December 6, 2018

How many of you are using Letsencrypt ssl to get free SSL Certificates

Hi,

I was wondering how many indiehackers are using this free SSL service - https://letsencrypt.org/

Renewal is a bit of a pain, but it can be automated via scripts/tools available on various platforms.

We tried to use it in our product (https://www.feedbackrig.com/) which is a B2B platform. Therefore, we create a sub-domain for each of our clients. However, we faced various issues in generating certificates for wild-card sub-domains and we ended up buying an SSL cert with wild-card support. I was wondering if anyone had faced a similar situation and wants to share their experience with Let's Encrypt SSL for wild-card sub-domains.

Thanks.


  1. 3

    I have used Let's Encrypt for a number of years and the pain of renewals has been automated with several projects. My favorite is Traefik https://traefik.io/ which has largely automated how I deploy projects using Docker.

    Caddy https://caddyserver.com/ is also a really nice and works auto-magically with Let's Encrypt and it works with everything.

    1. 1

      @jeff Thank you for sharing. It looks interesting but our infrastructure doesn't support containerization at the moment.

      1. 2

        You can use Caddy without containers (we encourage it). I think you'll be pleasantly surprised by how helpful it'll be for your use case. There have been other businesses using it to secure 1000s of domains in various fashions. Let me know if you have more questions!

  2. 3

    Use it for single (sub)domain sites but had a heck of a time getting it working for wildcard. In the end I sprung for a $50 paid wildcard cert as several more hours of my time just wasn't worth it!

    1. 1

      @megabaz Thanks for sharing. Yes, I agree. We also did the same.

  3. 2

    I use dehydrated as the renewal client for my Let's Encrypt wildcard certificates and it works really well and is totally automated. But that's because for my server provider/DNS provider there is a hook to automatically deploy the ACME challenge as a DNS record. After the initial setup and configuration I only have to call the script as a cronjob regularly.
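    The hook the comment above describes has a fixed call shape: dehydrated invokes it as `HOOK deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE` and later `HOOK clean_challenge` with the same arguments, and the hook publishes `TOKEN_VALUE` as a TXT record at `_acme-challenge.DOMAIN`. The example below is an added illustration of such a hook, not dehydrated's own code or any provider's hook: the DNS provider API is replaced by a constructed in-memory record store so it runs offline, and the assumed behaviour of the real API (credentials from the environment, a token scoped to TXT records) is noted in comments. It also shows the detail that trips people up with wildcards: `*.example.com` and `example.com` are both validated at the same `_acme-challenge.example.com` name, so the hook must add values rather than overwrite them, and remove only its own value on cleanup.

```python
#!/usr/bin/env python3
"""DNS-01 hook in the shape dehydrated calls it (added illustration, not dehydrated's code).

dehydrated runs:  HOOK deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
                  HOOK clean_challenge  DOMAIN TOKEN_FILENAME TOKEN_VALUE
(several DOMAIN/TOKEN_FILENAME/TOKEN_VALUE triplets at once when HOOK_CHAIN=yes)
and also calls other hook names (deploy_cert, ...) that a DNS-only hook may ignore.
"""
import re
import sys

# Constructed stand-in for the DNS provider's API: record name -> set of TXT values.
# A real hook would call the provider here (assumption: API credentials come from the
# environment) and should use a token limited to TXT records, which is all ACME needs.
ZONE = {}

LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def challenge_name(domain):
    """Record name the CA will query for DOMAIN.

    A wildcard identifier *.example.com is validated at _acme-challenge.example.com,
    the same name as the base domain, so the leading '*.' is dropped.
    """
    if domain.startswith("*."):
        domain = domain[2:]
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(LABEL.match(label) for label in labels):
        raise ValueError(f"refusing to publish a challenge for {domain!r}")
    return "_acme-challenge." + ".".join(labels)


def deploy_challenge(domain, token_value, zone=ZONE):
    """Add TOKEN_VALUE as one more TXT value; several may coexist at one name.

    A real hook would wait for the record to be visible on the authoritative
    servers before returning, otherwise the CA's first query fails.
    """
    name = challenge_name(domain)
    zone.setdefault(name, set()).add(token_value)
    return name


def clean_challenge(domain, token_value, zone=ZONE):
    """Remove only our own value, leaving any other pending challenge untouched."""
    name = challenge_name(domain)
    values = zone.get(name)
    if values is not None:
        values.discard(token_value)
        if not values:
            del zone[name]
    return name


def txt_records(name, zone=ZONE):
    """Values currently published at NAME (what the CA's resolver would see)."""
    return sorted(zone.get(name, ()))


def run_hook(argv, zone=ZONE):
    """Dispatch one hook invocation (argv[0] is the hook name); returns names touched."""
    if not argv:
        return []
    hook, args = argv[0], argv[1:]
    if hook not in ("deploy_challenge", "clean_challenge"):
        return []  # deploy_cert, unchanged_cert, exit_hook, ...: nothing to do for DNS
    if len(args) % 3 != 0:
        raise ValueError("expected DOMAIN TOKEN_FILENAME TOKEN_VALUE triplets")
    handler = deploy_challenge if hook == "deploy_challenge" else clean_challenge
    touched = []
    for i in range(0, len(args), 3):
        domain, _token_filename, token_value = args[i:i + 3]  # TOKEN_FILENAME is HTTP-01 only
        touched.append(handler(domain, token_value, zone))
    return touched


if __name__ == "__main__":
    for name in run_hook(sys.argv[1:]):
        print(name, txt_records(name))
```

    Configured as `HOOK=./hook.py` in dehydrated's config with `CHALLENGETYPE="dns-01"`, an order for `example.com` plus `*.example.com` produces two `deploy_challenge` calls that land on the same record name, which is why the store keeps a set of values per name.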

  4. 2

    All the time using the amazing Hatchbox. Just one click of a button and my site has SSL including any subdomains! It will also renew your certs for you ✨

  5. 2

    Yep. I deploy most of my sites to Digital Ocean with Laravel's Forge, that comes with built in LetsEncrypt support, single domain and wildcard. Point and click for any site I want :)

    I believe Heroku now uses LetsEncrypt for "free" certs. I say free but you have to upgrade to a paid worker before you can get a custom domain cert.

    1. 1

      We are using Laravel Forge + Digital Ocean too. Adding LetsEncrypt is as easy as adding your domains and clicking an "Obtain Certificate" button: https://i.imgur.com/GrkyUSz.jpg

      Forge automatically renews certificates for you.

    2. 1

      @Mubs That's interesting. Can you share a bit more detail, e.g. how long it usually takes to spin up an SSL-enabled tenant?

      1. 1

        Kinda depends on how your overall application architecture is set up, but for me there is no real time to set up a new tenant.

        DNS is set up to support wildcard so that all resolve to the same IP, i.e. *.<yourservice.com> all go to the same server.

        We configured the DigitalOcean DNS server and LetsEncrypt to use wildcard SSL. Once it's set up, there is nothing additional to do when we add a new tenant. When we set up the SSL we used *.<yourservice.com>

        The application itself looks at the domain name in the request, <tenant>.<yourservice.com>, looks up in the DB whether that tenant exists, and routes the request and responds as it needs to.

        Users go to the main website page to sign up and create a tenant, which for me is just an entry in a DB table. All requests are then scoped down to that tenant id.
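        The routing step in the comment above (read the Host header, find the tenant, or refuse) is where a wildcard setup needs care, because the certificate for `*.yourservice.com` covers exactly one label below the base domain and the lookup should accept exactly the same shape. The following is an added illustration of that lookup, not the commenter's code: `yourservice.com` stands in for the real base domain and the tenant table is a constructed dict in place of the DB.

```python
"""Tenant lookup from the Host header for a subdomain-per-tenant, wildcard-cert setup.
Added illustration with a constructed tenant table; not the commenter's own code.
"""
import re

BASE_DOMAIN = "yourservice.com"  # assumed placeholder for the real base domain
LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

# Constructed stand-in for the tenants table: subdomain -> tenant id
TENANTS = {"acme": 1, "globex": 2}


def normalize_host(host):
    """Lower-case, strip an optional :port and a trailing dot; None if malformed."""
    host = host.strip().lower()
    if host.startswith("["):  # IPv6 literal: never a tenant host
        return None
    if ":" in host:
        host, _, port = host.rpartition(":")
        if not port.isdigit():
            return None
    host = host.rstrip(".")
    return host or None


def tenant_from_host(host, tenants=TENANTS, base_domain=BASE_DOMAIN):
    """Tenant id for HOST, or None when the request must not be served as a tenant.

    Exactly one label below the base domain is accepted: that is what *.base_domain
    covers in the certificate, and it keeps a.b.yourservice.com or
    acme.yourservice.com.attacker.net from ever matching a tenant.
    """
    host = normalize_host(host)
    if host is None:
        return None
    suffix = "." + base_domain
    if not host.endswith(suffix):
        return None
    sub = host[:-len(suffix)]
    if not LABEL.match(sub):  # rejects "", nested labels and stray characters
        return None
    # Unknown tenant -> None: answer 404, never fall back to a default tenant.
    return tenants.get(sub)


if __name__ == "__main__":
    for h in ("acme.yourservice.com", "ACME.yourservice.com:443",
              "evil.acme.yourservice.com", "nobody.yourservice.com"):
        print(h, "->", tenant_from_host(h))
```

        The id this returns is what every subsequent DB query is scoped to, which is the "scoped down to that tenant id" step the comment describes; returning None for the bare base domain lets the same server hand that request to the marketing site instead.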

        1. 1

          @mubs

          Many thanks for sharing the details. We are using a similar mechanism for our signup (https://app.feedbackrig.com/signup) but using a separate wild-card cert. Based on your experience it seems Let's Encrypt can now be a good replacement.

  6. 2

    You can set up subdomains with Let's Encrypt, though not wildcards, I believe. It's actually easy to modify existing certs.

    Set a crontab to renew the stuff every week and you should never need to worry about it again; it's a very flexible app. I started using it for my toy projects but ended up using it everywhere after I automated everything, because of the convenience.

  7. 1

    I've been using LetsEncrypt for a couple of years now for https://www.contractavailability.com/ and all the redirecting aliases and sub-domains as well as my WP based sites on another server. It's been trouble free since I set them up, in part because I use Ansible manifests to deploy all the servers, and pulled in a 'certbot' task which gets run a couple of times a day.

    It's a little more faffing around when I go to add a new (sub-)domain, but I've got a cheat-sheet list that I quickly figured out. I've not tried using wildcards yet though - that would be a little more involved with DNS configurations.

  8. 1

    I use wildcard domains with letsencrypt. I use Google as my DNS host, so it is really easy to set up auto renew.

  9. 1

    Hi,

    As a volunteer at Let's Encrypt Community, I want to invite you to post this question at community.letsencrypt.org, and there would be more people to help you out!

    Thank you

  10. 1

    Namecheap Hosting isn't planning on supporting it (you can get shell access and install it yourself but that seems a bit hard etc) so I need to look at new hosting.

    1. 2

      Hi,

      Besides certbot, there is one piece of software that could work in your situation: acme.sh.

      acme.sh supports the cPanel API, which can request certificates and install them automatically. (And it's also able to run in cron within cPanel servers.)

      1. 1

        Sweet! I will try it out!

  11. 1

    We are using it for web site, dashboard and docs.

    Some of our customers complain that they are seeing an SSL error and are unable to access the site. But it does not happen to me and most other customers. Does anyone have an idea why it is happening to a few people?

    1. 1

      @justinhugo That's a weird problem. We have never come across any problems. Did you ask those customers to clear cookies/cache or try another browser?

      1. 1

        I did not ask them to clear cache or cookies. They are visiting the site for the first time.

        Even if they switch to Firefox, they face the issue.

  12. 1

    I plan to use it after my existing PositiveSSL cert expires. I also use AWS's free certs for load balancers.

  13. 1

    We use Let's Encrypt with wildcard certificate (https://letsencrypt.org/2017/07/06/wildcard-certificates-coming-jan-2018.html).

    The only problem we find is that it needs to be manually renewed every 90 days (has a DNS challenge) but I create a reminder in my calendar for 30, 15, 7 and 3 days before renewal and this takes about an hour (with DNS propagation).


  14. 1

    I use LetsEncrypt for any project I work on.

    For my main product, Codemason.io (app hosting for developers), it's used on the marketing site and built in so users can easily host and deploy apps with SSL. It takes care of renewals automatically so there's no pain there.

    I haven't tried a wildcard SSL cert with Let's Encrypt yet; sounds like an interesting challenge though.

    When a new client joins FeedbackRig, what happens? How do you grant them a new subdomain to use for their client portal? Does your code detect the subdomain they are on and identify the client or do you create an entirely new instance for each client?

    Happy to discuss further and spend some time working with you to see if we can figure out how you could approach wildcard SSLs for FeedbackRig using LetsEncrypt

    1. 1

      @benm

      Thanks for asking. We implemented application level multi-tenancy and isolation so we are able to figure out which tenant our customers are on.

      Sure, feel free to contact me at zaheer.ahmed@feedbackrig.com

  15. 1

    Renewals are super simple, but then I've got some 20 years of experience with Linux :)

    1. 1

      @TomK32 Thanks, but we were using the Microsoft technology stack and there were very few (and buggy) renewal tools available.

  16. 1

    I use it. Renewal is automated. Set it and forget it by following easy to use docs. Great service. Subdomains can be difficult depending on volume. A company I was consulting ran into rate limit issues.

    1. 1

      Thanks @rorykoehler. It works really well if you know all the sub-domains in advance. However, for wildcard it's still an issue which we are trying to work around.

      1. 4

        Let's Encrypt supports wildcards now.

        It has been like at least a year now. I think.

        Back then when it didn't support wildcard, it was a pain in the butt.

        1. 1

          @hlwjia Are you running this setup? If so, then I would be interested to know the details.

          https://community.letsencrypt.org/t/wildcard-domain-step-by-step/58250/3

          It still requires adding TXT records manually or adding them via API. Unfortunately we can't use either of them.

          1. 1

            I'm running this setup for all my clients' projects. But I did use the API mode. How come you can't use the API mode though, if you don't mind me asking?

            I use this https://github.com/Neilpang/acme.sh to issue and renew SSLs.

            Hope it helps.

            1. 1

              @hlwjia Thanks for sharing in detail. Our provider has paid API access and we are also worried that there could be security implications if we add dynamic TXT records via API.

      2. 1

        You should be able to set it all up so that it automatically generates a new cert for your new subdomain within ~20 seconds.... not ideal if you need it immediately, but with a clever UX hack or two (e.g. show a welcome video alongside a "preparing your subdomain" message) you could circumvent this issue.

        1. 1

          @rorykoehler Nice idea! We did consider that but in the end sanity prevailed :) so we opted to buy a wildcard cert. However, we have been working on other B2B products which also require the same, so we are looking for an optimal solution that doesn't compromise the UX.

  17. 1

    I just deploy to Firebase hosting and they give free SSL certificates automatically; you don't have to do anything, no renewal, nothing. Really easy. Really useful for testing because you can test it without having to buy a domain name.

  18. 1

    I use Let's Encrypt. Didn't have to deal with wild-card subdomains, but every time I needed to, I just used certbot to set up and renew certificates automatically. That would assume you have separate entries in your server configuration for each subdomain. It's a bit more work in exchange for a free certificate. The sweet spot depends on your context.

    PS, what certificates are you using?

    1. 1

      @aqui_c Thanks for your thoughts. Yes, we thought of it; however, it would have affected the user experience and on-boarding (our signup immediately redirects to the client's sub-domain after successful signup). So it wasn't feasible for us to have separate entries for every new signup.

      We are currently using Comodo SSL.

      1. 1

        Hi @indiehacker35,

        Quite off topic, but I want to know why you use the subdomain thing, i.e. userpage1.yourdomain.com vs. yourdomain.com/login/. I am planning the latter for my upcoming project. Any pros and cons of the techniques?

        1. 1

          Hi Abhishek,

          Good question. There are many apps (especially B2B) that use sub-domain based tenants in order to allow your customers to have a fully isolated tenancy and better security control. We provide custom domains, which can easily be supported if you have sub-domain based multi-tenancy. However, it's purely a design choice and depends upon your requirements. Hope it helps.