
Let's Encrypt is a free, automated Certificate Authority that has issued billions of certificates since 2016, driving HTTPS adoption from about 40% of web traffic to over 90%. But the real story isn't the certificates. It's what their existence revealed about the industry that came before.

The Emperor Had No Clothes

Before Let's Encrypt, HTTPS certificates cost money. Sometimes a lot of money—hundreds of dollars annually for a basic certificate. Getting one meant filling out forms, waiting for verification, manually installing the certificate, and remembering to renew it before it expired.

This seemed normal. Security costs money, right?

But here's what Let's Encrypt exposed: Domain Validation—proving you control example.com—is a technical question with a technical answer. Can you put a file at http://example.com/.well-known/acme-challenge/token? Can you create a DNS record? These questions can be answered by a machine in seconds. There was never a reason it should cost $200 and take three business days.

The old Certificate Authorities weren't selling security. They were selling artificial scarcity around a commodity.

What Let's Encrypt Actually Is

Let's Encrypt is a non-profit Certificate Authority operated by the Internet Security Research Group (ISRG), sponsored by Mozilla, Google, Cisco, and others. It provides Domain Validation certificates completely free to anyone who can prove they control a domain.

No hidden fees. No premium tiers. No expiration of the free offering. Free forever.

The catch? There isn't one. The mission is to encrypt the entire web. Every unencrypted connection is an opportunity for eavesdropping and manipulation. Let's Encrypt set out to remove both financial and technical barriers to HTTPS.

90-Day Certificates: The Brilliant Constraint

Let's Encrypt issues certificates that expire in 90 days. This initially seemed burdensome—why force renewal every three months when other CAs offered multi-year certificates?

The reasoning is clever: short lifetimes force automation. Manual renewal every 90 days would be unbearable. So you automate it. And once you automate it, the 90-day lifetime becomes invisible—your system renews certificates automatically, usually 30 days before expiration.

The result? 90-day automated certificates are actually easier than yearly manual certificates. You set it up once and never think about it again. No more calendar reminders. No more expired certificate emergencies.

Short lifetimes also limit damage from compromised keys, make revocation less critical (the certificate expires soon anyway), and force regular cryptographic updates.

The industry validated this approach. Maximum certificate lifetime has now dropped to 398 days for all CAs, with discussion of reducing it further.

ACME: The Protocol That Made It Possible

Let's Encrypt uses ACME (Automatic Certificate Management Environment) for all operations. ACME is an open standard that enables automated certificate issuance, renewal, and management.

The flow is simple:

  1. Your ACME client requests a certificate for your domain
  2. Let's Encrypt challenges you to prove control (put this file here, or create this DNS record)
  3. Your client completes the challenge automatically
  4. Let's Encrypt issues the certificate
  5. Your client installs it and schedules renewal

The entire process takes seconds to minutes with no human involvement.

Validation Methods

HTTP-01: The most common method. Let's Encrypt requests a specific file at http://yourdomain.com/.well-known/acme-challenge/token. Your ACME client makes this file available. Requires port 80 to be accessible.

DNS-01: Required for wildcard certificates. Let's Encrypt requests a specific DNS TXT record. More complex (requires DNS provider API access) but works when HTTP-01 isn't feasible.

TLS-ALPN-01: Uses TLS with the ALPN extension. Less commonly used.

Most users use HTTP-01 for regular certificates and DNS-01 for wildcards.
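The HTTP-01 file body and the DNS-01 TXT value described above are both derived from the challenge token and the ACME account key (RFC 8555, which builds on the RFC 7638 JWK thumbprint). The Python below is an added example, not code from Let's Encrypt or any ACME client; the account key and token are constructed sample values, and the token check is the one a client should make before writing a challenge file.

```python
import base64
import hashlib
import json
import re

# Sample account key: the ES256 public key from RFC 7515 Appendix A.3, used
# here only as test data (an ACME client generates its own account key).
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed

# RFC 7638: the thumbprint hashes only these members, in lexicographic order.
_REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
# RFC 8555 section 8.3: a token is base64url only. Refusing anything else keeps
# a token containing path separators out of the challenge file path.
_TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the account public key (ignores alg, kid, ...)."""
    kty = jwk.get("kty")
    if kty not in _REQUIRED_MEMBERS:
        raise ValueError(f"unsupported key type: {kty!r}")
    canonical = {m: jwk[m] for m in _REQUIRED_MEMBERS[kty]}
    serialised = json.dumps(canonical, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(serialised.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """HTTP-01 answer: body served at /.well-known/acme-challenge/<token>."""
    if not _TOKEN_RE.fullmatch(token):
        raise ValueError("token contains characters outside base64url")
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """DNS-01 answer: value of the TXT record at _acme-challenge.<domain>."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)
```

Because the thumbprint covers only the required public members, adding `alg` or `kid` to the account JWK, or reordering its members, leaves both challenge answers unchanged.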

ACME Clients

You need software to speak ACME. The main options:

Certbot: The official client from the Electronic Frontier Foundation. Feature-rich, well-documented, can automatically configure many web servers. Most users start here.

acme.sh: A lightweight shell script implementation. Minimal but powerful, with broad DNS provider support.

Dozens of other clients exist for various languages and platforms—built into hosting panels, CDNs, load balancers, and network appliances.

Rate Limits

To prevent abuse, Let's Encrypt limits certificate issuance:

  • 50 certificates per registered domain per week
  • 5 duplicate certificates per week
  • 300 accounts per IP address per 3 hours

These limits are generous for legitimate use. If you hit them, use Let's Encrypt's staging environment for testing—it works identically to production but issues untrusted certificates that don't count against limits.

What Let's Encrypt Won't Do

Let's Encrypt issues only Domain Validation certificates. No Organization Validation. No Extended Validation.

This is intentional. DV certificates provide the same encryption as OV/EV. The padlock works the same. The TLS handshake is identical. OV/EV validation is labor-intensive and difficult to automate, and browsers have de-emphasized validation levels anyway (removing the green EV bar).

For most websites, DV is appropriate. Organizations needing OV/EV must use commercial CAs.

The Industry After Let's Encrypt

Let's Encrypt disrupted the CA industry completely. Free certificates forced commercial CAs to compete on services beyond the certificate itself—management tools, support, warranties, OV/EV validation.

Many commercial CAs now offer free DV certificates. The industry has accepted that DV certificates are commoditized. Value must come from elsewhere.

This competition benefited everyone. Barriers to HTTPS adoption disappeared. The web became dramatically more secure because a non-profit refused to participate in the theater of artificial scarcity.
