Introduction
Managing SSL certificates is an overhead for everyone involved. Whether certificates are purchased and procured by GOSS or supplied by yourselves, there is always an administrative and technical overhead to purchase or renew them, not to mention the actual costs involved.
At GOSS we have been using Let's Encrypt as an automated and secure certificate provider since 2018. All our hosted environments are provisioned with a valid wildcard SSL certificate provided by Let's Encrypt. This is incredibly useful for non-live environments, but also for live environments, as it ensures sites can be set up and work securely before going live with a "proper" domain name.
Until recently we only supported Let's Encrypt certificates for GOSS-owned domain names such as gosshosted.com; we have now extended this to cover non-GOSS-owned domain names.
This means that once the DNS for any domain points at our hosting environment, we can automatically obtain and maintain a Let's Encrypt SSL certificate free of charge.
Procurement Process
The only manual step in this process is for GOSS to add the domain to the list of domains for which a Let's Encrypt certificate is obtained. Once this one-off step has been completed, renewal is entirely automated for as long as the website is hosted by GOSS.
New Websites
We can only obtain the Let's Encrypt certificate once we are hosting a website. This means there is a very short period where the DNS for the website / domain needs to point at GOSS without a valid SSL certificate.
Generally, once the DNS has been changed to point at GOSS it only takes minutes for us to run through the steps to obtain and apply a valid certificate. This does depend on how quickly the DNS change propagates; lowering the DNS Time to Live (TTL) before switching may help speed up this process. Please see your DNS hosting provider's documentation for more details.
Note: It is important that GOSS are aware of a go-live happening and that someone is on hand to perform this manual step and issue the first certificate as soon as the DNS has been changed.
Renewals of non-Let's Encrypt Certificates
If you are currently paying for an SSL certificate, whether procured by yourselves or by GOSS, and would like us to replace it with a Let's Encrypt certificate at the next renewal, just let Support know. They will create a ticket for the certificate that is about to expire and ask what you would like to do with it; at this stage we can simply swap it out for a Let's Encrypt certificate.
As long as this decision is made before the existing certificate expires, the switchover to a Let's Encrypt certificate will be seamless.
Frequently Asked Questions
See also the official Let's Encrypt FAQ on their website for other common questions and technical implementation details.
Are Let's Encrypt certificates less secure?
No. Let's Encrypt is a non-profit project run by the Internet Security Research Group, a non-profit organisation that is transparent and open about how its projects are run and secured. More than 300 million websites use Let's Encrypt to secure traffic, and the project is sponsored, trusted and audited by partners such as Mozilla, Google, Cisco and Meta.
As with any other SSL certificate procurement, the private key for the certificate never leaves our environment. Let's Encrypt is only sent a Certificate Signing Request (CSR) and returns the signed certificate once validation has passed.
Will the certificate be trusted by browsers?
Yes. See also Certificate Compatibility on their website; in short, it is trusted by all modern browsers.
Does Let's Encrypt support Organisation Validated (OV) or Extended Validation (EV) certificates?
No. Let's Encrypt certificates are Domain Validated (DV) certificates; OV and EV certificates are not supported because of the automated way in which the certificates are procured.
If you need OV or EV certificates we can still quote for and provide a paid-for SSL certificate, but please note there is a significant support overhead for non-automated certificates, so further maintenance costs may apply.
How does Let's Encrypt validate domain ownership?
Let's Encrypt supports two validation methods: creating DNS records, or serving files over HTTP.
For client-owned domain names we use HTTP validation: we serve the challenge files requested by Let's Encrypt from the web servers, which proves we control the website and validates our legitimate interest in obtaining the certificate. This is identical to how many paid-for SSL certificate providers perform domain validation, except that the request, challenge deployment and verification are entirely automated.
See also How it works on the official website.
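The HTTP validation described above is the ACME HTTP-01 challenge. The following is an added, self-contained simulation of both sides of that exchange (the hosting side publishing the challenge file, and the CA side fetching and checking it); it is constructed for illustration and is not GOSS's or Let's Encrypt's code. The account key is a placeholder with made-up coordinates, and a dictionary stands in for the web server's document root.

```python
"""Simulated ACME HTTP-01 challenge (RFC 8555 section 8.3), showing the hosting
side that publishes the challenge file and the CA side that fetches and checks it.
Constructed example using only the standard library; not GOSS's or Let's Encrypt's code."""
import base64
import hashlib
import json
import secrets

CHALLENGE_PATH = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required members of the public JWK,
    in lexicographic order with no whitespace. Optional members (kid, use) are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """The file body both sides must agree on: <token>.<thumbprint of the account key>.
    The token is generated by the CA when it creates the challenge."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def publish_challenge(webroot: dict, token: str, account_jwk: dict) -> None:
    """Hosting side: the domain's web server serves the key authorization at
    /.well-known/acme-challenge/<token>. 'webroot' stands in for the served files."""
    webroot[CHALLENGE_PATH + token] = key_authorization(token, account_jwk)


def ca_validate(webroot: dict, token: str, account_jwk: dict) -> bool:
    """CA side: fetch the file over plain HTTP from wherever the domain's DNS points and
    compare it with what this account key should have produced. A missing file is what
    the CA sees while the DNS still points elsewhere or has not yet propagated."""
    body = webroot.get(CHALLENGE_PATH + token)
    if body is None:
        return False
    return secrets.compare_digest(body, key_authorization(token, account_jwk))


# Constructed account key: placeholder P-256 coordinates, not a real key.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
```

Because the thumbprint is bound to the ACME account key, a challenge file published for one account cannot be reused to validate the same domain for a different account.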
Can you issue wildcard certificates for our domain names?
No. We can only obtain wildcard SSL certificates from Let's Encrypt if we control the DNS for the domain, as DNS validation is the only option available for this type of certificate. GOSS do not manage the DNS for client-owned domain names.
What happens when the certificate expires?
Let's Encrypt certificates are issued automatically and are valid for 3 months. After 2 months (1 month before expiry) GOSS will automatically renew and update the certificate during a scheduled maintenance window. No manual action is needed during renewal.
Can you provide us with a copy of the Let's Encrypt key and certificate?
No. We securely manage the certificate and private key, and will not export them outside our hosting environment or provide copies of these certificates to anyone externally.
Are Let's Encrypt certificates shared between clients?
No. Each client environment gets its own Let's Encrypt SAN certificate(s), with one of the domain names in the certificate's Subject and any additional domain names added as Subject Alternative Names. We can support up to 100 domain names on each SAN certificate.
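The renewal window above (3 months validity, renewed 1 month before expiry) and the SAN certificate layout are the things worth checking before a go-live or a switchover. The following added example (constructed data, not GOSS's monitoring code) audits a certificate record against the hostnames a site is expected to answer on, applying the one-label wildcard rule, the 100-name SAN limit and the renewal window; the certificate record and dates are made up for illustration.

```python
"""Go-live / renewal check for a hosted site's certificate: does it cover every expected
hostname (wildcard rules included), is it within the SAN limit, and is it inside the
renewal window? Constructed example with made-up data; not GOSS's monitoring code."""
from datetime import date, timedelta

MAX_SANS = 100             # page: up to 100 domain names per SAN certificate
VALIDITY_DAYS = 90         # page: certificates are valid for 3 months
RENEW_BEFORE_EXPIRY = 30   # page: renewed about 1 month before expiry


def name_matches(hostname: str, cert_name: str) -> bool:
    """Match a hostname against one certificate name. A wildcard covers exactly one
    leftmost label (RFC 6125 section 6.4.3): *.example.net matches www.example.net
    but not example.net itself, nor a.b.example.net."""
    hostname, cert_name = hostname.lower().rstrip("."), cert_name.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return hostname == cert_name
    base = cert_name[2:]
    labels = hostname.split(".")
    return len(labels) == base.count(".") + 2 and ".".join(labels[1:]) == base


def uncovered_hostnames(cert: dict, expected: list) -> list:
    """Hostnames that would get a browser name-mismatch error with this certificate."""
    names = [cert["subject_cn"], *cert["sans"]]
    return [h for h in expected if not any(name_matches(h, n) for n in names)]


def renewal_status(cert: dict, today: date) -> str:
    """'ok', 'renew' (inside the final RENEW_BEFORE_EXPIRY days) or 'expired'."""
    if today >= cert["not_after"]:
        return "expired"
    if today >= cert["not_after"] - timedelta(days=RENEW_BEFORE_EXPIRY):
        return "renew"
    return "ok"


def audit(cert: dict, expected: list, today: date) -> dict:
    """One record per certificate, suitable for alerting before a go-live or switchover."""
    return {
        "status": renewal_status(cert, today),
        "uncovered": uncovered_hostnames(cert, expected),
        "too_many_sans": len(cert["sans"]) > MAX_SANS,
    }


# Constructed certificate record; the dates are chosen for the example, not a real issuance.
SAMPLE_CERT = {
    "subject_cn": "www.example.org",
    "sans": ["www.example.org", "example.org", "*.example.net"],
    "not_before": date(2024, 5, 1),
    "not_after": date(2024, 5, 1) + timedelta(days=VALIDITY_DAYS),  # 2024-07-30
}
```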
Will GOSS obtaining a Let's Encrypt certificate prevent me from obtaining my own certificate for a given domain?
No. You are still free to obtain your own certificates for any given domain name; this neither affects nor is affected by the Let's Encrypt certificate process.