In short - why we really love Let’s Encrypt:
- It's free! Any site owner can obtain an SSL certificate for their domain for free.
- It's automatic! The method of issuance is highly automated and many tools make it easy.
- It's simple! Forget about payments, emails, validations, renewals, etc. Everything is simple and automated.
- It's secure! Let’s Encrypt is as secure as paid SSL certificates and many large organizations are using it (like debian.org).
Until Let's Encrypt was introduced, no certificate authority that issued free SSL certificates had its certificates accepted as valid by default in most browsers. You had to pay an annual fee to purchase the SSL certificate from a CA that was established and accepted by most browsers (such as GeoTrust or Comodo/Sectigo). Let's Encrypt came about after pressure from Google and other companies to solve the problem that most small websites did not use HTTPS, even when personal information was transmitted to the web server (as with bb forums or small e-shops).
Let's Encrypt is a free service by the non-profit organization Internet Security Research Group (ISRG), sponsored by Google, Facebook, Cisco, Mozilla Foundation, Internet Society, Linux Foundation and other partners, with the main goal of running for the public's benefit and making the web safer and more secure.
By allowing automated and free SSL issuance - any domain owner can now get an SSL certificate instantly, with the same security as paid SSL certificates, by using proven and open issuance protocols. There is really minimal downside to choosing a free Let's Encrypt certificate compared to a paid SSL certificate. One is that you do not get any support like when you purchase a paid SSL certificate. The other is the issuance period - for Let's Encrypt it is 3 months, compared to 1-4 years for a paid SSL cert. However, you can easily automate Let's Encrypt issuance and forget about dealing with renewals.
The automated validation by the Let's Encrypt servers is possible with several methods:
1. HTTP-01 challenge: Let’s Encrypt gives a token to your ACME client, and your ACME client puts a file on your web server; the Let's Encrypt server then checks that the file is present. This is easily automated (for example with Certbot) but has the disadvantage of being unable to issue wildcard certificates. Also, if you have multiple web servers, you have to make sure the file is available on all of them.
2. DNS-01 challenge: By proving you control the DNS for the domain, you let Let's Encrypt validate that you are the owner. After Let’s Encrypt gives your ACME client a token, your client will create a TXT record derived from that token and your account key. This way you can have SSL for wildcard domain names, and it works for multiple web servers, in contrast to the HTTP method. However, the disadvantage is that you must either have the DNS server on the same machine as the web server or have an API for the DNS that is controlled by the same machine (which is risky).
We provide an automated tool for our shared hosting service - for all the domains you add, an SSL certificate will be issued automatically, provided that you are using our DNS.