Let’s Encrypt and DNSimple
This article describes a feature in Public Beta.
Table of Contents
- Differences between Let’s Encrypt and Standard SSL certificates
- Let’s Encrypt highlights
- DNSimple limitations
- DNSimple plan-specific features
- Ordering a certificate
Let’s Encrypt is an innovative certificate authority (CA) that joined the scene in late 2015. They became an official member of the CA/B forum in 2016.
Their three most distinguishing characteristics, as listed on their homepage, are free, automated, and open.
- Free: Let’s Encrypt SSL certificates are free. They don’t charge per certificate.
- Automated: Let’s Encrypt’s issuance process is fully automated. They developed an issuance protocol called ACME that’s designed to be fully automated with no manual intervention.
- Open: The source code of Let’s Encrypt’s certification authority is completely open source and available in a GitHub account.
Differences between Let’s Encrypt and Standard SSL certificates
This table summarizes the most important differences between Let’s Encrypt and Standard SSL certificates:
|Certificate Expiration||90 days||One year|
|Multi-domain (via SAN)||Supported by default||Supported only by specific products|
|Max SAN domains||100||Depends on the CA and product|
|Validation type||DV only||DV, OV, EV|
|Cost||Free||Depends on the CA and product|
|Limits||Per-domain, Per-week limits||N/A|
Let’s Encrypt highlights
Let’s Encrypt is different from most traditional CAs. Here are a few notes and limitations to keep in mind before requesting one of their SSL certificates:
- Let’s Encrypt only issues domain-validated SSL certificates. There’s no plan to support OV or EV certificates.
- Let’s Encrypt supports single-name and wildcard names.
- A single Let’s Encrypt certificate can include up to 100 SAN names. Names can be single-name, wildcard names, or both.
- Let’s Encrypt certificates have a fixed expiration period of 90 days. You can’t request a certificate with a longer expiration, though most other CAs will issue certificates valid for up to one year.
- Let’s Encrypt’s SSL certificates are compatible with major browsers and trusted by all major root programs.
- Let’s Encrypt certificates are domain-validated. The most common validation mechanisms are DNS-based and HTTP-based. They don’t support traditional email-based validation.
- Let’s Encrypt rate-limits requests. Understand their limits before requesting a large number of certificates.
Some Let’s Encrypt features may not be supported by DNSimple. Check the limitations section to learn which features are supported.
The DNSimple Let’s Encrypt integration allows you to request an SSL certificate for free using the Let’s Encrypt certification authority.
To request an SSL certificate with Let’s Encrypt, the domains must be delegated and resolving with DNSimple. The domain doesn’t need to be registered with DNSimple.
The certificate validation is completely automated using a DNS challenge. Once issued, you’ll receive an email and webhook notification. The certificate will then be available to download from your DNSimple account.
The certificate expiration is 90 days. If auto-renewal is enabled, the certificate will automatically renew before the expiration. If a new validation is necessary, we’ll automatically re-validate the domain via DNS. Once renewed, you’ll receive an email and webhook notification. You’ll still need to install the newly issued certificate once renewed.
As suggested by Let’s Encrypt, the renewal will happen any time after 60 days (30 days before expiration).
Although Let’s Encrypt certificates can be installed manually, the entire process is designed to be fully automated. We encourage you to use our certificate API to fetch the certificate and install it programmatically.
Let’s Encrypt provides only one type of certificate. They issue only domain-validated, SAN certificates, and support both single-name and wildcard names.
Single-name certificates can be considered a special type of multi-name certificate with a single name associated with it. Let’s Encrypt offering is both multi-name and single-name.
The ability to customize names associated with a Let’s Encrypt certificate depends on the plan you’re subscribed to. Check the plans and pricing page to view all your options.
DNSimple doesn’t support all Let’s Encrypt features. Some features will be incrementally introduced in the future, while others are not supported due to design decisions or limitations imposed by our system.
- We only support DNS-based validation. We don’t plan to support the HTTP or TLS-SNI challenges.
- We don’t support the ability to include names from different domains in the same certificate SAN. We only support same-domain names (subdomains).
- We don’t support custom CSR or private key while requesting a new certificate. The CSR will be generated by DNSimple based on the domains specified in the certificate order.
- To use our Let’s Encrypt integration, the domain must be resolving with us, as we’ll automatically create the DNS records required for the validation.
DNSimple plan-specific features
Let’s Encrypt feature support varies based on your DNSimple plan.
- You can request as many certificates as you want as long as you stay within Let’s Encrypt rate limits.
- Depending on your plan, you can specify your custom subdomains, or they’ll default to www/root domain. View our plans and pricing page to check which plans support certificates with subdomains.
- Depending on your plan, you can customize the certificate SAN with up to 100 extra names for a single certificate. View our plans and pricing page to check which plans support certificates with SAN.
We don’t support Let’s Encrypt in our sandbox environment. We discourage the use of the production environment for heavy or automated testing purposes, as you may quickly hit Let’s Encrypt rate limits.
If you have specific testing needs, consider using the Let’s Encrypt staging environment.
Ordering a certificate
To order a new certificate via Let’s Encrypt using DNSimple, follow the instructions in the article Ordering a Let’s Encrypt SSL certificate.
If you already have a certificate and you want to renew it, follow the instructions for Renewing an SSL certificate. We also support auto-renewals for Let’s Encrypt certificates.
DNSimple supports auto-renewals for Let’s Encrypt certificates. When the auto-renewal feature is turned on, we’ll automatically renew the certificate before expiration.
Once renewed, you’ll receive an email and webhook notification. The certificate will then be available to download from your DNSimple account.
Let’s Encrypt certificates are automatically renewed 30 days before the expiration date, as suggested by Let’s Encrypt, with automatic failover attempts every day in case of temporary failures.
This feature is available for free to all accounts. You can enable/disable auto-renewal for a certificate from the SSL certificate page. To use the feature, the certificate must not be expired.