Why does the official Mikrotik.com site use Let's Encrypt?

Seriously, I would understand if you were a student, or a small organization, or a startup…
You do not have enough money to buy a normal certificate?

I had never noticed until today, when I opened https://mikrotik.com and my browser, Firefox, gave me a message that something was wrong with the certificate.

It is actually very convenient to use Let’s Encrypt on an internet-visible site (it is much more difficult for an intranet or similar) because you can install the software to automatically renew it.
So no longer the stressful situation around expired certificates that you have when buying them.

And as there is no difference in security (compared to other domain-control-validated certificates), why not?
EV certificates are going to die anyway. https is no longer focussing on the reliable verification of the remote party, but only on the encryption of the in-transit data.

Let’s Encrypt is just as good, if not better than any other commercial CA. The short lifetime (3 months) limits the duration that a compromised certificate is useful. Considering the track record of commercial CA’s mis-issuing certificates, I would trust Let’s Encrypt far more than Comodo and friends. If your browser was generating errors then your system clock is likely not set correctly as the Let’s Encrypt issuing cert is trusted by all major browsers.

… and remember the actual trust value of the whole certificate system is just the trust value of the lowest offerer!
It does not matter if there are others that are better than Let’s Encrypt, and if there are others that are worse than them, the whole system is still no better than that.
And given that there are lots of questionable CAs from states all over the world, there actually is no trust at all in the system.

Yes, I checked, the problem with my browser is only on my computer…
I use Let’s Encrypt a lot for my projects, I just did not expect to see it here.
Thank you all for the answers!

A funny exercise is to open the list of trusted CAs in your browser and then think about how much you really trust all of them. With Let’s Encrypt you at least know what it is; you can’t say that for most others.

That is what I mean! And the worst thing is: the trust in the whole system is equal to the trust in the CA that you trust the LEAST!
This is because there is (in practice) no link between the website and the CA that is authorized to issue certificates for it.
Any CA can issue certificates for any site.

In many questionable countries, the state has its own CA. Realize what that means! It means that your state can install a “great firewall” that intercepts all traffic (or order the ISPs to do so), and it can examine your browsing traffic in plaintext. For each site you visit, they can issue a certificate and play man-in-the-middle WITHOUT YOU EVEN NOTICING. The padlock will be green as usual.
The only thing particular would be when you check the details, you would see the name of the CA. But they can, from their top-level CA, just create fake intermediate CAs with the same name as the original CA, so you would just see “Verified by: Let’s Encrypt” when you quickly hover over the icon!
Only when you examine the certificate in detail, you would notice that the Let’s Encrypt CA is not signed by the usual root CA but by that CA from your own state.

The only thing you can do to avoid that is to manually configure your browser to remove the trust in those CAs, but that is a long and tedious process which potentially has to be repeated at every browser update you do, and furthermore it will lock you out of legitimate usage of that root CA (e.g. when you electronically file your tax form), so you will likely have to toggle it off and on regularly.
Not really a usable solution.

With certificate transparency being a requirement these days, any state that MITM’s their users with trusted certificates will be very quickly discovered and their certificates revoked.
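Added example, not part of any post in this thread: how a site operator could audit certificate transparency records for certificates covering their domain that they never requested, including one whose issuer name matches their usual CA, as described in the posts above. The record layout, fingerprints, issuer names and example.com are constructed assumptions, not the output of a real CT service.

```python
# Constructed sample: records shaped like the results of a CT log search.
# Field names and every value here are assumptions made for this example.
CT_ENTRIES = [
    {"sha256": "a1" * 32, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com\nwww.example.com"},
    {"sha256": "b2" * 32, "issuer_name": "C=XX, O=Example State CA, CN=Issuing CA",
     "name_value": "www.example.com"},
    {"sha256": "c3" * 32, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.example.com"},
    {"sha256": "d4" * 32, "issuer_name": "C=XX, O=Example State CA, CN=Issuing CA",
     "name_value": "notexample.com"},
]

# Fingerprints of certificates our own renewal job obtained (constructed).
OUR_FINGERPRINTS = {"a1" * 32}
# Issuer names we normally see on our certificates (constructed).
KNOWN_ISSUERS = {"C=US, O=Let's Encrypt, CN=R3"}


def covers(name, domain):
    """True if a logged DNS name is the domain, a subdomain, or a wildcard under it."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name == domain or name.endswith("." + domain)


def audit(entries, domain, our_fingerprints, known_issuers):
    """Return (fingerprint, reason) for each logged certificate we cannot account for."""
    findings = []
    for entry in entries:
        if not any(covers(n, domain) for n in entry["name_value"].split("\n")):
            continue  # certificate is for someone else's name
        fp = entry["sha256"].lower()
        if fp in our_fingerprints:
            continue  # we requested this one ourselves
        if entry["issuer_name"] in known_issuers:
            # A matching issuer name proves nothing; only our inventory does.
            reason = "familiar issuer name, but we never requested this certificate"
        else:
            reason = "issuer we do not use: " + entry["issuer_name"]
        findings.append((fp, reason))
    return findings


if __name__ == "__main__":
    for fp, reason in audit(CT_ENTRIES, "example.com", OUR_FINGERPRINTS, KNOWN_ISSUERS):
        print(fp[:16], "-", reason)
```

The inventory is keyed on the certificate fingerprint rather than the issuer name, so a look-alike intermediate with a familiar name is still reported.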

I still buy certificates for some clients, but lately, most of them issue 1 year certificates only. It is a hassle to renew manually so LE is a smart choice.
For example, I just bought a 4 year extension for a client. My surprise: the certificate is valid only for 1 year, after which I have to request a new one (included in the price, but still the work has to be done manually).
For example read: https://www.ssls.com/knowledgebase/how-does-ssl-reactivation-work/

When your SSL Certificate is 30 days from needing Reactivation, we’ll send you a few email reminders. You’ll see a Reactivate button in your user Account, and follow the system guidance steps. Once the Reactivation is complete, you’ll see the Certificate Expiry date change in your Account.
In the same way as a Renewal, you’ll need to contact your hosting provider to install the SSL on your hosting account. But unlike a Renewal, this is not a new purchase.

F this ^

There are good reasons to make validity shorter. Only that was the last advantage of domain-validated certificates from commercial CAs. They are dead as a paid product. And it’s not even the price, they were already cheap. The work needed to get them and install them often cost more than the price of the certificate itself. Of course being free is a nice bonus, but the best is that when you automate it, it just works by itself and you don’t have to do anything.