What is Let’s Encrypt?

A certificate authority (CA) is an entity that issues TLS/SSL certificates. An SSL certificate authenticates a website's identity and enables an encrypted connection.

Encryption is essential to secure communication between your web server and its users. HTTPS is encrypted in order to increase the security of data transfer.

The Internet Security Research Group (ISRG) is a public corporation that focuses on Internet security. Its mission is to make communication on the Internet secure regardless of the technical or financial capabilities of each user.

What is Let’s Encrypt SSL certificate?

Let’s Encrypt is an automated Certificate Authority (CA) run by the ISRG. It provides X.509 certificates for Transport Layer Security (TLS) encryption.

The CA enables organizations around the world to obtain, renew, and manage SSL/TLS certificates. It is used by websites to enable secure HTTPS connections.

Let’s Encrypt automatically renews certificates to reduce page errors.

How long is the certificate valid?

Let’s Encrypt certificates are valid for 90 days. There are no exceptions. However, you can automatically renew your certificates every 60 days.

Types of Let’s Encrypt certificates

  • Domain Validation Certificate

A Domain Validation SSL Certificate provides strong encryption to websites. It is a go-to option for users looking to secure their domain quickly.

Let’s Encrypt certificates are standard Domain Validation certificates. You can use them for any servers, such as web servers, mail servers, FTP servers, etc.

  • Wildcard Certificate

A Wildcard SSL certificate can secure an unlimited number of subdomains on a single certificate. It adds an asterisk (*) before the domain name.

The wildcard SSL can be shared on multiple servers.

You can issue a Let’s Encrypt wildcard certificate via ACMEv2 using the DNS-01 challenge.

What are Let's Encrypt's Rate Limits?

Let's Encrypt has set up rate limits to ensure fair usage.

Limits are as follows:

  • Certificates per Registered Domain: The limit is set to 50 certificates per week.

  • Pending Authorizations: The limit is set to a max of 300. Exceeding the limit can trigger an error.

  • Orders: You can create a maximum of 300 New Orders per account per 3 hours.

  • Names per Certificate: Limits how many domain names you can include in a single certificate. The limit is 100 names per certificate.

  • Registrations per IP Address: Limits the number of registrations you can make in a given time period. The limit is 10 accounts per IP address every 3 hours. You can create a maximum of 500 accounts per IP range within an IPv6 /48 every 3 hours.

  • Failed Validations: The limit is 5 failures per account, per hostname, per hour.

How does Let's Encrypt work?

Let’s Encrypt’s ACME protocol defines how clients communicate with their servers. The objective of Let’s Encrypt is to automatically obtain a web browser-trusted certificate.

To do this, the CA has to check the certificate request to verify who controls the domain. This is accomplished by running a certificate management client on the web server.

There are two steps to this process.

  1. Domain Validation

The client software has to prove to the CA that the server controls the domains.

The client can prove control of the domain in the following ways:

  • Provision of a DNS record under the domain name.
  • Provision of an HTTP resource under a well-known URI on the domain name.

On the first interaction with Let’s Encrypt, the client generates a unique token (key). It initiates a DNS request to retrieve a key derived from that token.

The CA also provides a nonce for the client to sign with its private key.

Once the client has completed the validation steps, the CA verifies the key. If the key is correct, the client has proven control over the domain. The server will sign and return a certificate.

The client is identified with the public key and is authorized to manage the certificate.

  2. Certificate Issuance and Revocation

Clients can easily request, renew, and revoke certificates with the authorized key pair.

To obtain a certificate for the domain, the client constructs a PKCS#10 CSR (Certificate Signing Request). The CSR includes a signature by the private key corresponding to the public key in the CSR.

The client also signs the whole CSR with the authorized key. When the Let’s Encrypt CA receives the request, it verifies both signatures.

Similarly, to revoke a certificate, the client signs a revocation request with the key pair. The CA verifies the request.

The CA publishes revocation information in the revocation channels.

Benefits of Let's Encrypt SSL certificate

  • Free

Let’s Encrypt is free. Website owners can obtain a trusted certificate for their domain at zero cost.

  • Automatic

Software running on your web server can automatically generate, install, and renew SSL certificates.

  • Easy

Let’s Encrypt is easy to install on any server, especially with a web hosting control panel.
There's no requirement for an additional account, payment, or email validation.

  • Secure

Let’s Encrypt implements Transport Layer Security (TLS) best practices.

  • Transparent

All issued certificates are publicly recorded for anyone to inspect.

  • Open

The automatic issuance and renewal protocol is published as an open standard for others to adopt.

Understanding Let's Encrypt Wildcard Certificates and Domain Verification

Let's Encrypt is a respected certificate authority that provides SSL certificates at no cost, allowing websites to create a secure connection via HTTPS that encrypts data transmitted to and from visitors. Additionally, Let's Encrypt provides wildcard certificates, which allow all subdomains of a domain to be secured with a single certificate, simplifying the management and maintenance of SSL certificates.

To create a wildcard certificate, you can use Let's Encrypt's Certbot tool, which automates obtaining and installing SSL certificates. Verifying domain ownership is a crucial part of SSL certificate issuance. Let's Encrypt requires you to confirm domain ownership by adding a DNS TXT record to your domain's DNS settings.
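The TXT record used for DNS-01, and the HTTP resource from the Domain Validation step, can be derived as follows per RFC 8555 (ACME) and RFC 7638. This is an added example, not code from Certbot or Let's Encrypt; the account key, the challenge token and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# JWK members that RFC 7638 hashes into the thumbprint, per key type.
_REQUIRED = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}

def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

# Constructed sample values: not a real account key or a token issued by any CA.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": b64url(bytes(range(32))), "y": b64url(bytes(range(32, 64)))}
TOKEN = "Y29uc3RydWN0ZWQtc2FtcGxlLXRva2Vu"

def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 thumbprint of the account public key (RFC 7638)."""
    members = {name: jwk[name] for name in _REQUIRED[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """Binds the challenge token to the account key: token '.' thumbprint."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT value for DNS-01: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)

def dns01_record(identifier: str, token: str, jwk: dict) -> tuple:
    """(name, value) of the TXT record; a wildcard is validated on its base domain."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}", dns01_txt_value(token, jwk)

def http01_resource(identifier: str, token: str, jwk: dict) -> tuple:
    """(URL, body) to serve for HTTP-01; wildcard names are not eligible."""
    if identifier.startswith("*."):
        raise ValueError("wildcard names must be validated with DNS-01")
    return f"http://{identifier}/.well-known/acme-challenge/{token}", key_authorization(token, jwk)

def txt_answer_is_valid(txt_values: list, token: str, jwk: dict) -> bool:
    """Validator-side check: does any returned TXT value match the expected digest?"""
    expected = dns01_txt_value(token, jwk)
    return any(hmac.compare_digest(v, expected) for v in txt_values)
```

For `*.example.com` the record goes at `_acme-challenge.example.com`, the same name used for the bare domain, so whoever can write that one TXT record can obtain a certificate covering every subdomain.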

After confirming domain ownership and obtaining your Let's Encrypt wildcard certificate, you can install it on your web server to enable HTTPS for your website and ensure that your visitors' data is securely encrypted. Using HTTPS and obtaining an SSL certificate from a trusted authority like Let's Encrypt can improve your website's security and enhance your search engine rankings.

Conclusion

Let's Encrypt is the world's largest certificate authority, used by more than 260 million websites. It is supported by most browsers and operating systems.

Many CMS platforms such as Squarespace, WordPress, and Wix provide Let's Encrypt to their customers.

You can also install a free Let's Encrypt SSL certificate on CloudPanel with one click!

To ensure certificate compatibility, determine whether the platform supports ISRG’s “ISRG Root X1” certificate.

Shraddha S.
Technical Writer

Shraddha Singh has a lot of thoughts about Technology and the Cloud Services Industry. An Indian native and a professional technical writer, she gets her management skills from IIT-B.

