Are there any downsides to using Let's Encrypt for a website's SSL certificates?

  • On the advantages side, I see several benefits to using the Let's Encrypt service (e.g., the service is free, easy to set up, and easy to maintain). I'm wondering what, if any, are the disadvantages to using Let's Encrypt? Any reasons why website operators -- whether big like Twitter or small like a local photographer -- should not consider replacing their existing SSL services from companies like GoDaddy with this service?

    (If the service is not yet available, this disadvantage can be ignored -- I'm more wondering about disadvantages once it is available for general public use.)

    On 3 December 2015, Let's Encrypt (beta version) became available to the general public.

    One reason I ran across is that it doesn't work! Look at all the issues! If you pay for your cert, you get (some) support, and it's manual, so nothing to break.

  • Let's Encrypt is a Certificate Authority, and they have more or less the same privileges and power as any other existing (and larger) certificate authority in the market.

    As of today, the main objective downside of using a Let's Encrypt certificate is compatibility. This is an issue that any new CA faces when approaching the market.

    In order for a certificate to be trusted, it must be signed by a certificate that belongs to a trusted CA. In order to be trusted, a CA must have its signing certificate bundled in the browser/OS. A CA that enters the market today, assuming it is approved into the root certificate program of each browser/OS from day 0 (which is impossible), will be included in the current releases of the various browsers/OSes. However, it cannot be included in older (already released) versions.

    In other words, if a CA Foo joins the root program on Day 0 when the Google Chrome version is 48 and Mac OS X is 10.7, the Foo CA will not be included (and trusted) in any version of Chrome prior to 48 or Mac OS X prior to 10.7. You can't retroactively trust a CA.

    To limit the compatibility issue, Let's Encrypt got their root certificate cross-signed by another, older CA (IdenTrust). This means a client that doesn't include the LE root certificate can still fall back to IdenTrust and the certificate will be trusted... in an ideal world. In fact, it looks like there are various cases where this is not currently happening (Java, Windows XP, iTunes and other environments). Therefore, that's the major downside of using a Let's Encrypt certificate: reduced compatibility compared to other, older competitors.

    Besides compatibility, other possible downsides are essentially related to the issuance policy of Let's Encrypt and their business decisions. Like any other service, they may not offer some features you need.

    Here are some notable differences of Let's Encrypt compared to other CAs (I also wrote an article about them):

    The points above are not necessarily downsides. However, they are business decisions that may not meet your specific requirements, and in that case they will represent downsides compared to other alternatives.

    The main rate limit is 20 certs per registered domain per week. However, this does not restrict the number of renewals you can issue each week.

    Certainly the best and most objective answer. Also good explanation of the trust issue.

    Noticed that certificate issued to * by Let's Encrypt Authority :)

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM