Looking for FAQs

Hi all! I have a request: without looking at our current FAQ, post some things that you think are currently Frequently Asked Questions (and would fit well in a FAQ).

We originally wrote our first FAQ before we launched. It was focused on a lot of questions people had back then. Now, more than 5 years later, it's probably not as relevant. The reason I'm asking not to look at our current FAQ is that it's easy, when you have an example in front of you, to say "oh yeah that's a good question, let's update that one." But that leads to FAQs that grow indefinitely! I'd like to do a complete reboot.


Can I use a Let's Encrypt certificate to secure my email server?


From where can I order a Let's Encrypt certificate?


So what's the catch?


How do I get a Let's Encrypt certificate to use with my private server/device (behind a firewall/router/proxy)?


My first thoughts off the top of my head, in no particular order (which I think is what you're looking for):

  • What is a certificate and why do I need one?

  • I'm developing some embedded/IoT system, how do I set up my device's trust store for connecting to my back-end API? (This one should be asked more often than it is, I suspect.)

  • What is a domain name and how do I know what mine is?

  • Why can't Let's Encrypt's servers validate my server? (Covering things like checking firewalls, checking connectivity to your server from worldwide, etc.)

  • Why does Let's Encrypt say it can't find a valid IP when I put my IP in there? (Covering both RFC 1918 space as well as RFC 6598 Carrier-NAT space, and how they're not accessible from outside one's network.)

  • Not sure on the question exactly, but something about how both A and AAAA records need to be correct, since some users might have only one of IPv4 or IPv6, and Let's Encrypt uses both.

  • How do I set up having multiple servers that each need a certificate for the same name? (Maybe including Pros and Cons of having one server get the cert and copy it to the others, versus having each server get its own cert.)

  • I'm going to need a cert from within an ephemeral/server-as-cattle/disposable/container/etc, environment, how do I ensure that I don't abuse Let's Encrypt's resources and hit rate limits?

  • When won't a Let's Encrypt certificate be suitable for me? (Needing OV/EV, or maybe not being able to automate?)

  • What do I need to back up from my server as relates to my account/certificate keys, and how do I do it?

I may see if I can come up with more later.


What does an SSL certificate do?


Your question is actually a lot better than you might initially think, @Litbelb. There are MANY misconceptions about the function of SSL/TLS certificates. It differs slightly from @petercooperjr's first question, which is more elementary.


Here's a fun one:

  • I keep getting a weird error on my phone, and the only thing I can really understand from tapping around on the details is that it says something about "Let's Encrypt". What did you do to my phone?

I don't know enough about the smartphone ecosystem to know if this is only one specific brand or if the UI is better in newer versions, but it certainly causes confusion when like, someone's mail system certificate expired or there's some malware on the device that has a back-end with a bad certificate, so every time the device checks mail or whatever(regardless of what the user is trying to do in the meantime) one sees an error. This has definitely caused confusion on the forum when the community tries to help fix the server that's involved when the user doesn't actually know anything about the server. See Let's Encrypt got on my iphone without permission, Help Pop Up Message, Newbie trying to understand for some example threads where there was a lot of confusion.

In general ensuring there's at least some part of the FAQ that makes sense to end-users, rather than web site developers/administrators, would probably make sense.


I installed and can see my Let's Encrypt certificate, so why does my browser say that my site/device is insecure? (What is mixed content?)


Will you do XXX for me ?

1 Like

Do I want a "wildcard" ?

  • How do I delete my old certificate so I can get a new one?

  • How do I delete my old certificate so I can get a certificate on another machine?

  • How do I delete my certificate so I can start over?

  • How do I delete my certificate so I can go back to HTTP?

  • My host (or device) gave me a CSR, where do I upload it?

  • Can you renew my certificate for me?

  • My former consultant/employee got a certificate for me, how do I renew it?

  • My certificate was issued but it didn't show on my site; how long does it take to propagate?

  • Can I use the same certificate on two servers? How do I get certificates on two servers at the same time?

  • How do I migrate my certificate to a new server? How can I get a certificate in place now on a new server that I'm planning to switch to in the near future?

  • I got some files from Let's Encrypt; how do they correspond to the files that my [...] is asking for?
  • I get an error when requesting a certificate, HELP!

I haven't looked at other people's answers, so duplicates will be there :wink:

  1. Are the certificates really free?
  2. What kind of certificates do you have? Wildcard certificates?
  3. Do you offer OV/EV certificates?
  4. For how long are the certificates valid?
  5. Why are they only valid for 90 days?
  6. Why do I have to install an ACME client, instead of simply using a web UI such as with other CAs?
  7. How to install the certificate I just got?
  8. Can I have a sub-CA certificate restricted to my domain/zone/...?

Related: "I just want to download the certificate in my web browser—how do I do that?" :slight_smile:


Good lord. There are several questions worded in different ways regarding people hitting the rate limit of 5/week. Some people don't know why they get an error message after successfully obtain 5 identical certs (and then will delete them).

I was just heading off to bed, but I'll revisit this and edit my post into questions users have posted (but you get my drift of the rate limit questions). Back in a few hours.

  • Certbot says I successfull created a certificate but my site still is still unsecured.
    a. User used --manual
    b. User has mixed content
    c. User hasn't restarted server
    d. User's browser cache is still showing old info

Now off to bed.


I hit a rate limit, how do I revoke my certs so I can make more?

  • You have a lot of corporate sponsors, including some competing CAs; why do they all support Let's Encrypt?

  • Let's Encrypt is an amazing non-profit helping secure the Internet, how do I contribute money to it?

  • Let's Encrypt is an amazing non-profit helping secure the Internet, how do I contribute bitcoin/cryptocurrency to it?

  • Let's Encrypt is an amazing non-profit helping secure the Internet, how do I volunteer my time to help the project?

  • What's the "recommended contribution" I should be giving as a subscriber to Let's Encrypt?

  • What is an "intermediate certificate" and how often will they change?

  • Why shouldn't I store intermediate certificates in a trust store (and what should I do instead)?

  • What does "revoking" a certificate mean and when should I (and shouldn't I) do so?

  • What's the difference between RSA and ECSDA certificates, and which one should I be using?

  • What is a cipher suite?

  • What's the difference between "SSL" and "TLS"?

  • What TLS versions and cipher suites should I be enabling on my server? (I'm assuming this should just link to Mozilla's Guidelines and configurator unless there's a better source out there?)

  • What are some good tools to check that my site is accessible from the outside world, is ready for a challenge to work, and has a good TLS configuration? (I don't know what the policy is or should be on linking to other sites, but there are many popular good tools out there and we might be able to cut down on forum help needs quite a bit if links to them were more prominent.)

And some more from an end-user perspective:

  • There's a site using a Let's Encrypt certificate that is doing naughty things, where do I report it so that you will stop helping them?

  • There's a site using a Let's Encrypt certificate, does that mean that it's safe for me to type my credit card number or other personally identifiable information onto it?