either use a 365 day certificate, or as a last resort, use the CDN providers "shared certificate"... like shared hosting.
 
Let's Encrypt, as an SSL cert, is great and totally sufficient for most sites. I've had quite a few sites in production for several years now with Let's Encrypt certs, and have never had an issue. Many of those sites have also rated A or A+ on Qualys Labs SSL test and several others, of course after a bit of additional optimization (additional security response headers, not really anything cert-related).

Absolute worst case, even on a barebones server setup, management, renewal, etc. can be easily handled with a cron job.

With hosts like Netlify, for those looking to run static sites, it's about as hands free, maintenance free, and painless as possible. You don't even have to think about renewal, it's just handled automatically.
 
turbin3 said:
Let's Encrypt, as an SSL cert, is great and totally sufficient for most sites. I've had quite a few sites in production for several years now with Let's Encrypt certs, and have never had an issue. Many of those sites have also rated A or A+ on Qualys Labs SSL test and several others, of course after a bit of additional optimization (additional security response headers, not really anything cert-related).
Click to expand...

@turbin3 Thank you for the comment. I was actually installing on Godaddy and I see it's working. I will trust your word that it's a suitable SSL certification solution. I am going to inspect its performance on one site and if it will be effective I think I'll add it to three more sites that I run.
 
I have another +1 for Let's Encrypt. With the cron job or cpanel plugin, it's 100% reliable and hands free. As far as the actual security of it, I don't know. I didn't stress test it and wouldn't know how. But it gets me on HTTPS and gets the lock in the browser with little effort (and free).
 
+1 on letsencrypt. With the Cpanel plugin (Directadmin also has this option) I've converted pretty much all my sites to SSL. I'd like to think Google gives you a little bump but I've never tested it. I do like that you get the little green lock on most browsers which helps you look legit in some peoples eyes.
 
Yes, I also use it on all my sites. If you have Cpanel hosting it is really easy to set up, even for newbies. In case your host does not support Let's Encrypt, either change hosting or look around in forums. There is a ton of information around on how to install and automate the renewal with script examples for nearly all hosting environments.
 
I use it a lot. For simple certificates it's the same you're paying for from i.e. your registrar. I would always use Let's Encrypt for domain validated SSL, no reason to use any other provider.
 
I have used it for about six months. I switched over from Comodo which I hated. Comparatively, the Comodo certificate was a pain to obtain and an equal pain to renew.
 
Just an FYI, due to the way Lets Encrypt works by only allowing a domain to reside on a single server/IP Address, it means that copying certifications to other servers is a pain, and a ton of un-necessary work.

What do I mean?

Well if you are using a load balancer like NodeBalancer from Linode everytime the certification has to renew, your domain.com has to switch from the load balancer and resolve to your main server where the certification is renewed at. Then afterwards you have to do a ton of work to copy that certification to the load balancer (and other servers that need the SSL).

This can take about 30 mins to an hour; and doing this every 90 days across multiple servers if your domain needs to use multiple servers to run it's operation is tedious and pretty much a waste of time.

So if you got a SAAS or an operation that's more than simple website setup - or has the potential to grow to being hosted at different locations across the world for faster distribution then LetsEncrypt's setup is just not practical. So there are still a ton of scenarios where this is a no-go.
 
CCarter said:
Then afterwards you have to do a ton of work to copy that certification to the load balancer (and other servers that need the SSL).
Click to expand...

Same thing with CDN's, unless you're willing to go fully onto the CDN and use one of their "shared certificates." The annual ones are the only ones that make sense at that point. And even that's an annoyance unless you can bot re-uploading the certificate to the CDN constantly..
 
For many CDN you can upload the cert from Let's Encrypt. I.e. for my Cloudfront distributions, I run AWS CLI on a cron with certbot.
 
I use KnownHost for most of our hosting - I simply just ask them to take care of getting Let's Encrypt certs setup on all of our domains, and they're happy to oblige me. Never had a problem with them and its nice to have a hosting company that will do it for me :tongue:
 
I am using it for one year. It’s fully automated CA issuing domain-validated certificates. I use it for all my websites which need SSL. Actually, I am working with lots of subdomains which change automatically. Let’s encrypt probably the way to have for multiple websites. It’s perfect for small and medium size websites. You can also find a reliable hosting company that will install the certificated on your website with simply one or 2 clicks.
 
Sorry for reopening an older thread, but wanted to post a warning...

I use Let's Encrypt and love it, but I did have a problem once. For some reason I had certificates for both the www and non-www domain even though I redirected everyone to the www domain. One day I noticed my AdSense earnings were pretty much zero (I do $30-40 per day). I checked the site and got the dreaded "The site is not secure" warning.

It turns out that the non-www domain certificate renewed, but the www domain certificate failed to renew. I immediately fixed it and traffic resumed. I never figured out what happened, but I have since set up reminders on my phone to check the renewal every 90 days just to be safe.

Full disclosure, I never had a problem before or since and I really like Let'sEncrypt. However, I just pay more attention to it now. And I also make sure to double/triple check the settings.
 
Just tested this: you can have multiple domains in a single IP and install LetsEncrypt certifications for all of them. It's pretty much become my go-to now.
 
I have had Lets Encrypt running on quite a few servers for several clients for a couple years or so and I can also confirm that you can have certs for multiple domains on a single IP without issues. One thing I'd like to add is - if you do a Linux upgrade, that will sometimes update packages related to Python which MAY cause certbot to no longer function. If you run "certbot-auto renew" and get an error that looks something like "Error: couldn’t get currently installed version for /opt/eff.org/certbot/venv/bin/letsencrypt: ", the fix is to do a "rm -rf /opt/eff.org/*" then run certbot-auto renew" (Works on Ubuntu, not sure about other distros). It will reinstall what's needed and that should fix things. A good rule of thumb is to run "certbot-auto renew" after you do any type of Linux update just to make sure.

On another note, LetsEncrypt recently allows the generation of wildcard certs. I will be setting up a server for a client soon that will make use of this as I'm going to use it to secure the email I'm setting up as well (Postfix). I'd normally just generate a separate cert for mail.domain.tld but in this case the client wants a multi-tenant setup using subdomains for tenants, so a wildcard cert makes sense.
 
You must log in or register to reply here.
Back