Let’s Encrypt and DNSimple

This article describes a feature in Public Beta.

This article describes a feature that is only available on the new plans.

Let’s Encrypt is a new certificate authority that entered the scene in late 2015 and became an official member of the CA/Browser Forum in 2016.

Let’s Encrypt is an innovative certificate authority from several points of view. The three most distinguishing characteristics, as listed on their homepage, are free, automated, and open.

  • free: Let’s Encrypt SSL certificates are free; there is no per-certificate charge
  • automated: the Let’s Encrypt issuance process is fully automated. They developed a new issuance protocol, ACME, designed to run without manual intervention
  • open: the source code of the Let’s Encrypt certification authority is completely open source and available on GitHub. This is by far the most distinctive characteristic of this CA.

Differences between Let’s Encrypt and Standard SSL certificates

The table below summarizes the most important differences between Let’s Encrypt and Standard SSL certificates.

                          Let’s Encrypt                    Standard
  Certificate expiration  90 days                          1-3 years
  Single names            Supported                        Supported
  Wildcard names          Not supported                    Supported
  Multi-domain (SAN)      Supported by default             Supported only by specific products
  Max SAN domains         100                              Depends on the CA and product
  Validation type         DV only                          DV, OV, EV
  Cost                    Free                             Depends on the CA and product
  Limits                  Per-domain and per-week limits   N/A

Let’s Encrypt highlights

Let’s Encrypt is quite different from most traditional certificate authorities. Here are a few relevant notes and limitations to keep in mind before requesting one of their SSL certificates:

  • Let’s Encrypt only issues domain-validated SSL certificates. There is no plan to support OV or EV certificates.
  • Wildcard names are not supported; Let’s Encrypt SSL certificates can only include non-wildcard names.
  • A single Let’s Encrypt certificate can include up to 100 SAN names.
  • Let’s Encrypt certificates have a fixed validity period of 90 days. It is not possible to request a certificate with a longer validity, so 1-year or multi-year SSL certificates cannot be obtained.
  • Although Let’s Encrypt is a new authority, their SSL certificates are trusted by the major browsers because their intermediate certificate is cross-signed by an established, already-trusted certificate authority. For a complete list of supported platforms, visit the certificate compatibility page.
  • Let’s Encrypt certificates are domain-validated. The most common validation mechanisms are DNS-based and HTTP-based. Traditional email-based validation is not supported.
  • Let’s Encrypt currently rate-limits requests. Make sure you understand their limits before requesting a large number of certificates.

Please note that some Let’s Encrypt features may not currently be supported by DNSimple. Check the limitations section to learn which features are supported.

Integration

The DNSimple Let’s Encrypt integration allows you to request an SSL certificate for free, issued by the Let’s Encrypt certification authority.

In order to request an SSL certificate with Let’s Encrypt, the domains must be delegated and resolving with DNSimple. The domain does not need to be registered with DNSimple.

Certificate validation is completely automated using a DNS challenge: DNSimple creates the validation record in the domain’s zone on your behalf. Once the certificate is issued, you will receive an email and a webhook notification, and the certificate will be available to download from your DNSimple account.

The certificate expires after 90 days. If auto-renewal is enabled, the certificate is automatically renewed before expiration. If a new validation is necessary, we automatically re-validate the domain via DNS. Once renewed, you will receive an email and a webhook notification. You still need to install the newly issued certificate after each renewal.

As suggested by Let’s Encrypt, the renewal happens at any time after day 60 of the certificate’s life (30 days before expiration).

Although Let’s Encrypt certificates can be installed manually, the entire process is designed to be fully automated. We therefore encourage you to use our certificate API to fetch the certificate and install it programmatically.
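The step that remains yours after issuance and after every auto-renewal is fetching the certificate and installing it. The following Python example is added here as an illustration and is not DNSimple’s own client or sample code. It calls the DNSimple API v2 certificate download and private key endpoints (paths and field names as documented for API v2 at the time of writing; check them against the current API reference), assembles the files a web server expects, and writes them with restrictive permissions. The account identifier, domain, certificate identifier and token are placeholders, and the PEM bodies used to exercise the bundle builder are constructed stand-ins, not real certificates.

```python
import json
import os
import urllib.request

API_BASE = "https://api.dnsimple.com/v2"


def api_get(path: str, token: str) -> dict:
    """Authenticated GET against the DNSimple API; returns the decoded JSON body."""
    req = urllib.request.Request(
        f"{API_BASE}{path}",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def build_bundle(download: dict, private_key: dict) -> dict:
    """Turn the two API responses into the PEM files a server needs.

    `download` is the body of GET .../certificates/:id/download; its `data`
    carries `server` (the leaf), `chain` (intermediates) and `root`.
    `private_key` is the body of GET .../certificates/:id/private_key.
    The full chain is leaf first, then intermediates, which is the order
    nginx (ssl_certificate) and Apache (SSLCertificateFile) expect.
    The root is deliberately left out: clients already trust it.
    """
    data = download["data"]
    leaf = data["server"].strip()
    intermediates = [c.strip() for c in (data.get("chain") or [])]
    return {
        "cert.pem": leaf + "\n",
        "fullchain.pem": "\n".join([leaf] + intermediates) + "\n",
        "privkey.pem": private_key["data"]["private_key"].strip() + "\n",
    }


def write_bundle(bundle: dict, directory: str) -> None:
    """Write the files; the private key must never be world-readable."""
    os.makedirs(directory, mode=0o700, exist_ok=True)
    for name, pem in bundle.items():
        mode = 0o600 if name == "privkey.pem" else 0o644
        fd = os.open(os.path.join(directory, name), os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        with open(fd, "w") as fh:          # open() adopts the fd and closes it
            fh.write(pem)


def fetch_and_install(account_id: str, domain: str, certificate_id: str, token: str, directory: str) -> dict:
    """Download the certificate and key for one DNSimple certificate and install them."""
    base = f"/{account_id}/domains/{domain}/certificates/{certificate_id}"
    bundle = build_bundle(api_get(f"{base}/download", token), api_get(f"{base}/private_key", token))
    write_bundle(bundle, directory)
    return bundle


# Constructed stand-ins for the two API responses (not real certificates or keys).
SAMPLE_DOWNLOAD = {
    "data": {
        "server": "-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----\n",
        "root": "-----BEGIN CERTIFICATE-----\nROOT\n-----END CERTIFICATE-----\n",
        "chain": ["-----BEGIN CERTIFICATE-----\nINTERMEDIATE\n-----END CERTIFICATE-----\n"],
    }
}
SAMPLE_PRIVATE_KEY = {
    "data": {"private_key": "-----BEGIN RSA PRIVATE KEY-----\nKEY\n-----END RSA PRIVATE KEY-----\n"}
}

if __name__ == "__main__":
    # Offline dry run on the constructed responses; swap in fetch_and_install(...)
    # with your account id, domain, certificate id and API token for the real thing.
    for filename, pem in build_bundle(SAMPLE_DOWNLOAD, SAMPLE_PRIVATE_KEY).items():
        print(f"== {filename} ==\n{pem}")
```

Run this from the webhook or email you receive on issuance and on every renewal, then reload the web server; the certificate identifier changes with each renewal, so take it from the notification rather than hard-coding it.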

Products

Let’s Encrypt currently provides only one product: domain-validated SAN certificates. Let’s Encrypt does not support wildcard certificates.

If you are interested in a wildcard certificate, DNSimple offers wildcard certificates using a different certificate authority.

Single-name certificates can be considered a special case of multi-name certificates, with a single name associated with them. Therefore, the Let’s Encrypt offering serves as both a multi-name and a single-name product.

The ability to customize the names associated with a Let’s Encrypt certificate depends on the plan you are subscribed to.

Plan-specific features

Let’s Encrypt feature support varies based on your DNSimple subscription plan.

Note that not all Let’s Encrypt features are currently supported by DNSimple. Some features will be incrementally introduced in the future, while others are not supported due to design decisions or limitations imposed by our system.

  • You can request as many certificates as you want, as long as you stay within the Let’s Encrypt rate limits.
  • Depending on your plan, you can specify the hostname for the certificate, or it will default to the www and root domain.
  • Depending on your plan, you can specify up to 100 extra hostnames for a single certificate. Remember that Let’s Encrypt does not support wildcard certificates, and we currently only support subdomains of the same domain (it is not possible to add names from different domains).

Limitations

  • It is currently not possible to provide a custom CSR or private key when requesting a new certificate. The CSR is generated by DNSimple, based on the names specified in the certificate order.
  • We only support DNS-based validation. It is not possible to use the HTTP or TLS-SNI challenges.
  • The domain must be resolving with us, as we automatically create the DNS records required for validation.
  • We do not currently support including names from different domains in the same certificate SAN. We only support same-domain names (subdomains).

Testing

We currently do not support Let’s Encrypt in our sandbox environment. We discourage using the production environment for heavy or automated testing, as you may quickly hit the Let’s Encrypt rate limits.

If you have specific testing needs, you may want to consider using the Let’s Encrypt staging environment directly.

Order certificate

To order a new certificate via Let’s Encrypt using DNSimple, follow the instructions in the article Ordering a Let’s Encrypt SSL certificate.

If you already have a certificate and you want to renew it, follow the instructions for Renewing an SSL certificate. We also support auto-renewals for Let’s Encrypt certificates.

Auto-renewal

DNSimple supports auto-renewals for Let’s Encrypt certificates. When auto-renewal is turned on, we automatically renew the certificate before it expires.

Once renewed, you will receive an email and a webhook notification, and the certificate will be available to download from your DNSimple account.

Let’s Encrypt certificates are automatically renewed 30 days before the expiration date, as suggested by Let’s Encrypt, with the attempt retried every day in case of temporary failures.

The feature is available for free to all accounts. You can enable/disable auto-renewal for a certificate at any time from the SSL certificate page.

Let's Encrypt SSL certificate auto-renewal