The great thing about using Let's Encrypt is the automation

December 19, 2016

When I started using TLS certificates from Let's Encrypt, the obvious attraction was that the certificates were free. I could have certificates for as many different names as I wanted and I'd never have to worry about either the cost or the whole mechanical hassle of paying for them.

(You'd think that TLS certificate vendors would make it really easy to give them money either for new certificates or to renew ones you already have. In my limited experience, this is not the case; the one vendor's website I had to use seemed deliberately designed to make the process hard and opaque.)

It's funny that I should mention 'hassle', because that's turned out to be the great thing about switching my certificates over to Let's Encrypt. The only thing that's a hassle with Let's Encrypt is picking out an LE client and getting it set up properly on your system (I recommend acmetool). Once you've done that, the LE and client automation takes over, everything just works, and you can stop even thinking about it.

(One of my TLS certificates renewed yesterday and the only reason I know is that I go out of my way to monitor our certificate expiry times, so I saw that site's time jump back to 90 days.)

Up until Let's Encrypt came along, both getting renewed certificates and deploying them was a hassle; the last time I went through it for our sites was basically a day of work. A properly operating Let's Encrypt client setup turns both into things that you can entirely forget about because it all just works and keeps on working with no by-hand care or attention. This is a great thing, since grinding through all of this by hand is just pointless work.

One somewhat subtle appeal of this automation is that it also basically removes the need to carefully keep track of and worry about certificate expiry times. Your monitoring system should still watch this, just in case, but you no longer need a note in your calendar about 'certificate X needs to be renewed now' and you don't need to worry about what happens if it slips through the cracks.
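The "monitoring system should still watch this" point is worth making concrete. The following is an added example, not code from the post or from any LE client: a small stand-alone expiry check in Python's standard library. It reads the `notAfter` field that `getpeercert()` returns, turns it into days remaining, and flags a site whose certificate is closer to expiry than an automated renewal should ever let it get. The `WARN_DAYS` threshold of 20 is an assumed value chosen because Let's Encrypt issues 90-day certificates and clients normally renew around 30 days before expiry, so anything under that means the automation has silently stopped. The hostnames and dates in `sample_check()` are constructed, not real monitored sites.

```python
"""Certificate-expiry check (added example; not part of the original post).

Only the standard library is used. check_host() does the live TLS fetch;
days_until_expiry() and classify() are pure helpers that can be tested
offline with constructed timestamps.
"""
import socket
import ssl
import time

# Assumed threshold: LE certificates last 90 days and a working client
# renews ~30 days early, so fewer than 20 days left means renewal failed.
WARN_DAYS = 20

# Python's getpeercert() reports times in this form, e.g. 'Dec 19 01:20:43 2016 GMT'.
CERT_TIME_EXAMPLE = "Dec 19 01:20:43 2016 GMT"


def days_until_expiry(not_after, now_epoch=None):
    """Days remaining until the certificate's notAfter timestamp.

    not_after uses the getpeercert() format; now_epoch is seconds since the
    epoch (defaults to the current time). Negative means already expired.
    """
    expiry_epoch = ssl.cert_time_to_seconds(not_after)  # interpreted as UTC
    if now_epoch is None:
        now_epoch = time.time()
    return (expiry_epoch - now_epoch) / 86400.0


def classify(days_left, warn_days=WARN_DAYS):
    """Map days remaining to a monitoring status string."""
    if days_left < 0:
        return "EXPIRED"
    if days_left < warn_days:
        return "WARN"
    return "OK"


def check_host(hostname, port=443, timeout=10):
    """Connect to hostname:port, fetch the leaf certificate and classify it.

    The default context verifies the chain and hostname. If verification
    fails (expired, wrong name, untrusted issuer) that is itself an alert,
    so it is reported as VERIFY_FAILED rather than treated as a crash.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return "VERIFY_FAILED", None, str(exc)
    days_left = days_until_expiry(cert["notAfter"])
    return classify(days_left), days_left, cert.get("subject")


def sample_check():
    """Offline demonstration on constructed data: a certificate expiring on
    19 Dec 2016, checked on 20 Sep 2016 (exactly 90 days earlier, i.e. the
    moment a fresh LE certificate would have been issued)."""
    constructed_now = ssl.cert_time_to_seconds("Sep 20 01:20:43 2016 GMT")
    days_left = days_until_expiry(CERT_TIME_EXAMPLE, constructed_now)
    return classify(days_left), days_left


if __name__ == "__main__":
    import sys
    # Usage: python check_expiry.py host1 host2 ...   (no arguments: offline sample)
    if len(sys.argv) == 1:
        print("sample:", sample_check())
    for name in sys.argv[1:]:
        status, days, detail = check_host(name)
        shown = f"{days:.1f} days left" if days is not None else detail
        print(f"{name}: {status} ({shown})")
```

Run it from cron against each name you serve and page on anything other than `OK`. The design point is that the check is independent of the renewal machinery: it asks the live server what it is actually presenting, so a client that renewed but never installed the new certificate, or a web server that was never reloaded, shows up just as clearly as a client that stopped running.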

(The appeal of LE's automation is sufficiently great that it's started to make my co-workers enthused about switching to Let's Encrypt. We're okay with paying money for certificates, more or less, but we all really like the idea of never having to worry about certificate expiration or do work to roll over certificates.)
