HN Reader

817

349

2 months agoby SGran

Let's Encrypt was _huge_ in making it's absurd to not have TLS and now we (I, at least) take it for granted because it's just the baseline for any website I build. Incredible, free service that helped make the web a more secure place. What a wonderful service - thank you to the entire team.

The CEO at my last company (2022) refused to use Let's Encrypt because "it looked cheap to customers". That is absurd to me because 1), it's (and was at the time) the largest certificate authority in the world, and 2) I've never seen someone care about who issued your cert on a sales call. It coming from GoDaddy is not a selling point...

So my question: has anyone actually commented to you in a negative way about using Let's Encrypt? I couldn't imagine, but curious on others' experiences.

2 months agoby jjice

It’s easy to forget how awful TLS was before Let’s Encrypt: you’d pay per-hostname, file tickets, manually validate domains, and then babysit a 1-year cert renewal calendar. Today it’s basically “install an ACME client once and forget it” and the web quietly shifted from <30% HTTPS to ~80% globally and ~95% in the US in a few years.

The impressive bit isn’t just the crypto, it’s that they attacked the operational problem: automation (ACME), good client ecosystem, and a nonprofit CA that’s fine with being invisible infrastructure. A boring, free cert became the default.

The next 10 years feel harder: shrinking lifetimes (45-day certs are coming) means “click to install cert” can’t exist anymore, and there’s still a huge long tail of internal dashboards, random appliances, and IoT gear that don’t have good automation hooks. We’ve solved “public websites on Linux boxes,” but not “everything else on the network.”

2 months agoby pedrozieg

As a sysadmin in the 2007-2011 timeframe I literally used openssl to generate csrs, went to godaddy to purchase SSL certificates and then manually deployed them to servers. Man what a world of change. Let's encrypt is one the best services we've had on the internet. I wish we had more things like this.

2 months agoby asim

Snowden was the other big reason that TLS became the de facto standard for every site.

Prior to that, the consensus was that you only really needed TLS if you were dealing with money and wasn't worth the hassle otherwise. You could sniff traffic from Facebook and Twitter easily.

I remember listening to a talk given by an IRS investigator in around 2008 about how they were able to do a sting and shutdown illegal internet casinos. They collected a good bulk of that evidence from clear-text packet captures of gambling sessions and messages. He preemptively answered the question of whether encryption was a hurdle, by saying no one used it.

2 months agoby ok123456

Lets hope they stay independent and never get acquired by Google or any other large tech company. You can imagine a web where SSL issuance is used as a tool to censor websites. I think most browsers have been made to make standard http sites look malicious to normal users.

2 months agoby t1234s

New baseline expectation that web traffic will be encrypted on the wire: very good!

New de-facto requirement that you need to receive the blessing of a CA to make use of basic web platform features... not so good.

2 months agoby greyface-

I still remember the original announcement around LE and thought "Great idea, no idea if they'll be able to get buy-in from browsers/etc", now I use it on all my self-hosted sites and will probably be transitioning my employer over to it when we switch to automated renewal sometime next year.

LE has been an amazing resource and every time I setup a new website and get a LE cert I smile. Especially after having lived/experienced the pain that was SSL/TLS before LE.

2 months agoby joshstrange

LetsEncrypt is on my end of year Donate list for the past 5 years. With all modern browsers requiring HTTPS everywhere, a world without Let's Encrypt would be really difficult for indie developers.

Thank You for an amazing product!

2 months agoby vadepaysa

Let’s Encrypt is something so amazingly valuable that I was certain it’d be killed dead within a year to prop up the existing SSL cert business.

Congrats on a decade, ya’ll, here’s to many, many more in securing the free internet.

2 months agoby stego-tech

Seems Let's Encrypt also have control of https://letsdecrypt.org.

It takes you to https://www.nsa.gov rather than Let's Encrypt.

Not sure what to make of that!

1 month agoby martinclayton

I am glad to be one of the users using that for around 7 years. I can't think of how much better is life of people just doing blogs or some silly websites with free https certs. Would I pay 50$ bucks a year for ability to self host nextcloud? Probably not. But security enhancement is so enormous with that service. Thanks to everyone involved for making world a little bit better.

2 months agoby npodbielski

I am so grateful for this. Bummer that they stopped with the email reminder, anyways I was wondering how this would work without active payments. Still amazing.

2 months agoby Decoy1008

Wow. Feels like Let’s encrypt been around for longer.

2 months agoby victorbjorklund

LE has been really great, particularly in running hobby web sites on the public internet. Getting certbot up and running wasn't hard, automating renewal wasn't hard, and because they have DNS-based pathways to verification you can use LE certificates for sites not exposed to the public internet as well. Combine it with something like Caddy and getting SSL for an app becomes the default without ever having to manage certificates by hand.

I find it pretty amazing how far its come, and how big a change it has made to the internet in the decade it's been operating.

2 months agoby scblock

Seems longer than 10 years ago? But hey... Let's Encrypt absolutely changed the game... TLS and certificates were a huuuuuge PITA and expensive... we only used them when money was moving around online and they were slow most times. It was also a process to add one, update one, etc. I remember not trusting it at first because it was so easy lol. THANK YOU Let's Encrypt... you made us all more sane, saved time, and secured us all up too. Firm handshakes.

1 month agoby chuckreynolds

only downside to LE is the attack surface presented by CTLs (Certificate Transparency Logs). as soon as you request a cert, you will get attacks on the endpoint/subdomain you have registered by countless IPs trying to login etc.

2 months agoby omani

https://community.letsencrypt.org/t/revoking-certain-certifi...

https://community.letsencrypt.org/t/2020-02-29-caa-recheckin...

https://bugzilla.mozilla.org/show_bug.cgi?id=1619047

https://www.theregister.com/2020/03/03/lets_encrypt_cert_rev...

1 month agoby 1vuio0pswjnm7

Thank you Let's Encrypt, together with the acme.sh , caddy and the whole ecosystem for TLS.

You simply cannot emphasize the information security enough if all your Internet traffic is audited, censored and manipulated by a number of adversaries supported by (authoritarian) governments and what not.

2 months agoby RandyOrion

This is something that legitimately made the world a better place.

2 months agoby bruvva

Congratulations to Let’s Encrypt. I do wish there was something akin to them for code signing. OV and EV certificates are out of reach for many indie devs.

1 month agoby hgs3

I use Let’s Encrypt. It is an amazing service and I am forever grateful.

However, it is time for a second source of free certificates. It is not good that we rely on one supplier.

2 months agoby Gud

10 great years.

For the next years I'm hoping for more resilience/global distribution in the issuance process. Since I live on an island for about half the year I do have experience with internet outages, and we do appear to live in turbulent times. That could be an issue with the ever decreasing certificate lifetime. I'd love to see LE exploring options like working with ccTLD registrars to work on local issuance.

2 months agoby phillipseamore

They helped change the security game, hats off to Let's Encrypt making it accessible. I remember when people would get upset about having to pay 400$ for a cert from go daddy nearly 2 decades ago. Google pushing the HTTPs requirement was also a good thing and Let's Encrypt made it possible for many that otherwise wouldn't have bought a cert in the first place.

2 months agoby ZebusJesus

Another amazing success born at Mozilla:

"The Let's Encrypt project was started in 2012 by two Mozilla employees, Josh Aas and Eric Rescorla, together with Peter Eckersley at the Electronic Frontier Foundation and J. Alex Halderman at the University of Michigan."

https://en.wikipedia.org/wiki/Let%27s_Encrypt

What was Mozilla's role, beyond conception? Parenting? Care and feeding? A roof?

2 months agoby mmooss

The next steps:

1. Add support for DNS-based persistent authentication: https://datatracker.ietf.org/doc/draft-ietf-acme-dns-persist...

2. Allow the user to just publish their public key into that TXT record.

3. Cut out the middleman and do the authentication directly in the browser.

4. DANE

2 months agoby cyberax

I probably downloaded terabytes of data from the internet unnecessarily because https everywhere makes makes it prohibitively complicated to setup local caching proxy.

No to mention time lost waiting for downloads to finish.

I'll never understand why caching proxy is not a default part of every OS.

1 month agoby scotty79

10 years of solving a problem that didn't exist, and creating a few dozen new ones in the process.

Not evening mentioning the massive security risk they pose; Well, I did now.

1 month agoby johndoh42

> 10 Years of Let's Encrypt

Aren't they only 45 days [1] old ?

[1] https://letsencrypt.org/2025/12/02/from-90-to-45

2 months agoby hulitu

Getting yourself an IP address certificate still seems like an idea that's too crazy to work. I'm actually looking forward to seeing all the things breaking by becoming more secure.

2 months agoby 1970-01-01

Let's Encrypt is awesome. Is there any other ridiculously overpriced good/service that could be Let's Encrypt'ed today?

1 month agoby xnx

Would be interesting to hear what database they are using and how they are doing replication? Is it simple master / slave or multi-master?

2 months agoby nodesocket

One domain parking actor is responsible for nearly 10% of all issued ssl certificates. 185.53.178.99. This is just one of many bad actors.

2 months agoby elnerd

I remember buying certs from Godaddy then Namecheap then using Let's Encrypt feels like when GitHub offered free private repos

1 month agoby ge96

The thing that has made me feel the oldest this week is that someone I used to mentor posted a holiday pictures with visible wrinkles. If people you think are young look old, then buddy, check the mirror.

But this is a close second. 10 years? That can't be right. Even accounting for Covid Time Dialation.

2 months agoby hinkley

I love Let's Encrypt

A small VPS + LetsEncrypt + Dokku is a fantastic way to run personal side projects/hustles at minimal cost.

1 month agoby chasd00

Is there a notion of tier 1 and tier 2 certificates? Like if I setup paid and backed by contract agreements with a cert provider, does this give users more confidence that their lock icon in the browser actually means they are talking to who they think they are?

It's one thing to provide a cert to provide secure encrypted TLS, it's another thing to establish identity with the user. Though, most users would never notice either way.

2 months agoby nixpulvis

I'm not sure that I'm more surprised that it's only been 10 years or that it's been that long. I mean, that's a relatively quick turn around to pretty much dominate TLS certs to the point that it's the default for so many platforms... that HTTPS has become such a norm over the exception.

On the other hand, has it really been that long, it seems just yesterday I was first trying to configure nginx for it. That said, since I discovered Caddy, I haven't really looked back, though I do use Traefik too.

I mean, by comparison, it feels like IE6 took longer to die than Let's Encrypt has been around.

2 months agoby tracker1

Incredibly grateful for this project

2 months agoby awaseem

The pathetic part of EVs is that they should have been issued by whatever the business register/regulator is in the country of issue.

Not some arbitrary group like D&B etc.

The US/other countries should have ensured that each state/registration area had an appropriate cert to sign with.

It should be part of my company's annual registration/reporting expenses that they issue the appropriate certificate for "*.<mycompany>.<2LDs>.<gTLD>", signed by them (and by the TLD root cert of the nation of registration).

2 months agoby rswail

my friends work here! and it was founded by an alum from my school Macalester College

2 months agoby kyawzazaw

That is awesome i love how you change the TLS Scene for ever! Keep pushing it!

2 months agoby mpingu

What else is kept behind paperwork and fees that could be freed?

2 months agoby janpmz

Yes let's. But that doesn't answer my question.

2 months agoby hbn

it is hard to believe it's been ten years.

2 months agoby jrochkind1

Cloudflare: "Oh no, we can't have that much centralization, that's horrible, just think of the impact outages have!"

Let's Encrypt: crickets

Obviously I use LE myself and like what they do, and even in the example above some downtime would have less of an impact than Cloudflare would (due to renewals being less time sensitive), I'm just surprised that there aren't like 5 other orgs that do the same at scale, like an EU based one for example. If there's a lot of domain registrars, why doesn't every single one of them have ACME compatible services?

I think there was ZeroSSL but I vaguely remember something scummy about upsells there a few years back.

2 months agoby KronisLV

10 years and still no S/MIME.

2 months agoby stephenr

Just 10, it feels like more.

2 months agoby racl101

Next step: Let's Tor?

2 months agoby amelius

Still not convinced it's not a honeypot. Would like to see concrete evidence.

2 months agoby nofunsir

A couple of years ago, I went through the process of signing a kenel minifiter that I wrote for our endpoint-security product. It was complicated, to put it mildly.

Imagine if we had a similar process for websites! Thanks Let's Encrypt.

2 months agoby dilawar

Reminder that it’s a non profit

2 months agoby Havoc

thank you for your service

2 months agoby postbase

Let's Encrypt allows anyone to have secure https communication, sure, but it doesn't address the question of website authenticity. I groan when I'm on an e-commerce site and I click on the browser URL lock icon and see a Let's Encrypt certificate because frankly anyone can create one for no cost and I don't know if it's the real website or if I made a URL typo. Say what you will about the expensive cert providers, but it's reassuring when you see DigiCert or Sectigo - with a company name and the address of the head office.

2 months agoby letsgetreal