
Let’s Encrypt in the spotlight - enigmabridge
https://dancvrcek.com/letsencrypt-spotlight/
======
finnn
This seems like a basic explanation of some of the stuff on the Let's Encrypt
rate limit page (with some funny stuff mixed in to make it sound like the
rate limits for IPv6 are somehow higher), followed by a link to a product.

~~~
enigmabridge
Followed by a link to a page with all the limits we could find.

------
venning
The submission URL should probably be changed to
[https://keychest.net/content/letsencrypt_numbers_to_know](https://keychest.net/content/letsencrypt_numbers_to_know)

The current link is just a poor summary of the data on that page.

~~~
enigmabridge
Funny enough, the page with a full analysis didn't get any upvotes. It seems
that a short summary is more interesting.

------
vsviridov
Ironic that the "https in browsers" figure uses a screenshot with a
certificate MITM'd by the antivirus software. If you see "Secure" in the green
bar instead of the domain name and EV attributes - your antivirus software is
MITM'ing you.

~~~
wielebny
Not true, it means that the certificate is not EV.

I see 'Secure' on my Chromium running under Debian, without any antivirus
software.

------
moulidorai
ManageEngine Key Manager Plus ([https://www.manageengine.com/key-manager/](https://www.manageengine.com/key-manager/)) automates the entire
process of procuring certificates, tracking expiry, renewing and deploying Let's
Encrypt certificates.

~~~
enigmabridge
Looks really nice! But starting at $395/yr sounds steep.

~~~
moulidorai
Thanks for your kind words. ManageEngine Key Manager Plus has got a lot more
features than just SSL Certificate Management. Please get in touch with us via
keymanagerplus-support@manageengine.com to know more about the product.

------
ams6110
Like with a lot of tech trends, I seem to be one of those people who doesn't
"get" the excitement about letsencrypt.

I don't find the process of generating a CSR and submitting it to a CA for
signing to be more complicated than setting up letsencrypt. In fact I think
it's quite a bit easier.

~~~
jldugger
It's free, and automated so you don't run into TLS outage post-mortems where
the question "why does the cert expire at christmas anyways?" is "Because it
expired same time last year and during the emergency repair we used the
default lifetime period of one year."

~~~
thinkMOAR
Why is your LE broken? 'Because 1 of the 12 automated renewals in the last 3 years
(to compare vs a 3 year paid certificate at 4 euro) failed for reason X, Y or
Z'. Be it them being down, be it your uplink being down, be it your DNS
malfunctioning, be it another massive spamhaus-sized-internet-disrupting-ddos.
There are plenty of ways a LE renewal can go wrong, and having this 'chance'
occur 4 times a year, I find bad practice.

Just because something is free, doesn't make it better. And having 12x more
points in the same timeframe where the automated renewal can fail, certainly
doesn't make it better statistically.

Also I grew up with the notion, 'nothing in the world is free, except the
sun'. So I wouldn't be surprised if they will start to monetise this LE user
base at some point in time.

~~~
majewsky
> Be it them being down, be it your uplink being down, be it your dns
> malfunctioning, be it another massive spamhaus-sized-internet-disrupting-ddos.

I have my certbot set to run once a week with --keep-until-expiring, so it
will try to issue a new certificate when the old one's remaining validity is
less than a month. I could also set it to run daily, because it doesn't
actually do anything if the cert is still valid for long enough. But a week
works on my (admittedly small) scale.

So unless you're experiencing a multi-week DNS malfunction or multi-week DDoS
(in which case you're in some deep shit anyway), you should be fine.
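
As an added illustration of the weekly --keep-until-expiring schedule described above (this is not code from the thread or from certbot itself), the script below assumes a 90-day certificate lifetime, a 30-day renewal window and instantaneous renewal, then counts the cron runs that actually attempt a renewal before expiry and the longest outage such a schedule can absorb.

```python
from datetime import date, timedelta

# Assumed values (not taken from certbot's source): Let's Encrypt certificates
# are valid for 90 days and certbot's --keep-until-expiring acts only when
# fewer than 30 days of validity remain. Renewal is modelled as instantaneous.
CERT_LIFETIME_DAYS = 90
RENEW_WITHIN_DAYS = 30


def should_renew(today, not_after, renew_within=RENEW_WITHIN_DAYS):
    """The keep-until-expiring rule: a run is a no-op outside the window."""
    return (not_after - today).days < renew_within


def renewal_attempts(issued, run_every_days, first_run_offset=0,
                     renew_within=RENEW_WITHIN_DAYS, lifetime=CERT_LIFETIME_DAYS):
    """Dates of the cron runs that would really attempt a renewal.

    issued:           issuance date of the current certificate
    run_every_days:   cron cadence in days (7 = weekly, 1 = daily)
    first_run_offset: days between issuance and the first cron run
    """
    not_after = issued + timedelta(days=lifetime)
    run = issued + timedelta(days=first_run_offset)
    attempts = []
    while run < not_after:                    # runs after expiry are too late
        if should_renew(run, not_after, renew_within):
            attempts.append(run)
        run += timedelta(days=run_every_days)
    return attempts


def outage_days_tolerated(issued, run_every_days, **kwargs):
    """Longest outage (whole days) that cannot cover every attempt: the span
    from the first to the last attempt, or 0 if there is no attempt at all."""
    attempts = renewal_attempts(issued, run_every_days, **kwargs)
    return (attempts[-1] - attempts[0]).days if attempts else 0


if __name__ == "__main__":
    issued = date(2017, 1, 1)                 # constructed sample date
    for cadence in (7, 1):
        tries = renewal_attempts(issued, cadence)
        print(f"every {cadence} day(s): {len(tries)} attempts, first on "
              f"{tries[0]}, survives a {outage_days_tolerated(issued, cadence)}"
              "-day outage")
```

With the sample date a weekly cron gets four attempts (5, 12, 19 and 26 March) and survives a three-week outage, while a daily cron gets 29 attempts and survives four weeks.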

~~~
thinkMOAR
So you prefer to have something (which most people have) with root privileges
pull data unattended, 52 times a year, from some 3rd party host via Python
rather than manually doing (if you wanted, ONLY once in 3 years) something once
a year?

Is this really what I am reading?

~~~
jldugger
Certbot isn't the only acme client in town. I use Chef personally:
[https://github.com/schubergphilis/chef-acme/](https://github.com/schubergphilis/chef-acme/)

Professionally, it's not once every three years, it's that x the number of
clients we host. Which is a lot. Many are clamoring for LE, because it's
within their budget: $0. So yea, I want to automate that.

------
hoopyfrood
Every time LetsEncrypt is brought up I am reminded of "if it's for free, You
are the product". In this case it is one's servers. A single company has a
hand on the pulse and runs software on your server in exchange for continuous
"convenience". I am still NOT buying in; diversifying SSL certs from reputable
companies with 12 (or sometimes 13) months validity is still ok for me in
2017.

~~~
duskwuff
This seems a little tin-foil-hatty. The only information which Let's Encrypt
receives is the domain name that the certificate is for (which is public
anyways for any CA implementing certificate transparency). The Certbot
software is open-source and easily verifiable, and there are multiple
independently developed alternatives available if you don't like it.

~~~
schoen
Certbot developer here.

If you don't like Certbot, we definitely encourage you to use one of the many
other implementations:

[https://community.letsencrypt.org/t/list-of-client-implement...](https://community.letsencrypt.org/t/list-of-client-implementations/2103)

Some of these are much lighter weight than Certbot and have many fewer
dependencies. You can also take your pick of what language they are written in
and how they are installed on your system.

You're also welcome to write your own client that speaks the ACME protocol.
Let's Encrypt is near to rolling out an API endpoint that will speak the
IETF-standardized version of ACME, developed through an open standards process
and in consultation with other implementers.

I know that some people have said they don't like running a large new
application as root, even when it's open source. So, please have a look at
some of the other clients and see if one of them strikes your fancy!

Let's Encrypt's operational funding is thanks to these entities

[https://letsencrypt.org/sponsors/](https://letsencrypt.org/sponsors/)

which view the service as worthwhile and important and have chosen to donate
funds to support its operation. The organization is overseen by these people

[https://letsencrypt.org/isrg/](https://letsencrypt.org/isrg/)

In this model there is no need to charge users for certificates or try to
indirectly monetize the use of the service, although users are very welcome to
donate if they find the service useful, and Let's Encrypt may be more
sustainable if some users choose to do so.

~~~
IronBacon
> I know that some people have said they don't like running a large new
> application as root, even when it's open source.

Certbot could be configured to run without root with little effort, at least
the part exposed to the web that was my concern.

