
What is Let's Encrypt — the free CA that automates HTTPS

Let's Encrypt is a free CA that issues TLS/SSL certificates. ACME verifies domain control automatically, so issuance and renewal are hands-off; certs last 90 days to force automation. How it works (certbot/Caddy), and how to avoid the #1 incident — a stalled renewal that lets the cert expire.

Published 2026-06-29 Updated 2026-06-29 4 min read

"I want HTTPS, but certificates seem expensive and fiddly" — Let's Encrypt changed that premise. It's free, and issuance through renewal can be fully automated. Here's how it works, from a defender's point of view.

How it works: proving domain control, automatically (ACME)

Traditional certificates meant applying, submitting identity paperwork, and waiting — all by hand. Let's Encrypt replaces that with ACME (Automatic Certificate Management Environment), a protocol that turns the whole exchange into machine-to-machine steps.

1. Challenge: the CA says "if you control this domain, you can place this value at a specific spot"
2. Prove: the server places the value at a web path (HTTP-01) or a DNS record (DNS-01)
3. Issue: once verified, the CA issues the certificate. As expiry nears, steps 2–3 repeat automatically

The ACME basics: your server proves it controls the domain on the spot, and receives a certificate automatically.

The key point: it only verifies control of the domain (Domain Validation, DV). It doesn't vet a company's legal existence, which is why the process is light enough to fully automate. The encryption itself is no weaker than a paid certificate.
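To make the challenge/prove/issue steps concrete, here is an added example (not code from the article, Let's Encrypt or any ACME client) that models an HTTP-01 exchange entirely in-process: the CA side hands out a token, the server side publishes the key authorization at the well-known path, and the CA side checks it. The key-authorization and thumbprint rules follow RFC 8555 and RFC 7638; the account key, domain name and in-memory "webroot" are constructed sample values, and `FakeCA` is a stand-in, not a real ACME endpoint.

```python
# Added example: an offline model of the ACME HTTP-01 domain-control check.
# Nothing here talks to a real CA; the "webroot" is a dict standing in for
# what the web server would serve at /.well-known/acme-challenge/<token>.
import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME/JWS uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON (sorted keys, no
    whitespace) of the key's required public members."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the value the server must publish is
    token '.' thumbprint(account public key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_path(token: str) -> str:
    """Where the CA will look for the key authorization (HTTP-01)."""
    return f"/.well-known/acme-challenge/{token}"


def dns01_txt_value(key_auth: str) -> str:
    """RFC 8555 section 8.4: DNS-01 publishes the SHA-256 of the key
    authorization in a TXT record (_acme-challenge.<domain>) instead."""
    return b64url(hashlib.sha256(key_auth.encode("ascii")).digest())


class FakeCA:
    """Stand-in for the CA side: issues a challenge, later validates it."""

    def __init__(self) -> None:
        self.pending: dict = {}  # (domain, token) -> account JWK

    def new_challenge(self, domain: str, account_jwk: dict) -> dict:
        token = b64url(secrets.token_bytes(32))
        self.pending[(domain, token)] = account_jwk
        return {"type": "http-01", "token": token, "url_path": challenge_path(token)}

    def validate(self, domain: str, token: str, webroot: dict) -> bool:
        """'Fetch' the challenge path and compare with the expected value."""
        account_jwk = self.pending.get((domain, token))
        if account_jwk is None:
            return False
        served = webroot.get(domain, {}).get(challenge_path(token))
        return served == key_authorization(token, account_jwk)


def respond_to_challenge(challenge: dict, domain: str, account_jwk: dict, webroot: dict) -> None:
    """Server side: place the key authorization where the CA will look."""
    webroot.setdefault(domain, {})[challenge["url_path"]] = key_authorization(
        challenge["token"], account_jwk)


# Constructed sample account key (not a real key; x/y are filler bytes).
SAMPLE_ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
                      "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}


def run_exchange(domain: str = "example.com") -> dict:
    """Full round trip: challenge -> prove -> validate, plus a failure case
    where the server published nothing."""
    ca = FakeCA()
    webroot: dict = {}
    challenge = ca.new_challenge(domain, SAMPLE_ACCOUNT_JWK)
    respond_to_challenge(challenge, domain, SAMPLE_ACCOUNT_JWK, webroot)
    return {
        "path": challenge["url_path"],
        "validated": ca.validate(domain, challenge["token"], webroot),
        "validated_without_response": ca.validate(domain, challenge["token"], {}),
    }


if __name__ == "__main__":
    print(run_exchange())
```

The token is random per challenge and the account key is what ties the response to the account that requested it, so a value copied from one challenge is useless for another; that is also why the 30-day-early renewal in practice just reruns this exchange unattended.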

The 90-day lifetime forces automation

Let's Encrypt certificates are valid for 90 days. The short window is deliberate.

Shrink the blast radius of a leaked key

If a server's private key ever leaks, a short-lived certificate narrows the window it can be abused — and even if revocation lags, it expires on its own.

Make automated renewal the default

90 days is impractical to renew by hand, so operators have to automate — which pushed the whole industry toward "certificates are something you rotate automatically." In practice, renewal tools start trying ~30 days before expiry.

So the real job is monitoring

Automated renewal can quietly stop — a broken cron, changed permissions, a domain check that no longer passes. If you don't notice, 90 days later it expires. The defensive habit is to monitor renewal success and the days remaining.

Our take: we run it this way ourselves (automatic TLS)

This site runs on the Caddy web server, which issues and renews Let's Encrypt certificates automatically just by pointing a domain at it (there's barely any certificate config). "Not having to think about certificates" is the goal: the fewer places a human touches by hand, the fewer expiry incidents from a forgotten swap. If instead you run certbot on a cron, the safe move is to monitor whether that cron is actually still running — not just trust that it is.

The #1 incident: a stalled renewal, then expiry

The thing teams hit most often around HTTPS isn't an attack — it's an expired certificate. On expiry the browser throws a full-page warning and visitors almost always leave. The cause is nearly always "renewal automation had broken and nobody noticed."

That's exactly why you should have a way to periodically look at your own certificate's expiry. This site's site security audit checks the TLS certificate (days remaining, expiry, outdated protocols) on a site you've verified you own, alongside the other checks. Automate the renewal, then verify from the outside that the automation is alive — that two-layer habit prevents expiry incidents almost entirely.
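The "verify from the outside that the automation is alive" habit described in this section and in the renewal-monitoring passage above, as an added example that is not part of the article or of the site's audit tool: a small checker that connects to a host, reads the certificate's `notAfter`, converts it to days remaining, and classifies the result. The 30-day threshold is an assumption taken from the renewal window the article mentions; `example.com` in the usage block is a placeholder host.

```python
# Added example: external TLS expiry check. Uses only the standard library.
import datetime
import socket
import ssl
from typing import Optional

# Assumption: clients renew from ~30 days out, so anything below that means
# the renewal automation has most likely stalled and someone should look.
WARN_DAYS = 30


def days_remaining(not_after: str, now: Optional[datetime.datetime] = None) -> int:
    """not_after is in the format ssl.getpeercert() returns,
    e.g. 'Jun 29 12:00:00 2026 GMT'. Negative means already expired."""
    expiry = datetime.datetime.fromtimestamp(
        ssl.cert_time_to_seconds(not_after), tz=datetime.timezone.utc)
    now = now or datetime.datetime.now(datetime.timezone.utc)
    return (expiry - now).days


def assess(days: int, warn_days: int = WARN_DAYS) -> str:
    """Map days remaining to a monitoring status."""
    if days < 0:
        return "EXPIRED"
    if days < warn_days:
        return "WARN"
    return "OK"


def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Fetch the leaf certificate's notAfter over a verified TLS handshake."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check_host(host: str, port: int = 443, warn_days: int = WARN_DAYS) -> dict:
    """One monitoring probe. An already-expired certificate fails the
    verified handshake before we can read it, so a verification error is
    reported as its own alarm state rather than swallowed."""
    try:
        not_after = fetch_not_after(host, port)
    except ssl.SSLCertVerificationError as exc:
        return {"host": host, "status": "VERIFY_FAILED", "detail": str(exc)}
    except OSError as exc:
        return {"host": host, "status": "UNREACHABLE", "detail": str(exc)}
    days = days_remaining(not_after)
    return {"host": host, "status": assess(days, warn_days),
            "days_remaining": days, "not_after": not_after}


if __name__ == "__main__":
    # Placeholder host; point this at a domain you operate.
    print(check_host("example.com"))
```

Run it from a cron or CI job on a machine other than the web server itself, so a broken cron or permission change on the server cannot also silence the check; anything other than `OK` is the signal to look at the renewal logs before the 90 days run out.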

FAQ

Q: Is Let's Encrypt really free, and how does it differ from a paid certificate?

A: Issuance and renewal are both free. Let's Encrypt only does Domain Validation (DV) — it automatically checks that you control the domain. The encryption strength is identical to a paid certificate, and browsers show the same padlock. The difference is there is no Organization/Extended Validation (OV/EV) step that vets a company's legal identity, and there's no warranty. For personal sites and small services, a free DV certificate is almost always enough to serve HTTPS.

Q: Why are the certificates only valid for 90 days? Isn't that a hassle?

A: The short lifetime is a design choice, not a weakness. It limits how long a leaked private key can be abused, and it forces a culture where renewal is automated. To avoid the hassle, you automate renewal (most tools renew automatically starting ~30 days before expiry). The real hazard is the opposite — swapping certificates by hand once a year, then forgetting and letting one expire.

Q: What tools do I use to set it up?

A: The common ones are certbot (widely used with Apache/Nginx) and Caddy (a web server that serves HTTPS and auto-renews with zero certificate config). acme.sh and Traefik also speak ACME. If you need a wildcard certificate (*.example.com), you obtain it via the DNS-01 method, placing a verification value in a DNS record.