Ever Tried Let's Encrypt, the FREE SSL Provider?

Please, has anyone ever tried to use the free SSL provided by https://letsencrypt.org?

If yes, I will appreciate any feedback I can get.

Cheers


Yeah. Got a bunch of sites running on it now. Only downside I see is that you have to renew the cert (for free though) every 3 months.

Yeah, saw the info about the 3-month renewal on their site…

Does it work well for you?

LetsEncrypt is the cheapest and easiest way to get an SSL certificate. It works pretty well, even generates vhost configs for nginx and Apache, plus it's sponsored by Facebook, Google, and other tech big wigs, so rest assured your certificate will work in most browsers.

I just got to know about LetsEncrypt through this post. I think it’s actually an interesting idea. The root certificate authority (CA) for their certificate is IdenTrust Commercial Root CA 1 which is listed in the default trusted CA list used by Mozilla and many other applications.

https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt

That said, it’s important to point out that the CA is not what guarantees your site’s security, but the type of encryption mechanisms used by your server. These schemes can get too complex to understand; personally, I just use https://www.ssllabs.com/ssltest/analyze.html to check my SSL setup for issues.

Another option that I personally use:
Cloudflare’s Free SSL, and you get their other services as well. Depending on the option you choose, you could either not need a cert on your server, or use the option that requires a self-signed cert or a cert from a provider. https://www.cloudflare.com/ssl/


I have checked out Cloudflare, but I realized it's just “man in the middle” SSL. To me it appears they trick the browser that your site has SSL, but in the leg of the traffic from Cloudflare to your own server, you may not have the encryption you need.

It was part of their “SSL everywhere” campaign from over a year ago. Not a trick in the sense of the word. You basically get a free certificate from them that resides on their edge nodes, which can then connect to your own server using a self-signed certificate.

Cloudflare’s primary product, as a web application firewall, has always been to sit between your servers and your visitors, while helping to mitigate all threats, including preventing DDoS attacks. They have been at the front line making their customers immune to the largest DDoS attacks in history. You can read more here, here, and here. They are also well positioned to mitigate against zero-day exploits like Shellshock or Heartbleed. An exciting account of Shellshock attacks they mitigated can be read here.

As a by-product, they also act as a CDN to cache and serve your static assets. Your traffic can grow exponentially without your servers feeling the bulk of the pinch. For instance, a blog served from a WordPress install on some Digital Ocean droplet will stay online and remain fully usable even if the server is temporarily out of commission. They offer a whole load of other features as well, so if you have been using them in the past, the free SSL addition makes a fine bonus. Think about it this way: an attacker who wants to watch traffic from your visitors to your server literally has to sit between your visitors and whatever IP address they think belongs to your server. When you are on Cloudflare, that IP is a Cloudflare one and the connection is encrypted.

When you try to get faux technical, you miss out on the beauty of the movement they started. On the other hand, LetsEncrypt is great as well, and anyone with good enough technical chops will be able to harness it to their advantage, such as auto-renewal of certificates, generating certificates for every subdomain you come up with (as they don’t support wildcard certificates just yet, and probably never will), etc.


There are levels, as shown on the link I sent. The Full option encrypts the connection between your site and their server, and between their server and your server. You can create a self-signed certificate on your server for that. The only thing is it won’t require you to have a certificate from a provider, unlike the strict option.

Also what @xolubi said.

Yep, works fine. I might just cron up the renewal too.
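A renewal job of the kind mentioned in the reply above, as an added example that is not code from the thread, from Let's Encrypt or from the certbot project: it reads how many days the current certificate has left, calls `certbot renew` only when it is inside the renewal window, and reloads nginx through certbot's deploy hook so the new certificate is actually served. Everything it assumes is an assumption, not something stated on the page: the certbot client is installed, the issued certificate lives under /etc/letsencrypt/live/<domain>/, GNU `date` is available for `-d`, nginx is the web server, and the script is saved as /usr/local/bin/le-renew.sh; the 30-day threshold is certbot's own default renewal window.

```sh
#!/bin/sh
# Added example, not from the thread: a cron-driven renewal job for a
# Let's Encrypt certificate. Assumptions (not stated on the page): the
# certbot client is installed, the issued cert lives under
# /etc/letsencrypt/live/<domain>/, nginx is the web server, and GNU date
# is available for the -d option.
#
# Suggested crontab entry (runs daily, early morning):
#   17 3 * * * /usr/local/bin/le-renew.sh example.com >> /var/log/le-renew.log 2>&1

RENEW_BEFORE_DAYS=30   # renew once a month or less of the ~90-day lifetime remains

# Whole days between two Unix timestamps: $1 = notAfter, $2 = now.
days_left() {
    echo $(( ($1 - $2) / 86400 ))
}

# True (exit 0) when a cert with $1 days left is inside the $2-day window.
# An already expired cert (zero or negative days) is also due.
renewal_due() {
    [ "$1" -le "$2" ]
}

# notAfter of a PEM certificate as Unix time, via openssl and GNU date.
cert_not_after_epoch() {
    end=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')
    date -d "$end" +%s
}

main() {
    domain="$1"
    cert="/etc/letsencrypt/live/$domain/cert.pem"
    now=$(date +%s)
    left=$(days_left "$(cert_not_after_epoch "$cert")" "$now")
    echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) $domain: $left day(s) until expiry"
    if renewal_due "$left" "$RENEW_BEFORE_DAYS"; then
        # certbot itself skips certs that are not near expiry; the deploy hook
        # runs only when a cert was actually replaced, so nginx reloads once.
        certbot renew --quiet --deploy-hook "systemctl reload nginx"
    fi
}

# Run only when a domain is given, so the helpers can be sourced and tested.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Logging the days-left line on every run, even when nothing is renewed, is deliberate: a cron job that silently does nothing looks identical to one that silently fails, and the log lets you spot a renewal that keeps being skipped (or an expiry creeping toward zero) before visitors see a browser warning.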

Nice write up, thanks a mill mehn…