SSL certificates have become a must-have for websites since Google declared secure HTTPS connections a ranking factor, and especially since the search engine giant announced that, later in 2017, Chrome would start flagging non-HTTPS pages as insecure in a way users can see.
The surge in demand has made SSL providers reconsider the pricing of certificates so as to make them affordable to the wider public.
Meanwhile, a public-benefit certificate authority was founded with the aim of providing free HTTPS encryption to everyone. We’ve now adopted its approach on our platform as well.
Learn more about the Let’s Encrypt initiative and how Let’s Encrypt SSLs fare against regular SSLs from our new post.
What is Let’s Encrypt all about?
Let’s Encrypt, which opened to the public in late 2015 and left beta in April 2016, is a free, open certificate authority (CA) that provides website owners with the digital certificates needed to enable HTTPS (SSL/TLS).
It is run by the Internet Security Research Group (ISRG), a public-benefit organization whose sponsors include the Mozilla Foundation, the Electronic Frontier Foundation (EFF) and Cisco Systems, with the aim of making HTTPS encryption both affordable and easy to deploy.
Their main goal is to create a more secure, privacy-driven web.
Let’s Encrypt certificates are:
- free to use: each domain name owner can obtain a trusted certificate at absolutely no cost;
- automatic: the certificate setup and renewal procedures are fully automated; no human intervention is needed;
- simple to use: there are neither payments to make, nor validation emails to respond to;
- secure: Let’s Encrypt serves as a platform for advancing TLS best practices, both on the CA side and by helping site operators configure their servers properly;
- transparent: all issued certificates are logged publicly (Certificate Transparency), so anyone can inspect which certificates exist for a domain;
- open: the issuance and renewal protocol (ACME) is published as an open standard that other CAs and clients can adopt;
- cooperative: Let’s Encrypt is a joint community effort, beyond the control of any single organization.
The idea and history behind the Let’s Encrypt project
The Let’s Encrypt CA became generally available in 2016. During its first month alone, more than 200,000 certificates were issued, and that number grew a hundredfold within a year.
More than 20,000,000 active certificates are currently supported by Let’s Encrypt.
This explosive growth has been fuelled by the efforts of the Internet Security Research Group (the organization behind Let’s Encrypt) to help create a fully encrypted web.
Supported by a large community, this small group with only nine full-time employees has managed to raise awareness among site owners of the need to invest in a more secure web.
The results speak for themselves: according to Mozilla’s Firefox Telemetry, the share of HTTPS page loads rose by ten percentage points in a year, from 39% in 2016 to 49% in 2017. Close to half of all page loads are now encrypted, which makes everyone safer.
Today, Let’s Encrypt certificates are trusted by all major browsers, including those of Google, Apple and Mozilla.
How does the validation process work?
Generally, for an SSL certificate to be issued, a request must be sent to a trusted certificate authority, which has to verify that the requester actually controls the domain.
Traditionally that verification involved manual steps, which is part of what justifies the fees charged for regular SSL certificates.
To do away with the fees, the founders of Let’s Encrypt had to remove the ‘human factor’ from the process entirely. And so they did.
Their solution is a certificate management agent that runs on the web server and automatically obtains browser-trusted certificates from the Let’s Encrypt CA.
The agent and the CA communicate over the ACME (Automatic Certificate Management Environment) protocol, which lets the CA verify that the requester controls a given domain name and then issue a certificate for it.
Before the domain authorization itself, the agent generates a new public/private key pair, the account key, which it uses to sign every message it sends to Let’s Encrypt.
The agent then needs to prove that the server on whose behalf it communicates actually controls the domain.
Proving control of a domain can be done in either of two ways; the CA issues a challenge and asks the agent to:
- provision a DNS record (a TXT record under _acme-challenge.<domain>; we use this validation method on our platform);
- provision an HTTP resource (a file under /.well-known/acme-challenge/ on the domain’s web server, fetched over plain HTTP).
In addition, the agent proves that it controls the account key pair by signing its messages, including a nonce provided by the CA, with the private key; the nonce prevents replay of an earlier signed message.
When ready, the agent informs the CA, which checks for itself whether the requirements have been met by looking up the DNS record or fetching the HTTP resource.
If everything checks out, the account key pair is authorized to manage certificates for the given domain.
How are Let’s Encrypt certificates issued?
Once authorized, the agent can request, renew and revoke certificates.
All it needs to do is send certificate management messages signed with the authorized account key.
To obtain a certificate, the agent creates a CSR (Certificate Signing Request), which asks the Let’s Encrypt CA to issue a certificate for the given domain with a specified public key. The CSR is signed with the private key matching that public key (the domain key, which is separate from the account key).
The agent then wraps the CSR in an ACME request signed with the authorized account key, so the CA knows the request comes from an account authorized for the domain, and sends it to the Let’s Encrypt CA.
If everything is in order, the CA issues a certificate for the public key contained in the CSR and returns it to the agent.
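The challenge values from the two sections above, worked through as an added example (this is not code from the original post or from Let’s Encrypt’s own client). Given the agent’s account key and the token the CA hands out with a challenge, it derives the JWK thumbprint of the account key, the key authorization string, and exactly what the agent must serve for the HTTP challenge or publish in DNS for the DNS challenge. The account key is the public RSA key from the RFC 7638 example, the token is constructed, and the function names are this example’s own.

```python
"""Added example (not code from the original post or from Let's Encrypt): the
values an ACME agent publishes to answer the two challenge types, derived with
nothing but the Python standard library.

Inputs: the account key as a JWK (only the public part is needed) and the
token the CA sends with the challenge. Outputs (RFC 8555 sections 8.1, 8.3, 8.4):
  key authorization = token + "." + JWK-thumbprint(account key)   (RFC 7638)
  http-01: serve the key authorization at /.well-known/acme-challenge/<token>
  dns-01:  publish base64url(SHA-256(key authorization)) as a TXT record
           at _acme-challenge.<domain>
"""
import base64
import hashlib
import json

# Members that feed the thumbprint, per key type (RFC 7638 section 3.2).
# Optional members such as "alg", "kid" or "use" are deliberately excluded.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JWS and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """Required members only, lexicographically ordered, no whitespace (RFC 7638)."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    return json.dumps({m: jwk[m] for m in members}, separators=(",", ":"), sort_keys=True)


def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    # Binds the CA's token to this account key: only the holder of the key
    # that signed the ACME requests is expected to publish this string.
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_challenge(domain: str, token: str, account_jwk: dict) -> dict:
    """What to serve, over plain HTTP on port 80, for the http-01 challenge."""
    return {
        "url": f"http://{domain}/.well-known/acme-challenge/{token}",
        "content_type": "application/octet-stream",
        "body": key_authorization(token, account_jwk),
    }


def dns01_challenge(domain: str, token: str, account_jwk: dict) -> dict:
    """What to publish in DNS for the dns-01 challenge (the method used on our platform)."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return {"name": f"_acme-challenge.{domain}", "type": "TXT", "value": b64url(digest)}


# Public RSA key from the RFC 7638 example (a published test vector, not a live
# account key), together with the thumbprint the RFC gives for it.
RFC7638_JWK = {
    "kty": "RSA",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
    "e": "AQAB",
    "alg": "RS256",
    "kid": "2011-04-29",
}
RFC7638_THUMBPRINT = "NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs"

# Constructed token of the shape ACME uses (base64url, 32 random bytes); the CA
# generates a fresh one for every challenge.
EXAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    assert jwk_thumbprint(RFC7638_JWK) == RFC7638_THUMBPRINT
    print(http01_challenge("example.com", EXAMPLE_TOKEN, RFC7638_JWK))
    print(dns01_challenge("example.com", EXAMPLE_TOKEN, RFC7638_JWK))
```

Two details worth noticing: the thumbprint drops every optional JWK member, so adding a `kid` to the account key does not change the values the agent must publish; and the DNS value is a hash of the key authorization rather than the string itself, so a TXT record reveals nothing about the account key. The CA only accepts the answer if it can fetch the URL (http-01) or resolve the record (dns-01) from the outside, which is why the domain’s DNS must be in order before requesting a certificate.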
What are the differences between regular and Let’s Encrypt SSLs?
Let’s Encrypt offers you a free and automated way of obtaining SSL certificates for your sites, so you may ask yourself: “Why would I ever go with a regular SSL certificate?”.
Just like any other domain-validated certificate, a Let’s Encrypt certificate enables encrypted connections: site visitors get assurance that they are exchanging information with the domain shown in the address bar and that their personal data (login details, credit card information, etc.) cannot be read in transit. The strength of the encryption itself is determined by the server’s TLS configuration (protocol versions and cipher suites), not by who issued the certificate or what it cost.
Let’s Encrypt certificates are also trusted by all major browsers.
If a site is using a Let’s Encrypt SSL, you will see “https://” at the beginning of the URL in your browser’s address bar, along with the padlock.
In short, Let’s Encrypt certificates offer the secure communication that most site visitors expect.
However, as a business you may also want a warranty, or validation of your organization’s identity rather than just your domain (OV/EV certificates), and this is where commercial SSLs come in.
Read further below to learn more about the differences between a Let’s Encrypt certificate and a regular SSL:
- Warranty: Let’s Encrypt certificates do not include a warranty against mis-issuance or misuse, whereas commercial certificates do. This rarely matters for smaller websites, but larger organizations may want it.
- Wildcard certificates: at the time of writing, Let’s Encrypt did not offer wildcard certificates, whereas traditional CAs usually do (Let’s Encrypt has issued wildcards since March 2018, through ACME v2 and the DNS challenge only). Multi-domain (SAN) certificates covering up to 100 names have always been available.
- Validity period: Let’s Encrypt certificates are valid for 90 days and must be renewed before they expire. This is deliberate: a short lifetime limits the damage a compromised or mis-issued key can do and forces renewal to be automated. Commercial certificates are typically valid for a year or more (browser policy has since capped the maximum lifetime at 398 days). On our platform, Let’s Encrypt certificates are renewed automatically, so you won’t have to worry about that.
- Support: Let’s Encrypt does not offer assistance with creating or installing certificates; only community help is available. This can be an issue for organizations that need to get a site onto HTTPS quickly. In most cases, though, a problematic Let’s Encrypt certificate is fixed simply by regenerating and reinstalling it.
A Let’s Encrypt certificate or a commercial SSL – the final verdict
Both Let’s Encrypt and commercial SSLs will do the encryption job that is expected of them in order to protect your sites against interception and eavesdropping.
So your choice comes down to the type of site you manage, which in turn defines your security requirements.
If you own a non-commercial site, a blog or a photo gallery, or just need a quickly configurable, simple and free SSL certificate that you can obtain with minimum effort, then Let’s Encrypt is the way to go.
If you run an e-store or an enterprise site, you may prefer to invest in a paid, warranty-equipped SSL certificate issued by an established CA.
Thanks to Google’s stated intent to rank HTTPS sites higher, and the resulting rise of authorized SSL resellers, the prices of commercial SSLs have been falling steadily.
Today, every e-commerce website owner can obtain an affordable commercial SSL certificate from a reputable authority.
We’ve already lowered the prices for both regular and wildcard certificates and are doing our best to make sure our customers get the best security insurance on the web.
How do I enable a Let’s Encrypt SSL certificate for my site?
Click on the Edit Host icon in the Actions column for the domain in question:
Then click on the SSL Certificates drop-down menu:
The ‘Request Let’s Encrypt SSL’ option is located at the bottom of the list of SSL options:
Once you’ve selected the Let’s Encrypt option, just click on the Edit Host button and allow a few seconds for the certificate to be generated.
NOTE: Make sure you’ve selected a shared SSL IP address (or a dedicated IP, if available) from the IP Address drop-down menu.
That’s it! The Let’s Encrypt certificate has been installed for the selected domain name.
Your domain will now feature a Let’s Encrypt icon in the SSL table:
You will also see a padlock in front of your domain in your browser’s address bar:
Browsers will now treat the connection to your site as secure.
NOTE: Since Let’s Encrypt validates the domain through DNS, the domain needs valid NS records and its zone must be managed by us, so that the validation record can be published and looked up by the CA.
For this reason, if the ‘Do Not Manage DNS’ option is enabled for a given domain, the Let’s Encrypt feature will not be visible.
How to ensure proper Let’s Encrypt certificate installation
Now that your site loads over HTTPS, you need to make sure that it works properly and that http://www.my-site-name.net redirects to https://www.my-site-name.net.
Here is how to check whether HTTPS has been set up properly on your site:
- use an online service like SSL Labs, which thoroughly examines the configuration of any public TLS web server (certificate chain, protocol versions, cipher suites);
- visit a number of your site’s pages and check that they all display the padlock to the left of the URL.
Next, redirect all HTTP URLs to their HTTPS counterparts. On Apache you can do that with a few rewrite rules in your .htaccess file; use a permanent (301) redirect that preserves the requested path and query string, so that deep links keep working.
This also tells search engines to consider only the HTTPS URLs from now on.
To test whether the HTTP->HTTPS redirection has taken effect, you can do the following:
- enter your-domain.com in the Google search bar;
- check that the indexed links redirect properly and now use the HTTPS protocol.
Keep in mind that it will take some time until Googlebot picks up the redirection.
You will also need to submit an updated sitemap for your site.
Since Search Console treats the HTTP and HTTPS versions as completely separate sites, add a new HTTPS property first and then re-submit your sitemap there.
If you get mixed-content warnings (pages served over HTTPS that still load images, scripts or stylesheets over plain HTTP), fix the offending references; WordPress users can use a plugin such as SSL Insecure Content Fixer.
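The two post-installation checks above (the redirect and mixed content), as an added example that is not part of the original post. Both functions work on constructed sample data so they run offline; for a real site you would feed them the response to a plain-HTTP request and the HTML of your pages. The function names, the sample page and the sample response are this example’s own.

```python
"""Added example (not code from the original post): two offline checks for a
site that has just moved to HTTPS.

1. check_redirect(): is the HTTP -> HTTPS redirect permanent, does it stay
   on the same host, and does it keep the requested path and query?
2. find_mixed_content(): does an HTTPS page still load sub-resources over
   plain http://? Browsers block or flag such "mixed content", and anyone who
   can tamper with those plain-HTTP requests undoes the protection the
   certificate was meant to provide.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that load sub-resources into the page. An <a href> is not mixed
# content (following a link is navigation, not loading), so anchors are skipped.
RESOURCE_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "source": ("src", "srcset"),
    "object": ("data",),
    "embed": ("src",),
}


def _urls_in(attr: str, value: str) -> list:
    """srcset is a comma-separated list of 'url descriptor' pairs; others hold one URL."""
    if attr == "srcset":
        return [part.split()[0] for part in value.split(",") if part.strip()]
    return [value.strip()]


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, url) for every plain-http resource

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name in RESOURCE_ATTRS.get(tag, ()):
                for url in _urls_in(name, value):
                    # Protocol-relative URLs ("//cdn...") inherit https and are fine.
                    if url.lower().startswith("http://"):
                        self.findings.append((tag, name, url))


def find_mixed_content(html: str) -> list:
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def check_redirect(request_url: str, status: int, headers: dict) -> list:
    """Problems with the response to a plain-HTTP request (empty list = redirect is correct)."""
    problems = []
    if status not in (301, 308):
        problems.append(f"status {status}: use a permanent redirect (301 or 308) so search engines move the URL")
    location = next((v for k, v in headers.items() if k.lower() == "location"), None)
    if location is None:
        return problems + ["no Location header"]
    want, got = urlsplit(request_url), urlsplit(location)
    if got.scheme != "https":
        problems.append(f"Location uses {got.scheme}://, not https://")
    if got.hostname != want.hostname:
        problems.append(f"host changed from {want.hostname} to {got.hostname}")
    if (got.path, got.query) != (want.path, want.query):
        problems.append("path or query string not preserved: deep links and indexed URLs will break")
    return problems


# Constructed sample page: one stylesheet and one srcset entry still use http://.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<script src="https://cdn.example.net/app.js"></script>
</head><body>
<img src="//images.example.net/logo.png" alt="">
<img srcset="http://images.example.net/a.jpg 1x, https://images.example.net/a@2x.jpg 2x">
<a href="http://partner.example.org/">a link, not mixed content</a>
</body></html>"""

# Constructed sample response: a temporary redirect that drops the path and query.
SAMPLE_REQUEST = "http://www.my-site-name.net/shop/item?id=7"
SAMPLE_STATUS = 302
SAMPLE_HEADERS = {"Location": "https://www.my-site-name.net/"}

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_HTML):
        print(f"mixed content: <{tag} {attr}> loads {url}")
    for problem in check_redirect(SAMPLE_REQUEST, SAMPLE_STATUS, SAMPLE_HEADERS):
        print(f"redirect problem: {problem}")
```

The scanner deliberately treats protocol-relative and https:// references as clean and ignores ordinary links, which is how browsers judge mixed content too; what it reports is exactly what breaks the padlock. The redirect check encodes the two mistakes that silently cost traffic after a migration: a temporary (302) redirect, which search engines do not treat as a move, and a redirect to the home page rather than to the same path on https://.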
A revolutionary initiative, Let’s Encrypt is the fruit of a great community effort. It still has a long way to go as far as global HTTPS adoption is concerned, but it already plays an important role in making the web a safer place.
We’ll soon give you more information about the newly enabled Let’s Encrypt certificates, so stay tuned!