12/11/15

Quick thoughts about Let’s Encrypt

So I just switched over from StartSSL to Let’s Encrypt for all of Syn Fin dot Net’s SSL needs and wanted to give a few thoughts about the process:

It’s a very different experience getting up and started. I’ve used a variety of SSL CAs for work and personal use and Let’s Encrypt is the first I’ve seen to so fully automate things. This has some pros and cons, but overall it’s much quicker and easier to get up and running with Let’s Encrypt than StartSSL (which honestly isn’t saying much) or most other CAs. The downside of this is that the process is so different that you actually have to read the docs rather than just following the prompts, but having to RTFM is a small price to pay for a free SSL cert IMHO.

Let’s Encrypt (just LE for short) is also the first CA that limits their certs to 90 days. They claim that 90 day certs are becoming more common, but none of the CAs I’ve ever used in the past even offer that as an option. Kinda annoying, but not a deal breaker considering how automated renewing certs is.

LE only offers domain validated certs (ie: no extended validation) which is fine for personal use, but it’s a little odd that there’s no requirement for any ownership information other than an email for contact purposes. For some use cases this makes a lot of sense, but I’d actually like people to know I own this domain (as long as they don’t spam/junk mail me).

LE’s automation makes it easy to get up and running quickly, if your needs adhere to their tool’s limitations. I ended up having to tell Nginx to serve up http://mail.synfin.net so I could get an SSL cert for Postfix. Lucky for me, my mail & web server are the same box so this was easy, but for most organizations this becomes a real pain.
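As an added illustration of that workaround (not config from the original post), here is the kind of Nginx server block that lets the LE client's HTTP validation reach a mail hostname on the same box: only the ACME challenge path is served over plain HTTP, everything else is refused. The webroot directory /var/www/letsencrypt is an assumed path.

```nginx
# Assumed example: minimal HTTP listener for mail.synfin.net whose only job is
# answering Let's Encrypt's HTTP-01 challenge so Postfix can get a cert.
server {
    listen 80;
    server_name mail.synfin.net;

    # The LE client writes challenge tokens here (assumed webroot path) and
    # the CA fetches them at http://mail.synfin.net/.well-known/acme-challenge/<token>
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type text/plain;
        try_files $uri =404;
    }

    # Nothing else should be reachable on the mail host over HTTP.
    location / {
        return 404;
    }
}
```

With this in place the cert is requested with the client's webroot mode (e.g. `letsencrypt-auto certonly --webroot -w /var/www/letsencrypt -d mail.synfin.net`), and Postfix's smtpd_tls_cert_file / smtpd_tls_key_file are pointed at the fullchain.pem and privkey.pem the client writes under /etc/letsencrypt/live/mail.synfin.net/.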

My biggest feature request right now would be to allow the letsencrypt-auto script to listen on arbitrary ports and not just TCP/80 and TCP/443, to make it even easier to set up.