What are the disadvantages of Let's Encrypt?
Let's Encrypt is now installed on more than 50% of all webservers. This is mostly thanks to its adoption by many web hosting providers. We can also see it starting to be used by large companies and enterprises. But what are the downsides?
First of all, the main task of any certificate (Let's Encrypt certificates included) is to prove the authenticity of its owner, e.g., a web server. In this respect there is no difference between Let's Encrypt and any other certificate your browser can verify (DigiCert, COMODO, Entrust, etc.), and all browsers can now verify Let's Encrypt certificates.
When we look at the limitations of Let's Encrypt, they are mostly operational. There is one big disadvantage of Let's Encrypt: rate limits. These restrict the number of operations you can perform per second, hour or week, depending on the type of request. The limits are most severe for the number of certificates you can issue per "registered domain", e.g. keychest.net. I have described most of those limits here.
New management approach
Further, using a Let's Encrypt certificate brings significant operational differences, i.e., in how you manage such a certificate on your server.
Let’s Encrypt uses a set of new protocols for automated certificate management. There are two important effects of that:
- The process of issuing a certificate is different from most other CAs, which require manual steps, notably proving that you are the owner of a given server.
- The same process is designed to work fully automatically. Let's Encrypt is about automation to keep the certificate issuance costs low. There is always a question of how much you need to automate something you do once a year or maybe once every two years; this may be one of the reasons why Let's Encrypt certificates are valid for only 90 days.
As a result, you have to renew your certificates four times a year, but more likely 6 times (due to the renewal overlap). You can automate this if you have the skills and/or support. I would also recommend monitoring that your automation works. (I have been active in this area so you can try our service KeyChest, which is free for 500 domains and personal use.)
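As an added example (not code from the original post or from KeyChest), here is a small Python monitor for the renewal cadence described above: it reads a server's live certificate, extracts the issuer and expiry, and flags a certificate that has fewer days left than an assumed 30-day renewal window, which is where a stuck renewal job usually first becomes visible. The 30-day threshold, the sample certificate dictionary and the function names are assumptions for this example.

```python
import socket
import ssl
import time

# Assumed policy (not stated in the original post): Let's Encrypt leaf
# certificates are valid for 90 days and common ACME clients renew once
# 30 days remain, so a live certificate with fewer days left than that is
# a sign that the renewal automation has silently stopped.
RENEW_DUE_DAYS = 30

def parse_cert_time(cert_time):
    """Epoch seconds for a 'notAfter' string as returned by getpeercert()."""
    return ssl.cert_time_to_seconds(cert_time)

def issuer_org(cert):
    """organizationName of the issuer from a getpeercert() dict, or None."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None

def evaluate(cert, now):
    """Classify a getpeercert()-style dict relative to 'now' (epoch seconds)."""
    days_left = (parse_cert_time(cert["notAfter"]) - now) / 86400
    if days_left <= 0:
        status = "expired"
    elif days_left < RENEW_DUE_DAYS:
        status = "renewal-overdue"   # renewal should already have happened
    else:
        status = "ok"
    return {"issuer": issuer_org(cert),
            "days_left": round(days_left, 1), "status": status}

def check_host(host, port=443, timeout=5):
    """Fetch the live certificate of host:port (chain validated) and evaluate it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return evaluate(tls.getpeercert(), time.time())

# Constructed sample in the shape getpeercert() returns, for offline use.
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "ISSUER-CN-PLACEHOLDER"),)),
    "notAfter": "Jun  1 12:00:00 2025 GMT",
}

if __name__ == "__main__":
    print(evaluate(SAMPLE_CERT, parse_cert_time("May  2 12:00:00 2025 GMT")))
```

Run `check_host("example.org")` from a scheduled job and alert on any status other than "ok"; the offline `evaluate` path is what a unit test should exercise.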
I have also recently looked into the reliability of Let's Encrypt certificate issuance and described some of the results in my blog Let's Encrypt uptime is 99.9% — or 98.8% without defects in 2017. It's actually quite good for a completely new system, but much worse than commercial CAs. I came up with 2 numbers: 98.0% and 99.9%, and the real truth is somewhere between them for the vast majority of users. 99.9% is when Let's Encrypt was up for at least some of its users, 98.0% when it worked flawlessly.
"Color" of padlock
As a side note, there is a special type of certificate, the so-called Extended Validation certificate, or EV certificate. When a server presents an EV certificate, browsers tend to show the company name rather than a web address. You can see the difference below: a Let's Encrypt certificate (top) and an EV certificate (bottom).
A domain validated certificate will only show the domain name.
An extended validation (EV) certificate will show the company name.