
Public Beta: December 3, 2015 - arash_milani
https://letsencrypt.org/2015/11/12/public-beta-timing.html
======
tombrossman
I'm really pleased to see this initiative and I've used the private beta with
letsencrypt-nosudo[0] to issue a certificate, but after successfully getting a
certificate my site failed the SSL Labs test[1] with an 'unknown CA' error,
even though I used the newer one that should have been trusted. It was
probably down to user error and the additional complexity of denying sudo
privileges for the setup script, but it took much more work than I expected.
Then I noticed the certs will only ever be good for 90 days, and I'll have to
do this multiple times a year!

Bottom line for me is that with DV certs so inexpensive and simple to get, I'd
rather pay a few dollars a year for normal commercial certificates. I can do
things like use CloudFront at a custom subdomain with HTTPS without needing to
point DNS somewhere every few months to get a cert reissued.

I simply can't justify the extra work involved to get 'free' certificates, and
I'm happy to continue buying regular DV certs. Maybe these are temporary
limitations and if so I will definitely try again in the future.

[0] [https://github.com/diafygi/letsencrypt-nosudo](https://github.com/diafygi/letsencrypt-nosudo)
[1] [https://www.ssllabs.com/ssltest/index.html](https://www.ssllabs.com/ssltest/index.html)

~~~
kevinreedy
I actually love the idea of 90 day (or less) certificates! Once you automate
the process of replacing your certificate (which let's encrypt will greatly
help with), it won't matter how short the period is. Also, if a key gets
compromised, it'll be valid for a shorter time. Give
[https://letsencrypt.org/2015/11/09/why-90-days.html](https://letsencrypt.org/2015/11/09/why-90-days.html)
a read! If you want to get more in-depth about certificate revocation,
[http://news.netcraft.com/archives/2013/05/13/how-certificate-revocation-doesnt-work-in-practice.html](http://news.netcraft.com/archives/2013/05/13/how-certificate-revocation-doesnt-work-in-practice.html)
is also a great/depressing read.
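The point about short-lived certificates only working once renewal is automated is easy to see in code. The following is an added example (not part of the thread and not Let's Encrypt client code): a standard-library-only renewal scheduler that takes an inventory of hostnames with their `notAfter` dates (in the format `ssl.getpeercert()` reports), classifies each certificate, and returns the ones that need action. The inventory, hostnames and dates are constructed; the 30-days-left threshold is an assumption chosen so that a failed renewal is noticed before the site goes dark.

```python
"""Decide which certificates are due for renewal from their notAfter dates.

Added example using only the standard library. The sample inventory is
constructed; the notAfter strings use the "%b %d %H:%M:%S %Y GMT" format
that ssl.getpeercert() returns for real certificates.
"""
from datetime import datetime, timezone

# A 90-day certificate renewed with 30 days left gives two renewal attempts
# (and time to investigate) before the old certificate actually expires.
LIFETIME_DAYS = 90
RENEW_WITH_DAYS_LEFT = 30          # assumed policy, not a Let's Encrypt rule
CERT_TIME_FORMAT = "%b %d %H:%M:%S %Y GMT"

# Constructed inventory: hostname -> notAfter, as a monitoring job might collect it.
SAMPLE_INVENTORY = {
    "www.example.test": "Feb 20 12:00:00 2016 GMT",   # ~79 days left: fine
    "mail.example.test": "Dec 10 12:00:00 2015 GMT",  # ~7 days left: renew now
    "old.example.test": "Nov 01 12:00:00 2015 GMT",   # already expired
}

# Fixed "now" so the example is deterministic (the thread's public-beta date).
REFERENCE_NOW = datetime(2015, 12, 3, tzinfo=timezone.utc)


def days_remaining(not_after: str, now: datetime) -> float:
    """Days until expiry; negative once the certificate has already expired."""
    expires = datetime.strptime(not_after, CERT_TIME_FORMAT).replace(tzinfo=timezone.utc)
    return (expires - now).total_seconds() / 86400


def renewal_status(not_after: str, now: datetime) -> str:
    """Classify a certificate as 'ok', 'renew' or 'expired'."""
    left = days_remaining(not_after, now)
    if left <= 0:
        return "expired"
    if left <= RENEW_WITH_DAYS_LEFT:
        return "renew"
    return "ok"


def certificates_to_renew(inventory: dict, now: datetime) -> list:
    """Hostnames needing action, sorted so the output is stable for cron mail or alerts."""
    return sorted(host for host, not_after in inventory.items()
                  if renewal_status(not_after, now) != "ok")


if __name__ == "__main__":
    for host, not_after in SAMPLE_INVENTORY.items():
        left = days_remaining(not_after, REFERENCE_NOW)
        print(f"{host}: {renewal_status(not_after, REFERENCE_NOW)} ({left:.1f} days left)")
    print("needs renewal:", certificates_to_renew(SAMPLE_INVENTORY, REFERENCE_NOW))
```

Run daily from cron with `now = datetime.now(timezone.utc)`; the `expired` state is kept separate from `renew` so an outage is alerted on, not merely queued behind the next renewal attempt.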

~~~
bmelton
Does Google still penalize short-term / soon-expiring SSL certs in search
rankings?

Edit: this does not appear to be a thing that happens.

~~~
tedchs
Why do you think that's a thing that's happening?

~~~
bmelton
Hrm. Good point. At some point I remember some SEO guru or other claiming that
long-duration domain name registrations were good for SEO, but looking at it
now, it seems as though that was a correlation !== causation, as MS, Goog, et
al register their domain names for decades at a time, and also tend to have
high search rankings.

As for the rest, chalk it up to my over-active imagination, compounded with
that bad knowledge. SSL is an SEO boost (according to a random Googling), and
if domain name expiration was a factor, it made sense to me that SSL expiry
would factor too.

TLDR, I was a dumb.

------
0x0
So a slight delay then, previously they announced general availability for
November 16th: [https://letsencrypt.org/2015/08/07/updated-lets-encrypt-launch-schedule.html](https://letsencrypt.org/2015/08/07/updated-lets-encrypt-launch-schedule.html)

~~~
conorgil145
Given the scope of what they are trying to accomplish and the fact that I've
never worked on a project which was delivered on time and with all features
complete, I'm pretty happy that the delay isn't longer! :)

------
fenesiistvan
I am still unable to run the tool to get the certificates on Windows OS. I
know that there is some development in progress, but it is still far from
finished. Windows OS is running around 30% of the web servers. Please don't
neglect it.

~~~
gluejar
Don't feel so bad, it doesn't run on Mac OSX or even RHEL. Use the Docker
container, it worked for me.

~~~
rascul
Works fine on FreeBSD, also is in ports.

[https://svnweb.freebsd.org/ports/head/security/py-letsencrypt/](https://svnweb.freebsd.org/ports/head/security/py-letsencrypt/)

------
discreditable
I am beginning to wonder how much effect Let's Encrypt will really have on
wide TLS deployment. A very large portion of the web is stuck at shared
hosting services, such as Go Daddy, Lunarpages, et al. These services
generally charge for TLS hosting, and due to the 90-day issuance on Let's
Encrypt certificates it seems somewhat infeasible to use their certificates on
shared hosts which offer very limited (if any) shell access.

~~~
atmosx
A VPS costs 5 bucks on DO and I've seen (can't remember where) a 3 USD/month
offering. So it's rather cheap to move away from shared hosting nowadays.

For me Let's Encrypt came out at the right time. They said they will automate
the 90-day renewal process.

~~~
Diamons
Side question, does anyone actually enjoy running a VPS? Between managing the
sites on it, you have to maintain the VPS, keep it up to date, it's prone to
security bugs and flaws, etc. Am I missing something here? I remember setting
up multiple VPSes on Linode / DO and it was always a painful process of
installing the OS, installing the whole stack, configuring everything, setting
up users / roles, firewalls, etc.

On top of that, whereas on a shared host I click a button and host a second
domain, with a VPS I have to SSH in and manually edit server files.

But everyone always recommends running a VPS so I can't help but imagine I've
either missed some magical tool that makes running a VPS a snap or it's just
not a realistic solution for most people.

~~~
geerlingguy
On a basic level, shell scripts to do the basic config work in a pinch. But if
you can learn the basics of Ansible, setting up a new VM can take just a few
minutes and not be painful at all. It's quicker for me to add a new VM and
apply a few Ansible roles I've written for a new client site/app than to log
into some shared hosting provider and click through their UI to do the same.

~~~
voltagex_
Have you got any hints on learning Ansible? I've tried but I find YAML quite
tedious to write - I'm more likely to reach for shell scripts.

I'd also like to integrate it with
[https://github.com/voltagex/junkcode/blob/master/Python/spotprices/spotprices.py](https://github.com/voltagex/junkcode/blob/master/Python/spotprices/spotprices.py)
so I can do "least cost provisioning"

------
flyingmutant
Is there finally a way to renew the certificate without taking down the web
server listening on :443? This was the major thing missing from being able to
deploy it in production.

~~~
SuperKlaus
There's no downtime when using the webroot method, see here for details:
[https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/7](https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/7)
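What the webroot method actually does is worth seeing concretely, so here is an added example that is not part of the thread and not Let's Encrypt client code. It builds the ACME http-01 challenge response: the CA hands the client a token, the client computes the account key's JWK thumbprint (RFC 7638) and writes `token.thumbprint` to `<webroot>/.well-known/acme-challenge/<token>`, and the CA fetches that path over plain HTTP. Because the file is served by the already-running web server, nothing on :443 has to stop. The account key JWK and token below are constructed placeholders, not a real key or a real challenge; `validate_response` is the check the CA side performs, written here to show both sides of the exchange.

```python
"""ACME http-01 challenge file for the webroot method (added example).

Thumbprint per RFC 7638; key authorization is token || "." || thumbprint.
The JWK and token are constructed sample values, not real key material.
"""
import base64
import hashlib
import json
import os

# Constructed account-key JWK (public part only; not a real RSA modulus).
SAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc",
}
# Constructed token; a real one is chosen by the CA and has at least 128 bits of entropy.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """The exact body the CA expects to fetch for this token and account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def challenge_path(webroot: str, token: str) -> str:
    """Filesystem path that maps to http://<host>/.well-known/acme-challenge/<token>."""
    # The token must be a single path segment; refuse anything that could escape the directory.
    if not token or "/" in token or "\\" in token or token in (".", ".."):
        raise ValueError("token is not a single path segment")
    return os.path.join(webroot, ".well-known", "acme-challenge", token)


def write_challenge(webroot: str, token: str, jwk: dict) -> str:
    """Drop the challenge file into the live document root; no server restart involved."""
    path = challenge_path(webroot, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization(token, jwk))
    return path


def validate_response(body: str, token: str, jwk: dict) -> bool:
    """CA-side check: the fetched body, with surrounding whitespace trimmed, must match exactly."""
    return body.strip() == key_authorization(token, jwk)


if __name__ == "__main__":
    print("expected body:", key_authorization(SAMPLE_TOKEN, SAMPLE_JWK))
    print("serve it at:", challenge_path("/var/www/html", SAMPLE_TOKEN))
```

The file only needs to exist for the seconds the CA takes to fetch it, and the web server must serve `/.well-known/acme-challenge/` as static files for every hostname in the certificate; the separate restart-to-load-the-new-certificate step the next reply mentions is outside this exchange.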

~~~
ge0rg
The downtime happens when you restart the server so it loads the new
certificate. This must probably be addressed in the server implementation.

------
BrandoElFollito
This is a fantastic solution for _public_ web sites. Kudos to the team.

It is hardly usable for internal (non-Internet facing) ones because you have
to expose either the site or internal DNS for a check to go through.

------
Absentinsomniac
Hopefully some kind of OpenBSD support comes along. Pretty much letsencrypt-
nosudo until then. The standard letsencrypt program doesn't appear to work on
Debian 7 due to outdated openssl and what not.

------
plnii
The beta was good timing for me. I installed an LE cert on Ubuntu running
Apache and it's working fine. The instructions were a bit unclear about
whether the "auto" option works yet for that setup (it doesn't). Also, I had
an issue with permissions on the cert directory - I use a group for my server
permissions (instead of running at root), so had to add that group to the cert
directory. But the process is still better than what I've experienced
implementing a Comodo cert.

------
Aissen
I tried the beta: it was fast, easy and boring. How it should be.

------
flavmartins
Anyone concerned with the amount of fraud that will come from this? Won't bad
actors utilize this to https all of their phishing sites?

~~~
Bedon292
These certs are to verify you control the domain name, not that you are who
you say you are. Those certificates are much more complicated and expensive.
See [https://letsencrypt.org/2015/10/29/phishing-and-malware.html](https://letsencrypt.org/2015/10/29/phishing-and-malware.html)
for more information

~~~
cpeterso
What is the value of checking Google's Safe Browsing API before issuing a
certificate when the browser can/should use the same Safe Browsing API to
block the phishing website? Move the policy to the user agent.

