Anyone tried Let's Encrypt yet?

Hybrid · Feb 4, 2016

They just reached a new 500K milestone https://letsencrypt.org/stats

Many open source webservers and control panels are already adopting the auto generating and renewal of the certificate.

Anyone tried it yet?

Hhussam · Feb 6, 2016

Probably not till cpanel supports it.
The issue with automatically generated certificates is that they bypass the background and authenticity checks that paid CAs do.
This means you can pretend to be another company.

Joe · Feb 6, 2016

I want to try it, but I'm not anywhere near deploying this in production.
I want it to be a successful project, but I'm very conservative when it comes to security on my servers.... (Well, everything on my servers, really).

Hybrid · Feb 11, 2016

Its not meant for corporates really. It's just to provide a level of encryption for personal websites, blogs and small businesses.

There are already 3rd party plugins for cPanel that support it. One of my shared host servers has it installed. The server is running on Cloudlinux + litespeed
http://i.imgur.com/B1fVaK4.png

JJadcham · Feb 23, 2016

Hey Hybrid,
I actually tried let's encrypt and they have a solid algorithm. When I tried it, it was just one day out of closed beta and only had CLI tool. The CLI had to be on the server that is actually hosting the website so they can make sure that you are the owner of the website.
Now Plesk integrated it in their panel I am pretty sire that Cpanel will do the same.
Everything on the web should become https.

Hybrid · Feb 24, 2016

Didn't know plesk supports it, great to know!

DirectAdmin just started supporting it too http://www.directadmin.com/features.php?id=1828

rolf · Feb 24, 2016

Joe wrote I want it to be a successful project, but I'm very conservative when it comes to security on my servers.... (Well, everything on my servers, really).

That's the spirit. I'm conservative about anything that touches my code/my work, let alone production servers.
But yeah setting up SSL is painful. I've done it once for Apache, using a website that offered free 1-year certificates, spent about half a day doing things that I barely understood. When the time came to renew it, I thought I'd buy a certificate from GoDaddy instead, maybe that would come with clear instructions and would be easy to set up. Naw, it was worse, and I think that it's not properly set up at the moment, but I'm just pretending that I forgot about it, as long as nobody is complaining.

Terrible, I know, but hey it's hard to be a developer, a sysadmin, accountant, and all that at the same time, on your own, that's why I'm kinda avoiding freelancing.

Jadcham wrote Everything on the web should become https.

Like who needs caching, application-level firewalls. Let's just have a big fat SSL tunnel and pump everything through that and everyone else can get lost!
Seriously though, without lacking respect or anything (no offense meant), moving everything over to SSL would pose a performance problem.
Also SSL can offer a false sense of security. If I remember well, there was an instance where ISPs (in Egypt) used a root certificate to secretly snoop on users. It was unveiled and things have been put in place to try to avoid that in the future, but that is one case where HTTPS would have provided a false sense of security to users.

rolf · May 19, 2017

Related:
"Let's Encrypt and free SSL certificates"
https://lebgeeks.com/forums/viewtopic.php?pid=167372#p167372