Let's Encrypt: The Fully Transparent & Free Non-Profit Certificate Authority

Let’s Encrypt Has Issued a Billion Certificates

How Let’s Encrypt Runs CT Logs

38 thoughts on “Let's Encrypt: The Fully Transparent & Free Non-Profit Certificate Authority”

  1. I watch so many of your videos if they're not completely over my head. It just amazes me how fast your mind and your mouth work in concert. I have to wonder just how your employees can keep up with you once you get going. LOL. Sometimes, when I really want to get something, I'll set the speed to 75% so I can get it all. That's pretty funny too, because it makes you sound like you've had a 3 martini lunch.

  2. Many ISPs block port 80 for residential connections. So if that's the case, you won't be able to use Let's Encrypt.

  3. Lawrence,
    Today, before I watched your video, I uninstalled the ACME and the HAProxy packages from my pfSense. For days, I have tried to make them work.
    HAProxy worked very well forwarding HTTP traffic, but I could not make it forward the HTTPS traffic (even without SSL Termination and new encryption) to the backend server. It was very, very buggy.
    The ACME package worked flawlessly using a STAGING key. But did not work at all with the production key. "Authorization must be pending" appeared in the logs among other things.

    – Could you please make a complete video? I mean creating a staging key and then a final production key?
    – Could you show the creation of the staging certificate and then the creation of the final production one?
    – Could you show SSL offloading and new encryption to the backend server?
    – Could you show a complete Frontend (I tried with two) with the Lua script for Webroot local folder validation and forwarding all HTTP traffic to HTTPS? This way, only port 443 would be open on the backend server.
    – Could you show verification (CRL) of the backend server certificate really working?

    After days, my conclusion is that both packages (HAProxy and ACME) are not in production stage. At least not in this version of pfSense.
    PS: I watched the official Netgate videos about both of them, and watched an entire online course on HAProxy.

  4. Great video, thanks. I had heard of Let's Encrypt before but didn't look into it until I saw your video. I self host a couple of webapps from my home server and have now replaced my GoDaddy cert with a Let's Encrypt cert. Was super easy to setup and free. No brainer.

  5. I'm trying to find out how to extend beyond 10 SSL certificates. First 10 are free but beyond that I'm at a loss. I don't mind paying for that luxury. Any ideas??

  6. 6:05 Unless it's GoDaddy, they charge an arm and a leg and everything in your pocket to give you SSL. I get mine from Cloudflare.

  7. letsencrypt is the best. My website uses Traefik reverse proxy with automagic LetsEncrypt integration using DNS challenge. Once it's set up, I don't have to think about anything. It just works.

  8. Thank you Tom, how to get a certificate for FreeNAS? Can you release the next videos on this subject?

  9. One difference worth mentioning is the info that is in the TLS cert. When you go through a conventional CA, they verify your identity (e.g. company name), and that info is shown in the cert when a user asks for details from the browser. Since Let’s Encrypt does not validate this information (or even ask for it), it can show nothing in the cert apart from your domain name. So all one of their certs is actually certifying is that the site you are connecting to is the actual owner of the domain name, nothing more or less.

  10. 8:12 Certs are not normally tied to IP addresses. Not sure if Let’s Encrypt even allows that.

  11. 4:56 One problem that I’m not sure has been solved is that any CA can issue a cert for any domain. Thus, one dodgy CA can undermine the whole system by issuing bogus certs for sites that everybody uses.

  12. Super coverage on this. I will be looking into Let's Encrypt since I just purchase a domain for my LAN.

  13. Good timing! I'm learning all about certs for my web servers at the moment.

    For those worried about the 90 day expiry, you should use the Certbot tool mentioned in the video:

    Certbot has a --renew operation. Just stick that into a nightly cron job (explained on their site) and Certbot will correctly renew the certificate that requires it.

    The 90 day thing is now recommended by Mozilla. In fact, Mozilla has a great service to help you modernize and harden your server certificates by using their recommendations: https://ssl-config.mozilla.org/

    You can test your domain's certificate thoroughly using this free service by SSL Labs:

    The problem I've run into now is that the "Intermediate" cipher suite that Mozilla recommends will only work with IE 11 and older Safari if you generate an ECDSA cert, and it appears that Certbot still has not figured out how to implement that:

    If you really want to push up your SSL Test score, I've found setting HSTS in your header and setting a CAA record inside your domain's DNS record both bump you up. Those require a bit of an explanation and a couple of lines of code, so get to Googling. You should also enable OCSP stapling.

  14. Only issue I have had is when my certs expire through my hosting provider, they do not seem to auto-renew, at least not that I can see. Not sure why.

  15. Shedding light upon this service is almost as awesome as the service itself. Thank you Tom, the internet thanks you!

  16. I will be honest the whole 90 day thing is a deal breaker. This might be great later when automation is better.

  17. Woohoo.. my 2 pihole servers, unifi controller and wordpress sites are all domain validated by letsencrypt.. works like clockwork..

  18. I would not call a DV CA which has not used multiple perspectives for a long time "absolutely secure", it's more minimum acceptable security. If you control the clients it's good to add some extra protection like certificate pinning and monitor the CT logs closely, as the CAA record seems not to be honored in terms of letsencrypt accounts. (Issuer Account Tag)
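
    Comments 13 and 18 both bring up CAA records. The following is an added example, not from the video or from any commenter, that evaluates a constructed set of CAA records the way RFC 8659 tells a CA to (climb to the closest label with CAA records, let issuewild govern wildcard requests, refuse on an unknown critical property) and also checks the RFC 8657 accounturi parameter. The zone, the domain names and the account URI are all constructed.

```python
# Added example (not from the video or any commenter): CAA evaluation per RFC 8659,
# with the RFC 8657 'accounturi' parameter. All names, records and the account URI
# below are constructed; a real check would fetch the CAA RRsets over DNS.
ZONE = {
    "example.com": [
        (0, "issue", "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/12345"),
        (0, "issuewild", ";"),                      # no CA may issue wildcards
        (0, "iodef", "mailto:security@example.com"),
    ],
    "legacy.example.com": [(0, "issue", "digicert.com")],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def relevant_rrset(domain, zone):
    """RFC 8659 s3: the relevant RRset is the closest label set that has CAA records."""
    labels = domain.split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []

def parse_issue_value(value):
    """'ca.example; k=v' -> ('ca.example', {'k': 'v'}); a bare ';' means no issuer."""
    parts = [p.strip() for p in value.split(";")]
    params = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    return parts[0] or None, params

def may_issue(domain, ca_domain, zone, account_uri=None):
    """Decide whether ca_domain may issue for domain; returns (allowed, reason)."""
    wildcard = domain.startswith("*.")
    name, records = relevant_rrset(domain[2:] if wildcard else domain, zone)
    if not records:
        return True, "no CAA records found: any CA may issue"
    # An unrecognised property with the critical bit (0x80) set forbids issuance.
    if any(flags & 0x80 and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False, f"unknown critical property at {name}"
    # For wildcards, issuewild takes over entirely when present; otherwise issue applies.
    tag = "issuewild" if wildcard and any(t == "issuewild" for _, t, _ in records) else "issue"
    for _, t, value in records:
        if t != tag:
            continue
        issuer, params = parse_issue_value(value)
        if issuer != ca_domain:
            continue
        if "accounturi" in params and params["accounturi"] != account_uri:
            continue  # right CA, but bound to a different ACME account
        return True, f"{tag} record at {name} permits {ca_domain}"
    return False, f"{tag} records at {name} do not permit {ca_domain}"
```

    Running may_issue against your own records before you rely on them shows exactly which CA and, where accounturi is set, which ACME account the zone permits, which is the check the CAA discussion above calls for.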

  19. Even worse than "lots of sniffing" were Internet and mobile providers who injected tracking cookies and scripts or advertising. You really do your users a service if you offer only HTTPS, even on public and non-sensitive sites. (Not to mention you get Google SEO karma)

  20. Tom, it is my understanding that the EV was originally brought in also to allow the browser address bar to change to a green background when it was on a site that had a valid EV certificate – a visual indicator to the website customer that it was good and not a dodgy site. The financial institution I work for spends quite a bit of time & effort assisting our customers in matters of internet security and the fact that the browser manufacturers are now moving away from highlighting an EV certificate is annoying.

  21. Use it on UniFi controller and UniFi Video. Going to set it up on 3CX soon (it's used by default for non-custom domains). No reason to not use HTTPS nowadays. It should be the default. Honestly, should just phase out non-HTTPS.

  22. Network Solutions is still really hard to get Let's Encrypt to work, they of course sell certificate services. Off topic, but what's the deal with Brave Browser? So many channels pushing this right now that it makes me think there is a big gotcha!

  23. Could you please do a video showing how you would enable LetsEncrypt on a UniFi Cloud Key with a dyndns FQDN. Thank you

  24. Hi Tom. Looking forward to the upcoming videos. Would love to have certs for my home network setup. Many thanks.

  25. What do you use for an internal PKI environment? Offline root CA, HSM? Any recommendations for a homelab/small business?
