What are some limitations to Let's Encrypt?

Information about how SSL/TLS is implemented on our hosting.
Edge100x
Founder
Posts: 12287
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Post by Edge100x » Mon Apr 24, 2017 1:24 pm

  • Let's Encrypt does not support Extended Validation certificates -- the ones that cause some browsers to show a special name in the address bar. These must be obtained through a standard, full Certificate Authority, and we only support them on our 'Pro' webhosting plan.
  • Let's Encrypt rate-limits the number of subdomains that can be registered each week -- 20, as of this writing. They talk more about this here: https://letsencrypt.org/docs/rate-limits/. This limit is why we can't currently support encryption on our own subdomains (there are too many!).
  • Let's Encrypt certificates are only good for 90 days, meaning that they must be frequently renewed. We do this automatically for customers, providing a mostly seamless process, but the frequent renewal means that customers must be careful that the site requirements continue to be met.
  • Let's Encrypt is not compatible with CloudFlare. This is because CloudFlare mangles verification output that is needed as part of the Let's Encrypt activation process. We also generally recommend against using CloudFlare with our webhosting because it can degrade site performance, security, usability, and DDoS mitigation, and because CloudFlare can insert interstitial ads and alter its proxied output in various ways.
  • For our Let's Encrypt support, we use a technology called SNI (Server Name Indication) to run all websites from the same IP address. Some older browsers and clients do not support websites that use SNI and will break when trying to load customer pages. (Note that our traditional full SSL support comes with a dedicated IP address, so SNI is not used and this does not apply to it.)
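Added example, not from the forum post or the host's own tooling: a small Python check a site operator could use to act on two of the limitations above, the 90-day lifetime and the 20-per-week subdomain limit, using the post's numbers plus an assumed 30-day renewal threshold. The live check performs a TLS handshake with SNI; everything else runs offline on constructed sample data.

```python
import ssl
import socket
from datetime import datetime, timedelta, timezone

LE_LIFETIME_DAYS = 90      # certificate lifetime the post describes
RENEW_WITHIN_DAYS = 30     # assumed renewal threshold: renew with 30 days left
PER_WEEK_LIMIT = 20        # weekly new-subdomain limit quoted in the post
WEEK = timedelta(days=7)


def renewal_status(not_after, now):
    """Days of validity left and whether a 90-day cert is due for renewal."""
    days_left = (not_after - now) / timedelta(days=1)
    if days_left > LE_LIFETIME_DAYS:
        raise ValueError("validity longer than a Let's Encrypt certificate")
    return round(days_left, 1), days_left <= RENEW_WITHIN_DAYS


def week_budget(issued_at, now, planned):
    """Count issuances in the trailing 7 days and report whether `planned`
    additional subdomain certificates still fit under the weekly limit."""
    recent = sum(1 for t in issued_at if now - WEEK < t <= now)
    remaining = max(PER_WEEK_LIMIT - recent, 0)
    return recent, remaining, planned <= remaining


def fetch_not_after(host, port=443):
    """Live check: handshake with SNI (server_hostname) and read notAfter."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)


def sample_report():
    """Constructed sample data (not real certificates) exercising both checks."""
    now = datetime(2017, 4, 24, 13, 24, tzinfo=timezone.utc)   # the post's date
    cert_a = now + timedelta(days=20)     # issued 70 days ago: due for renewal
    cert_b = now + timedelta(days=75)     # freshly issued: fine for now
    issued = [now - timedelta(days=d) for d in (1, 2, 2, 3, 5, 6, 6, 8, 9)]
    return {
        "a": renewal_status(cert_a, now),
        "b": renewal_status(cert_b, now),
        "budget": week_budget(issued, now, planned=15),
    }


if __name__ == "__main__":
    print(sample_report())
    # fetch_not_after("example.com") performs the live SNI check against a real host
```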
